July 2007
Beer and Privacy (3 July 2007)
Belgian Court Rules ISPs Must Stop File-Sharing (5 July 2007)
The Greek Cellphone Tapping Scandal (6 July 2007)
Pen Registers and the Internet (7 July 2007)
Security and Usability: Windows Vista (13 July 2007)
Fidget Toys (13 July 2007)
Checkers: Solved (19 July 2007)
Secondary Uses and Privacy (20 July 2007)
Security Flaw in the iPhone (23 July 2007)
Hacking Forensic Software (26 July 2007)
Insider Attacks (28 July 2007)

Pen Registers and the Internet

7 July 2007

The 9th Circuit Court of Appeals has just issued a dangerous opinion in United States v. Forrester on the applicability of "pen registers" to the Internet. In doing so, they ignored important technical issues that go to the heart of what makes the Internet different from the phone network.

A pen register is a device that records what phone numbers someone dials. (A close cousin, the trap-and-trace device, records what phone numbers dial a particular numer.) The criteria for law enforcement use of either are spelled out in 18 USC 3121-3127. The crucial constitutional element in these statutes is that a search warrant, which must be supported by "probable cause", is not required. Instead, all that’s needed is "a certification by the applicant that the information likely to be obtained is relevant to an ongoing criminal investigation".

This procedure was justified by Smith v. Maryland, 442 U.S. 735 (1979). In it, the Supreme Court ruled that phone numbers were voluntarily given to a third party — the phone company — and that the caller thus had no legitimate expectation of privacy. It noted that

Petitioner concedes that if he had placed his calls through an operator, he could claim no legitimate expectation of privacy. We are not inclined to hold that a different constitutional result is required because the telephone company has decided to automate.
The court also noted that people realize that the phone company can record such information:
All subscribers realize, moreover, that the phone company has facilities for making permanent records of the numbers they dial, for they see a list of their long-distance (toll) calls on their monthly bills. In fact, pen registers and similar devices are routinely used by telephone companies "for the purposes of checking billing operations, detecting fraud, and preventing violations of law." Electronic equipment is used not only to keep billing records of toll calls, but also "to keep a record of all calls dialed from a telephone which is subject to a special rate structure." Pen registers are regularly employed "to determine whether a home phone is being used to conduct a business, to check for a defective dial, or to check for overbilling."
But does any of this apply to IP addresses, email addresses, and URLs? Individuals do not see bills for email or packets sent. The overabundance of spam would tend to suggest that no one is checking for Internet fraud or violations of the law, let alone by something like a pen register. In short, ordinary uses do not have the same awareness that they arguably do for phone numbers.

Beyond that, there is a more important distinction. A crucial part of the court’s reasoning in Smith was that phone numbers are "given" to the phone company:

This Court consistently has held that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.
Are IP addresses, email addresses, or URLs given to a third party? It is in this respect that the court missed some subtle technical points. IP addresses are clearly given to the ISP; there’s no other way for the packets to reach their destination. But what of email addresses? For most consumers, destination email addresses are indeed given to their ISP; specifically, they are sent to the ISP’s SMTP relay server, and that machine does the actual email delivery. Similarly, inbound email is generally retrieved from the ISP’s mail server. While it is unclear to what extent consumers understand the detailed configurations involved, the fact that consumer email addresses tend to have the ISP’s domain name makes this a plausible argument. In this respect, the reasoning in Smith would seem to apply. However, the Internet is not the phone network.

The essence of the Internet is end-to-end communications, where the ISP is not involved except as a passive carrier of the traffic. There is nothing preventing someone from sending email traffic directly from his or her originating machine to the recipient’s receiving machine. No third parties — a crucial part of the Supreme Court’s reasoning — need be involved. While admittedly that would be an unusual situation for consumers, it is quite common for businesses. (Even some individuals have such setups; indeed, some email I sent to a friend discussing this case followed exactly such a path: from my machines directly to my friend’s, with no ISP servers involved.) The opinion in this case ignores the distinction; the factual record as presented here does not state whether or not ISPs were involved. In that way, it sets a dangerous precedent.

There is one bright note in the court’s opinion. A footnote noted that

Surveillance techniques that enable the government to determine not only the IP addresses that a person accesses but also the uniform resource locators ("URL") of the pages visited might be more constitutionally problematic. A URL, unlike an IP address, identifies the particular document within a website that a person views and thus reveals much more information about the person’s Internet activity. For instance, a surveillance technique that captures IP addresses would show only that a person visited the New York Times’ website at http://www.nytimes.com, whereas a technique that captures URLs would also divulge the particular articles the person viewed.
The pen register statute specifically bars interception of "content"; "content", according to the statute
includes any information concerning the substance, purport, or meaning of that communication.
Does the non-host part of a URL qualify? I think so, and the judges in this case seem to think so, but it’s never been tested in court.
https://www.cs.columbia.edu/~smb/blog/2007-07/2007-07-07.html