Pen register

A pen register, or dialed number recorder (DNR), is a device that records all numbers called from a particular telephone line. The term has come to include any device or program that performs similar functions to an original pen register, including programs monitoring Internet communications.

The United States statutes governing pen registers are codified under 18 U.S.C., Chapter 206.

Definitions
The term pen register originally referred to a device for recording telegraph signals on a strip of paper. Samuel F. B. Morse's 1840 telegraph patent described such a register as consisting of a lever holding an armature on one end, opposite an electromagnet, with a fountain pen, pencil or other marking instrument on the other end, and a clockwork mechanism to advance a paper recording tape under the marker.

The term telegraph register came to be a generic term for such a recording device in the later 19th century. Where the record was made in ink with a pen, the term pen register emerged. By the end of the 19th century, pen registers were widely used to record pulsed electrical signals in many contexts. For example, one fire-alarm system used a "double pen-register", and another used a "single or multiple pen register".

As pulse dialing came into use for telephone exchanges, pen registers had obvious applications as diagnostic instruments for recording sequences of telephone dial pulses. In the United States, the clockwork-powered Bunnell pen register remained in use into the 1960s.

After the introduction of tone dialing, any instrument that could be used to record the numbers dialed from a telephone came to be defined as a pen register. Title 18 of the United States Code defines a pen register as:

"a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, provided, however, that such information shall not include the contents of any communication, but such term does not include any device or process used by a provider or customer of a wire or electronic communication service for billing, or recording as an incident to billing, for communications services provided by such provider or any device or process used by a provider or customer of a wire communication service for cost accounting or other like purposes in the ordinary course of its business"

This is the current definition of a pen register, as amended by passage of the 2001 USA PATRIOT Act. The original statutory definition of a pen register was created in 1984 as part of the Electronic Communications Privacy Act, which defined a "Pen Register" as:

"A device which records or decodes electronic or other impulses which identify the numbers called or otherwise transmitted on the telephone line to which such device is dedicated."

A pen register is similar to a trap and trace device. A trap and trace device would show what numbers had called a specific telephone, i.e., all incoming phone numbers. A pen register rather would show what numbers a phone had called, i.e. all outgoing phone numbers. The two terms are often used in concert, especially in the context of Internet communications. They are often jointly referred to as "Pen Register or Trap and Trace devices" to reflect the fact that the same program will probably do both functions in the modern era, and the distinction is not that important. The term "pen register" is often used to describe both pen registers and trap and trace devices.

Background
In Katz v. United States (1967), the United States Supreme Court established its "reasonable expectation of privacy" test. It overturned Olmstead v. United States (1928) and held that warrantless wiretaps were unconstitutional searches, because there was a reasonable expectation that the communication would be private. From then on, the government was required to get a warrant to execute a wiretap.

Twelve years later the Supreme Court held that a pen register is not a search because the "petitioner voluntarily conveyed numerical information to the telephone company." Smith v. Maryland, 442 U.S. 735, 744 (1979). Since the defendant had disclosed the dialed numbers to the telephone company so they could connect his call, he did not have a reasonable expectation of privacy in the numbers he dialed. The court did not distinguish between disclosing the numbers to a human operator or just the automatic equipment used by the telephone company.

The Smith decision left pen registers completely outside constitutional protection. If there was to be any privacy protection, it would have to be enacted by Congress as statutory privacy law.

Pen Register Act
The Electronic Communications Privacy Act (ECPA) was passed in 1986 (Pub. L. No. 99-508, 100 Stat. 1848). There were three main provisions or Titles to the ECPA. Title III created the Pen Register Act, which included restrictions on private and law enforcement uses of pen registers. Private parties were generally restricted from using them unless they met one of the exceptions, which included an exception for the business providing the communication if it needed to do so to ensure the proper functioning of its business.

For law enforcement agencies to get a pen register approved for surveillance, they must get a court order from a judge. According to 18 U.S.C. § 3123(a)(1), the "court shall enter an ex parte order authorizing the installation and use of a pen register or trap and trace device anywhere within the United States, if the court finds that the attorney for the Government has certified to the court that the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation". Thus, a government attorney only needs to certify that information will "likely" be obtained in relation to an 'ongoing criminal investigation'. This is the lowest requirement for receiving a court order under any of the ECPA's three titles. This is because in Smith v. Maryland, the Supreme Court ruled that use of a pen register does not constitute a search. The ruling held that only the content of a conversation should receive full constitutional protection under the right to privacy; since pen registers do not intercept conversation, they do not pose as much threat to this right.

Some have argued that the government should be required to present "specific and articulable facts" showing that the information to be gathered is relevant and material to an ongoing investigation. This is the standard used by Title II of the ECPA with regard to the contents of stored communications. Others, such as Daniel J. Solove, Petricia Bellia, and Dierdre Mulligan, believe that probable cause and a warrant should be necessary. Paul Ohm argues that standard of proof should be replaced/reworked for electronic communications altogether.

The Pen Register Act did not include an exclusionary rule. While there were civil remedies for violations of the Act, evidence gained in violation of the Act can still be used against a defendant in court. There have also been calls for Congress to add an exclusionary rule to the Pen Register Act, as this would make it more analogous to traditional Fourth Amendment protections. The penalty for violating the Pen Register Act is a misdemeanor, and it carries a prison sentence of not more than one year.

USA PATRIOT Act
Section 216 of the 2001 USA PATRIOT Act expanded the definition of a pen register to include devices or programs that provide an analogous function with Internet communications. Prior to the Patriot Act, it was unclear whether or not the definition of a pen register, which included very specific telephone terminology, could apply to Internet communications. Most courts and law enforcement personnel operated under the assumption that it did, however, the Clinton administration had begun to work on legislation to make that clear, and one magistrate judge in California did rule that the language was too telephone-specific to apply to Internet surveillance.

The Pen Register Statute is a privacy act. As there is no constitutional protection for information divulged to a third party under the Supreme Court's expectation of privacy test, and the routing information for phone and Internet communications are divulged to the company providing the communication, the absence or inapplicability of the statute would leave the routing information for those communications completely unprotected from government surveillance.

The government also has an interest in making sure the Pen Register Act exists and applies to Internet communications. Without the Act, they cannot compel service providers to give them records or do Internet surveillance with their own equipment or software, and the law enforcement agency, which may not have very good technological capabilities, will have to do the surveillance itself at its own cost.

Rather than creating new laws regarding Internet surveillance, the Patriot Act simply expanded the definition of a pen register to include computer software programs doing Internet surveillance by accessing information. While not completely compatible with the technical definition of a pen register device, this was the interpretation that had been used by almost all courts and law enforcement agencies prior to the change.

NSA call database controversy
When, in 2006, the Bush administration came under fire for having secretly collected billions of phone call details from regular Americans, ostensibly to check for calls to terror suspects, the Pen Register Act was cited, along with the Stored Communications Act, as an example of how such domestic spying violated Federal law.

In 2013, the Obama administration sought a court order "requiring Verizon on an 'ongoing, daily basis' to give the NSA information on all telephone calls in its systems, both within the US and between the US and other countries". The order was approved on April 25, 2013, by federal Judge Roger Vinson, member of the secret Foreign Intelligence Surveillance Court (FISC), which court had been created by the Foreign Intelligence Surveillance Act (FISA). The order gave the government unlimited authority to compel Verizon to collect and provide the data for a specified three-month period ending on July 19. This is the first time significant and top-secret documents have been revealed exposing the continuation of the practice on a massive scale under U.S. President Barack Obama.

According to The Guardian, "it is not known whether Verizon is the only cell-phone provider to be targeted with such an order, although previous reporting has suggested the NSA has collected cell records from all major mobile networks. It is also unclear from the leaked document whether the three-month order was a one-off or the latest in a series of similar orders".

Hemisphere DEA call database controversy
On September 1, 2013, the DEA's Hemisphere Project was revealed to the public by The New York Times. In a series of PowerPoint slides acquired through a lawsuit, AT&T is revealed to be operating a call database going back to 1987 which the DEA has warrantless access to with no judicial oversight under "administrative subpoenas" originated by the DEA. The DEA pays AT&T to maintain employees throughout the country devoted to investigating call records through this database for the DEA. The database grows by 4 billion records per day, and presumably covers all traffic that crosses AT&T's network. Internal directives instructed participants never to reveal the project publicly, despite the fact that the project was portrayed as a "routine" part of DEA investigations; several investigations unrelated to drugs have been mentioned as using the data. When questioned on their participation, Verizon, Sprint, and T-Mobile refused to comment on whether they were part of the project, generating fears that pen registers and trap and trace devices are effectively irrelevant in the face of ubiquitous private-public-partnership surveillance with indefinite data retention.

Information collected
Information that is legally collectible according to 2014 pen trap laws includes:

Phone

 * Dialed numbers
 * Received call numbers
 * The time the call was made
 * Whether the call was answered, or went to voice-mail
 * The length of each call
 * Content of SMS text messages
 * Post-cut-through dialed digits--(digits dialed after call is connected, like banking personal identification number (PIN) or prescription refill numbers)
 * The real-time location of a cell phone to within a few meters

Email

 * All email header information other than the subject line
 * The email addresses of the people to whom an email was sent
 * The email addresses of people who received the email
 * The time each email is sent or received
 * The size of each email that is sent or received

Internet

 * IP address, port, and protocol used
 * The IP address of other computers on the Internet that information was exchanged with
 * Time-stamp and size information of Internet access
 * Protocol traffic analysis to obtain URL web addresses surfed on the web, emails posted or read, instant messages exchanged, and information posted onto message boards