On September 8, 2021, the U.S. Court of Appeals for the Seventh Circuit released an opinion that rejected a defendant’s Fourth Amendment challenge to the government’s use of pen registers to obtain data for a single internet protocol (“IP”) address that was then used to prove that the defendant had launched a cyberattack against his former employer. The Circuit ultimately held that the use of a pen register to track IP addresses is not a “search” under the Fourth Amendment and does not require the government to obtain a search warrant. United States v. Soybel, No. 19-1936 (7th Cir. Sept. 8, 2021).
In 2016, industrial supply company W.W. Grainger suffered a series of cyberattacks in which millions of records were deleted from a segment of its business. Grainger determined that each of the attacks originated from a single IP address outside of Grainger’s network. After discovering this issue, Grainger referred the cyberattack to the FBI, which found that the implicated IP address came from an apartment building in Chicago where a disgruntled former employee, Edward Soybel, resided.
To confirm the source of the attacks, the FBI had to monitor internet traffic in and out of Soybel’s apartment. Because the IP addresses were being routed through a master router in the apartment building, the FBI could not determine the source of the cyberattack against Grainger without the use of a device known as a pen register. In 1986, Congress passed the Pen Register Act, 18 U.S.C. §§ 3121 et seq., authorizing law enforcement to use pen registers and “trap-and-trace” surveillance devices to obtain information as part of a criminal investigation. Historically, such devices were used to trace telephone numbers dialed on landline telephones and now, with the common use of the internet, they are used to track IP addresses.
In this case, the FBI obtained approval to use the pen register device from a district judge upon a minimal statutory showing of relevance to the investigation. The pen register was then used to record specific IP addresses coming through the master router for Soybel’s apartment building and the external IP addresses to which they were connecting. In this way, the IP addresses of the websites visited from Soybel’s apartment demonstrated that Grainger’s systems had been unlawfully accessed. The FBI’s surveillance confirmed that Soybel accessed Grainger’s network 790 times between September and November 2016.
Before trial in the Northern District of Illinois on twelve counts of violating the Computer Fraud and Abuse Act, Soybel sought to suppress evidence collected using the IP pen registers as a warrantless search in violation of the Fourth Amendment. He contended that the government should have been required to make a showing of probable cause to use the pen register – which it had not. Soybel further claimed that the unlawfulness of the government’s actions was supported by a Supreme Court case from 2018 that held the collection of historical cell-site location information from a cell phone (“CSLI”) required a search warrant. See Carpenter v. United States, 138 S. Ct. 2206 (2018). The district court rejected this challenge. It found that even if a search warrant should have been sought, law enforcement officers were operating prior to the Carpenter decision and were entitled to rely on the “good faith exception” to the exclusionary rule. That is, the officers were acting in good faith when they relied on pre-Carpenter law to evaluate their obligations under the Fourth Amendment.
Soybel was ultimately convicted and filed an appeal with the Seventh Circuit. On appeal, the defendant argued that he had a reasonable expectation of privacy in the data collected from the pen register and, because no search warrant was obtained before using the pen register, the evidence should have been suppressed. The Seventh Circuit disagreed. It held that the pen register only collected external data – the IP addresses and the times of connection – and did not collect the content or substance of the connections. It further found the case to be analogous to the use of telephone pen registers and in line with decades-old precedent holding that there is no expectation of privacy in the telephone numbers dialed on a landline. Like the IP pen register, the telephone pen register only collected the telephone numbers and the time and duration of the call. The contents of the telephone calls were not collected. Citing the third-party doctrine, the Court noted that there was no expectation of privacy in an IP pen register because the IP addresses were routed through a third-party internet service provider. By using a third-party ISP, the defendant knowingly exposed his data to the public and therefore had no expectation of privacy. The Court likened the defendant’s use of a third-party ISP to the historical use of a telephone switchboard and held that prior precedent in telephone pen register cases supported a finding that the defendant’s privacy rights were not violated.
The Court also determined that the Carpenter decision did not change the result in this case because the unique features of CSLI are not present in IP-address data. It reasoned that IP-address data was stationary, impersonal, and forward-looking, while CSLI tracked an individual’s movements in great detail through monitoring the location of an individual’s cell phone, a device which the Court noted was indispensable to daily life today. The collection of CSLI, the Court found, allows the compilation of a “detailed chronicle of a person’s presence” in various locations over a period of years and can even be applied retrospectively because cell carriers keep historical records for years. CSLI demanded a higher level of Fourth Amendment protection while IP-address data did not.
This decision is important for a number of reasons. Companies seeking to protect themselves from cyberattacks can be confident that the government has one more arrow in its quiver to combat cyber criminals. The decision also serves as a warning to those disgruntled employees who mistakenly believe that their internet activity is protected from disclosure. Pen registers have long been an important law enforcement tool allowing investigators to identify the criminal connections suspects are making through their communication devices. This decision shows that advances in technology will not deter law enforcement scrutiny and courts will not create an artificially high bar to collect IP data — as long as it is not a substantial intrusion into an individual’s privacy.