Rutgers Computer and Technology Law
Journal
2002
Notes and Comments
CARNIVORE IN CYBERSPACE: EXTENDING
THE ELECTRONIC COMMUNICATIONS
PRIVACY ACT'S FRAMEWORK TO CARNIVORE
SURVEILLANCE
Geoffrey A. North [FNa1]
Copyright © 2002 Rutgers Computer and Technology Law Journal; Geoffrey A.
North
I. Introduction
With each advance of communications technology comes a correlated
advance in the technology of surveillance: if the developments of the Internet
and e-mail constitutes a revolution in the way Americans communicate, these
developments have fomented a similar revolution in the way the United States
government investigates crime. While
some advances in surveillance have been facilitated by the passage of the
Communications Assistance for Law Enforcement Act of 1994 (CALEA) [FN1], perhaps the single most powerful and far-reaching
surveillance tool to monitor Internet communications arose out of the
governmental concern of preventing cyberspace from being overrun with crime.
This tool has been ominously dubbed "Carnivore." [FN2]
If advances in communications and surveillance technology occur in
distinct and evenly matched steps, it should not be surprising that Carnivore's
features mirror the elements of the major telephonic surveillance devices:
wiretaps, pen registers and trap-and-trace devices. Carnivore, however, is believed to impound information
transmitted through cyberspace with unprecedented efficiency.
While privacy advocates have expressed deep concerns about the potential
abuses of Carnivore's capabilities, government officials have argued powerfully
for the need to patrol the electronic frontier for potential crime.
The balancing of the interests of these sometimes polarized groups will
shape the structure of this note. In
Part II of this Note, the known facts surrounding Carnivore will be examined, with
a discussion of Carnivore's similarity to telephonic surveillance devices. Part III will survey the current state of
pertinent Fourth Amendment law, including the Katz doctrine, its progeny, and
cases decided under Title III of the Omnibus Crime Control and Safe Streets Act
[FN3] and the Electronic
Communications Privacy Act of 1996 (ECPA) [FN4]. Finally, this Note will conclude that the
safeguards provided under those two Acts are
readily applicable to Carnivore, and should be used to develop a balance
between the privacy interests of the public at large and the law enforcement
interests of the government.
II. Privacy and Law Enforcement in
Cyberspace
The FBI computer labs in Quantico, Virginia recently developed
"Carnivore," with the express intent of creating a tool capable of
tapping into and monitoring Internet traffic. [FN5] The specter of
Carnivore now looms heavily over cyberspace, for it is feared that the
application will be used by the FBI to "police cyberspace." [FN6] While government
agencies such as the FBI and the Department of Justice have long had the
ability to monitor private telephone conversations with a variety of
technological devices, electronic communication was believed to be secure from
monitoring by the government. Now, however, the advent of Carnivore has
officially extended the reach of the FBI into cyberspace.
It is not merely that the FBI now has the ability to monitor private
electronic communications that has made civil liberties groups apprehensive, it
is the breadth of the government's reach.
Barry Steinhardt, the Associate Director of the American Civil Liberties
Union (ACLU) recognizes the governmental interest in preventing the Internet
from becoming overrun with criminal plotting and actual illegal acts, but
believes some boundaries must be set for
governmental agencies. [FN7] As Steinhardt
notes, "[t]he central issue is how much liberty the government should be
able to destroy in order to 'catch a few perps." ' [FN8]
Due to its vast information-gathering capacity, Carnivore's targets will
not necessarily be limited to specific e-mail transmissions that are suspected
of communicating details of illegal activities. Carnivore is not subject to the concerns of efficiency and time
which force the government to target specific individuals for conventional
telephone wiretaps. Rather, Carnivore
may have the ability to impound all electronic communications, then filter out
those that do not give rise to investigation.
One commentator, James H. Johnston, recalls:
[T]he apocryphal story of the ruthless commander of the Ottoman forces
that sacked Constantinople. When he saw
the defenders and residents of the city take sanctuary in a church, he ordered
his men to set it afire. A lieutenant
pointed out that there were faithful as well as infidels inside, but the
general said, 'Burn it anyway, and let God sort them out.' [FN9]
A great deal of concern has arisen among civil liberties groups such as
the ACLU because so little is known about Carnivore's reach and capabilities.
While an independent review of Carnivore has recently been completed, it
has faced pointed criticisms from advocates of personal privacy. The review team that was chosen from the
Illinois Institute of Technology's Research Institute "include[d] a large number of White House
insiders, including a former Clinton information policy advisor, and a former
Justice Department official." [FN10] This research
group's stated objective was to "determine whether it's technically
possible for Carnivore to snoop on e-mail beyond the scope of a wiretap order,
and whether it poses other privacy risks." [FN11]
The Attorney General for the Clinton Administration, Janet Reno, allowed
for the eventual release of thousands of pages of information regarding
Carnivore. However, an initial block of information released, totaling over
seven hundred pages of material, has encountered reactions of deep
disappointment. [FN12] Much of
the material that has thus far been declassified and released has been stripped
of any value, its meaning obscured by the blocking out of apparently key
portions censored by the government before its release. [FN13] The anticipated
release of an additional two hundred pages was withheld completely. [FN14]
There have also been numerous calls for the FBI to make Carnivore's
source code publicly available. [FN15] Due to the
inadequacies that have riddled the independent review and releases of
information thus far, many critics believe that this step will be the most
effective way to ascertain the potential reach of Carnivore. The FBI, however, has resisted, fearing that
such a release will, in effect, hand over the use of Carnivore's capabilities
to hackers. [FN16]
The lack of available information about
Carnivore, combined with what some believe is a lack of candor on the part of
the government in disclosing only the most general details has fueled the fears
of civil liberties groups that Carnivore really does possess the power to
conduct all-encompassing surveillance of communications carried out in
cyberspace.
Among such groups' greatest worries is that Carnivore has the
far-reaching power to surveil either all correspondence that takes place over
the Internet or through e-mail, or any that the investigating governmental
agency chooses, regardless of whether a warrant to seize such information has
been obtained. [FN17] In addition, opponents of Carnivore fear
that the program gives the FBI the power to read all correspondence it
intercepts and then filter out the innocuous transmissions. Donald Kerr, FBI Assistant Director, has
testified to Congress that Carnivore "does not search through the contents
of every message and collect those that contain key words like 'bomb' and
'drugs." ' [FN18] The ACLU,
however, has claimed that the FBI is engaged in an "'unprecedented' power
grab that threatens the privacy of all Americans." [FN19] Moreover, the FBI
has offered only its word as assurance that Carnivore's power is not being
abused. [FN20]
The federal government has an undeniable interest in protecting the
safety of American citizens. This
governmental interest extends into cyberspace as well. [FN21] Privacy groups argue, however, that this
interest must stop somewhere short of
observing the contents of e-mail messages that pass between private
individuals, tracking the destinations of Internet users, and monitoring an
individual's electronic communications.
Just as some commentators have looked to the "interest that a law
enforcement officer might have in examining the contents of a hard drive . . .
[for] the trove of information there may yield important insights into crimes
that the owner may have committed," there is a similar temptation for law
enforcement officers to observe the communications and correspondence of an
individual through the Internet and through e-mail. [FN22] In fact, because
Carnivore gives the government the ability to sift through all e-mail
correspondence that passes through an Internet Service Provider
("ISP"), the governmental reach may be even more insidious.
A. How does Carnivore work?
The greatest source of apprehension surrounding Carnivore is the lack of
both public and expert understanding of how the application functions, and
then, to what extent Carnivore can and will be implemented to monitor or
intercept e- mail and other electronic correspondence. [FN23] James Dempsey, senior staff counsel for the
Center for Democracy and Technology, explains that "[t]he first problem
with Carnivore is that even [the] ISPs [where Carnivore has been installed] do
not know how it works and how its searches are limited." [FN24]
Installed and configured to properly reflect the specifications detailed
in a warrant, Carnivore does not possess the sinister characteristics that
privacy advocates attribute to it.
Donald Kerr, Assistant Director of the FBI, testified at a Senate
Judiciary Committee Hearing in 2000 that Carnivore "can be configured to
specifically comply with each court order." [FN25] The Carnivore system is made up of several
seemingly harmless components. First, it is a "conventional personal
computer . . . installed on the premises of an Internet Service Provider."
[FN26] This computer is
equipped with a modified version of commercially available software: a
"customized" version of a "Windows 2000 application." [FN27]
However, Carnivore is more than merely the sum of its parts. The modifications to the Windows application
infuse Carnivore with the power to police the traffic flowing through the ISP
in which it has been installed. These modifications allow the FBI to
"intercept and view . . . the E- mail [and] Web browsing activity or other
Internet traffic of a suspect." [FN28] The electronic
transmissions traveling through an ISP in which Carnivore has been installed
"will be routed through Carnivore, which will extract and record whatever
information is specified in a warrant issued by a court." [FN29]
The Carnivore application bears a strong resemblance to programs known
as "packet sniffers." Packet sniffers are so named because of the
way in which e- mail messages are transmitted through cyberspace. Upon transmission, e-mail messages are
disassembled, or "broken up into 'packets,' or uniform chunks of
data." [FN30] The packets then travel to their final
destination. Depending upon certain circumstances, the various packets that
comprise a single e-mail message may travel vastly different routes before
arriving at their ultimate destination.
The packets may arrive out of order and be reassembled in correct
sequence once they reach their final destination. Alternately, the packets may
travel together and reach their destination in a unified form.
Carnivore is, essentially, a sophisticated packet-sniffing device. Under one of its functions, "Carnivore
'sniffs' [the packets that comprise e-mail messages flowing through an ISP] to
read the address information in the header.
If the packet is to or from a targeted e-mail address (Carnivore search
warrants might well name an e-mail address rather than a person), Carnivore will,
depending on the court order, record either the address information or the
entire packet on its hard disk." [FN31] After such an
interception, an FBI agent can use software to reassemble the collected packets
and "read the information that Carnivore has taken in." [FN32] The agent must then determine "which
information is relevant and which is not.
The irrelevant information is deleted immediately and no copies are
kept. The relevant information becomes
part of the working papers of the investigation." [FN33]
C. Carnivore's capabilities: Search
functions
Carnivore is capable of carrying out several types of
interceptions. This Note will examine the
functions that are analogous to the searches that can be performed in the
context of telephonic surveillance.
Carnivore can be configured to collect data based on either the content
of, the destination of, or the origin of, (or some combination of these) data
transmitted over the Internet or through e-mail. The ten Carnivore functions identified and tested in the
Independent Technical Review of the Carnivore System are directly analogous to
telephonic surveillance devices, or hybrids of those devices.
These functions fall generally into two categories: those that sort
through and collect data based on its content, and those that target
transmissions based on "non-content" [FN34] elements such as
the address to which a transmission is directed, or the address from which a
transmission is received.
The latter category consists of three configurations. The results of
these configurations resemble, to some degree, the results that are obtained
using telephone pen-register filtering: (1) non-content e-mail collection, by which the non-content (or "From" and
"To" address) fields contained in e-mail transmissions are collected;
[FN35] (2) non-content
web browsing collection, by which the internet protocol ("IP")
addresses for a target's web browsing activities are collected; [FN36] and (3) non-content file transfer activity collection, by
which the source and destination IP addresses, but not the content, of the
target's file downloading activity are collected. [FN37]
The former category includes the configurations that produce results
that more closely resemble those that would be achieved using telephone
wiretaps. These include: (1) full collection on a fixed IP address, (by which
"the contents of communications to and from a target, who has a fixed IP
address - includ[ing] web browsing contents, FTP login session, commands and
data, e-mail contents from the target IP address" are collected); [FN38] (2) e-mail
content collection, by which the contents of e-mail communications that were
sent from and to a target e-mail ID are collected; [FN39] (3) alias e-mail collection, by which outgoing e-mail of a
target who has an alias is collected; (4) filtering of text strings on web
activity, by which the web- browsing contents that contain a specific text
string are collected; [FN40] (5) filtering on
text string for e-mail collection, by which e-mail containing a key word is
collected; [FN41] (6) filtering on text string and e-mail address or e-mail user
ID for e-mail collection, by which both a search can be narrowed by targeting
both an e-mail address user name and a key word; [FN42] and (7)
filtering on text string for FTP collection, by which FTP communication
containing a key word is collected. [FN43]
D. Telephonic surveillance devices
Much of the existing case law surrounding the Fourth Amendment implications
of searches and seizures of electronic communications is derived from the
monitoring of telephonic communications; therefore, it is useful to briefly
examine the three main devices used to carry out such surveillance.
All three of these devices bear some similarity to Carnivore in that
they must be physically linked to the system in which the communication is
being transmitted. However, while
Carnivore is installed at the central location of an Internet Service
Provider's premises, a wiretap is often installed at the premises from which
the monitored individual transmits communications. Therefore, by this feature
(combined with its ability to filter all communications that pass through it),
Carnivore may, in effect, eliminate the need to target a specific location or
individual, and thus remove the variable of efficiency in carrying out a
search.
Once attached to a telephone line, a "pen register" allows the
user to record the date and time a telephone call is placed. Most importantly, a pen register records the
number dialed from the line. [FN44]
Neither pen registers nor Carnivore physically intrude upon a monitored individual's home. Pen registers, unlike wiretap devices, are installed at a remote
location, on telephone company property.
Similarly, Carnivore is installed on an Internet Service Provider's
property, and never physically reaches an individual's home.
Like a pen register, a "trap and trace" telephone monitoring
device is attached to the telephone line of an individual who is being
monitored. Instead of monitoring outgoing call information, however, a
"trap and trace" device records the date, time, and telephone number
of all incoming calls. [FN45]
Finally, a wiretap enables an investigator to monitor content by
allowing him or her to "listen and record the telephone conversation
itself." [FN46]
These devices can be used separately or in conjunction with each other
to establish a comprehensive record of telephone calls made and received at a
particular location, in addition to the content of the calls. [FN47]
Carnivore also combines these features under one application; however,
because Carnivore can monitor both e-mail correspondence and Internet traffic,
it can intercept not only conversations similar to those that could be
monitored by the telephonic devices, but it also can be used to monitor an
individual's movements from destination to destination on the Internet. Based on the content of websites a monitored
individual visits, the FBI has the potential to make damaging inferences about
an individual. This feature of Carnivore may allow the FBI to carry out even
farther-reaching investigations of an individual than those carried out through
the use of telephonic devices.
James Dempsey believes that there is a clear distinction between
Carnivore and "ordinary telephone taps," because the way in which
Carnivore has been implemented has, in effect, "insert[ed] the FBI into
the ISP network." [FN48] Dempsey asserts
that this is a formula for disaster, because it gives the FBI too much
leeway. Instead, he proposes that
"ISPs should control their own networks, isolating and delivering to the
government only what the government is entitled to intercept, thus serving as a
buffer between the government and the communications of innocent
customers." [FN49] Furthermore,
Dempsey believes that "the FBI should make the technology of Carnivore -
including some of the source code and the right to modify it - available to any
ISP that needs it to comply with a surveillance order. This would reinstate the kind of checks and
balances we depend on to preserve our rights." [FN50]
"Carnivore is used not only for wiretaps but also for other forms
of surveillance that are conducted with no judicial oversight, under the weak
standards of the 'pen register' statute, drafted for the telephony world.
Carnivore collects addressing information from the Internet that is much more
revealing than the dialed telephone numbers collected by pen registers. If the government is to collect on the
Internet transactional information more personally
revealing than that collected on telephone lines, then Congress must impose
higher standards for the government to engage in such surveillance." [FN51] The FBI claims that Carnivore meets the
standards of Federal wiretapping standards.
"Carnivore can be configured to intercept only those E- mails being
transmitted either to or from the named subject." This type of technology exists in a
commercially available form. [FN52]
III. The evolution of Fourth
Amendment law in the Twentieth Century's
Technological Boom
The Fourth Amendment of the United States Constitution provides for
"[t]he right of the people to be secure in their persons, houses, papers,
and effects, against unreasonable searches and seizures, shall not be violated,
and no Warrants shall issue, but upon probable cause, supported by Oath or
affirmation, and particularly describing the place to be searched, and the
persons or things to be seized." [FN53]
However, the Fourth Amendment right to privacy does not operate as an
absolute protection against all intrusions by the government. The need for law enforcement agencies to
investigate has been recognized by the courts as well. There is a legitimate
governmental interest underlying the creation and implementation of
Carnivore. The Internet provides, in
essence, an entirely new and sprawling means of communication. As with the telephone system before it, the Internet can be used by criminals to
plan and even carry out illegal activities. [FN54] However, just
because there is potential for harmful uses does not imply that the government
should be unbridled in the monitoring of all that passes across the Internet's
lines of transmission.
A. The Development of Fourth
Amendment Law
Traditionally, the first step in the analysis of Fourth Amendment search
and seizure issues is for a court to determine whether a search has, in fact,
taken place. The standard used to
address this question in the context of various methods of eavesdropping, like
the technology used to carry out the eavesdropping itself, has been in a state
of flux throughout the twentieth century.
The FBI has, in essence, conceded that e-mail is protected by a
reasonable expectation of privacy, by requiring law enforcement officials to
secure a warrant before deploying Carnivore.
Nevertheless, it is instructive to examine the evolution of the standard
in order to provide a historical context for the law's regard for the progress
of surveillance technology.
For several decades, the controlling standard for the legality of
searches and seizures was articulated in Olmstead v. United States. [FN55] Olmstead and several co-conspirators were
convicted of violations of the Prohibition Act on the basis of information
gleaned from telephone wiretaps.
Olmstead objected to the use as evidence:
The information which led to the discovery of the conspiracy and its
nature [because it] was largely obtained by intercepting messages on the telephones
of the conspirators by four federal prohibition officers. Small wires were inserted along the ordinary
telephone wires from the residences of four of the petitioners and those
leading from the chief office. [FN56] The key distinction that made the surveillance of
Olmstead's telephone communications non-violative of the Fourth Amendment was
that "[t]he insertions were made without trespass upon any property of the
defendants." [FN57] The Olmstead Court reasoned that "[t]he
well known historical purpose of the Fourth Amendment, directed against general
warrants and writs of assistance, was to prevent the use of governmental force to
search a man's house, his person, his papers, and his effects; and to prevent
their seizure against his will." [FN58] The defining characteristic of the
challenged search in Olmstead, was that the "evidence was secured by the
use of the sense of hearing and that only." [FN59] The Court reasoned
that the search did not violate the defendant's Fourth Amendment rights because
"[t]here was no entry of the houses or offices of the defendants." [FN60]
This view of the Fourth Amendment arises from a rigid reading of its
text. [FN61] Critics argue that
the Olmstead Court's interpretation of the Fourth Amendment was flawed as soon
as it was conceived: such strict adherence to the Amendment's text needlessly turned a blind eye
to what were foreseeable technological advances. [FN62]
Consequently, Olmstead is now referred to for Justice Brandeis'
dissenting opinion as often as it is for its holding. Espousing a flexible interpretation of the Fourth Amendment in
the face of technological advances in the field of communication, [FN63] Justice Brandeis
laid the groundwork for the currently prevailing expectation of privacy
standard. Furthermore, Justice Brandeis
presaged current thinking on Fourth Amendment searches and seizures, by
pointing to its language as the source of an inalienable "right to be let
alone." [FN64]
Olmstead's "trespass doctrine" was overruled by Katz v. United
States. [FN65] Katz was charged with illegally
"transmitting wagering information by telephone . . . in violation of a
federal statute." [FN66] In pursuit of Katz, the FBI installed
"an electronic listening and recording device" in the wires of the
public telephone booth Katz had been using. [FN67] The Court determined that:
[T]he Government's activities in electronically listening to and
recording the petitioner's words violated the privacy upon which he justifiable
relied while using the telephone booth and thus constituted a 'search and
seizure' within the meaning of the Fourth Amendment. The fact that the electronic device employed to achieve that end
did not happen to penetrate the wall of the
booth can have no constitutional significance. [FN68] The rule in Katz is often distilled to the
idea that "the Fourth Amendment protects people, not places." [FN69] However, it is
Justice Harlan's concurring opinion that articulates the two-tiered test for
determining whether an individual's expectation of privacy in voice (and now
data) communications is reasonable:
[F]irst, that a person have exhibited an actual (subjective) expectation
of privacy and, second, that the expectation be one that society is prepared to
recognize as 'reasonable.' Thus a man's
home is, for most purposes, a place where he expects privacy, but objects,
activities, or statements that he exposes to the 'plain view' of outsiders are
not 'protected' because no intention to keep them to himself has been
exhibited. On the other hand,
conversations in the open would not be protected against being overheard, for
the expectation of privacy under the circumstances would be unreasonable. [FN70]
The first prong of this test is considered to be the threshold
requirement. If the individual being
monitored cannot meet this requirement, no search has taken place, and therefore,
there can be no violation of the Fourth Amendment. [FN71]
Once the first prong of the test has been satisfied, a court can
consider whether society considers the expectation of privacy reasonable under
the circumstances of the search. Courts have previously considered a variety
of factors in evaluating this second prong: "property interests, the use
ascribed to the area searched, society's longstanding beliefs, current
circumstances, and legislative enactments." [FN72]
B. The Effect of the Omnibus Crime
Control and Safe Streets Act of 1968 and the Electronic Communications Privacy
Act
Title III of the Omnibus Crime Control and Safe Streets Act of 1968 [FN73] codified the
Fourth Amendment principles set forth by the Katz Court. Title III, following Justice Harlan's
concurrence in Katz, contemplates the reasonable expectation of privacy
requirements. [FN74] Title III also preserves the implicit
balancing that constitutes the underpinning of Fourth Amendment analysis, by
proscribing the interception of oral and wire communications, "while
making provision for law enforcement to intercept these communications for use in
criminal investigations." [FN75]
The Electronic Communications Privacy Act of 1986 ("ECPA")
amended Title III when it became clear that Title III was not equipped to deal
with the advance of technology in the field of electronic communication. [FN76] ECPA was intended to align Title III with
innovations such as "cellular telephones, computer-to-computer
transmissions, and electronic mail systems . . . ." [FN77]
Title I of the ECPA prohibits unauthorized
interception of electronic communications. [FN78] In this context,
unauthorized means, among other things, those communications impounded without
the authority of an appropriate court order. [FN79] Title II proscribes the unauthorized access
to stored wire and electronic communications. [FN80] However, despite the ECPA's attempts to
modernize existing legislation, it was unable to resolve the potential
quagmires surrounding the application of the reasonable expectation of privacy
standard. While the privacy standard
still controls, it is increasingly difficult to apply because it is not always
"clear or obvious" whether such a reasonable expectation exists among
users of these new technologies. [FN81]
C. Beginning The Surveillance Process
In developing guidelines for the deployment and use of Carnivore, the
FBI has conceded that an investigating agent must obtain a warrant before
beginning a surveillance. The process
of obtaining a warrant hinges upon the FBI's ability to "demonstrate to the
satisfaction of a judge probable cause that a crime has been committed or is
about to be committed and that the surveillance is necessary to obtain relevant
information." [FN82]
In order for the FBI to obtain authorization to begin using Carnivore's
"pen register" function to conduct surveillance, it is only necessary
for the FBI to "show the relevance of
the information sought." [FN83]
IV. Following the Framework of the
ECPA to Restrict the Scope of Carnivore
Interceptions
The FBI has derived a series of safeguards directly from the ECPA that
must be satisfied before Carnivore can be deployed. [FN84] First, only certain high-ranking officials
in the Department of Justice "can authorize application for a wiretap via
Carnivore or any other mechanism." [FN85] The second restriction provides that
Carnivore can only be used in the investigation of a felony. [FN86] Third, "only
an Article III judge or state court may grant the order." [FN87] The fourth and
fifth requirements are directly related to traditional probable cause and
warrant requirements. The showing of
probable cause, however, must be accompanied by a showing that "normal
investigative procedures have been tried and have not been sufficient, and that
there is probable cause to believe that communications relevant to the
investigation can be captured." [FN88] The fifth requirement describes the
particularity of the wiretap order, and requires that such an order contain:
(1) [T]he identity of the interceptee, if known; (2) the nature and
location of the communications facilities to which the authority to intercept
is granted; (3) a particular description of the type of communication sought to
be intercepted, and a statement of the particular offense to which it relates; (4) the identity of the agency
authorized to intercept the communications, and of the person authorizing the
application; and (5) the period of time during which such interception is
authorized, including a statement as to whether or not the interception shall
be automatically terminated when the described communication is first obtained.
[FN89] The final
requirement places stringent limits upon the duration of the use of the device,
providing that "'the interception of communication' must be
'minimized,"' and must not "continue for 'any period longer than is
necessary to achieve the objective of the authorization, or in any event longer
than thirty days." ' [FN90]
There is a large and well-developed body of case law under the ECPA and
the Omnibus Crime Control and Safe Streets Act of 1968. The federal court system has consistently
held, under a broad spectrum of circumstances, that these requirements must be
satisfied to the letter in order for information obtained by the use of
surveillance devices to be admitted as evidence in the prosecution of a
criminal defendant. The policy of
strict adherence to the provisions of the ECPA and the Omnibus Act favored by
federal courts works as a bulwark against abusive or unauthorized use of such
technology by law enforcement officials.
The ECPA allows for the post-interception remedy of the suppression, at
trial, of evidence improperly captured by wire, oral, or electronic surveillance. [FN91] Therefore, a law
enforcement official's failure to adhere to the details of the ECPA scheme may
have the dire consequence of stripping the prosecution of its ability to use
the information, regardless of its potentially damaging effect. The threat of the suppression of evidence
should operate as a deterrent to such improper use of surveillance tools,
including Carnivore.
Federal courts have been confronted with motions to suppress improperly
collected evidence based on nearly every conceivable ground under the Omnibus
Act and the ECPA. For example, the
failure of law enforcement officials to include basic, requisite details in an
application for an order to commence surveillance, [FN92] as well as more
fundamental attacks on the power of the government to conduct such surveillance
have been raised as reasons for the suppression of evidence. [FN93] In considering
such motions, courts attempt to attain a balance between individual privacy
interests and the needs of law enforcement to effectively pursue criminal
activity.
A. Authorization by the Attorney
General
The formalistic approach federal courts take in the analysis of orders
for surveillance is illustrated by the United States Supreme Court's discussion
in U.S. v. Chavez. [FN94] In Chavez, the
Court examined the consequences of a failure to properly identify the express
authority of the Attorney General in a wiretap
order. [FN95] The Court
considered whether information intercepted in electronic surveillance,
implemented under an order that incorrectly identified the authorizing officer
as an Executive Assistant to the Attorney General, should be suppressed because
of the order's failure to conform exactly to 18
U.S.C. § 2516's requirement that the authorizing officer be the Attorney
General or the Assistant Attorney General. [FN96]
Although the Supreme Court ultimately reversed the Ninth Circuit Court
of Appeals' order to suppress, [FN97] the Chavez Court reiterated that a general policy of
unbending compliance with all of the provisions of Title III should be
advanced. [FN98] While in some rare
cases, a failure to clearly present the Attorney General's approval of an
application for surveillance may be overlooked, in most cases, such a deviation
should spell doom for the government's ability to present wire information
captured under the order at trial. The
government's interest in enforcing the sanctity of all provisions of Title III
should be clear: without the public's support, an Attorney General whose
failures to enforce the ECPA's safeguards capture the public's attention will
be susceptible to political ramifications.
Furthermore, the Court's holding in Chavez does no damage to the
additional authorization requirements contained in 18
U.S.C. § 2516. Again, these
authorization requirements envision the fixing of responsibility of ensuring
the propriety of surveillance orders upon a single figure, the Attorney General, who must answer to the authority of
the public at large. [FN99]
B. The Reporting Provisions of the
ECPA
A protection directly related to the Attorney General's accountability
in the context of the political process is that contained in the reporting
provisions of 18
U.S.C. § § 2518(1)(a), 2518(4)(d) and 2519. These provisions
require that statistics reflecting surveillance orders and their results be
reported to the Administrative Office of the United States Courts. [FN100] This office would then make these reports publicly
available. [FN101] In arriving at its
decision in Chavez, the Court concluded that these reports operate as a
concrete means by which the public can ascertain the effectiveness and
propriety of surveillance orders authorized by the Attorney General. "The purpose of these reports is 'to
form the basis for a public evaluation' of the operation of Title III and to
'assure the community that the system of court- ordered electronic surveillance
. . . is properly administered." ' [FN102]
C. The Deployment of the Device must
be in an Investigation of Felony
Federal courts have upheld the statutory structure that limits the
implementation of electronic surveillance equipment to the investigation of
enumerated felonies listed in 18
U.S.C. § 2516 that either have been or are about to be committed. [FN103] The courts
frequently considered the effectiveness of
electronic surveillance in combating the breed of criminal activity at
issue. For example, electronic
surveillance has long been considered to be among the most effective
investigative means by which the full extent of a broad network of conspirators
in an organized crime operation can be ascertained. [FN104] Similarly, certain
types of criminal activity have become associated with the Internet. [FN105]
In United States v. United States District Court for the Eastern
District of Michigan, [FN106] the United States Supreme Court contemplated the possible
effects of allowing the President to order surveillances in matters of domestic
safety without first securing a warrant.
The Court rejected such searches as an impermissible failure to meet the
standard of reasonableness that is met when probable cause is shown. [FN107]
In a concurring opinion, Justice Douglas further warned of the dangers
of warrantless searches carried out without an underlying crime:
[H]ere, federal agents wish to rummage for months on end through every
conversation, no matter how intimate or personal, carried over selected
telephone lines, simply to seize those few utterances which may add to their
sense of the pulse of a domestic underground . . . . We are told that one national security wiretap lasted for 14
months and monitored over 900 conversations. [FN108]
The Court similarly recognized the danger of possible abuses of
warrantless searches authorized only by the
President: if such surveillance were to be allowed, the President "'on his
motion, could declare"' any group or individual who poses a political
threat, or is generally unpopular, "'to be a clear and present danger to
the structure of the Government."' [FN109] If granted, this
type of unchecked power would undermine not only the balance between individual
privacy and law enforcement efforts, but would disrupt the "open public
discourse [that] is essential to our free society." [FN110]
D. Normal investigative procedures
must have been attempted or exhausted
"Due to the clandestine nature of electronic eavesdropping, the
need is acute for placing on the Government the heavy burden to show that the
'exigencies of the situation make its course imperative." ' [FN111] This showing requires "[t]he FBI [to]
explain why traditional enforcement methods are insufficient to obtain the
information desired." [FN112] While this requirement should operate as a
safeguard against the indiscriminate use of Carnivore, [FN113] courts have traditionally been reluctant to construct an
overly burdensome standard against the applicant for a surveillance order. [FN114] An inflexible
standard would hinder law enforcement's ability to pursue criminal activity
efficiently. Therefore, in order to
ensure that law enforcement efforts can keep pace with criminal activity,
courts have generally viewed "the statutory requirement 'that normal
investigative procedures' be first exhausted
. . . in a 'practical and common sense fashion." ' [FN115]
To engage in this kind of "common sense" analysis requires a
judge to consider "whether or not normal investigative procedures have
been tried and have failed or why they are unlikely to succeed if tried, or to
be too dangerous" against the backdrop of "all the facts and
circumstances." [FN116] This kind of
"common sense" analysis results in allowing the government to obtain
authorization for wire or electronic surveillance, even though it may not have
proven that "every other imaginable method of investigation has been
unsuccessfully attempted." [FN117]
E. Minimization: A Final Check on the
Reasonableness of the Scope of the Surveillance
Searches carried out using the Carnivore system are subject to at least
two stages of "minimization." [FN118] The first of these
stages occurs when the Carnivore system is configured to capture only the
information specified in the court order. [FN119] The second stage occurs when the FBI agent
involved with the case "determines which information [that Carnivore
captures] is relevant and which is not.
The irrelevant information is deleted immediately and no copies are
kept. The relevant information becomes
part of the working papers of the investigation." [FN120]
At trial, the target of a surveillance that has been conducted can challenge
the scope of the wiretap under 18
U.S.C. § 2518(5). [FN121] This section requires that the interceptions
made in the surveillance must be "minimized." Section
2518(5) provides that the interception "may
not be longer than necessary" to achieve the objective of the
authorization. [FN122] Section
2518(5) does not set forth a definition of
minimization, nor does it offer guidelines on how to achieve proper
minimization beyond its provision that without authorized extensions, at its
longest, a surveillance must cease after thirty days has lapsed. [FN123] Section
2518(6) allows for a judge to monitor the
progress of a surveillance that has been authorized. [FN124]
Courts have consistently held that the minimization requirement is to be
applied on a case-by-case basis. The
factors courts have considered in whether acceptable minimization has been
carried out include the percentage of communications intercepted out of all
communications, [FN125] the
length of time conversations are monitored before they are determined to be
relevant or irrelevant, [FN126] the percentage
of intercepted conversations that were not pertinent to the investigation, [FN127] and whether the surveillance continued beyond the
determined end date. [FN128] Although a court may take statistics
reflecting these factors into consideration, "blind reliance on the
percentage of nonpertinent calls intercepted [for example] is not a sure guide
to the correct answer." [FN129] The correct approach for a court considering
minimization questions is to suppress:
[E]vidence derived from an electronic surveillance order unless, after
reviewing the monitoring log and hearing the testimony of the monitoring
agents, it is left with the conviction that on the whole the agents have shown
a high regard for the right of privacy and have done all they reasonably could
to avoid unnecessary intrusion. [FN130]
This approach demands that courts examine the overriding circumstances
of a surveillance scheme. For example,
the United States Supreme Court has held that in some cases, even a wide-range
monitoring of "virtually all conversations" need not violate the
principle of minimization. [FN131]
It is "also important to consider the circumstances of the
wiretap. For example, when the
investigation is focusing on what is thought to be a widespread conspiracy more
extensive surveillance may be justified in an attempt to determine the precise
scope of the enterprise." [FN132] Courts have even permitted evidence collected in
unauthorized extensions beyond the wiretap order to be used at trial. [FN133]
This method of analysis is particularly necessary in the face of
examining the surveillance of complex schemes of criminal activity. For example, in United States v. Cox, the
court noted that in enacting 18
U.S.C. § 2518(5):
[A]s a part of Title III of the Omnibus Crime Control and Safe Streets
Act of 1968 . . . Congress was considering problems of great complexity and was
seeking to treat them in a reasonable manner.
An overly restrictive interpretation
of the minimization requirement could make it impossible to use this device in
connection with the investigation of organized criminal conspiracies. [FN134]
F. Pen registers
The Katz rationale has been roundly criticized since the case was
decided. [FN135] One such criticism is that the Court's
determination of the range of conduct that falls under the protection of the
objective standard is marred by disparities with current perspectives. [FN136] Such disparity is
borne out in Smith v. Maryland, [FN137] in which the
Court first articulated its position on the Fourth Amendment implications of
the use of pen registers to intercept the numbers dialed on a monitored phone. [FN138]
The Smith Court based its reasoning upon the assumption of risk analysis
propounded in United States v. Miller. [FN139] The Miller Court
held that a bank depositor has no "legitimate 'expectation of
privacy" ' in financial information "voluntarily conveyed to . . .
banks and exposed to their employees in the ordinary course of business." [FN140] Likewise, the
Smith Court held that an individual targeted in pen register monitoring cannot maintain
a reasonable expectation of privacy in the telephone numbers he dialed from his
home telephone. [FN141] Any telephone user, the Court reasoned, must
know that in dialing, he "convey[s] numerical information to the phone
company . . . and that the phone company . .
. record[s] this information for a variety of legitimate business
purposes." [FN142] A telephone user could not sustain a claim
of a reasonable expectation of privacy - he would fail to meet the second prong
of the Katz analysis. [FN143] Therefore, the Court held that the
installation and use of a pen register "was not a 'search,' and no warrant
was required." [FN144]
The Smith Court was deeply divided, with two dissenting opinions, both
of which relied upon the Katz rationale to conclude that dialed telephone
numbers should fall under the protection of the Fourth Amendment. [FN145] Justice
Stewart argued that because "[t]he numbers dialed from a private telephone
. . . are not without 'content," ' they should be considered to be framed
by a reasonable expectation of privacy. [FN146] Consequently, the dialed numbers should be
afforded the "constitutional protection recognized in Katz." [FN147]
A separate dissenting opinion by Justice Marshall also relies upon the
principle that the Fourth Amendment contemplates an individual's right to
privacy. [FN148] Justice Marshall was willing to concede that
an individual may understand that the telephone company records dialed
telephone numbers; however, he rejected the idea that such an understanding can
give rise to the expectation that:
[T]his information [will] be made available to the public in general, or
the government in particular. Privacy is not a discrete commodity,
possessed absolutely or not at all. Those who disclose certain facts to a bank
or phone company for a limited business purpose need not assume that this
information will be released to other persons for other purposes. [FN149]
Justice Marshall's dissent foreshadows the current concern among privacy
groups about the potential ramifications of Carnivore's ability to impound vast
amounts of information transmitted electronically through an Internet Service
Provider. [FN150] Justice Marshall wrote:
Privacy in placing calls is of value not only to those engaged in
criminal activity. The prospect of unregulated
governmental monitoring will undoubtedly prove disturbing even to those with
nothing illicit to hide. Many
individuals, including members of unpopular political organizations or
journalists with confidential sources, may legitimately wish to avoid
disclosure of their personal contacts.
Permitting governmental access to telephone records on less than
probable cause may thus impede certain forms of political affiliation and
journalistic endeavor that are the hallmark of a truly free society. [FN151]
If Justice Marshall's and Justice Stewart's assertions that telephone
numbers dialed from an individual's home should be protected by the Fourth
Amendment because of their content hold true, then the truth of these
assertions must redouble in the context of web-site addresses. [FN152] Web-site addresses are far more revealing than telephone numbers;
in fact, web-site addresses are frequently chosen for their descriptive or
suggestive capacities. Law enforcement
officials need look no further than the face of an intercepted web- site
address to make inferences regarding the content of an individual's Internet
destinations. The stream of an
individual's Internet traffic, even observed solely through these addresses, if
pieced together could, as Justice Stewart noted regarding telephone numbers in
Smith, "easily . . . reveal the most intimate details of a person's
life." [FN153]
Because web-site addresses may reveal significantly more substantive
content of an individual's communications than telephone numbers, the pen
register function of Carnivore again raises the issue of what constitutes a
search under the Fourth Amendment. [FN154] Following Smith,
federal courts have held that the installation of a telephone pen register is
not a separate search and consequently, "a separate order is not necessary
when a pen register is used along with an authorized wiretap." [FN155]
Such reasoning, however, if applied to the pen register function of
Carnivore, would allow the government to intrude further into private communications
than the majority opinion in Smith contemplates. The technological advances represented by the Carnivore pen
register function therefore threaten to alter the balance of individual privacy
and law enforcement activity that was established in Smith. Justices Stewart's and Marshall's dissenting opinions may point the
way to the adaptation that is necessary.
Given the far greater substantive content that may be derived from the
Carnivore pen register function, surveillance conducted with this function may
be considered searches, and therefore require further authorization.
V. Conclusion
The existing statutory scheme for the interception of wire and
electronic communications contained in the Electronic Communications Privacy
Act (ECPA) provides a proven framework of checks and balances between the
competing interests of individual privacy protection as developed in Fourth
Amendment jurisprudence and the ability of law enforcement to effectively
investigate and pursue criminal activity.
The terms of the ECPA are readily applicable to Carnivore. Although there are technical differences
between Carnivore and telephonic surveillance devices, Carnivore represents the
Internet equivalent to telephone surveillance devices. Both are equipped to intercept content and
non-content elements of communications.
Therefore, the overarching rationale federal courts have relied upon in
considering telephonicsurveillance should translate, for the most part, to
Carnivore surveillance. A reasonable
expectation of privacy should veil the content of e-mail transmissions in the
same way the content of telephone conversations has been protected. Warrantless interceptions of content-based Internet communications should be
impermissible, just as they are with regard to telephone conversations.
However, an adjustment for the Carnivore pen register function will be
necessary in order to maintain the balance the ECPA struck between individual
privacy and law enforcement activities.
Web-site addresses may reveal far greater substantive content than
telephone numbers; therefore, the Smith Court's conclusion that dialed
telephone numbers are not protected by the Fourth Amendment cannot be applied
to Carnivore pen register searches without modification.
Procedurally, the ECPA adequately restricts the interests of federal law
enforcement by imposing stringent limits upon the scope and the logistics of a
surveillance effort. The strict
interpretation courts have applied to both warrant orders and surveillance
provides an additional layer of protection. The government must demonstrate
substantial exigent circumstances before the safeguards against intrusions from
over-reaching surveillances will be relaxed.
The Internet and e-mail have become inextricably linked to many elements
of life in the United States.
Therefore, it is essential to prevent cyberspace from slipping toward
the brink of lawlessness, where even the cautious and experienced may fall prey
to crime. At the same time, the
government's enhanced ability to conduct surveillance of private communication
will require that courts heed Justice Brandeis' prescient dissent in Olmstead
and apply the Fourth Amendment to new
technology so that the balance of individual privacy and law enforcement is
maintained.
[FNa1]. J.D. Candidate
2002, Rutgers Law School - Newark. The
author would like to thank the staff of the Rutgers Computer & Technology
Law Journal for their editorial assistance.
[FN1]. H.R. Rep. No. 103-827, at 9 (1994), reprinted in 1994 U.S.C.C.A.N. 3489, quoted in Michelle Skatoff-Gee, Changing Techologies and the Expectation of Privacy: A Modern Dilemma, 28 Loy. U. Chi. L.J. 189, 204 (1996). The Communications Assistance for Law Enforcement Act of 1994 was passed with the intention o