Still "Penned" In: Seventh Circuit Holds IP Address Pen Register Orders Still Constitutional After Carpenter
In 2016, Edward Soybel, a disgruntled former employee, began perpetrating cyberattacks against his former employer, W.W. Grainger, Inc. (Grainger), an industrial supply company. One of Grainger’s key service offerings, KeepStock, uses large database tables stored on Grainger’s computers to help its customers keep track of their inventory. By remotely logging into KeepStock and deleting millions of records, Soybel effectively rendered KeepStock useless for several days until Grainger was able to restore the data.
Grainger called in the FBI, which determined that the IP address from which the attacks had been perpetrated belonged to the master router used for all outgoing internet traffic from the large Chicago apartment building in which Soybel resided. To identify which unit in the building had generated the attacks, the FBI had to obtain information from the master router itself, so it sought to place two tracking devices: one to track what IP addresses the master router accessed, and another to track what IP addresses Soybel’s unit accessed (like the Seventh Circuit, we’ll refer to these two devices collectively as a “pen register”). After showing that the IP address information was “relevant to an ongoing investigation,” the FBI obtained an order pursuant to the Pen Register Act and installed the pen register.
By correlating the timing of the IP address data derived from the pen register—but without having access to the contents of the transmissions—the FBI determined that the attacks had emanated from Soybel’s unit. Soybel was arrested and charged with 12 counts of violating the Computer Fraud and Abuse Act and ultimately was convicted by a jury on all 12. On appeal, Soybel argued that the FBI’s use of the pen register without a warrant, which would have required the government to show probable cause rather than just that the information was “relevant” to an investigation, violated his Fourth Amendment rights. In a September 8, 2021 opinion, the Seventh Circuit rejected this argument and affirmed Soybel’s conviction.
Soybel grounded his appeal in the Supreme Court’s landmark Fourth Amendment decision Carpenter v. United States, 138 S. Ct. 2206 (2018), which issued while Soybel’s charges were pending. In Carpenter, the Court held unconstitutional a statutory scheme that permitted access to historical cell site location information (CSLI) by court order and without a warrant, similar to the Pen Register Act. Soybel argued that the evidence from the pen register should have been suppressed because the IP information was sufficiently similar to the CSLI in Carpenter that it likewise required a warrant. The Seventh Circuit was not persuaded.
The court began by noting that not all investigative techniques constitute searches subject to Fourth Amendment scrutiny. The Fourth Amendment provides no protection for information an individual “knowingly exposes to the public,” a principle known as the “third-party doctrine.” See Katz v. United States, 389 U.S. 347, 351 (1967). In Smith v. Maryland, 442 U.S. 735 (1979), the Supreme Court applied this doctrine to permit law enforcement to install a pen register to track a landline’s phone call history, pursuant to the Pen Register Act, on the basis that a phone user voluntarily discloses the numbers she dials (as opposed to the contents of her conversation) to the phone company, a third party, as part of the dialing process. Prior to Carpenter, the circuit courts consistently had held that discovering IP addresses through pen registers on internet routers was as constitutional as discovering phone numbers in the same manner. The Soybel court followed these precedents, explaining that “technological differences don’t necessarily beget constitutional ones.”
In Soybel, the Seventh Circuit joined three other circuits in concluding that Carpenter did not change this conclusion. The court noted that the CSLI data at issue in Carpenter were materially different from Soybel’s IP data because, as the Supreme Court had explained, the CSLI data revealed “the whole of [Carpenter’s] physical movements” and created “an all-encompassing record of the phone holder’s whereabouts . . . [for] every moment, over several years.”
To the Seventh Circuit, those “unique features” of CSLI are not found in IP address data: The government had not accessed information regarding Soybel’s movements but rather had merely learned what websites someone in Soybel’s apartment had accessed and when. Even if the IP pen register incidentally had captured sensitive information such as visits to political or dating websites, the government could not access any content from those visits or even confirm who had accessed the sites. And unlike the historical CSLI data in Carpenter, the government could not access IP data from prior to the time it installed the pen register. Finally, while CSLI is collected passively whenever a cell phone is powered on, an internet user must act affirmatively to visit a website (or to remotely delete reams of data from a former employer, as the case may be) to generate IP data.
For all these reasons, the court held that “an IP pen register is analogous in all material respects to a traditional telephone pen register,” and Soybel thus did not have a reasonable expectation of privacy in the data the register collected.
As discussed in a recent Enforcement Edge post, the federal circuit courts are in the process of answering a variety of questions that the Supreme Court left open in Carpenter. Soybel is another piece of that puzzle. Entities that collect historical CSLI received some measure of clarity from Carpenter about what information is not fair game to government investigators without a warrant. But entities that collect other forms of potentially sensitive data, such as the IP data here or location data generated by internet-of-things devices and consumer wearables, still face some uncertainty in the wake of Carpenter about what information about a person’s activities carries a reasonable expectation of privacy and therefore necessitates a warrant to collect. We discussed some considerations for companies operating in this space earlier this year. Companies that collect or process such data for EU residents also have to think about whether and how these decisions impact their obligations under the GDPR post-Schrems II to challenge certain law enforcement requests for data.
With its decisions in Soybel and Hammond, the Seventh Circuit, at least, has signaled its inclination to cabin Carpenter. However, the Soybel court did highlight some factors that may, under Carpenter, weigh in favor of requiring a warrant—if the information collected is retrospective, if it is specific to a single individual, if it involves universal location tracking, and if it is ubiquitous in modern life. Only the last of these factors favored the defendant in Soybel, and the court readily found it insufficient to require the evidence to be suppressed.
Courts are likely to continue wrestling with Fourth Amendment issues arising from prosecutions based on digital data collected without a warrant. We’ll keep you updated.
© Arnold & Porter Kaye Scholer LLP 2021 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.