Peter A. Crusco (NYLJ/Rick Kopstein)
When I was about 12 years old, my father introduced me to the fine art of numismatics, otherwise known as coin collecting, by giving me a Whitman Roosevelt Dime collectors book. He probably intended that I have a backup plan in case the court I spent most of my time in then—the basketball court—did not work out for me. In order to fill the book’s empty dime slots, you had to get all dimes minted from 1946 through 1964. It was no easy feat. It required regular visits to the local bank branch, waiting in long lines, and exchanging hard earned dollar bills for five dollar rolls of dimes. Then followed the arduous task of cleaning and scrutinizing the coins at home for the special minted markings that would identify that small silver nugget as a thing that was worth more than its face value. That was my pre-Internet world of “currency transactions.” Today, we have digital currencies that are not limited by country or continent, and that may be traded online in “digital wallets,” as referenced in United States v. Ulbricht, 2017 U.S. App. LEXIS 9517 (May 31, 2017).
Last month in Ulbricht, the U.S. Court of Appeals for the Second Circuit upheld the legality of evidence obtained as a result of court-ordered pen registers that federal agents obtained for defendant’s Internet routing data. The evidence provided a key link connecting defendant’s online activity to a massive narco-money laundering Bitcoin criminal enterprise scheme that thrived through a website he created called Silk Road.
The defendant contended that his Fourth Amendment rights had been violated when the government failed to obtain search warrants that required the probable cause standard to obtain the sought after data and instead utilized pen registers under the “Pen/Trap Act,” pursuant to 18 U.S.C. §§3121-27, which requires a much more relaxed standard. See Ashcroft v. al-Kidd, 563 U.S. 731 (2011) (“The Fourth Amendment was a response to the English Crown’s use of general warrants, which often allowed royal officials to search and seize whatever and whomever they pleased while investigating crimes or affronts to the Crown.”). The significance of this ruling in light of established Fourth Amendment jurisprudence will be addressed in this article.
Background and Bitcoins
In February 2015, defendant Ross William Ulbricht was convicted after trial and sentenced to life imprisonment for drug trafficking and other crimes associated with his creation and running of Silk Road, a massive online marketplace whose users primarily purchased and sold illegal goods such as illegal drugs, and services such as providing false identification documents and computer hacking software. Bitcoin, a completely decentralized currency, operating free of nation states and central banks and an anonymous but traceable digital currency, was the exclusive currency that Silk Road accepted and traded in. United States v. Ulbricht, 2017 U.S. App. LEXIS 9517, *3 (May 31, 2017). Ulbricht ran the operation under the covert username Dread Pirate Roberts (DPR). The government contended that between 2011 and 2013, thousands of vendors used Silk Road to sell approximately $183 million worth of illegal drugs, as well as other goods and services, and that Ulbricht acting as DPR earned millions of dollars in profits from the commissions collected by Silk Road on purchases. In October 2013, Ulbricht was arrested, and the government seized the Silk Road servers and shut down the website.
Silk Road operated using the Tor Network, which renders Internet traffic through the Tor browser very difficult to track. After Ulbricht became a primary suspect in the investigation, the government obtained five “pen/trap” court orders pursuant to the federal Pen/Trap Act. The court orders authorized law enforcement agents to collect IP address data for Internet traffic to and from Ulbricht’s home wireless router and other devices that regularly connected to Ulbricht’s home router. An IP address is analogous to a telephone number and reveals the online identity of the communicating device without revealing the communication’s content. The orders did not permit access to the content of Ulbricht’s communications, or geo-locating information, nor did the government seek such access or information. Ulbricht, 2017 U.S. App. LEXIS 9517, at *39, n.29; Cf., People v. Bialostok, 80 N.Y. 2d 738 (1993) (pen register with additional capacity to monitor conversations required an eavesdropping warrant).
Ulbricht contended that the government’s use of his home Internet routing data violated the Fourth Amendment because it helped the government match his online activity with the DPR’s use of Silk Road. He contended he had a constitutionally protected privacy interest in IP address traffic to and from his home and since the government obtained the data without a search warrant that would have necessitated a probable cause finding, the evidence should be suppressed.
Legal Standard and Investigation
After the horrific attacks on Sept. 11, 2001, Congress provided law enforcement with new, enhanced legal tools to aid in investigations. See USA Patriot Act, Pub. L. No. 107-56, signed into law on Oct. 26, 2011. These tools included enhanced authorization for electronic surveillance, access to digital records kept by third-party digital service providers, and upgraded computer surveillance techniques including the pen register and trap trace provisions of the federal code, that is, 18 U.S.C. §§3123(a)(3)(A) and 3127. Those provisions had until then been limited to telephonic communications, such as records of phone numbers dialed from or to the targeted phones. See Stored Communications Act, 18 U.S.C. §§2701-2712, enacted as part of the Electronic Communications Act of 1986 (ECPA); Communications Assistance For Law Enforcement Act (CALEA), 47 U.S.C. §§1001-1021. Even prior to these amendments, pen registers and trap trace surveillance tools were well established in law enforcement circles as reliable and valuable investigative options when investigative targets were telephonically active. United States v. Owen, 621 F. Supp. 1498, 1503 n.2 (E.D. Mich. 1985). The amendments authorized law enforcement to utilize pen register and trap trace devices (see 18 U.S.C. §3122(b)(2) (2017)) on computer communications, that is, packet switched data networks of a provider of electronic communications service to the public, which included not only dialing and signaling information data from smart phones but also routing and addressing data transmitted by an instrument or facility from which a wire or electronic communication was/is transmitted, provided, however, that such information did not include the contents of any communication.
Under the federal Pen/Trap Act, a government attorney may make an application for an order authorizing or approving the installation and use of a pen register or trap and trace device to a court of competent jurisdiction. A pen register is defined as a device or process that records or decodes dialing, routing addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, and “shall not include the contents of any communication.” 18 U.S.C. 3127(3); see also N.Y.S. C.P.L. Article 705. A “trap and trace” device is a device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, and signaling information reasonably likely to identify the source of a wire or electronic communications. 18 U.S.C. 3127(4); see also N.Y.S. C.P.L. Article 705. Trap and trace devices do not capture the “contents of any communication.”
The Pen/Trap statute does not require a search warrant for the use of a pen register or trap and trace device, and does not demand a showing of probable cause that a crime is being committed through use of the phone. Instead, the statute only requires that the application by the government contain a “certification” that the information likely to be obtained by its employment is relevant to an ongoing criminal investigation. 18 U.S.C. 3122(b)(2). Ulbricht claimed that the pen/trap orders violated the Fourth Amendment because he had a reasonable expectation of privacy in the IP address routing information that the order allowed the government to collect. The government conceded that Ulbricht had standing to pursue his Fourth Amendment arguments on appeal. Ulbricht, 2017 U.S. App. LEXIS 9517, *36 n.28 (May 31, 2017).
The fundamental purpose of the Fourth Amendment of the U.S. Constitution “is to safeguard the privacy and security of individuals against arbitrary invasions by government officials.” Camara v. Mun. Ct., 387 U.S. 523, 528 (1967). The Fourth Amendment provides in relevant part that “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated … .” U.S. Const. 4th Amend. The Fourth Amendment does not guarantee against all searches and seizures, only those that are unreasonable. See United States v. Sharpe, 470 U.S. 675, 682 (1985). In order for the protection of the Fourth Amendment to be invoked under the Katz test, an individual asserting a violation thereof must satisfy its twofold requirements: first, that the person has exhibited an actual (subjective) expectation of privacy and second, that the expectation be one that society is prepared to recognize as “reasonable.” Katz v. United States, 389 U.S. 347, 361 (1967). In determining whether an expectation of privacy is reasonable, one must look to “a source outside of the Fourth Amendment, either by reference to concepts of real or personal property law or to understandings that are recognized and permitted by society.” See, e.g., Rakas v. Illinois, 439 U.S. 128, 144 n.12 (1978). The Katz test has become the touchstone of Fourth Amendment analysis. The Fourth Amendment does not protect the merely subjective expectation of privacy, but only those “expectations that society is prepared to recognize as reasonable.” Katz, 389 U.S. at 360; Oliver v. United States, 466 U.S. 170, 177 (1984) (there is no reasonable expectation of privacy in an open field).
One factor in determining whether expectations of privacy are reasonable is “our societal understanding that certain areas deserve the most scrupulous protection from government invasion.” See, e.g., Hudson v. Palmer, 468 U.S. 517, 526 (1984) (determining that society is not prepared to recognize as legitimate any subjective expectation of privacy that a convicted prisoner might have in his prison cell). In the Ulbricht opinion, authored by Judge Gerard E. Lynch, the court opined that the U.S. Supreme Court has long held that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties, including phone numbers dialed in making telephone calls and captured by a pen register (citing Smith v. Maryland, 442 U.S. 735, 743-44 (1979)). Phone users typically know that they must convey numerical information to the phone company and the phone company records this information for a variety of legitimate business purposes. Similarly, the court reasoned that Internet users should know that third-party equipment is used in order to engage communications, and that directing the routing of information and IP addresses is not merely passively conveyed through third-party equipment, but rather voluntarily turned over in order to direct the third-party servers.
The Second Circuit rejected Ulbricht’s contention that modern technology’s capability to entrust “great quantities of information to third-party vendors” makes extensive government surveillance possible, which therefore requires the re-evaluation of the Smith v. Maryland third-party doctrine, a view advanced in the concurring opinion of Justice Sonia Sotomayor in United States v. Jones, 565 U.S. 400, 417-18 (2012). Instead, Second Circuit determined that it remained bound by the third-party doctrine, “until and unless it is overturned by the Supreme Court.” United States v. Ulbricht, 2017 U.S. App. LEXIS 9517 at *37. The Second Circuit therefore joined the Third, Fourth, Sixth and Eighth Circuits that have held that collecting IP address information devoid of content is “constitutionally indistinguishable from the use of a pen register.”
The “third-party doctrine” was first articulated in the pre-digital world of 1979 in the U.S. Supreme Court case, Smith v. Maryland, 442 U.S. 735, 742-45 (1979) (defendant did not have a reasonable expectation of privacy in the numbers he had dialed from his telephone, because he voluntarily conveyed that information to his cellular telephone company when he placed the calls); Cf., United States v. Jones, 132 S. Ct. 945 at 955 (2012) (Sotomayor, J., concurring). There the high court held that a defendant did not have a reasonable expectation of privacy in the telephone numbers he dialed, even after that information was automated by the telephone company, or as the court stated, “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” Smith v. Maryland, 442 U.S. at 743-44; see also United States v. Miller, 425 U.S. 435, 442-44 (1976) (a bank customer had no reasonable expectation of privacy in financial information that he voluntarily conveyed to the bank for it to use in the ordinary course of business). Similarly, the Sixth Circuit in 2012 in United States v. Skinner, 690 F.3d 772 (6th Cir. 2012) cert. den. 133 S. Ct. 2851 (2013), compared cell phone technology to giving the numbers to a telephone operator, where they would not be confidential.
In 2012, the U.S. Supreme Court in United States v. Jones, 132 S. Ct. 945, 955- 957 (2012) (Sotomayor, J., concurring, opining that, in this digital age “it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.”), invalidated the warrantless use of a GPS device on defendant’s automobile. There, the police secretly placed a GPS tracking device on defendant’s vehicle, which was found to be a physical intrusion into a constitutionally protected area as per the “trespassory test.” The court also opined that such test provides little guidance in cases of “electronic or other modes of surveillance that do not depend upon a physical invasion on property.” For those cases, Katz would continue to apply. The court also stated that situations involving merely the transmission of electronic signals without trespass would remain subject to the Katz analysis.
In New York state, the third-party doctrine enunciated in Smith v. Maryland was followed by the New York State Court of Appeals in People v. Guerra, 65 N.Y.2d 60, 63-64 (1985); but see People v. Weaver, 12 N.Y.3d 433, 445 (2009) (court expanded New York’s constitutional protections in holding that the state Constitution, Article 1 §12, the analog to the Fourth Amendment, prohibits the government’s use of a GPS tracking device to monitor an automobile’s movements in the absence of exigent circumstances without a warrant). New York’s version of the federal Pen/Trap statute, C.P.L. Article 705, has specific statutory elements and requires a court order satisfying the standard of reasonable suspicion. C.P.L. §705.10(2).
The Second Circuit’s decision upholding the third-party doctrine was issued while intense debate over that doctrine continues, as reflected in various state and federal court decisions in similar or analogous circumstances. For instance, some courts have decided that the doctrine is wholly inapplicable to cell phone location information finding that the telephone subscriber does not “voluntarily convey” their location information to their own cellular service provider in the sense that one first identifies a discrete item of information or data point like a telephone number or a check or deposit slip and then transmits it to the provider. Other courts have rejected the third-party doctrine, finding instead that their own state constitutions provide their citizens with greater privacy protections, and that the cell phone service provider’s ability to access cell site location information did not “translate into a waiver of an expectation of privacy.” Pennsylvania v. Rushing, 2013 Pa. Super. 162 (2013) (warrant required to track defendant’s cell phone under court’s interpretation of State constitution); State v. Earls, 214 N.J. 564, 587 (2013) (rejecting the third-party doctrine); Commonwealth v. Augustine, 467 Mass. 230 (2014) (holding that the state generally must obtain a warrant before acquiring a person’s historical cell site location information records); Tracey v. Florida, 152 So. 3d 504 (2014) (court determined that when police obtained a trap and trace order without a warrant satisfying the higher standard of probable cause they violated the Fourth Amendment. The trap and trace devices used in Tracey provided police with real time cell site location information); But see State v. Rodriguez, 2017 R.I. Super. LEXIS 89 (May 30, 2017) (third-party doctrine followed; no expectation of privacy in IP address).
Ulbricht is yet another example of why courts proceed with care when considering changes, however slight, to the Fourth Amendment’s concept of privacy expectations in communications and records in the digital age. See City of Ontario, Cal. v. Quon, 560 U.S. 746, 759 (2010) (courts may risk “error by elaborating too fully on the Fourth Amendment implications of emerging technology before its role in society has become clear.”).