Sunstein Insights

Cyber-criminals Beware: Governmental Surveillance of Suspects Does Not Always Require a Warrant

A search warrant is not required for law enforcement to use pen registers to record the IP addresses visited by a criminal suspect, a federal appeals court recently held. This follows a 1979 Supreme Court case, Smith v. Maryland, which held that warrants were not required to use pen registers to record the telephone numbers dialed by criminal suspects on landline telephones. A pen register is a surveillance device that captures phone numbers dialed from a specific phone line.

United States v. Soybel was set in motion by a series of cyberattacks faced by W.W. Grainger, Inc. in 2016. Grainger, an industrial supplies provider, was able to pinpoint the apartment building of a disgruntled former employee, Edward Soybel, as the source of the attacks. To confirm that the attacks came from Soybel’s apartment unit in particular, the FBI applied for, and was granted, an order under the Pen Register Act, which requires a showing that the information sought was “relevant to an ongoing criminal investigation into computer crimes.” By contrast, a warrant would have required a finding of probable cause, setting a higher evidentiary threshold for the police.

The court order authorized the installation of pen registers and ‘trap and trace’ devices to monitor internet traffic in and out of the building generally and Soybel’s unit specifically. The data collected included the IP addresses of the websites visited by internet users within Soybel’s apartment. The pen registers revealed that Soybel’s private internet protocol (IP) address attempted to connect to Grainger’s systems 790 times between September and November 2016. In the trial court, Mr. Soybel was indicted on 12 counts of violating the Computer Fraud and Abuse Act. As the appeals court described it, the pen registers were “instrumental in confirming that Soybel unlawfully accessed Grainger’s system.” Soybel moved to suppress the pen register evidence at trial, but the motion was denied.

On appeal to the Seventh Circuit, Soybel argued that use of the pen registers violated his Fourth Amendment right against an unreasonable search, citing the Supreme Court’s 2018 decision in Carpenter v. United States, holding that a warrant was necessary to obtain cell tower location information pertaining to an individual’s cell phone.

The Seventh Circuit found that the use of pen registers was more similar to the original pen register case, Smith v. Maryland, than to Carpenter v. United States. The collection of historical cell-site information at play in Carpenter involved, said the court, “unique privacy interests that are absent here,” such as a detailed record of the locations where a person had carried his phone.

One fact supporting this analysis is that, while IP pen registers can detect the IP addresses reached from a specific phone line, the order in Soybel was limited to collecting information solely regarding whether Soybel accessed Grainger’s systems in particular. The Seventh Circuit noted that IP pen registers do not collect information about an individual’s past activities, unlike the historical cell-site information obtained in Carpenter.

The fact that Soybel had voluntarily conveyed IP-address information to third parties, notably his internet service provider, was also significant to the court. Unlike the ordinary user of a cellphone, who opens himself up to tracking without any affirmative act on his part, Soybel took the affirmative step of connecting to Grainger’s servers remotely.

While this case involved newer technology than the Supreme Court considered in 1979, the information obtained was not very different from what was obtained in Smith, and the pen registers did not reveal nearly the same level of information provided by historical cell-site information. The information obtained from the pen registers was also routed through a third party. The Seventh Circuit’s decision makes a good deal of sense in light of Smith.

This case solidifies a company’s ability, through the efforts of the FBI, to track down malicious actors who access its computer systems without authority. Soybel was convicted of violations of the Computer Fraud and Abuse Act on the basis of evidence gathered without a warrant. The appeals court makes it clear that the Supreme Court’s requirement (in Carpenter) of a warrant for cell tower location information will not support a legal challenge to evidence of internet activity gathered by pen register.
