In 2016, Edward Soybel, a disgruntled former employee, began carrying out cyberattacks against his former employer, WW Grainger, Inc. (Grainger), an industrial supply company. One of Grainger’s main service offerings, KeepStock, uses large database tables stored on Grainger’s computers to help its customers track their inventory. By remotely logging into KeepStock and deleting millions of records, Soybel effectively rendered KeepStock useless for several days until Grainger was able to restore the data.
Grainger called the FBI, who determined that the IP address from which the attacks were carried out belonged to the main router used for all Internet traffic out of the large Chicago apartment building in which Soybel resided. To identify which unit in the building had generated the attacks, the FBI had to get information from the master router itself, so they sought to place two trackers: one to track the IP addresses accessed by the master router, and another to track which IP address the Soybel unit is being accessed at (like the seventh circuit, we’ll call these two devices collectively a “pen register”). After showing that the IP address information was “relevant to an ongoing investigation”, the FBI obtained a Pen Registry Act order and installed the Pen Registry.
By correlating the timing of IP address data derived from the pen log, but without having access to the contents of the transmissions, the FBI determined that the attacks emanated from Soybel’s unit. Soybel was arrested and charged with 12 counts of violating the Computer Fraud and Abuse Act and was ultimately found guilty by a jury out of the 12. On appeal, Soybel argued that the use by the FBI’s warrantless pen registry, which would have required the government to show probable cause rather than simply that the information was “relevant” to an investigation, violated his Fourth Amendment rights. In a September 8, 2021 opinionthe Seventh Circuit rejected this argument and upheld Soybel’s conviction.
Soybel based his appeal on the Supreme Court’s landmark Fourth Amendment ruling Carpenter v. United States, 138 S.Ct. 2206 (2018), which was issued while Soybel’s charges were pending. In Carpenter, the Court ruled unconstitutional a legislative scheme that allowed access to historical cell-site location information (CSLI) by court order and without a warrant, similar to the Pen Register Act. Soybel argued that the Pen Registry evidence should have been removed because the IP information was sufficiently similar to that of the CSLI in Carpenter that a warrant was also needed. The Seventh Circuit was unconvinced.
The court began by noting that not all investigative techniques constitute searches subject to Fourth Amendment scrutiny. The Fourth Amendment provides no protection for information that an individual “knowingly exposes to the public,” a principle known as the “third party doctrine.” See Katz v. United States, 389 U.S. 347, 351 (1967). In Smith v. Maryland, 442 U.S. 735 (1979), the Supreme Court applied this doctrine to allow law enforcement to install a pen log to track a landline’s telephone call history, pursuant to the Pen Register Act, on the grounds that a telephone user voluntarily discloses the numbers they dial (as opposed to the content of their conversation) to the telephone company, a third party, as part of the dialing process. Prior to Carpenter, circuit courts had always held that discovering IP addresses through pen registries on Internet routers was as constitutional as discovering telephone numbers in the same way. the soy The court followed these precedents, explaining that “technological differences do not necessarily lead to constitutional differences”.
In soythe Seventh Circuit joined three other circuits in concluding that Carpenter did not change this conclusion. The court noted that the CSLI data at issue in Carpenter differed materially from Soybel’s intellectual property data because, as the Supreme Court had explained, CSLI’s data revealed “the whole of [Carpenter’s]physical movements” and created “a complete record of the phone holder’s whereabouts. . . [for] every moment, for several years.”
For the Seventh Circuit, these “unique characteristics” of CSLI are not found in the IP address data: the government had not accessed information about Soybel’s movements, but simply learned which websites someone in Soybel’s apartment had accessed and when. Even though the IP Pen Registry had incidentally captured sensitive information such as visits to political or dating websites, the government could not access any content from those visits or even confirm who had accessed the sites. And unlike the historical CLSI data in Carpenter, the government could not access IP data from before the Pen Registry was installed. Finally, while the CSLI is collected passively every time a cell phone is turned on, a user must act affirmatively to visit a website (or to remotely delete tons of data from a former employer, as the case may be). ) to generate IP data.
For all these reasons, the court held that “an IP pen registry is analogous in all material respects to a traditional telephone pen registry”, and Soybel therefore had no reasonable expectation of confidentiality in the data collected by the register.
As discussed in a recent App Edge post, the federal circuit courts are in the process of answering a variety of questions that the Supreme Court left open in Carpenter. soy is another piece of this puzzle. Entities that collect CSLI history have received some clarity from Carpenter on the information not fair game to government investigators without a warrant. But entities that collect other forms of potentially sensitive data, such as IP data here or location data generated by Internet of Things devices and consumer wearables, still face some uncertainty at Following Carpenter what information about an individual’s activities raises a reasonable expectation of privacy and therefore requires a collection warrant. We discussed some considerations for businesses operating in this space earlier this year. Companies that collect or process such data for EU residents should also consider the impact of these rulings on their obligations under the GDPR afterSchrem II to challenge certain law enforcement data requests.
With its decisions in soy and Hammondthe seventh circuit, at least, signaled its inclination to the cabin Carpenter. However, the soy the court highlighted certain factors which may, under Carpenter, weigh in favor of requiring a warrant-if the information collected is retrospective, if it is specific to a single individual, if it involves universal location tracking, and if it is ubiquitous in modern life. Only the last of these factors favored the defendant in soyand the court immediately found it insufficient to require the suppression of the evidence.
Courts will likely continue to wrestle with Fourth Amendment problems arising from lawsuits based on digital data collected without a warrant. We will keep you posted.
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.