The Volokh Conspiracy

computer pen-register case; the Court very helpfully amended the opinion today to clarify that the surveillance program was installed at the ISP's connection facility rather than on the individual's personal machine.

I don't think this clarification helps individuals. If the URL capturing happened on the suspects computer there might be something they could do to make such a process more difficult. If this process is done at the ISP their only recourse is to use a secured proxy.

The idea that capturing your URL requests is like a pen register is a false one from a technical perspective because their is much more detailed information contained in URLs than there is in a phone number or physical address. This includes all of your Google search request terms, and many website logins and passwords. These are the sort of details that would be on the inside of a letter rather than on the outside.

The court's decision refers to IP addresses but it is unclear to me from the decision if the IP address they refer to is really that--just the IP address of the root server of the website he visited--or, more likely, the IP address and the subfolders, database request or login information that is often submitted as part of a web-page request.

Scote:

Footnote 6 of the opinion responds to your concerns:

Surveillance techniques that enable the government to determine not only the IP addresses that a person accesses but also the uniform resource locators (“URL”) of the pages visited might be more constitutionally problematic. A URL, unlike an IP address, identifies the particular document within a website that a person views and thus reveals much more information about the person's Internet activity. For instance, a surveillance technique that captures IP addresses would show only that a person visited the New York Times’ website at http://www.nytimes.com, whereas a technique that captures URLs would also divulge the particular articles the person viewed. See Pen Register Application, 396 F. Supp. 2d at 49 (“[I]f the user then enters a search phrase [in the Google search engine], that search phrase would appear in the URL after the first forward slash. This would reveal content . . . .”).

I wrote a longer post, but deleted it after further thought. I am okay with this decision to the extent that a federal pen register can only "to/from addresses of his email messages, the Internet protocol ("IP") addresses of the websites that he visited and the total volume of information transmitted to or from his account. As to the second one of those three, I am seriously concerned about the privacy implications, and disagree with normatively, but Smith v. Maryland is still good law and binding upon Judge Fisher. However, you had indicated in a previous post that this factual assertion is not correct (in theory, if not in practice in that case). If not, I still have a number of objections based on what would be an overextention of Smith v. Maryland.

I trust some readers are thinking that even if the court's decision is correct as a matter of Fourth Amendment law, the result is still troubling as a matter of policy.

I agree that the patch to the court's opinion is very welcome.

As a matter of my own over-riding policy, I'm much happier to have been wrong about some of the facts in this case, and to have been wrong about the correct interpretation of the Ninth Circuit's original opinion, than I would have been to let such a potentially outrageous precedent go without comment.

Further, just in case anyone was offended by my earlier characterization regarding the mental state of three distinguished judges, then I apologize.

But, I'm still not entirely convinced that the updated opinion is correct as a matter of Fourth amendment law.

As the Ninth Circuit noted (p.9060), Justice Blackmun's opinion in Smith v Maryland rested on the basis:

Telephone users, in sum, typically know that they must convey numerical information to the phone company; that the phone company has facilities for recording this information; and that the phone company does in fact record this information for a variety of legitimate business purposes.

I'd agree that internet users obtaining internet protocol (IPv4) service from an internet service provider (ISP) should be charged with the knowledge that an IPv4 packet header conveyed to an IPv4 router must be interpreted by that router. The router needs to examine—at the very least—the IP protocol field (check for v4) and the destination IP address.

But IPv4 routers don't handle mail at the (E)SMTP level. And there's no general requirement that an internet user must use the same provider for IPv4 service and e-mail service.

Further, various IP-over-IP tunneling protocols are in common use today. And, as the Internet transitions to IPv6, more tunneling will be necessary. An IPv4 router only needs to examine the outermost IPv4 packet header. Everything else is content.

An order authorizing the collection of information equivalent to a POTS pen register trap/trace, by means of a mirror port on a layer 3 switch ("routing switch") or on a router, should only cover the outermost IP packet header. Otherwise, you're stretching the basic facts of Smith beyond reasonable recognition.

There isn't a one to one relationship between IP addresses and servers, websites, what have you. Even if we add port numbers, things don't improve much.

Hi all!
Find a real sex partner for [url=http://realpartner.bravehost.com/]tonight[/url]
http://realpartner.bravehost.com
Good luck