Brief of Amicus Curiae of CEI, Cato Institute, Reason Foundation et al. in Ulbricht v. United States

View Full Document as PDF

When the government uses a “pen/trap” device without a warrant to collect the Internet Protocol (“IP”) addresses associated with a citizen’s Internet browsing over time, it is conducting an unreasonable seizure, so this practice generally violates the Fourth Amendment.[1] This brief aims to demonstrate why various assumptions underlying Fourth Amendment doctrine do not apply to the warrantless seizure of data revealing the IP addresses a citizen visits while using the Internet. 

In particular:

1. The Second Circuit’s decision, like other recent decisions, applied Fourth Amendment “third party doctrine” to a pen/trap’s collection of IP addresses visited during Internet browsing. This doctrine arose from the theory that when one discloses illegal activity to a third party, they “assume the risk” that the third party will disclose that illegal behavior to the government. Along the way, the theory was generalized to say that disclosure of any information, legal or illegal, to a third party assumes the risk of a subsequent disclosure to the government.

Inherent in the concept of assumed risk, however, is the notion of choice: one must choose whether to disclose the information if they can fairly be said to assume any risk. That assumption is lacking, however, when it comes to whether to use the Internet and thereby disclose your browsing history to an Internet service provider. Using the Internet is a necessity of modern life for any citizen hoping to participate as a functioning member of society. Surely the third party doctrine has been stretched beyond its limit when engaging in such a necessity of life is said to constitute a conscious “choice” to disclose information to a third party, and that such disclosure “assumes the risk” that the government will force the third party to hand it over.

2. The Second Circuit likewise relied on the so-called “content/non-content” distinction underlying Fourth Amendment doctrine in concluding that no search or seizure occurred here. Because, in its view, “routing” information revealed in an IP address does not reveal “content,” the Fourth Amendment is not implicated. But this superficial approach ignores reality: an IP address is readily converted to a particular website, which reveals at least some of the “content” a citizen is viewing on the Internet. A particular website may have many pages, in which case an IP address alone may not reveal precisely all of the content a person viewed at a website, but that does not mean the IP address reveals zero content. Yet that appears to be the conclusion reached in the court below. 

            Finally, we briefly review the statutory scheme authorizing pen/trap seizures to demonstrate that (a) the judicial oversight of government pen/trap applications is ministerial, (b) the statute authorizes essentially any federal or state agency conducting a criminal investigation to obtain such an order, and (c) the scope is incredibly broad both as to subject matter and time. In short, the process is no substitute for a warrant.

Amici agree with Petitioner’s suggestion that this case should, at a minimum, be held pending the decision in Carpenter v. United States, cert. granted, No. 16-402 (argued Nov. 29, 2017) (historical cell site location data). Yet this case presents its own unique issues and compelling reasons for review.

BRIEF BACKGROUND ON THE  RELATIONSHIP BETWEEN  IP ADDRESSES AND WEBSITES

When the government engages in pen register and trap-and-trace surveillance, it gathers, among other things, the IP addresses that the monitored citizen visits and the outgoing and incoming Internet routing data for a person’s e-mail and other communications. See United States v. Ulbricht, 858 F.3d 71, 83 (2d Cir. 2017) (“The [pen/trap] orders authorized law enforcement agents to collect IP address data for Internet traffic to and from Ulbricht’s home wireless router and other devices that regularly connected to Ulbricht’s home router.”).

This brief focuses, in particular, on the government’s collection of IP addresses. In many cases, it is a simple matter to convert an IP address into a website. Say, for example, a pen register captures a citizen viewing IP address 141.105.69.239. Government agents can copy and paste that address into any number of free online databases and learn, instantaneously, that the citizen is looking at the WikiLeaks website, while a person viewing 35.162.89.225 is looking at Reason.org.^[2]

To be sure, knowing only an IP address associated with a website does not allow the government to know exactly which web pages within the particular website a citizen visits, each of which has its own Uniform Resource Locator (“URL”). But the government can still learn a substantial amount about a person’s web browsing simply from the home pages she visits.

While the government appears to take the position that in extreme cases it can obtain a complete web browsing history, including every page (URL) visited, see U.S. Dep’t of Justice, U.S. Attorneys’ Manual § 9–7.500, multiple courts have acknowledged that government seizure of that data would raise serious Fourth Amendment concerns. United States v. Forrester, 512 F.3d 500, 510 n.6 (9th Cir. 2008) (“Surveillance techniques that enable the government to determine not only the IP addresses that a person accesses but also the [URL] of the pages visited might be more constitutionally problematic.”); In re Application of United States for an Order Authorizing Use of a Pen Register & Trap, 396 F. Supp. 2d 45, 49 (D. Mass. 2005). That sort of seizure would also plainly violate 18 U.S.C. § 3127(3) and (4), which prohibit the government from obtaining the “contents” of any communication gathered in a pen/trap data seizure. See below, Section III.

Because the government is doubtless aware that there is no Fourth Amendment justification for the warrantless collection of a complete browsing history of every web page a citizen visits, it appears to generally limit its pen/trap data seizure to IP addresses. In other words, the Court is not likely to face a case that raises the issue of warrantless seizure of Internet browsing history in any starker terms than this case.

ARGUMENT

This case asks the Court to once again grapple with how to reconcile the Fourth Amendment’s guarantee against unreasonable searches and seizures with advancements in technology. See, e.g., Kyllo v. United States, 533 U.S. 27 (2001) (thermal imaging); United States v. Jones, 565 U.S. 400 (2012) (GPS tracking); Riley v. California, 134 S. Ct. 2473 (2014) (search of digital information on a cell phone). In Carpenter, an amicus group heavily overlapping with this one argued for application of the Fourth Amendment’s text and recognition of property rights in data to resolve the issues in cases like this one. Here, we illustrate how fraught it is to use “reasonable expectation of privacy” doctrine and particularly its derivative, the third-party doctrine.[3]

The Court has long recognized that technological advancements shape societal expectations of privacy. “Rapid changes in the dynamics of communication and information transmission are evident not just in the technology itself but in what society accepts as proper behavior.” City of Ontario v. Quon, 560 U.S. 746, 759 (2010). This dynamic relationship thus shapes both privacy expectations and “the degree to which society will be prepared to recognize those expectations as reasonable.” Id. at 759–60.

Read the full brief here