Police Blotter: Judge rejects Feds' attempts to snoop on touch tones

The Justice Department says it doesn't need to a wiretap order to extract touch tones from telephone calls in progress. A federal judge says otherwise.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
6 min read

Police Blotter is a regular CNET News report on the intersection of technology and the law.

What: Feds want to eavesdrop on touch tones pressed during phone calls without obtaining a court-authorized wiretap order first.

When: U.S. Magistrate Judge James Orenstein in the Eastern District of New York rules on December 16, 2008.

Outcome: Surveillance request rejected.

What happened, according to court records and other documents:
Just about everyone knows that the FBI must obtain a formal wiretap order from a judge to listen in on your phone calls legally. But the U.S. Department of Justice believes that police don't need one if they want to eavesdrop on what touch tones you press during the call.

Those touch tones can be innocuous ("press 0 for an operator"). Or they can include personal information including bank account numbers, passwords, prescription identification numbers, Social Security numbers, credit card numbers, and so on--all of which most of us would reasonably view as private and confidential.

That brings us to New York state, where federal prosecutors have been arguing that no wiretap order is necessary. They insist that touch tones cannot be "content," a term of art that triggers legal protections under the Fourth Amendment.

On June 11, 2008, U.S. Magistrate Judge James Orenstein denied prosecutors' request to obtain in-call touch tones, a denial that the Justice Department appealed to a district judge. After being asked for more information, prosecutors said that they would configure their wiretap gear not to record in-call touch tones received from the wireless provider, presumably using tone-detection equipment. (In industry lingo, in-call touch tones are called "post-cut-through dialed digits," or PCTDD, and the government's request is called a pen register.)

That was enough for U.S. District Judge Nicholas Garaufis to approve the idea on November 26.

Probably thinking that ruling would be the last word on the topic, the Justice Department came back on December 16 for what was supposed to be a routine pen register request. It would let federal agents receive all phone numbers dialed by a suspect. A pen register is easy to get; all the Feds have to do is claim it's possibly "relevant" to an ongoing investigation.

The case happened to be referred to Orenstein, who was working with a different district judge this time, and concluded he didn't have to follow Garaufis' opinion because it was not binding precedent. Orenstein rejected the government's request.

This isn't the first time that the Justice Department has expressed a keen interest in post-call touch tones, and claimed it didn't need a wiretap order to obtain them. In 2007, Police Blotter covered yet another judge--also in the Eastern District of New York--rejecting the warrantless surveillance request. Two years earlier, Police Blotter revealed that the Justice Department believed that pen register orders could also be used to track mobile phones.

The FBI and other police agencies have always liked access to lists of numbers dialed; knowing who's talking to whom at a particular time can be almost as good as knowing what they're saying.

The debate is really over the in-call touch tones, and it dates back to at least 1994, when FBI director Louis Freeh was lobbying Congress to expand wiretap laws. Here's an excerpt from a hearing:

Sen. Patrick Leahy (D-VT): You say this would not expand law enforcement's authority to collect data on people, and yet if you're going to the new technologies, where you can dial up everything from a video movie to do your banking on it, you are going to have access to a lot more data, just because that's what's being used for doing it.

FBI Director Louis Freeh: I don't want that access, and I'm willing to concede that. What I want with respect to pen registers is the dialing information, telephone numbers which are being called, which I have now under pen register authority. As to the banking accounts and what movie somebody is ordering in Blockbuster, I don't want it, don't need it, and I'm willing to have technological blocks with respect to that information, which I can get with subpoenas or other process. I don't want that in terms of my access, and that's not the transactional data that I need.

That was then. Now the Justice Department claims it does want it, does need it, and is unwilling to go through the trouble of obtaining a wiretap order--but without publicly saying why. The court documents aren't helpful; Judge Orenstein's order last month was actually redacted and the requests are filed under seal.

Which invites speculation: Are police most interested in voicemail passwords? Online banking logins? Regulatory proceedings from almost a decade ago suggest that police were especially interested in the digits pressed after using an 800 number to reach a long distance carrier.

Excerpt from U.S. Magistrate Judge James Orenstein's opinion:
I find that proposal insufficient for the following reason. The pen register statute does not merely forbid the government as such from decoding content such as PCTDD; if it did, I would agree that the government's proposal is workable. Rather, the statute also makes it unlawful for a pen register itself to record the contents of a communication.

The government explicitly seeks authorization to have its agents install and use, or cause to be installed and used, a device or process that will record all dialing, routing, addressing, and signaling information but that will only exclude the decoding of any PCTDD within such information. Thus, as a result of the orders the government would have me issue, agents of the government (or employees of a service provider, acting at their behest) would install and use a device or process to record the contents of communications. In doing so, they would be using a device or process that cannot be considered a "pen register," and would thereby violate the law. That the same agents, or others acting on their behalf, would somehow later delete the portion of the recording that constituted the contents of the communication would not serve to undo the already completed unlawful act, nor would it retroactively transform something that was not a pen register into something that was.

I emphasize that my basis for denying the requested relief in part is a narrow matter of statutory interpretation. I see no constitutional difficulty with allowing the government to obtain the information it seeks to use for investigative purposes by means of a device or process that would qualify as a pen register but for the fact that, during the collection process, PCTDD information is initially recorded and then quickly deleted. Nor do I mean to convey a belief that Congress would or should, if presented with the issue, do anything other than endorse the methodology the government proposes. However, Congress has taken great care to establish a finely calibrated statutory regime to regulate various forms of electronic surveillance; to the extent that I cannot reconcile an otherwise seemingly appropriate surveillance technique with the relevant statutory provisions, I conclude that I must leave it to Congress to change the law rather than accept the government's implicit invitation to do so.

For the reasons set forth above, I grant the government's application only to the extent that the relevant service provider would in any event record the relevant post-cut-through dialed digits for its own purposes and only to the extent that the provider is able to delete such information before disclosing any other dialing, routing, addressing, or signaling information to the government. To the extent that the provider would not in any event record post-cut-through dialed digits without the requested orders, or is unable to delete all such information from the dialing, routing, addressing, and signaling information it would disclose to the government, I deny the government's application.