Pen Register Trap and Trace Template

Home , Pen register, Trap and trace device

3 SUPERIOR COURT OF WASHINGTON FOR SNOHOMISH COUNTY

4 IN THE MATTER OF APPLICATION FOR AN ) ORDER AUTHORIZING INSTALLATION AND ) 5 USE OF A PEN REGISTER AND TRAP AND ) No. TRACE; AUTHORIZING DISCLOSURE OF ) 6 NON-CONTENT STORED AND ) TRANSACTIONAL RECORDS; AND ) APPLICATION 7 ACQUISITION OF HISTORIC RECORDS AND ) DEVICE LOCATION INFORMATION ) 8 ) ) 9 STATE OF WASHINGTON ) 10 ) ss. COUNTY OF SNOHOMISH ) 11

12 being first duly sworn on oath, deposes and says:

13 (1) I am a fully-commissioned, sworn Police Officer with 14 I am currently assigned to: 15

19 (2) I am involved in an ongoing criminal investigation (as detailed in paragraph (4) 20 below) and believe that the information likely to be obtained through the installation and use of a 21 pen register/trap and trace device is relevant to that investigation. 22 (3) This application is based on information I have gained from my own investigation, 23 personal observations, training and experience, as well as information related to me by other

APPLICATION – 1 Revised 08.23.12

1 detectives, police officers, and/or federal agents through oral and written reports. Further, I have

2 reviewed and am familiar with the investigative file in this matter.

3 (4)

18 (5) The suspect's whereabouts are presently unknown. From my training and experience

19 I know that service providers for:

21 retain information pertaining to their subscribers and account-holders. That information

22 typically includes the subscriber’s name, telephone number, email address, billing address,

APPLICATION – 2 Revised 08.23.12

1 billing/payment information, account initiation date, account features, and information pertaining

2 to any other accounts linked to the primary account.

3 (6) Service Provider Specific Facts (Check all that apply):

4 For Mobile/Cellular Telephone:

5 Service for the above-listed target telephone number is provided by the above-identified

6 service provider. The service provider identity was obtained through a query of a publicly-

7 available database that has proven reliable by routinely yielding verifiably accurate information

8 in previously investigations.

9 For Social Media Site/Email Account:

10 Service for the above-listed

11 is provided by the above-identified service provider.

17 (7) Electronic Communications Service Specific Facts (Check all that apply):

18 Cellular network and phone communications:

19 From my training and experience, I know the following:

20 A cellular telephone (cell phone) is a mobile device that transmits and receives wire and

21 electronic communications. These communications can include traditional telephone calls, two-

22 way radio communications, Voice over Internet conversations (VoIP), text, email, peer-to-peer

23 communicati ons, communications using social networking websites, and other communications

APPLICATION – 3 Revised 08.23.12

1 using the Internet. Individuals using cell phones contract with service providers, which maintain

2 antenna towers (also known as "cell towers") and/or satellites covering specific geographic areas.

3 In order to transmit or receive calls and data, a cell phone must send a radio signal to an antenna

4 tower or satellite that, in turn, is connected to a cellular service provider’s network.

5 In addition to a unique telephone number (known in telecom parlance as the Mobile

6 Directory Number, or MDN), each cell phone has one or more unique network or hardware

7 identifiers associated with it. Depending on the particular network and device protocol, the

8 embedded or associated unique identifiers for any given cell phone could take several different

9 forms, such as Electronic Serial Number (ESN) (including 8-digit hex format); Mobile

10 Electronic Identity (MEID), Subscriber Identity Module (SIM) or International Mobile

11 Equipment Identity (IMEI), for hardware; and Mobile Identification Number (MIN); Mobile

12 Station Identity (MSID); Mobile Subscriber Integrated Services Digital Network number

13 (MSISDN). The unique identifiers – as transmitted from a cell phone to a cellular antenna or

14 tower or satellite – are like the telephone numbers. They are unique, can frequently be recorded

15 by pen register or trap and trace or similar devices, and indicate the identity of the cell phone

16 making the communication without revealing the communication’s content. In many cases,

17 users have the autonomous ability to change or “swap” the original, provider-approved

18 network/hardware combinations, such as removing the hardware SIM card (which contains the

19 network IMSI that is slaved to the network MSISDN) and placing it inside another phone

20 (bearing a different hardware IMEI). In other cases, such as for a device without a SIM, or to

21 change the MSISDN associated with an IMSI on a SIM, a user must submit a request to the

22 service provider (in person, by phone or on the Internet) to change the network identity (MDN,

23 MSISDN, MIN/MSID) and hardware (ESN/MEID) assignments.

APPLICATION – 4 Revised 08.23.12

1 Providers of electronic communications services, such as the above-listed service

2 provider, have technical capabilities that allow the provider to collect data for a particular target

3 address and for usage at specific cellular towers/satellites. This data includes the date, time,

4 duration, initiating and destination numbers and addresses with which the cell phone or device

5 communicates, as well as location information that identifies the cell towers and/or GPS

6 satellites that receive radio signals from particular cell phones or devices (this is known as cell-

7 site location information, or CSLI) and is included in what service providers commonly refer to

8 as "call detail data." Service providers also maintain engineering maps that show cell site tower

9 locations, their sectors, and their orientations. Many cell towers divide their coverage up into

10 multiple sectors (most often three 120º sectors). Where this is the case, the provider can usually

11 identify the sector of the tower that transmitted the communication. Some companies can further

12 narrow the device location within a particular sector.

13 When a cellular telephone or other electronic device is turned on to register its

14 availability to receive communications on the network, or when the device actually sends or

15 receives communications, it will communicate with a cell tower or satellite within its radio

16 frequency range. While cell phones frequently do not communicate with the closest

17 tower/antenna, their approximate location can often be estimated by mapping the geographic

18 distribution of towers/antennas in the specific “switch” (market) where the phone is registered.

19 As a cellular telephone moves through geographic space, one cell tower or satellite will "hand

20 off" the cell phone's (or other device's) signal to another cell tower or satellite with greater ability

21 to maintain the connection. Some cell phones or other electronic communication devices

22 additionally communicate their physical location, in precise terms (such as longitude and

23 latitude), to the provider via global positioning system (“GPS”) satellite or multilateration (e.g.

APPLICATION – 5 Revised 08.23.12

1 triangulated signals off three or more towers) measurements that are shared with or accessible to

2 the provider owing to software settings and terms of service (TOS) agreements.

3 Depending on tower/satellite location, a cell phone or other electronic communication

4 device may communicate with a tower/satellite owned or operated by a service provider other

5 than the provider with which the phone or device is contracted. When this occurs, the second

6 service provider will have records pertaining to that particular cell phone or device.

7 Additionally, cell phone calling numbers can be "ported," which means that a customer can

8 transfer - to a different service provider - his or her service contract for the device, the device

9 address, phone number, and/or other identifiers unique to the particular device. If this occurs,

10 the first service provider, as well as the new service provider, will have usage and location

11 records for the cell phone.

12 Service providers retain information about cellular telephone signals and transactions at

13 each tower or satellite, whether or not a particular device sent or received any communication.

14 Some of these stored records are retained to substantiate billing (e.g. toll) charges while others

15 are used for fraud detection and prevention. Many are used for systems monitoring, diagnostic

16 and maintenance reasons, such as balancing the network’s traffic load and identifying

17 requirements for additional capacity.

18 Because of this, and the fact that cell phone owners typically have their phones either

19 with or very near them, cell tower and GPS location information for a particular cell phone

20 typically leads to locating the person using that device. This information can be used to assist

21 and corroborate surveillance officers' observations and anticipate future movements and

22 locations of the suspect by establishing his or her habit pattern over time. For example, if the

23 telephone consistently signals the same tower both late at night and in the early morning hours, it

APPLICATION – 6 Revised 08.23.12

1 is reasonable to conclude that the suspect is living, sleeping, hiding or working at a night job in

2 that vicinity.

3 Internet Communications (Social media/Email):

4 From my training and experience I know the following:

5 Whether the target address is a phone number, email address, internet service connection,

6 or social networking site, or something similar, it is becoming increasingly common that

7 communications of all types transit the "world wide web" through the Internet. These can

8 include calls using mobile cellular telephones; calls using Voice over Internet Protocol1 (VoIP);

9 peer-to-peer conversations, with or without a video component, email, text messages,

10 communications in which photos, videos or other data are sent and received, social networking,

11 and the like. Service providers generate data documenting these communications whenever they

12 occur. This data can identify persons or entities with whom or with which the device user

13 communicates, as well as the user's geographic location.

14 The Internet is a global computer network which electronically connects computers and

15 Internet-enabled cell phones or other electronic devices, and that allows communications and

16 transfers of data and information across state and national boundaries. To gain access to the

17 Internet, an individual utilizes an Internet Service Provider (ISP). When an individual

18 communicates through the Internet, the individual also sends an Internet Protocol (IP) address

19 which identifies the individual user by account and ISP. The IP addresses of both the sender and

20 the recipient(s) are needed for communications over the Internet to reach the receiving

21 computer(s) or Internet-enabled cell phone(s) for which the communication is intended.

1 23 VoIP communications can occur using the cellular network, the Internet, or both, and can include communications between mobile phones and computers or between two or more computers. The latter is known as a peer-to-peer communication. APPLICATION – 7 Revised 08.23.12

1 An IP address, together with the date and time of a communication is unique to each

2 communication. “Ranges” of IP addresses are typically assigned to “major” users of the Internet,

3 like governments, large corporations and Internet Service Providers. These entities in turn assign

4 specific addresses to individual users, sometimes called “subscribers.” An IP address can be

5 assigned to an individual computer permanently or long term (called “static” addresses) or

6 assigned on an as-needed basis for each connection made to the Internet by a computer (called

7 “dynamic” addresses). Typically, users who access the Internet via a dial-up connection to their

8 Internet Service Provider receive “dynamic” IP addresses while users who access the Internet

9 through a broadband connection like DSL or cable receive “static” IP addresses.

10 When a particular IP address can be used by several users simultaneously, the ISP assigns

11 each user device a "port" address. This occurs, for example, at internet "hot spots." In this case,

12 the combination of an IP address, a Port address, and the date and time is unique to each device

13 and user session. The IP address and Port address session combination is known as the "socket

14 address" or as a "socket address pair." Service providers correlate records of socket addresses

15 together with date/time information to their subscriber access records, and retain these records in

16 the regular course of business. Using the socket address and date/time information, service

17 providers can also identify, via records they routinely maintain, the device that accessed the

18 network for that particular session, and the physical location at which the access occurred or is

19 occurring. The device is identified through its MAC address. Computers, internet enabled cell

20 phones, and other digital devices each have a "MAC address" (Media Access Device), which is a

21 globally unique address that is written into hardware at the time of manufacture. When the

22 device is connected to the Internet the MAC address is relayed to the ISP as part of the

APPLICATION – 8 Revised 08.23.12

1 computer's communication, and is digitally linked to the IP address, Port, date and time of the

2 communication.

3 Internet Service Providers and others who are assigned ranges of IP addresses maintain,

4 in the normal course of business, a record of their sub-assignment of individual IP addresses,

5 ports and socket addresses to individual users. Some of these stored and transactional records

6 are retained to substantiate usage charges while others are used for fraud detection and

7 prevention. Many are used for systems monitoring, diagnostic and maintenance reasons, such as

8 balancing the network’s traffic load and identifying requirements for additional capacity. When

9 such records are maintained, it is possible to identify the specific account, device, and physical

10 location of communications associated with the use of a particular IP address at a specific date

11 and time. The above-described information can be captured by a pen register and trap and trace

12 and is, in the computer network context, conceptually identical to the origin and destination

13 phone numbers and cell site information captured by a pen register and trap and trace device

14 installed on a telephone number. In both cases, it is possible to use a combination of hardware

15 and software to ascertain the source, destination addresses, and physical location associated with

16 communications to and from the target address.

17 Email Specific Facts

18 In the case of email communications, pen register and trap and trace capture the sending

19 and destination addresses of incoming or outgoing electronic mail or other impulses that identify

20 the originating sender as well as recipient(s), email addresses, IP addresses, numbers, and/or

21 other unique identifier of an internet enabled cell phone, computer, or other device from which

22 an email, wire or electronic communication is transmitted. This includes addressing information

23 contained in "packet headers" and "mail headers." "Header information" includes non-content

APPLICATION – 9 Revised 08.23.12

1 information such as the source, destination, routing, and packet payload (size) information

2 associated with all internet data. The message header of an email contains the message's source

3 and destination(s), expressed as email addresses in "From," "To," "CC" (carbon copy), and

4 "BCC" (blind carbon copy) fields. The email addresses in an email's message header are

5 analogous to "to" and "from" addresses for traditional letters and the origin and destination

6 numbers for telephone calls, because they indicate both the origin and destination(s) of the

7 communication. More than one destination address may be specified in a single message. No

8 two email addresses can be identical. Internet e-mail addresses adhere to the standard format

9 "username@network," where username identifies the specific user mailbox associated with the

10 network, typically the service provider on whose system the mailbox is located. The subject line

11 of an email message is not "header information" and is not otherwise part of the addressing and

12 routing information.

13 (8) Based on my training and experience and the facts set forth in paragraph (4) above, I

14 assert that there is probable cause to believe that installation and use of a pen register and trap

15 and trace in this investigation will lead to obtaining evidence of the above-described crime(s),

16 weapons or other things by means of which the described crime(s) has/have been committed

17 and/or learning the location of a person for whose arrest there is probable cause.

18 (9) I know from my training and experience that the kind of information described in

19 paragraph (5) above often leads directly or indirectly to evidence of the crime(s) under

20 investigation and/or the location of a person for whose arrest there is probable cause.

21 The communications, movements, location, and duration of activity or inactivity of the

22 device(s) using the target address are often significant evidence leading to solving of crime.

23 Historical as well as current call detail, usage detail, and location records for the target address

APPLICATION – 10 Revised 08.23.12

1 will indicate a pattern of activity and/or associations with other persons who may possess

2 evidence of the above-described crimes; persons with whom the suspect may have discussed the

3 above-listed crime(s); persons who may know where to find the listed suspect and/or the devices

4 using the target address; persons to whom the above-identified suspect may have made

5 statements relevant to the listed crime(s); persons who may have noticed evidence relevant to

6 this investigation, or locations where the suspect may have left or secreted evidence. For

7 example, for any particular target address and device using a target address, call detail records

8 and the addresses at which a particular IP address is used reveal a user's physical location over

9 time. It can provide information about the geographic breadth and frequency of the suspect's

10 movements. This information is evidence of the crime(s) under investigation. It can place a

11 suspect at the scene of a crime, or away from the scene of a crime, or at locations relevant to the

12 crime (such as a storage facility); can provide information about locations at which the listed

13 suspect meets with associates; and can provide information about where the suspect lives, works,

14 or sleeps. With this information investigators can locate suspects and can identify persons who

15 have been in contact with the listed suspect over a period of time.

16 (10) These pleadings and the Court’s Order are required by RCW 9.73.260(4) to be filed

17 under seal until further order of the Court. This is because there would otherwise be a substantial

18 threat to the interests of effective law enforcement, to public safety, and, depending on the case,

19 to victims or witnesses. By its very nature, authority to use the tools described herein are and

20 must be covert to be effective. In my experience, suspects who know their electronic

21 comm unications are being monitored by law enforcement quickly change their behavior. They

22 get rid of their cell phones and other mobile communication or other digital devices, or stop

23 using the email address, social networking site, or computer that they had previously been using.

APPLICATION – 11 Revised 08.23.12

1 They also frequently flee to unknown locations, hide or destroy evidence, and otherwise alter

2 their behavior, taking other actions to conceal their crime and their physical location. When this

3 occurs, the investigative tools contemplated herein become useless. A suspect's sudden

4 disassociation with the target address thwarts police efforts to protect the public by locating

5 fugitives and witnesses, collecting evidence of crime, or locating crime victims, including those

6 who have been kidnapped and the existing danger to victims, witness, and public safety would

7 continue.

8 ______9 Detective/Agent Signature

10 SUBSCRIBED and SWORN to before me this day of , 20 11

12 ______JUDGE OF THE SUPERIOR COURT 13 Application Approved: 14

17 Deputy Prosecuting Attorney

APPLICATION – 12 Revised 08.23.12

6 SUPERIOR COURT OF WASHINGTON FOR SNOHOMISH COUNTY 7 IN THE MATTER OF APPLICATION FOR AN ) 8 ORDER AUTHORIZING INSTALLATION AND ) USE OF A PEN REGISTER AND TRAP AND ) No. 9 TRACE; AUTHORIZING DISCLOSURE OF ) NON-CONTENT STORED AND ) 10 TRANSACTIONAL RECORDS; AND ) ORDER ACQUISITION OF HISTORIC RECORDS AND ) 11 DEVICE LOCATION INFORMATION ) ) 12 )

13 NOTICE: This order is issued pursuant to RCW 10.96.020. A response is due within twenty business days of receipt, unless a shorter time is stated herein, or the applicant 14 consents to a recipient's request for additional time to comply.

15 TO: ;

16 AND TO: , and other law

17 enforcement officers working with him/her:

18 WHEREAS, sworn application having been made before me by

20 a commissioned law enforcement officer of the above-identified law enforcement agency; and

21 full consideration having been given to the matters set forth therein;

ORDER – 1 Revised 08.23.12

1 The court hereby FINDS:

2 (1) The above-identified investigators and investigative agency/agencies are engaged in

3 an ongoing criminal investigation of the crime(s) of

6 Information that may be obtained through the installation and use of a pen register and trap and

7 trace device is relevant to that ongoing investigation.

8 (2) There is probable cause to believe that the installation and use of a pen register and

9 trap and trace device will lead to obtaining evidence of a crime, contraband, fruits of crime,

10 things criminally possessed, weapons, or other things by means of which a crime has been

11 committed or reasonably appears about to be committed, or will lead to learning the location of a

12 person who is unlawfully restrained or reasonably believed to be a witness in a criminal

13 investigation or for whose arrest there is probable cause.

14 (2) The target phone number/account is

17 (3) Service to the listed target address/telephone number is supplied by

20 an electronic communications service provider as defined by RCW 9.73.260 and 18 USC §

21 2 510(15), located at ;

ORDER – 2 Revised 08.23.12

1 (4) The account associated with the listed target address/telephone number is controlled

2 by/registered to:

4 (5) The subject of the ongoing criminal investigation is

8 Now, Therefore,

9 IT IS HEREBY ORDERED pursuant to RCW 9.73.260 that

11 shall install and use a pen register and/or equivalent technology to register, filter, record and

12 decode electronic or other impulses, including, but not limited to dialing, routing, addressing,

13 signs and signaling information, or other impulses that together with date time and duration

14 identify the numbers dialed, electronic mail addressing or routing information, packet headers,

15 addressing, routing, email address, IP address and/or other non-content information otherwise

16 transmitted from the target address; and information tending to identify the device using the

17 target address, such as ESN (in 8-digit hex format), MEID, SIM IMEI, MIN, MSID, MSISDN,

18 and MAC Address, and any other unique identifiers for the electronic device using:

ORDER – 3 Revised 08.23.12

1 IT IS FURTHER ORDERED pursuant to RCW 9.73.260 that

3 shall install and use a trap and trace device and/or equivalent technology to trace, identify,

4 register, filter, record and decode electronic or other impulses, including, but not limited to

5 dialing, routing, addressing, signs and signaling information or other impulses that, together with

6 date time and duration, identify the numbers dialed, electronic mail addressing or routing

7 information, packet headers, addressing, routing, email address, IP address and/or other non-

8 content information otherwise transmitted to the target address, or other impulses that identify

9 the originating numbers or digital addresses from which a wire or electronic communication is

10 transmitted dialed or transmitted; and, if known, the customer or user name or identity associated

11 with the device, number or address sending communications, signals, messages, or other

12 electronic impulses to the above-identified target address; and information tending to identify the

13 device using the target address, such as ESN (in 8-digit hex format), MEID, SIM IMEI, MIN,

14 MSID, MSISDN, and MAC Address, and any other unique identifiers for the electronic device

15 using:

18 IT IS FURTHER ORDERED pursuant to RCW 9.73.260 that:

21 shall search for and seize evidence of the location of the device using the target address, and is

22 directed to use any electronic means reasonably available to locate the device using the target

23 address, and that the above-listed service provider shall assist by, on a 24-hour basis, supplying

ORDER – 4 Revised 08.23.12

1 the listed investigative agency with Subscriber (or Registration) Account Information; Usage and

2 Location Information, together with corresponding engineering maps showing all pertinent cell

3 site tower locations, sectors and orientations; GPS Precision Location Information and/or E911

4 information, and Device Identifying Information for the duration of this order or until the

5 investigation is completed; and

6 IT IS FURTHER ORDERED pursuant to RCW 9.73.260 that:

9 shall furnish agents of the above-identified investigative agency/agencies forthwith all

10 information, facilities, and technical assistance necessary to accomplish the installation and

11 operation of the pen register and trap and trace and search of their facilities and records

12 unobtrusively and with minimum interference to the services accorded persons with respect to

13 whom the installation and use is to take place; and

14 IT IS FURTHER ORDERED pursuant to this Court’s determination of probable cause,

17 is directed to furnish agents of the above-identified investigative agency/agencies forthwith all

18 evidence of the above-listed crime(s) contained in the service provider's records for the target

19 address, including: The subscriber’s/account-holder’s name, telephone number, email address,

20 billing address, billing/payment information, account initiation date, account features,

21 information pertaining to any other accounts linked to the primary account, call or

22 communication detail records (including text messages, MMS messages, and IM

23 communications) , and cell site and/or ISP data; and

ORDER – 5 Revised 08.23.12

1 IT IS FURTHER ORDERED that all records and information required to be provided

2 pursuant to this order shall be provided in a commercially-reasonable electronic format specified

3 or agreed to by the investigative agency/agencies and delivered forthwith via electronic mail as

4 specified by the law enforcement officer serving this Order; and

5 IT IS FURTHER ORDERED that the listed service provider be compensated by the

6 above-identified investigative agency/agencies for reasonable expenses incurred in complying

7 with this Order; and

8 IT IS FURTHER ORDERED that the listed service provider, its agents and employees,

9 other person served with this order, and any other person or entity from whom assistance was

10 requested, shall not disclose the installation and use of pen register and trap and trace device or

11 the existence of the investigation to the listed subscriber or to any other person, unless otherwise

12 ordered by this court; and

13 IT IS FURTHER ORDERED that this Order is effective

14 until , at the same time of day, or upon the

15 arrest of the suspect/completion of the investigation, whichever is sooner; and

16 IT IS FURTHER ORDERED pursuant to RCW 9.73.260(4) and in compliance with 18

17 USC §3123(d)(1) and the findings of this Court that the file in this cause be sealed until

18 otherwise ordered by the Court.

ORDER – 6 Revised 08.23.12

1 This order is issued pursuant to RCW 9.73.260 and in accordance with 18 USC sections

2 3122 and 3123, 18 USC sections 2703 and 2711, 47 USC section 1002, and Article I, section 7

3 of the Washington State Constitution.

4 DONE this day of . 20 , at .

6 ______JUDGE OF THE SUPERIOR COURT 7

ORDER – 7 Revised 08.23.12