United States v. Soybel

13 F.4th 584

UNITED STATES of America, Plaintiff-Appellee,

v.Edward SOYBEL, Defendant-Appellant.

No. 19-1936

United States Court of Appeals, Seventh Circuit.

Argued June 3, 2020

Decided September 8, 2021

Nicholas J. Eichenseer, Attorney, Office of the United States Attorney, Chicago, IL, for Plaintiff-Appellee.

Robert J. Palmer, Attorney, May, Oberfell & Lorber, Mishawaka, IN, for Defendant-Appellant.

Before Sykes, Chief Judge, and Bauer and St. Eve, Circuit Judges.

Sykes, Chief Judge.

Industrial-supply company W.W. Grainger was the victim of a series of cyberattacks against its computer systems in 2016. Grainger isolated the source of the intrusions to a single internet protocol ("IP") address, which came from a high-rise apartment building where disgruntled former employee Edward Soybel lived.¹

Grainger reported the attacks to the FBI. To confirm the source, the government sought and received a court order under the Pen Register Act, 18 U.S.C. §§ 3121 et seq. , authorizing the installation of pen registers and "trap and trace" devices to monitor internet traffic in and out of the building generally and Soybel's unit specifically.² Among the data collected, the pen registers recorded the IP addresses of the websites visited by internet users within Soybel's apartment. The IP pen registers were instrumental in confirming that Soybel unlawfully accessed Grainger's system. The district court denied Soybel's motion to suppress the pen-register evidence and its fruits, and a jury convicted him of 12 counts of violating the Computer Fraud and Abuse Act.

This appeal presents a constitutional issue of first impression for our circuit: whether the use of a pen register to identify IP addresses visited by a criminal suspect is a Fourth Amendment "search" that requires a warrant. We hold that it is not. IP pen registers are analogous in all material respects to the telephone pen registers that the Supreme Court upheld against a Fourth Amendment challenge in Smith v. Maryland, 442 U.S. 735, 99 S.Ct. 2577, 61 L.Ed.2d 220 (1979). The connection between Soybel's IP address and external IP addresses was routed through a third party—here, an internet-service provider. Soybel has no expectation of privacy in the captured routing information, any more than the numbers he might dial from a landline telephone.

Soybel insists that this case is governed not by Smith but by Carpenter v. United States , ––– U.S. ––––, 138 S. Ct. 2206, 201 L.Ed.2d 507 (2018). We disagree. Carpenter concerned historical cell-site location information ("CSLI"). The warrantless acquisition of that type of data implicates unique privacy interests that are absent here. Historical CSLI provides a detailed record of a person's past movements, which is made possible so long as he carries a cell phone. In contrast, the IP pen register had no ability to track Soybel's past movements. And Carpenter is also distinguishable based on the extent to which a person voluntarily conveys IP-address information to third parties. Accordingly, though our reasoning differs from the district judge's, we hold that the suppression motion was properly denied.

Soybel also challenges the sufficiency of the evidence on one of the 12 counts. We reject this argument and affirm the judgment in all respects.

I. Background

Edward Soybel worked as an IT contractor for Grainger's KeepStock business unit from November 2014 until he was fired in February 2016. KeepStock provides Grainger customers with proprietary software and industrial equipment-dispensing machines to optimize their inventory management. Dispensing machines at customer sites across the country connect to computer servers at Grainger's Niles, Illinois facility, which also serves as the home base for the KeepStock IT helpdesk where Soybel worked.

KeepStock stores information about its dispensing machines and its customers’ log-in credentials in large "database tables." Helpdesk staff have their own KeepStock usernames and passwords, and when logged in to the KeepStock system, they could add and delete information in the tables. Performing the same functions remotely (outside the Grainger firewall) required access to the KeepStock "desktop client"—an application downloaded to a computer.

In July 2016 Grainger discovered that over the course of a week, someone with Grainger log-in credentials had accessed KeepStock and deleted millions of records from the database tables. As a result, KeepStock was effectively shut down for Grainger employees and customers alike until IT personnel could restore the data. An internal investigation revealed that the culprit had deleted the records via the desktop client using the log-ins of several current KeepStock employees, including Soybel's former supervisor. Further investigation led Grainger to believe that the intrusions all came from the same IP address outside of Grainger's network. Grainger reported the IP address to the FBI, which then determined that the address came from a large apartment building in Chicago where Soybel lived with his mother.

However, the FBI could not yet confirm that Soybel was responsible. The identified IP address came not from an individual unit but from the building's "master router" that distributed internet service throughout the building. The master router was, in effect, the middleman between the individual units and the rest of the internet. Each unit in the building had its own unique private IP address, but when an individual user accessed a website, only the master router's IP address would be visible to that website's servers. At the same time, the master router knew to which private IP address it should relay that website's traffic. The upshot is that when an internet user in the building connected to Grainger's servers, only the master router could confirm the private IP address—and thus the specific apartment unit—that was responsible for the KeepStock attacks.

To confirm its suspicions about Soybel, the government applied for an order under the Pen Register Act to install IP pen registers for the master router and Soybel's unit for 60 days. The data to be recorded was highly technical.³ For our purposes it's enough to note that the government sought to collect (1) connections between the master router's and the unit's IP addresses on the one hand, and external IP addresses on the other; and (2) the time that the connections occurred. That is, the information from the pen registers would help the government determine whether and when Soybel tried to access KeepStock.

At the same time, the government's application specified that the pen registers would not record the content of any communications between IP addresses, an express limitation in the Pen Register Act. See 18 U.S.C. §§ 3121(c), 3127(3) – (4). The data the government would collect might show, for instance, that an internet user connected to a Google IP address.⁴ But it could not reveal the specific Google website accessed (i.e., YouTube or Gmail), let alone what the user was doing within that website.

A district judge granted the application in September 2016. The order was not based on a finding of probable cause. Instead, as required by the Act, the judge found that the government had included the requisite certification that the information to be obtained was "relevant to an ongoing criminal investigation" into computer crimes. Id. § 3122(b)(2) (including the certification among the required contents for a Pen/Trap application); id. § 3123(a)(1) (specifying this finding as a prerequisite for the order).

The building's internet-service provider then installed the pen registers in the building's mechanical room without entering Soybel's unit. While the master router's pen register captured only internet connections to and from KeepStock's IP addresses, Soybel's pen register recorded all internet connections that came from that unit. Put differently, the pen register associated with his apartment recorded connections between his private IP address and the IP addresses of those websites that internet users in the apartment had visited. The pen registers revealed that Soybel's private IP address—and only Soybel's private IP address—attempted to connect to KeepStock 790 times between September and November 2016. Grainger confirmed that these attempts came at the same time that the master router's IP address tried to breach the KeepStock firewall.

One of the recorded intrusions is particularly relevant for this appeal. In September 2016 Soybel changed the KeepStock password for Grainger business analyst Dan Hoehne in the middle of the night. Soybel clicked on a forgotten password option for Hoehne's username and used his own Gmail account as the recovery email. He then changed Hoehne's password to "1234" and temporarily locked Hoehne out of KeepStock. Though by this time Grainger had blocked the master router's IP address from accessing its system, forensic examination of Soybel's laptop later showed that he was able to change Hoehne's password using the IP address of a nearby apartment building.

A grand jury charged Soybel with 12 counts of violating the Computer Fraud and Abuse Act. See 18 U.S.C. § 1030. Count 10 related to the act of changing Hoehne's password and alleged that Soybel knowingly caused "the transmission of a program, information, code, or command" to "intentionally cause[ ] damage without authorization[ ] to a protected computer." Id. § 1030(a)(5)(A).

Following Soybel's indictment, the Supreme Court issued its decision in Carpenter , holding that the government must generally obtain a search warrant to access historical CSLI. 138 S. Ct. at 2220. The Court concluded that a court order under the Stored Communications Act is insufficient because it requires less than probable cause. Id. Soybel moved to suppress all evidence obtained as a result of the Pen/Trap order, arguing that Carpenter had broader Fourth Amendment implications beyond the CSLI context.

The judge denied the suppression...