Pen Register Act — Real-Time Surveillance of Communication Metadata
The Pen Register Act (18 U.S.C. §§ 3121–3127), enacted as Title III of the Electronic Communications Privacy Act of 1986, governs the real-time collection of communication metadata — the numbers dialed, routing information, and addressing data of phone calls, emails, and internet communications, but not their content. A "pen register" records the numbers you dial out (outgoing calls); a "trap and trace device" records the numbers that call in (incoming calls). In the digital era, these devices capture far more than phone numbers — they can collect email addresses, IP addresses, URL metadata, and other routing information that reveals who you communicate with, when, and how often. The legal standard for obtaining a pen register/trap-and-trace order is far lower than for a wiretap: the government need only certify that the information is "relevant to an ongoing criminal investigation" — no probable cause required, no showing that other investigative methods have failed. A judge presented with a proper application must issue the order — there is essentially no judicial discretion to deny it. Orders are limited to 60 days (renewable). The Pen Register Act has been the legal basis for some of the most expansive government surveillance programs, including the NSA's bulk collection of telephone metadata revealed by Edward Snowden in 2013 (conducted under FISA's equivalent provision, Section 215). See also the Stored Communications Act for how the government accesses stored (rather than real-time) electronic records.
Current Law (2026)
| Parameter | Value |
|---|---|
| Governing law | 18 U.S.C. §§ 3121–3127 (Pen Register Act, 1986; amended by USA PATRIOT Act 2001) |
| Standard | Government must certify information is "relevant to an ongoing criminal investigation" |
| Judicial role | Judge must issue order upon proper certification — effectively mandatory |
| Duration | 60 days per order (renewable for additional 60-day periods) |
| Covers | Outgoing dialing/routing/addressing information (pen register) and incoming (trap and trace) |
| Does NOT cover | Content of communications — that requires a wiretap order under 18 USC 2510+ |
| Emergency exception | Designated law enforcement officers may install without prior court order if an emergency exists (court order must be obtained within 48 hours) |
| Criminal penalty | Unauthorized use: fine and/or up to 1 year imprisonment |
| Annual reporting | AG must report to Congress on the number of pen register/trap-and-trace orders sought |
Legal Authority
- 18 U.S.C. § 3121 — General prohibition (no person may install or use a pen register or trap and trace device without a court order or statutory exception)
- 18 U.S.C. § 3122 — Application for an order (a government attorney may apply, in writing under oath, to a court for a pen register/trap-and-trace order)
- 18 U.S.C. § 3123 — Issuance of an order (upon proper application, the court shall issue the order authorizing installation and use for up to 60 days; the order is sealed)
- 18 U.S.C. § 3125 — Emergency installation (designated officers may install without prior court order when an emergency involving immediate danger of death, serious injury, national security threat, or organized crime exists — must obtain court authorization within 48 hours)
- 18 U.S.C. § 3127 — Definitions (pen register: device recording outgoing dialing, routing, addressing, and signaling information; trap and trace: device capturing incoming addressing information)
How It Works
The Act's most significant — and most criticized — feature is its extremely low legal standard for government access. The government need only certify that the information sought is "relevant to an ongoing criminal investigation." Unlike a wiretap order (which requires probable cause, exhaustion of alternatives, and specificity about the target and crimes) or even a standard search warrant, the pen register standard is essentially self-certifying: the government says it's relevant, and the judge must issue the order. The Act draws a fundamental distinction between metadata (who you called, when, for how long, from where) and content (what you said) — pen registers capture only metadata. The Supreme Court held in Smith v. Maryland (1979) that people have no reasonable expectation of privacy in phone numbers they dial because they voluntarily convey that information to the phone company. However, Carpenter v. United States (2018) — requiring a warrant for comprehensive cell-site location information — has called this reasoning into question for digital metadata that reveals detailed information about a person's life.
The 2001 PATRIOT Act significantly expanded the Act by redefining pen registers and trap-and-trace devices to cover routing, addressing, and signaling information for all electronic communications — not just telephone numbers — allowing the government to collect email header information, IP addresses, and other internet metadata using the low relevance standard. The PATRIOT Act also authorized nationwide orders valid in any jurisdiction. In emergencies involving immediate danger of death, serious bodily injury, threats to national security, or organized crime, law enforcement may install pen registers and trap-and-trace devices without prior court authorization — provided a court order is obtained within 48 hours; if the court denies the subsequent application, all collected information must be destroyed.
How It Affects You
If you're a phone or internet user, the Pen Register Act creates a legal pathway for the government to collect real-time metadata about your communications without a probable cause warrant. The standard is deliberately low: law enforcement certifies to a judge that the information is "relevant to an ongoing criminal investigation," and the judge must issue the order — essentially no discretion to deny it. Orders run 60 days and are renewable. What gets captured: phone numbers you dial and that call you, IP addresses you communicate with, email routing headers (to/from addresses, not content), URL metadata, cell-tower routing information — everything except the actual content. Under Smith v. Maryland (1979), metadata you share with carriers is not constitutionally protected because you voluntarily conveyed it to the phone company. Carpenter v. United States (2018) created a warrant requirement for historical cell-site location data (7+ days of tracking), but this hasn't been extended to prospective pen register orders. The privacy exposure: metadata reveals your social network, physical movement patterns, professional relationships, and daily habits with precision that can be more revealing than call content. Your communications metadata is also reachable through National Security Letters (no judicial involvement at all) for national security investigations.
If you're a telecommunications provider, ISP, or online platform receiving a pen register order, compliance is mandatory under 18 U.S.C. § 3123 — you must provide all "information, facilities, and technical assistance" to install and operate the collection device. Orders are sealed; you typically cannot disclose their existence to the targeted user while active. Challenge options are narrow: jurisdictional and form objections are available, but the "relevant to an ongoing investigation" standard leaves little room to push back on substance. Many platform companies publish annual Transparency Reports (Google, Apple, Meta, Microsoft) disclosing aggregate government data demand figures — these are the best public window into pen register volumes across the industry, though reporting is aggregated and doesn't reveal individual orders.
If you're facing a federal investigation or working on criminal defense, pen register evidence deserves careful scrutiny. Challenge points include: whether the order's scope was temporally and geographically tailored to the investigation, whether content data was collected under the guise of metadata collection, and whether Carpenter's warrant reasoning should extend to the comprehensive pattern of metadata collected (who, when, where, how long, in patterns revealing activities and associations). Courts have split on how far Carpenter extends beyond its specific cell-site location holding. Pen register data often underlies subsequent investigative steps — wiretap applications, search warrants — so a successful pen register challenge can suppress downstream evidence. The National Association of Criminal Defense Lawyers (nacdl.org) and Electronic Frontier Foundation (eff.org/issues/surveillance) publish digital surveillance defense resources.
If you work in privacy policy or civil liberties advocacy, the Pen Register Act represents a structural gap at the core of U.S. surveillance law. The 1986 statute — designed when metadata meant dialed phone numbers — has been stretched to cover the comprehensive digital footprint of modern life without legislative update. The two-tier system (content requires probable cause + wiretap warrant; metadata needs only "relevance" certification) creates asymmetric protection that doesn't reflect how revealing metadata has become. The USA FREEDOM Act (2015) addressed bulk collection under the FISA equivalent; individual targeted orders remain easy. Reform proposals — requiring probable cause for pen registers, requiring post-investigation notice to targets, or applying Carpenter proportionality review to comprehensive metadata — have gained bipartisan support without advancing legislatively. The ACLU Surveillance Project (aclu.org/issues/privacy-technology/surveillance-technologies) and EFF track pending litigation and legislative efforts on surveillance law modernization.
State Variations
The Pen Register Act is federal law, but states play a role:
- Many states have their own pen register/trap-and-trace statutes for state investigations
- Some states require a higher standard than the federal "relevance" test (e.g., reasonable suspicion or probable cause)
- State courts may interpret state constitutions to provide greater protection for communication metadata
- Federal pen register orders preempt state restrictions for federal investigations
Implementing Regulations
- The Pen Register Act (18 U.S.C. §§ 3121–3127) is self-executing — it establishes the complete legal framework for government use of pen registers and trap-and-trace devices through court orders, with no implementing regulations in the CFR
- DOJ Criminal Resource Manual — internal DOJ guidance covering pen register/trap-and-trace application procedures, required certifications, emergency installation protocols, and compliance with the 48-hour post-emergency court order requirement
Pending Legislation
No standalone Pen Register Act reform bills have been introduced in the 119th Congress. Electronic surveillance provisions appear in broader privacy and national security legislation — see Electronic Surveillance (ECPA) and FISA Foreign Intelligence.
Recent Developments
The Pen Register Act's relevance standard has been debated intensely since the Snowden revelations exposed the NSA's bulk telephone metadata program (conducted under FISA Section 215, which uses a parallel "relevance" standard). The USA FREEDOM Act of 2015 ended bulk metadata collection under FISA but left the criminal pen register standard unchanged. Courts continue to grapple with post-Carpenter questions about whether comprehensive digital metadata collection triggers Fourth Amendment protections beyond the Pen Register Act's minimal requirements. The expansion of internet-of-things devices (smart home, connected cars, wearables) creates new categories of metadata that may be collected under pen register authority.