Meet Stingrays, The Surveillance Tech The Government Doesn’t Want To Talk About

For nearly two decades U.S. law enforcement agencies have used counter-terrorism devices known as “stingrays” after the brand name of one variant or ISMI (international mobile subscriber identity)-catchers to track locations in domestic investigations, but information about the devices has been kept carefully under wraps from the public and sometimes even from judges authorizing its deployment. Last week an Arizona judge ruled that a tracking warrant used to deploy the device against Daniel David Rigmaiden, who is accused of collecting millions of dollars in rebates by submitting fraudulent tax returns, was valid despite the fact that the FBI failed to disclose they would be using a stingray or explain how the devices functioned in that warrant.

Much of what is known about their current use in the U.S. comes from a treasure trove of heavily redacted documents being dripped out month by month thanks to an Electronic Privacy Information Center (EPIC) Freedom of Information Act (FOIA) lawsuit and a handful of public cases like Rigmaiden that have been released publicly. Speaking at a Yale Information Society Project (ISP) on biometrics and location tracking earlier this year, EPIC Appellate Advocacy Counsel Alan Butler noted:

“The biggest problem I see with stingrays is the secrecy aspect — The fact that we don’t know how they are used, how exactly they work, what different techniques are available […] The accountability measures that would be in place for other warranted, more standard surveillance methods are really nonexistent here.”

One thing we do know, according to statement at the same conference from the American Civil Liberty Union’s (ACLU) Chris Soghoian, is that stingrays work by essentially exploiting a security vulnerability in cell service technology: Phones are constantly searching for the nearest signal so they know what tower to connect to when a call comes in, and phones will automatically connect to any tower identifying itself as having the strongest signal strength from your carrier.

The device sends out a signal pretending to be a nearby cell tower with the strongest signal, tricking phones into connecting and allowing the operator to harvest identifying information about devices in the form of the unique ID string of numbers associated with the device known as ISMI and in some variants even communications content, although U.S. law enforcement generally denies using them for the latter need. Whenever a phone is powered on, you can measure the strength of the phone responding to this signal and triangulate a location. This graphic adapted from one in Jennifer Valentino-Devries’ excellent Wall Street Journal coverage of the Rigmaiden case in 2011 shows how it works:

Due to the nature of the devices, they gather up all information within a certain signal range including information about non-target devices — meaning innocent bystanders are having their data sucked up as well. In court documents associated with the Rigmaiden case the FBI requested permission to “expunge” all data obtained in the process, but how much data operators generally have access to during the surveillance process or if that is the standard practice remains unclear leading to a number of questions about whether or not the Fourth Amendment rights of the general public are being compromised. Soghoian noted as much at the Yale ISP conference, saying “No matter how the stingray is used — to identify, locate or intercept — they always send signals through the walls of homes […] The signals always penetrate a space protected by the Fourth Amendment.”

There are a variety of situations this could be used unrelated to criminal investigations, like aiding search and rescue teams, but when it’s used by law enforcement it’s usually because the phone company can’t find the phone for some reason (such as lacking a GPS chip), to identify what phones are being used by a suspect in a burner type situation (think the Wire), or when the phone company refuses to help with an investigation. But the legal framework for deployment in the United States is murky.

In the Rigmaiden case a warrant was sought because they were after the signal on a mobile wireless card believed to be within his residence where he might have a reasonable expectation of privacy. But FBI and Department of Justice officials have claimed investigators’ stingrays should be treated like “pen registers.” Pen registers are a category of tools that gather information on outgoing calls — normally, the numbers dialed on a particular phone — but don’t receive the content of the communications and do not require a warrant to deploy. Instead, they are allowed under the Electronic Privacy Communications Act of 1986 (ECPA) with a court order that only requires investigators to believe information gathered as a result of the order is likely to assist an ongoing investigation, a lesser standard than probable cause.

However, some judges have found that location information is more intrusive type of surveillance than call logs, and across the field courts appear to be applying different standards — with the prosecution in Rigmaiden saying that “decisions are made on a case-by-case basis” by magistrate and district judges. In US v. Jones, the Supreme Court ruled a GPS tracking device being placed on a suspect’s car constituted a search, but did not rule on if the search was warranted or constitutional.

Due to the lack of disclosure used by investigators pursuing stingray deployment, it is also unclear how often the devices are being used by law enforcement although evidence suggests they are being deployed in at least a handful of states. Reporting from the LA Times uncovered 21 uses of the devices by the LAPD in a four month period in 2012 “apparently without the courts’ knowledge that the technology probes the lives of non-suspects who happen to be in the same neighborhood.”

The lack of clarity around almost every aspect of stingray tech and its use by law enforcement did not happen by accident: The FBI delayed releasing the documents now being released thanks to EPIC’s FOIA lawsuit, only acquiescing when being ordered by a federal judge “to produce all records, except those subject to classification review, by August 1, 2013,” and among the documents already released in that inquiry was a nondisclosure agreement preventing FBI staff from discussing the technology.