A Stingray device, via the Wall Street Journal
The devices exploit a security flaw in cell phone communications that, to my mind, sounds essentially like wiretapping one's phone, intercepting the signal in a man-in-the-middle style attack, contents and all. Standards for 3G and 4G phones include encryption but your smart phone will also use a 2G connection if that's the strongest, nearest signal. Anyone who wants to exploit this security flaw can do it, said Soghoian. Even if it's illegal, there's not an easy way to stop it, though there may be ways to detect when the device is being used. Some hackers in Berlin created an "IMSI catcher catcher" using a $20 prepaid phone they modified. It works because a Stingray looks like a normal tower to your cell phone but doesn't act like one. The German hackers designed software that looks for Stingrays' tell-tale signature.
The FCC knows about these flaws because they approve local use of "Stingrays" but won't require phone companies to fix these vulnerabilities because they're "in on the deal," said Soghoian, which means the flaws will "stick with us for a long time." Though Harris charges tens of thousands of dollars for the devices, US hackers have demonstrated it's possible to build one for around $1,000. The "age of low cost stingrays is fully on the horizon," he said.
Alan Butler, Appellate Advocacy Counsel for the Electronic Privacy Information Center, said the legal standards for using stingrays are not clear but thinks they have constitutional privacy implications. The SCOTUS cases US v Karo and Kyllo v US are the closest to being on point, he said. Both are about revealing personal details in protected spaces. There are also arguably statutory implications, he said, in 47 USC Sec 222(f) and 47 USC Sec 1002(a).
The Department of Justice claims Stingrays are similar to pen registers and authorized by the same court precedents and statutes, but it's obvious the devices' capabilities are far more sweeping than merely collecting incoming and outgoing phone numbers. The federal Communications Act regulates technology that interferes with communication but courts have not yet found that Stingrays violate that law.
Similar to cell tower dumps, where non-suspects' information is collected along with the surveillance targets, Stingrays raise the question, "What happens to data regarding innocent devices?" On this subject we know next to nothing. The government has exercised extreme controls and secrecy regarding how it uses the technology. Huge swaths of response to FOIA requests are routinely withheld or redacted, said Butler. (Last month, Slate.com covered the most recent of Butler's FOIA requests on Stingrays, the results of which may be accessed here.)
Federal Magistrate Judge Brian Owsley of the Texas Southern District spoke next, calling Stingrays "cell tower dumps on steroids." He said judges don't see many Stingray requests: He's seen two that he knows of (since it's only been relatively recently that he or anyone else outside the tech companies and law enforcement understood what they were). Documentation coming before a judge on these orders looks essentially like a pen register application and many judges simply don't understand what they're seeing. Magistrate judges are not usually very tech savvy, said Owsley. Upon receiving his second request regarding the technology, he sent an email to every magistrate judge in the country telling them about the devices. About 10% of judges responded. Most hadn't noticed them before or had only seen one or two. Hardly anyone understood them. Indeed, he said, often DOJ officials don't understand the tech any more than magistrate judges; the AUSAs just submit a standardized form, which for the most part is rubber stamped.
Owsley first delved into details of the device when a request was submitted to locate and track smuggled cell phones in and out of a prison with the device. He told the AUSA he needed more information and the prosecutor promised to send a memo. He did not submit it for six weeks, by which time prison officials had located the phone without the device. An order was never issued. Owsley's second run-in with Stingrays involved a drug case where the target was changing phones faster than the feds could submit warrants to tap them.
The moderator, Valentino-Devries, noted that boilerplate pen register orders name a target, asking "What do stingray orders look like?" Owsley referred her to the DOJ's electronic surveillance manual (pdf) and said to search under "triggerfish," which is the analog version of the device. The main difference is that pen register orders are directed at a third party because that's who controls the technology. However, sometimes AUSAs simultaneously request vendor information to narrow the Stingray's target, which also has the effect of making them appear on the surface to the judge more like a routine pen register case.
Soghoian argued that use of these devices comes close to a "general warrant" of the type the Fourth Amendment was explicitly created to prevent. The government is sending signals through people's walls, clothes, etc., and inevitably most of those whose information is captured are innocent people. That's not much different than using invasive technology to search every house on the block, he argued. (The fact that the signal penetrates walls of homes and private spaces made Grits wonder if there may be implications for Stingrays from SCOTUS Justice Antonin Scalia's opinion in US v. Jones relying on "trespass" by the government to restrict use of mobile tracking devices attached to personal vehicles.)
Butler noted that one problem with the government's pen register theory is the location limit on pen registers (Stingrays are mobile, fitting in squad cars or even embedded in clothing). Owsley added that a pen register order must have a target number, while Stingrays are looking for a target number. The distinction is important because pen registers operate under lesser legal standards than are applied to cell tower dumps, for example.
The even bigger difference, though, is that Stingrays and IMSI catchers can actually capture content. Harris doesn't have marketing materials online, but according to their price list (which has been made public), they sell an interception module that's actually capable of tapping phones just like an old-fashioned wiretap, but no one knows which agencies have purchased it. Vendors from other countries advertise interception more aggressively. DOJ tells its employees not to intercept content, said Butler, but the fact that they need to say so implies that the ability exists. Owsley said that AUSAs may not understand the tech but they do know they're not supposed to intercept content. By contrast, he thinks FBI agents don't understand the same limits the AUSAs seem to and may be using the technology more broadly.
Other agencies use the information even more broadly. Immigration and Customs Enforcement (ICE) purchased $3 million worth of Stingrays over several years, and is purchasing airborne mounting kits for both drones and manned aircraft. The FBI has said in response to FOIAs on the topic that they have 20,000 documents related to Stingrays but could provide just two public court orders related to them. Soghoian thinks there's intentional concealment by law enforcement about the devices. (The exclusionary rule doesn't apply in immigration contexts, an audience member noted, citing a case out of the Fourth Circuit, so for now ICE's use of the devices remains entirely beyond court review.)
Butler said DOJ has a strong belief that this is a law-enforcement sensitive method they should keep secret to the greatest extent possible, so it's hard to establish case law underlying use of the technique. The government uses similar tech in war zones, often mounted on drones. As a result, we've now ended up in a weird situation where small town sheriffs and intelligence agencies are using the same gear, mostly in secret.
The moderator asked why more information hadn't been revealed when evidence from Stingrays is used in criminal court. Owsley replied that the burden falls on criminal defense attorneys who may not understand the tech or what questions to ask. (Grits would have added that since most convictions stem from plea bargains, often the government never has to show its cards.) ACLU's Catherine Crump added from the audience that she'd been told the feds often use it for hunting fugitives, where there's no risk of a suppression hearing.
Next up: Biometrics and Drones.