Ross Rice, a former FBI agent, [who] said it’s likely [they are] being used illegally.I wouldn't be too sure about that: Some law enforcement do have Stingrays - Fort Worth PD definitely owns one and several people have told me Houston PD does too, though I've never confirmed it. Departments must sign non-disclosure agreements when they purchase Stingrays so it's impossible right now to know which agencies have them. And Texas law does not specifically regulate the devices.
“I doubt that they are installed by law enforcement as they require a warrant to intercept conversations or data and since the cell providers are ordered by the court to cooperate with the intercept, there really would be no need for this,” Rice said.
“Most likely, they are installed and operated by hackers, trying to steal personal identification and passwords.”
Given that, IMO most IMSI catchers the company found are likely run by law enforcement or spooks (many of the devices are located near military bases, reported Computer World). Perhaps it's just the NSA doing their thing. The feds have even used wearable Stingray devices to covertly monitor political demonstrations. Who knows?
Still, it's notable that, while criminals can't buy the necessary equipment pre-fabbed from the Harris Corporation (Stingray's manufacturer), the tech involved isn't particularly high end stuff and there's nothing to stop someone with nefarious motives from making their own if they have the technical chops.
The Federal Communications Commission recently established a task force to study whether these devices are being misused. But Grits agrees with this expert quoted by the Washington Post that the FCC shouldn't seek to regulate the devices (let courts and legislatures do that) but to eliminate the vulnerabilities that allow them to operate:
Stephanie K. Pell, a cyber-ethics fellow at the Army Cyber Institute at the U.S. Military Academy, said the FCC should investigate not only the illegal uses of IMSI catchers but the network vulnerabilities that allow them to work.Law enforcement won't like that suggestion because it would eliminate one of their favorite new toys, but technology is value neutral. An IMSI catcher doesn't care if it's used to catch crooks or commit crimes. So if cops want to stop the bad guys from using them, the tradeoff will be that they must also remove this tool from their own toolbox.
“I think it would be prudent to assume that the Chinese government and criminal gangs don’t care if IMSI catchers are illegal,” said Pell, who has written extensively about the technology. “Ultimately if we are going to get to the root of the problem, we will have to deal with this from a network vulnerability perspective.”
Until a technical solution is in place, Grits will continue to support laws regulating the use of IMSI catchers by government. But the safer approach would be for the FCC to require companies to fix the vulnerability and, eventually, make the issue moot.