Saturday, March 09, 2013

Bypassing the telecoms: 'Stingrays' allow direct government phone surveillance with little oversight

The third panel at Yale Law School's Location Tracking and Biometrics conference last weekend focused on so-called "Stingray" devices, which is a trade name for a fake cell-phone tower operated by police that tricks your phone into sending its signal to them instead of your cell-phone carrier. (Go here to see the video; the panel on Stingrays begins at the 6:01:28 mark.) The panel was moderated by Jennifer Valentino-Devries, a reporter from the Wall Street Journal who has written extensively about the devices and who I was pleased to learn is a transplanted Texan from San Antonio and a fellow Daily Texan alum. (See her initial WSJ story, and followups here and here, from which Grits first learned about the technology.)

A Stingray device, via the Wall Street Journal
Researcher and electronic privacy activist Christopher Soghoian began the discussion with an overview of the device, the technical name for which is an IMSI catcher. The technology, which came out of Germany and the UK, was the subject of extended patent litigation over who owns the rights from its development. (The ultimate ruling was the tech was not original enough to merit a patent.) The US military utilizes similar technology developed by Boeing and it's also used extensively by American intelligence services. An outfit called Harris Corporation has captured the US law enforcement market with devices costing $60,000 to $175,000. (See prior Grits coverage; in Texas, the Fort Worth PD purchased one.) Most local agencies which have purchased them have done so through grants from the Department of Justice. Soghoian struck out on FOIA requests submitted to the DOJ but learned more from the Federal Communications Commission which must approve their use. Most requests for FCC approval are boilerplate language distributed by Harris, he said. The government uses the devices either when a target is routinely and quickly changing phones to thwart a wiretap, he said, or when phone companies deny law enforcement personal subscriber information and police don't have sufficient cause for a warrant.

The devices exploit a security flaw in cell phone communications that, to my mind, sounds essentially like wiretapping one's phone, intercepting the signal in a man-in-the-middle style attack, contents and all. Standards for 3G and 4G phones include encryption but your smart phone will also use a 2G connection if that's the strongest, nearest signal. Anyone who wants to exploit this security flaw can do it, said Soghoian. Even if it's illegal, there's not an easy way to stop it, though there may be ways to detect when the device is being used. Some hackers in Berlin created  an "IMSI catcher catcher" using a $20 prepaid phone they modified. It works becuse Stingrays look like a normal tower to your cell phone but it doesn't act like one. The German hackers designed software that looks for Stingrays' tell-tale signature

The FCC knows about  these  flaws because they approve local use of "Stingrays" but won't require phone companies to fix these vulnerabilities because they're "in on the deal," said Soghoian, which means the flaws will "stick with us for a long time." Though Harris charges tens of thousands of dollars for the devices, US hackers have demonstrated it's possible to build one for around $1,000. The "age of low cost stingrays is fully on the horizon," he said.

Alan Butler, Appellate Advocacy Counsel for the Electronic Privacy Information Center, said the legal standards for using stingrays are not clear but thinks they have constitutional privacy implications. The SCOTUS cases US v Karo and Kyollo v US are the closest to being on point, he said. Both are about revealing personal details in protected spaces. There are also arguably statutory implications, he said, in 47 USC Sec 222(f) and 47 USC Sec 1002(a).

The Department of Justice claims Stingrays are similar to pen registers and authorized by the same court precedents and statutes, but it's obvious the devices' capabilities are far more sweeping than merely collecting incoming and outgoing phone numbers. The federal Communications Act regulates technology that interferes with communication but courts have not yet found that Stingrays violate that law.

Similar to cell tower dumps, where non-suspects' information is collected along with the surveillance targets, Stingrays raise the question, "What happens to data regarding innocent devices?" On this subject we know next to nothing. The government has exercised extreme controls and secrecy regarding how it uses the technology. Huge swaths of response to FOIA requests are routinely withheld or redacted, said Butler. (Last month, covered the most recent of Butler's FOIA requests on Stingrays, the results of which may be accessed here.)

Federal Magistrate Judge Brian Owsley of the Texas Southern District spoke next, calling Stingrays "cell tower dumps on steroids." He said judges don't see many Stingray requests: He's seen two that he knows of (since it's only been relatively recently that he or anyone else outside the tech companies and law enforcement understood what they were). Documentation coming before a judge on these orders looks essentially like a pen register application and many judges simply don't understand what they're seeing. Magistrate judges are not usually very tech savvy, said Owsley. Upon receiving his second request regarding the technology, he sent an email to every magistrate judge in the country telling them about the devices. About 10% of judges responded. Most hadn't noticed them before or had only seen one or two. Hardly anyone understood them. Indeed, he said, often DOJ officials don't understand the tech  any more than  magistrate judges; the AUSAs just submit a standardized form, which for the most part are rubber stamped.

Owsley first delved into details of the device when a request was submitted to locate and track smuggled cell phones in and out of a prison with the device. He told the AUSA he needed more information and the prosecutor promised to send a memo. He did not submit it for six weeks by which time prison officials located the phone without the device. An order was never issued. Owsley's second run-in with Stingrays  involved a drug case where the target was changing phones faster than the feds could submit warrants to tap them.

The moderator, Valentino-Devries, noted that boilerplate pen register orders name a target, asking "What do stingray orders look like?" Owsley referred her to the DOJ's electronic surveillance manual (pdf) and said to search under "triggerfish," which is the analog version of the device. The main difference is that pen register orders are directed at a third party because that's who controls the technology. However, sometimes AUSAs simultaneously request vendor information to narrow the Stingray's target, which also has the effect of making them appear on the surface to the judge more like a routine pen register case.

Soghoian argued that use of these devices comes close to a "general  warrant" of the type the Fourth Amendment was explicitly created to prevent. The government is sending signals through  people's walls clothes, etc., and inevitably most of those whose information is captured are innocent people. that's not much different than using invasive technology to search every house on the block, he argued. (The fact that the signal penetrates walls of homes and private spaces made Grits wonder if there may be implications for Stingrays from SCOTUS Justice Antonin Scalia's opinion in US v. Jones relying on "trespass" by the government to restrict use of mobile tracking devices attached to personal vehicles.)

Butler noted that one problem with the government's pen register theory is the location limit on pen registers (Stingrays are mobile, fitting in a squad cars or even embedded in clothing.) Owsley added that a pen register order must have a target number, while Stingrays are looking for a target number. The distinction is important because pen registers operate under lesser legal standards than are applied to cell tower dumps, for example.

The even bigger difference, though, is that Stingrays and IMSI catchers can actually capture content. Harris doesn't have marketing materials online, but according to their price list (which has been made public), they sell an interception module that's actually capable of tapping phones just like an old-fashioned wiretaps, but no one knows which  agencies have purchased it. Vendors from other countries advertise interception more aggressively. DOJ tells its employees not to intercept content, said Butler, but the fact that they need to say so implies that the ability exists. Owsley said that AUSA's may not undestand the tech but they do know they're not supposed to intercept content. By contrast, he thinks FBI agents don't understand the same limits the AUSA's seem to and may be using the technology more broadly.

Other agencies use the information even more broadly. Immigration and Customs Enforcement (ICE) purchased $3 million worth of Stingrays over several years, and are purchasing airborne mounting kits for both drones and manned aircraft. The FBI has said in response to FOIAs on the topic that they have 20,000 documents related to Stingrays but could provide just two public court orders related to them. Soghoian thinks there's intentional concealment by law enforcement about the devices. (The exclusionary rule doesn't apply in immigration contexts, an audience member noted, citing a case out of the Fourth Circuit, so for now ICE's use of the devices remains entirely beyond court review.)

Butler said DOJ has a strong belief that this is a law-enforcement sensitive method they should keep secret to the greatest extent possible, so it's hard to establish case law underlying use of technique. The government uses similar tech in war zones, often mounted on drones. As a result, we've now ended up in a weird situation where small town sheriffs and intelligence agencies are using same gear, mostly in secret.

The moderator asked why more information hadn't been revealed when evidence from Stingrays is used in criminal court. Owsley replied that the burden falls on criminal defense attorneys who may not understand the tech or what questions to ask. (Grits would have added that since most convictions stem from plea bargains, often the government never has to show its cards.) ACLU's Catherine Crump added from the audience that she'd been told the feds often use it for hunting fugitives, where there's no risk of a suppression hearing.

Next up: Biometrics and Drones.

See prior, related Grits posts from the conference:


Anonymous said...

I understand the concern raised with the government purchasing and using this technology, but am more concerned about the conduct of private corporations. With dwindling budgets and increased public awareness, I don't worry too much about my local PD using this technology. However, I am far more concerned about intelligence organizations like LexusNexus, Reuters, and others who are actively in the intelligence gathering and selling business? If Ft Worth PD can get one, who is to say that some multi-million dollar corporation doesn't have one either? I haven't seen this issue addressed anywhere and would be curious to know if others have raised similar concerns.

Gritsforbreakfast said...

At the conference they said that was a bigger issue in other countries than here, especially outside of Europe and including in some totalitarian regimes where their use is completely wide open to anyone - companies, private citizens, etc..

That said, with the prices coming down - given that somebody can now apparently build one for $1,000 - the risk of use in the private sector for corporate espionage or even by individuals, PIs, aggrieved spouses, etc., becomes greater.

I wouldn't discount your local PD getting one, though. DOJ and DHS grants in the past few years have been pretty easy to come by. Ironically, that's one benefit of the sequester - precisely those grant funds, in the near term, are drying up.

Anonymous said...

However citizen Joe is promised privacy..the govn and private corporation with and have developed and abuse technology until the public becomes aware. We usually find out through accidental vigilence on the part of a few. Most cases too late to overcome damage done.

Anonymous said...

They can record me all they want. I've done nothing and plan to do no wrong. No fear here.

Gritsforbreakfast said...

No fear, you say, 8:39, yet you choose to comment anonymously. A tad inconsistent, no?

Everybody wants privacy at some level, for the same reason you prefer not to attach your name to your opinions. Ironic that you can't see it.

Anonymous said...

I posted anonymous because I don't have a Google account nor do I know what an OpenID or Name/URL consist of.

Gritsforbreakfast said...

Exactly, you don't want to give your information because you don't know who you're giving it to - you value your privacy. Just not that of others.

Skifool said...

Grits, don't be too hard on Anon. 6:28, it was awhile before I could figure out that, even if you don't have a Google account, you can just post under a name and ignore the UIL part.

I appreciate your excellent coverage of these issues.

Skifool said...

I mean ignore the URL part.

Anonymous said...

The fix for this is to add a software feature to cell phones to digitally scramble the conversation on the fly. It would take very little processor overhead.

Anonymous said...

Agree with grits 100%

Anonymous said...

Don't know about y'all but less govn intrusion in my life makes me feel like I truly have the freedoms and privacy that we have claimed and beat our chests to. Thanks grits for ur vigilence

Anonymous said...

Personally, I don't believe that merely protecting the content of our conversations goes far enough. Consider the implications of someone using this technology to identify the participants in a political protest, those who choose to shop at a sexually oriented business, or those who frequent a "gay" bar. All are engaging in lawful activity, yet can be specifically identified and either targeted or marketed too based upon their phone number and subscriber information. That needs to be protected as well.

window phones said...

However, I am far more concerned about intelligence organizations like LexusNexus, Reuters, and others who are actively in the intelligence gathering and selling business? If Ft Worth PD can get one, who is to say that some multi-million dollar corporation doesn't have one either? I haven't seen this issue addressed anywhere and would be curious to know if others have raised similar concerns.

Anonymous said...

Government data gathering on individuals is rapidly increasing to the point that all aspects of the daily lives of American citizens are, or soon will be recorded, and stored for future reference. Yet, why spend so much time, money, and effort on spying on mom, and pop, and the kids? Seriously, does government believe that terrorism justifies this level of intrusion, or could it be that such information gathering really isn't so much about terrorism, or law enforcement for that matter. Could eternal storage of your voice traffic, travels, financial activity, and associations be about crushing political opponents who dare to question the regime? Could we ever see political retaliation in good ol America on this level??? No!!!!!!! The IRS and other intelligence gathering orgs would never go along with that! Why, ASK Tea Party members and organizations! But, then again, as our framers remarked, government is force, and We the People must maintain absolute and total control over it, or liberty will just be a faded dream. And, as our Lord stated, the heart of man is despicably evil. Combine the evil nature of man with technology and you have the new age of tyranny. Wake up before its too late.