Thursday, February 8, 2018

StingRays: A More Dangerous “Fish”

Brief Overview
     In the context of privacy and technology, the word “StingRay” has drastically different connotations than when talking to marine biologist or oceanic enthusiast. As defined by the ACLU, 
"Stingrays, also known as 'cell site simulators' or 'IMSI catchers,' are invasive cell phone surveillance devices that mimic cell phone towers and send out signals to trick cell phone in the area into transmitting their locations and identifying information. When used to track a suspect's cell phone, they also gather information about the phones of countless bystanders who happen to be nearby," [1]. The term StingRay comes from the metonymization of the Harris Corporation’s StingRay I and StingRay II, arguably the most popular of the IMSI catchers available to law enforcement and government agencies. Traditionally, law enforcement mounts the StingRay inside of their vehicles. It then connects to their laptops and an application allows them to interface with the device and begin tracking it. Although all IMSI catchers have various abilities, they share the ability of extracting the IMSI (International Mobile Subscriber Identity) and ESN (Electronic Serial Number. The StingRay I/II and other IMSI catchers can generally also track the location of the intended target, as well as everyone else within ~200 meters. The StingRay does both of these by simulating a cell tower and forcing phones to connect to it; as long as a phone is on and not currently calling another device, it is susceptible to tracking and data collection. 

Use Within the United States
  The ACLU and other related organizations have identified at least 72 state and local law enforcement agencies within 24 states and 13 different government organizations which actively use StingRays and other similar devices. However, the secrecy surrounding the use of StingRays and the difficulty in detecting their use makes it difficult to speak for the accuracy of this number. The ACLU estimates that “this number dramatically under represents the actual use of stingrays by law enforcement agencies nationwide,” [1]. The secrecy surrounding the use of StingRays stems from an non-disclosure agreement signed by all entities using Harris products and the FBI [5]. In a recent statement, the FBI has rescinded the mandated non-disclosure agreement, leaving local and state agencies more capable of discussing and disclosing the use of StingRays [6]. Recent court documents and agency admissions show that San Bernardino’s Sheriff's Department used the device 300 times in the short span of 17 months [3]. In 2014, Wired magazine disclosed the use of StingRay devices in over 200 cases by Florida police. From the same article, it notes that “an FBI agent described using a cell site emulator more than 300 times over a decade and indicated that they were used on a daily basis by U.S. Marshals, the Secret Service, and other federal agencies” [4].

Privacy Concerns and Implications
Until recently, the use of StingRay devices has been largely unregulated. In the case of the San Bernardino Sheriff’s Department, use of StingRays was disguised as pen/trap orders. A pen/trap order, more formally known as a pen register and trap and trace order, allows law enforcement to see the incoming and outgoing calls without seeing the content. Pen/trap orders require only a “reasonable suspicion”, rather than the “probable cause” required by a warrant [8]. Although originally limited to location tracking and metadata collection, software updates and “add-ons” offered by the Harris Corporation allow StingRays to collect data off of phones and intercept phone calls and text messages. However, both the warrant-less use and surreptitious data collection pale in comparison to the largest privacy concern related to the use of StingRays and other related devices; devices such as these have no control over who connects to them and what data is captured. The StingRay has an effective range of ~200 meters, which can be increased by addons like the “Harpoon”. The next generation in IMSI catchers, the “Hailstorm”, has a reported effective range larger than that [10]. In active mode, the StingRay can simultaneously simulate several cell towers and monitor multiple bands. In essence, it captures the IMSI/IMEI of every device within the effective radius, without consent or notice. 
The tracking and location gathering is not limited to phones. In a gross violation of privacy, the FBI used a StingRay device in conjunction with a cell provider to reprogram the data-only SIM of Daniel David Rigmaiden. The reprogramming allowed the FBI to interrupt his data service and place calls to the SIM card. In turn, this forced the SIM to reconnect to a cell tower, which the FBI substituted with a StingRay device. The connection allowed the FBI to track Rigmaiden to his apartment and later discover which apartment was his all without a warrant. Without the use of a StingRay device, Rigmaiden would have remained anonymous because he rented the room under a different name. After discovering his location, the FBI surveilled the apartment and waited for Rigmaiden to leave, upon which they arrested him for identity theft [7].

Law Enforcement Response
Law enforcement has long used StingRays and other similar devices as an integral part in drug and criminal investigations. Their efficacy is undeniable, and often cited as a reason to keep using them without changing how they are used, i.e. not requiring warrants. Other notable defenses of their warrantless use rely on their definition as a pen/trap device, rather than a wiretap or data collection device. By default, the devices only collect the IMEI, ESN, and relatively vague location data; however, software options allow the devices to also collect and intercept phone calls, text messages, and other private information. Law enforcement also contends regulations on the use of StingRays with the assertion that they help with counter-terrorism. The Electronic Frontier Foundation’s Jennifer Lynch disputes this assertion, noting that “[She is] not aware of any case in which a police agency has used a cell-site simulator to find a terrorist”. Recently, the FBI changed their policy to require warrants for the use of StingRays unless “exigent circumstance” dictates otherwise; twelve states have followed suit [12].

My Opinion
I feel strongly that all use of StingRays should require a warrant. In my opinion, the warrantless use of such devices completely violates my “reasonable expectation to privacy” while using my phone. The use of one in my general vicinity exposes me to an unwanted entity, and I have no way of determining if I am connected to one or not. The only real countermeasure involves disabling or abandoning one’s cell phone, which seems excessive for something that shouldn’t happen without my consent. Furthermore, the lack of formal training on how to use these devices, and more importantly, when to use these devices by local law enforcement agencies frightens me. Inadvertent data collection seems inevitable, given the frequency and variety of use by law enforcement agencies nationwide. Additionally, the ability of StingRay devices to track locations seems particularly invasive in an increasingly connected age. Many cars now come with internet connectivity; this gives the government the ability to track the location of a vehicle, much like they did with Rigmaiden’s “data-only” SIM card. Other internet connected devices have the same vulnerability, which allows the government and other agencies to track both myself and others, without our consent, almost everywhere we go. The potential for misuse, even with a warrant, seems high; however, by requiring a warrant judges gain access to how these devices are used, and can then place limits on their use. 

Interesting Links:
User Manuals published by the Harris Corporation: Quick Start Guide & Software Operation Manual, provided by The Intercept [2]
General information about StingRays: https://en.wikipedia.org/wiki/Stingray_phone_tracker 

Resources
  1. https://www.aclu.org/issues/privacy-technology/surveillance-technologies/stingray-tracking-devices-whos-got-them
  2. https://theintercept.com/2016/09/12/long-secret-stingray-manuals-detail-how-police-can-spy-on-phones/   
  3. https://arstechnica.com/tech-policy/2015/05/county-sheriff-has-used-stingray-over-300-times-with-no-warrant/ 
  4. https://www.wired.com/2014/03/stingray/ 
  5. https://www.documentcloud.org/documents/1727748-non-disclosure-agreement.html
  6. https://arstechnica.com/tech-policy/2015/05/fbi-now-claims-its-stingray-nda-means-the-opposite-of-what-it-says/ 
  7. https://www.wired.com/2013/04/verizon-rigmaiden-aircard/  
  8. https://www.voanews.com/a/cellphone-sweeping-stingray-technology/4137145.html 
  9. https://theintercept.com/2016/09/12/long-secret-stingray-manuals-detail-how-police-can-spy-on-phones/ 
  10. https://arstechnica.com/tech-policy/2013/09/meet-the-machines-that-steal-your-phones-data/2/ 
  11. https://motherboard.vice.com/en_us/article/wnjvq5/the-fbi-now-needs-a-warrant-to-use-stingray-cell-phone-trackers 
Posted by at

23 comments:

  1. UnknownFebruary 9, 2018 at 12:52 PM

    I am in agreement that warrants should be required for use of StingRays. To build on that, I also think which law enforcement agencies have StingRays, and how many, should be public information. I did a brief search and found that 24 states use them on local, state, or both levels, and it is unknown whether or not they're used in the remaining 26 states (1). I also found an article from the LA Times (2) which explained that despite a California state law requiring law enforcement agencies to report their possession and use of StingRays, not all agencies did, or they used loopholes by hiring other entities to use the StingRay for them so it wouldn't have to be reported. So, along with requiring warrants, I think possession and use of StingRays by law enforcement should be public knowledge that is completely enforced. To me, this would allow law enforcement to use StingRays to address crime, but still hold agencies accountable to the public.
    (1) https://www.aclu.org/issues/privacy-technology/surveillance-technologies/stingray-tracking-devices-whos-got-them
    (2) http://www.latimes.com/politics/la-pol-sac-cell-phone-surveillance-transparency-law-20170827-htmlstory.html

    ReplyDelete
    Replies
    1. Randy DryerFebruary 11, 2018 at 9:51 AM

      Thanks, Lily, for undertaking and sharing your research. The issue of the lack of transparency about the use of StingRays is an important issue.

      Delete
  2. UnknownFebruary 9, 2018 at 5:03 PM

    I think that your opinion is well stated but there are a few points I would like to bring up. First of all I have a problem with the warrant part of your opinion. I do agree that a warrant should be necessary but only if its used at all. I believe that stingrays shouldn't be used period. In your post you talked about how the sting rays would attract phone signals without consent as long as they were in range. This means a bunch of innocent bystanders could also have their privacy broken. Yes I believe the warrant is a nice idea, however I believe its unrealistic. I know for sure I would be upset if I was in the zone of a stingray and my private data was breached or my location was being tracked. This device reminds me of the batman movie In which he could detect the motion of all joker's minions. Which I believe in theory is the same concept.This shows how outstanding the technology we have is and I think thats super cool. I really like the point you made about more training with this equipment. I think for this to be used the technology needs to be better and there has to be a way to regulate It from abuse. The scary thing about this technology is that no one would ever know that they're being tracked. I think overall this is a technology that is a total breach of privacy and should not be allowed.

    ReplyDelete
  3. QGFebruary 10, 2018 at 4:51 PM

    I’m not the only one being reminded of movies while reading this post. I kept imagining the Jason Bourne movies as I read through this. The David Rigmaiden story you brought up was interesting, because if he was renting under a different name, and guilty of identity theft, then a tracking system like this seems both reasonable and necessary for catching someone like that quickly. That being said, I agree that at the very least any agency must acquire warrant before using this technology. But I also wanted to eco the concerns of Mason, who brings up the excellent point that this technology could violate the privacy of bystanders as well as the potential target. At the very least, we need some serious regulation place. Maybe more than just the requirement of a warrant prior to use.

    ReplyDelete
  4. UnknownFebruary 10, 2018 at 5:54 PM

    To me this is a perfect example of having to weigh public safety over personal privacy. I believe the use of StingRays at all is a breach of privacy. However, as you stated, "their efficacy is undeniable." At the very least I think a warrant should be required along with additional regulations, like increased transparency from law enforcement agencies concerning StingRay use. It bothers me that data is gathered from people who are simply in the vicinity of the target, but to me the benefits outweigh the concerns.

    ReplyDelete
  5. NYoungFebruary 10, 2018 at 6:59 PM

    In class it was once mentioned that warrants can be very specific in what they allow law enforcement to search and/or seize and that any evidence of criminal activity found while exercising the warrant but not specified in the warrant could not be used as evidence in a criminal case. I do understand that sting-rays could be a very useful tool for law enforcement and thus I think we should allow their use. However, I believe the use of sting-rays should require warrants written specifically for the phone of the person who is being investigated. This would hopefully protect the information of others in the area who's phones happen to connect to the device.

    ReplyDelete
  6. UnknownFebruary 10, 2018 at 7:27 PM

    The use of stingrays is difficult to encourage due to the people who are victim to the device. Law enforcement already has ways to gain information from people's phones, and the stingray seems like a way to gain even more information. While I would say that a warrant should be required for tracking a specific subject, this ignores the bystanders that are in close proximity to the suspect. The people who happen to be walking near the suspect haven't given a legitimate reason for law enforcement to investigative them. This is a complete breach of privacy. On the other hand, Stringrays have shown to be effective in use. Ultimately, I think that stingrays should be allowed under several rules, including gaining a warrant and informing the general public of which agencies use stingrays.

    ReplyDelete
  7. UnknownFebruary 10, 2018 at 8:03 PM

    This comment has been removed by the author.

    ReplyDelete
  8. UnknownFebruary 10, 2018 at 8:09 PM

    With the internet of things coming, the prospect of goverment agencies being able to veiw all your data without a search warrent is spooky dooky. Because of loose regulation and little data collection on the use of Stingrays, it seems ripe for abuse. Again, my distrust for police forces makes me wary of allowing the use of stingrays at all.

    ReplyDelete
    Replies
    1. QGFebruary 10, 2018 at 11:20 PM

      What if groups other than police forces specifically are allowed to use them? Just a thought (since we are embracing the distrust narrative).

      Delete
    2. Randy DryerFebruary 11, 2018 at 10:21 AM

      Good question, Quaid. Should private investigators hired by a spouse who suspects their spouse is engaging in an extramarital affair or parents wanting to track there children be allowed to use StingRays? Is there any legal remedy a person would have if they are subjected to StingRay location surveillance? Everyone come to class on Monday prepared to answer these questions.

      Delete
    3. UnknownFebruary 11, 2018 at 2:19 PM

      This comment has been removed by the author.

      Delete
    4. UnknownFebruary 11, 2018 at 2:24 PM

      Let me clarify; I have no trust in anyone. When given the opportunity, I believe all people will abuse power, so it's not just about the abuse of power in police forces. I don't see any person fit to have access to such technology and able to refrain from using it for unrighteous reasons. Plato's parable of Gyges is about a righteous good man who finds a ring that allows him to become invisible (just like in Lord of the Rings). At first he resists the urge to abuse this new ability but eventually what he has to gain from doing the "wrong" thing becomes too great and he cannot help himself. Furthermore, Plato mentions that people hearing this parable say that they too would follow in Gyges footsteps and that it would be a waste to not take advantage of his ability. So, Quaid would you trust me with a stingray if I built one? Because I'm already in the process of building one. https://www.theverge.com/2017/7/30/16058174/diy-cellphone-sniffer-gsm-imsi-catcher BEST $7 OF MY LIFE.

      Delete
  9. VYoungFebruary 10, 2018 at 8:50 PM

    Along with all of the replies so far, I too believe that at the very least a warrant should be necessary in order to use a stingray device. Also, I do not think that the information collected from bystanders should be used or recorded in any way as the warrant would only have been issued for the information provided on the suspect. It is clear to me that a warrant would be needed as a person's location and cell phone information could be collected whether that person is in a public place or somewhere that is accepted to be private such as a their home, a hotel room, or a restroom. It was deemed that a warrant was needed to use a thermal camera from the street to collect thermal data/images of a person's house, a stingray device is no different in that it uses electromagnetic frequencies to collect information on someone who is in their home.

    ReplyDelete
  10. Ivana MartinezFebruary 10, 2018 at 9:43 PM

    Understanding that stingrays are extremely invasive and the risks they pose to privacy is critical. Especially because regulations are different to each state. I think you make a good suggestion that law officials should require a warrant. While I agree that law enforcement should require a search warrant to use stingrays, Nicolo brings to light a good point, warrants are subjected to probable cause and are very specific to what is being searched and seized. But I went and did a little search on alternatives to this issue. I found that in New York they have been attempting to address the potential privacy invasion, “in most circumstances New York law is clear that law enforcement should be obtaining an eavesdropping warrant – a special type of warrant that comes with heightened privacy protections to ensure that law enforcement is not engaging in unnecessary and unjustified surveillance.” (https://www.nyclu.org/en/stingrays) So to conclude I think these type of warrants should be required. But I also acknowledge the shortcomings of this study as it is just a study on New York, and not inclusive of other states. Which may point to why law enforcement hasn’t been subjected to use warrants in these searches. One major concern I had while reading was when you mention that stingrays are used in criminal investigations when they are collecting the information of the suspect, this may also include bystanders. What would be the potential implications of data collections on bystanders and furthermore what happens to the data collected by the Stingrays?

    ReplyDelete
  11. Ethan CarterFebruary 10, 2018 at 9:47 PM

    I believe that it is okay for Stingrays to operate under reasonable suspicion over search warrants IF their use is made transparent. From Andrew's 1st source, there are 26 states that aren't clear about whether or not they employ cell site simulators (which honestly comes off as those states using them but not admitting it). One of the aspects of privacy that I value most is transparency--I feel a lot more comfortable having my phone records monitored if I know that it's being done! I'm not sure how this would be done though; maybe a disclaimer on the state/local law enforcement website?

    ReplyDelete
  12. UnknownFebruary 10, 2018 at 10:38 PM

    I believe that due to the efficiency of the Stingrays they should for sure be able to be used. Additionally, I think that the key to the Stingrays is the ability to be hard to detect. If the police have to spend time waiting for a warrant, the people they are trying to protect may be in jeopardy. I believe that the FBI and other agencies should be able to continue acting under "reasonable suspicion." However, they should set regulations on what they do with the data collected from the people surrounding the suspect. I think that they should be made to delete all data from the phones around the suspect and any data gathered off of those phones that could point to a separate crime should be invalid evidence. For me the safety of the public should outweigh the privacy of the a few persons.

    ReplyDelete
    Replies
    1. UnknownFebruary 11, 2018 at 3:25 PM

      Hey thats good to know. Im glad you're ok with your roommate tracking your every move. It took me one internet surch to realize how easy this technology is to use and implement. This article breaks every step down.

      "Nowadays, it’s so trivial it’s frightening. Any cell provider could take an intern and make it happen in 6 months. Gotta save some signal information? It’s already done. Gotta do a bit of algebra? Nothing difficult."

      https://thehftguy.com/2017/07/19/what-does-it-really-take-to-track-100-million-cell-phones/

      Delete
  13. Ian HarrisFebruary 10, 2018 at 10:41 PM

    Not to be dull, but I completely agree with you; warrants should be required for the usage of StingRay devices by law enforcement. Some other people have commented that StingRay devices should not be used at all, given the potential privacy disruptions they may cause. However, I can see that StingRay devices may be useful to law enforcement, both locally and nationally. I also believe that people should be made aware if their local law enforcement agencies use StingRay devices, although I'm not sure how much information could be released to the public beyond that before the usefulness of the StingRays would decrease. I also think it would be more ethical to place a limit on the range of the devices; 100m seems to be small enough that it wouldn't take in too many people.

    ReplyDelete
  14. UnknownFebruary 10, 2018 at 10:48 PM

    Although stingrays pose a major threat to individual privacy, I believe that if there is a warrant issued then law enforcement should be allowed to use this technology. Echoing many of the other comments I believe that the potential for abuse of this technology is too great to allow any officer to use it on a whim, as it could be used to track and gain significant information on any individual at anytime without their knowledge. However if there is a warrant that means there is actual reason for the stingray to try and locate this person versus just “fishing” for something that may or may not be there. As long as the information from the bystanders phones isn’t saved (essentially mass collecting data from the public while supposedly only searching for one person) then this technology should be used by law enforcement given that there is warrant issued.

    ReplyDelete
  15. Randy DryerFebruary 11, 2018 at 11:07 AM

    Andrew (and everyone else): Do law enforcement agencies in Utah use Stingrays? Are there any laws in Utah that govern use of the technology? Five extra credit points to the first person who correctly answers these questions.

    ReplyDelete
    Replies
    1. UnknownFebruary 11, 2018 at 4:52 PM

      In 2015 Utah passed a law requiring law enforcement to have a search warrent to use Stingrays. Utah law enforcement does use this technology. I searched utah's passed legislation for bills on this subject and couldnt find any bills restricting the use of this technology for individuals. But I hope I'm wrong and just didnt search thoroughly enough.

      Delete
  16. UnknownFebruary 11, 2018 at 9:15 PM

    My findings were similar to Logan's. According to the source I cited in my first comment, it was unclear whether or not Utah law enforcement used Stingrays, but I would presume they do based on the law Logan referenced (https://le.utah.gov/~2014/bills/static/HB0128.html) requiring a warrant for police to use technology such as a Stingray to determine someone's location.

    ReplyDelete

Subscribe to: Post Comments (Atom)