Seven Years After Discovering Rogue Stingray Devices In DC, The Federal Gov't Still Doesn't Have Any Idea What To Do About It

from the tfw-when-you-love-surveillance-way-more-than-countersurveillance dept

Seven years ago, wardriving security researchers discovered rogue cell tower simulators being operated near sensitive locations in Washington, DC, presumably by foreign governments.

The company used their ultrasecure CryptoPhone 500 to search for the interceptors, which can compromise phones through baseband hardware and are believed to have a range of roughly 1 mile. ESD America‘s phones allegedly detected telltale signs of call interception in the vicinity of the White House, the Russian Embassy, the Supreme Court, the Department of Commerce, and the Russell Senate Office Building, among other landmark buildings.

Three years later, Senator Ron Wyden sent a letter to DHS Undersecretary Christopher Krebs, asking him to look into this report. The DHS was told to find out where these were located, who was running them, whether the DHS was already aware of this problem, and what, if anything, the DHS planned to do about it.

The answer -- arriving four months later -- was "not much." The DHS agreed the possible use of Stingray-type devices by foreign operatives was indeed the sort of thing it should be concerned about (what with it being in the business of securing the homeland), but didn't appear to believe it should do much about it itself. It said it had detected several devices during a 90-day operation using ESD America equipment, but had no staffing or funding to do anything more than confirm what ESD America had discovered four years earlier.

Another three years have passed and nothing has changed but the list of federal entities that are apparently unable to do anything about these obvious threats to national security. Dell Cameron has the latest on the federal government (in)activity for Gizmodo:

It has been a matter of public record for decades that phones can be tracked and calls and text messages intercepted using a device called a cell site simulator, which exploits long-standing security vulnerabilities in phones by impersonating a legitimate phone company’s cell towers,” Sen. Ron Wyden wrote Thursday in a letter to the director of national intelligence; heads of the FBI and CISA—the agency charged with defending critical systems; and the presumptive next chair of the Federal Communications Commission.

“While the threat posed by this technology has been clear for years,” Wyden wrote, “the U.S. Government has yet to meaningfully address it.”

Among other concerns in the letter, both the Departments of State and Defense have confirmed to Wyden’s office, he said, “that they lack the technical capacity to detect cell site simulators in use near their facilities.”

"For years." That's the problem here. The threat to national security has been at least implied since 2014, when security researchers discovered cell site simulators that didn't appear to be operated by US agencies. That so many were clustered around sensitive areas of Washington DC suggested surveillance by inappropriately curious, if not actually malevolent, foreign agents or operatives.

And the tech itself is no secret either. Not only are Stingray devices widely used by US government agencies, they're also widely used by foreign governments -- many of which have no legal or moral compunction preventing them from using them as more than phone-tracking devices. The devices can also intercept communications and create attack vectors for cellphone-targeting malware. This is the sort of thing that should have been more than shrugged at by federal agencies.

And it doesn't take a government to get this dirty work done. Individuals and members of extremist groups can knock together cell tower simulators on the cheap -- powerful tools that don't rely on a support team of techs or a nondescript host vehicle to engage in tracking, eavesdropping, or hacking.

Researchers in the past have assembled devices for as little as $1,000, and have been able to carry out sophisticated attacks beyond the power of those licensed by state and local agencies. In recent years, international vendors have marketed versions small enough to wear undetected, allowing them to slip into the middle of a protest, for example, without raising alarm.

While it's true the government's offensive options might be limited, as attempts to knock out unknown cell site simulators might result in cell service disruptions in the immediate area, that doesn't mean the government is unable to mount a better defense.

Wyden's letter [PDF] asks who's really in charge out there, if anyone? While there may be no perfect agency to oversee the security of phone networks, one agency needs to step up and assume some responsibility while the details are sorted out. His letter hints that the FCC may be able to assist here.

If it can't oversee the entire process, it could at least institute requirements for cell phone providers that would make phones less susceptible to tracking and interception by these devices. Wyden suggests making it easier for phone users to locate and terminate support for 2G and 3G networks, which are more easily exploited by cell site simulators.

Wyden also suggests something practical that could be implemented quickly and at a minimum of expense: encrypting all voice and text communications by federal employees, which would make interception by Stingray devices mostly worthless.

Finally, Wyden wants to know who's doing anything to protect US government employees and facilities from these attacks, whether they occur in Washington DC, or elsewhere in the world.

These questions need answers. But they also need action. It's been seven years and we've seen very little of either from federal agencies that express their strong concerns about national security when they're playing offence (engaging in broad, intrusive surveillance, violating/ignoring citizens' rights) but seem far less concerned when they're asked to actually, you know, secure the goddamn nation from known threats.

Filed Under: imsi catcher, stingray, washington dc

Judge Shuts Down Vallejo PD's Illegally-Obtained Stingray

from the city-is-ping-free-until-further-notice dept

For the moment, police officers in Vallejo, California aren't allowed to use their cell site simulator. A tentative ruling [PDF] issued by a judge says the city violated the law by approving the purchase of a Stingray device without instituting a privacy policy governing its use -- a policy explicitly approved by the city council and subjected to public scrutiny prior to adoption.

The case challenging the new device's purchase and use was brought by Oakland Privacy. Matthew Gauriglia of the EFF breaks down the multiple ways the city and its PD skirted their obligations to Vallejo residents.

The City Council assembled via teleconference in spring 2020, amidst a state-wide pandemic related shelter-in-place order, to vote for the purchase of this controversial piece of surveillance equipment. It did so without adequately obtaining input from the public.

What’s worse, the city council approved the purchase in violation of state law (S.B. 741) regulating the acquisition of such technology. [...] The law prohibits local government agencies from acquiring cell-site simulators without the local governing body approving a specific privacy and usage policy that “is consistent with respect for an individual’s privacy and civil liberties.” This policy needs to be available to the public, published online, and voted on during an open hearing.

The Vallejo city council dodged its state law obligations to expedite the acquisition of the device, seemingly taking advantage of restrictions on gatherings to minimize objections from the public. That decision has led to this (tentative) decision: no tech toy for city cops until it follows the steps above.

This sort of deception is far too commonplace when it comes to law enforcement agencies and the acquisition of controversial tech. Assertions that law enforcement needs this secrecy to stay a step ahead of criminals often go unchallenged. This continues to happen even though Stingrays and other tech (like phone-cracking tools) have been in the public eye for years and their capabilities discussed openly -- not just by civilians, but by government agencies and officials.

It seems pretty short-sighted to take steps like these to dodge controversy. Bypassing obligations to the public tends to result in greater public scrutiny once these actions are exposed or, as in this case, directly challenged as violations of the law. This (tentative) victory for Vallejo-area transparency activists shows the city would have been better off doing it all by the book in the first place. Now it's going to have to retrace its steps and no longer has a COVID lockdown to abuse to minimize complaints from the pesky peasants.

Filed Under: 4th amendment, california, cell site simulator, privacy, stingray, surveillance, vallejo

DHS Probably Didn't Clone Phones To Intercept Protesters' Communications

from the more-fuckedupness-from-the-feds dept

More information continues to leak out about the federal government's ad hoc anti-riot strike force (or whatever) that made its nationwide debut in Portland, Oregon. The federal officers -- composed of DHS components, US Marshals Service, and Federal Protective Services -- made an immediate impression on the nation as unmarked officers hauled protesters off in unmarked vehicles to undisclosed locations for questioning.

The feds immediately made things worse, resulting in a restraining order being sought after federal officers refused to stop attacking journalists, lawyers, and observers present at the protests. The DHS also began compiling "intelligence reports" on journalists covering the Portland protests, as well as other journalists who had published leaks about the federal response in Oregon.

Information obtained by Ken Klippenstein for The Nation shows the DHS and other federal agencies acting like they were headed to a war with foreign combatants, rather than limiting themselves to protecting federal buildings in Portland.

A current DHS official described a colleague with expertise in electronic surveillance who was being deployed to Portland. But for what purpose? “Extracting information from protester’s phones,” the DHS official said. While in Portland, an interagency task force involving DHS and the Justice Department used a sophisticated cell phone cloning attack—the details of which remain classified—to intercept protesters’ phone communications, according to two former intelligence officers familiar with the matter.

Cell phone cloning involves stealing a phone’s unique identifiers and copying them to another device in order to intercept the communications received by the original device. The former intelligence officials described it as part of a “Low Level Voice Intercept” operation, declining to go into further detail—one of them citing the sensitive nature of the surveillance tool and the other an ongoing leak investigation within I&A [Intelligence & Analysis].

If this is accurate, there are some obvious First and Fourth Amendment issues here. Targeting protesters engaged in protected speech is already wrong, but seeking to intercept their communications is something that requires a whole lot of probable cause. Wiretapping requirements are more stringent (or at least, they're supposed to be) than they are for other types of searches because of the obvious subversion of privacy expectations.

Beyond that, engaging in sophisticated cloning attacks is not "Low Level Voice Intercept." This term -- at least when used by the US military -- simply means scanning airwaves to find radio and mobile transmissions. Once located, they can be listened to. This generally refers to radio chatter, not the cloning of phones to eavesdrop on private communications between individuals.

This suggests the use of Stingray device to snag device identifiers and (possibly) engage in call interception. Stingray devices are capable of intercepting communications, but we've never seen one used that way domestically. It may not have happened here either, but it certainly would have helped identify devices and locate surveillance targets. The DHS has a warrant requirement for Stingray deployment, but there's no mention of warrants in this article. Some exceptions apply, but the DHS would still need a pen register order and that would also require a judge's okay.

That this was used domestically to possibly spy on people engaged in peaceful protests is concerning. That it was used to try to find evidence to back President Trump and AG Bill Barr's ridiculous assertions that "anitfa" is an organized terrorist group is even worse. And if this is indeed what happened, it seems unlikely federal officers (which may have included "volunteers" from the DEA) had the probable cause necessary to snoop on private communications.

Even former spies are uncomfortable with the tactics used here.

The former intelligence officers agreed that the Low Level Voice Intercept operation had been conducted on the ground, was far more invasive than aerial surveillance, and involved equipment that I&A did not have access to.

“[There were] at least two federal agencies and there was some spooky shit going on,” one former intelligence officer said of the Portland operation.

It's still unclear what the DHS actually did here. The article refers to the same actions as both "intercepting communications" and "extracting information." Undoubtedly, there's some "spooky shit" going on, but none of the former officials were present for whatever spookiness the DHS engaged in. The DHS has Stingrays and could have used them illegally. But it seems more likely it sent out an expert to help federal agents pull information from devices seized from protesters. The "cloning" discussed most likely refers to cloning the device's contents, rather than the device itself. This is common when phones are seized by law enforcement. Again, a warrant is required but the cloning often occurs before the warrant is sought to ensure law enforcement has access to it.

Then there's this, which suggests a DOJ component brought in a phone-cracking device (GrayKey, Cellebrite, etc.) to make it easier to extract device contents.

A current DHS official described how a colleague who was being deployed to Portland had alluded to using the Drug Enforcement Agency (DEA), part of the Justice Department, for the purposes of accessing protesters’ phones. “He said he needed some sort of ‘special key’ in order to …He said that DEA has that capability and vaguely alluded to possibly borrowing or using one from another agency once he got to Portland.”

If the DHS actually engaged in the interception of cellphone communications, it would be breaking new domestic surveillance ground. But it seems more likely it accessed a bunch of devices' contents and made copies of the data. Until more information surfaces, it's probably safe to assume federal agencies weren't listening in on private communications.

Filed Under: 1st amendment, dhs, federal protective services, portland, protests, stingray, surveillance, us marshals

Appeals Court Tells Baltimore PD To Start Coughing Up Information About Its Cell Site Simulators

from the no-more-hanging-around-in-the-shadows dept

The Baltimore Police Department was an enthusiastic early adopter of cell site simulator technology. In 2015, a Baltimore detective admitted the department had deployed its collection of cell tower spoofers 4,300 times since 2007.

The best estimate on how many of those 4,300 deployments ever showed up in court documents remains near zero. The Baltimore PD hid its deployments behind pen register orders, ensuring judges and defendants never knew the departments was using cell site simulators to track down suspects.

A little bit of information has reached the public domain in recent years, showing the Baltimore PD was more willing to toss cases than expose its use of Stingray devices. Judges were willing to toss cases too, once it was determined these secret deployments violated the Fourth Amendment.

There are now three Supreme Court rulings that directly affect Stingray deployments, with the most recent being the Carpenter decision. If the government needs a warrant to obtain historical cell site location info, it stands to reason a warrant should be required to engage in real-time tracking using Stingrays, even if the court did not specifically address this.

There's also the Kyllo decision, which found the use of an infrared device to search a house for occupants violated the Fourth Amendment. An intrusion in which the government never actually enters the house is still an intrusion. Cell site simulators force phones inside houses to give up certain identifying information even if officers never approach the residence.

Finally, there's the Riley decision that implemented search warrants for cellphones. A Stingray device searches cellphones, even if the search is "limited" to identifying info and location data. (Stingrays can also be used to intercept communications, but there's been no confirmed use of this particular configuration by US law enforcement agencies.)

All of these are in play in this recent decision [PDF] by the Fourth Circuit Court of Appeals. The court does not explicitly find that a Hailstorm deployment by the Baltimore PD in 2014 was unconstitutional. But it does find that the lower court did not do enough fact-finding to determine whether it fell on the wrong side of the Fourth Amendment.

The Baltimore PD has pretty much conceded some of these points already.

Defendants concede that the Hailstorm simulator searched, at minimum, Andrews’s phone, and that its use thus required a warrant. Nor do Defendants controvert Andrews’s assertion that the Hailstorm simulator searched other cellular devices in the vicinity, or that it searched nearby homes by transmitting spoofed cell tower signals through the walls.

But the PD is still arguing that its use of a pen register order was the Constitutional equivalent of a search warrant.

Defendants instead argue that the Pen Register Order satisfied the warrant requirement and that any intrusions on third parties’ privacy interests are irrelevant to Andrews.

Those "third parties" would be everyone else in the vicinity of Andrews whose phone connected to the PD's fake cell tower and coughed up identifying info.

Andrews prevailed in the state court, resulting in the suppression of evidence. However, his federal civil rights lawsuit hit a wall when the lower court inexplicably decided "possibly relevant to an ongoing investigation" = "probable cause."

The federal district court found that the Pen Register Order constituted a warrant authorizing use of a Hailstorm simulator.

Pen registers do not require probable cause. If the judge had been informed that the PD was going to deploy a device that would search dozens of phones to find the one possessed by Andrews (and locate him that way), they would likely have demanded a higher standard than this bare minimum.

The Appeals Courts says there's not enough on the record to reach a conclusion about the Constitutionality of this cell site simulator deployment. So, it's handing it back to the lower court with a long list of questions that need to be answered before a decision can be reached.

Specifically, on remand, the district court is directed to conduct factfinding into the following characteristics of the Hailstorm cell site simulator:

(1) The maximum range at which the Hailstorm simulator can force nearby cellular devices to connect to it.

(2) The maximum number of cellular devices from which the Hailstorm simulator can force a connection.

(3) All categories of data the Hailstorm simulator may collect from a cellular device, regardless of whether such data is displayed to the Hailstorm simulator’s operator in the course of locating a target phone, including by way of example and without limitation: cellular device identifiers (such as international mobile equipment identity (“IMEI”) numbers, international mobile subscriber identity (“IMSI”) numbers, and electronic serial numbers (“ESN”)); metadata about cellular device operations (such as numbers dialed or texted, or webpages visited); and, most especially, the content of voice or video calls, text messages, emails, and application data.

(4) What data in (3) may be stored by the Hailstorm simulator.

(5) What data in (4) are accessible by law enforcement officers.

(6) All means by which the Hailstorm simulator was configured to minimize data collection from third party cellular devices not belonging to Andrews.

We'll see what the Baltimore PD chooses to do on remand. That's a lot of info it's not in any hurry to share with the general public. It may be able to keep some of this out of the public hand's with sealed filings but it can't keep all of this buried. It may decide it's time to settle. I hope it doesn't. This info should have been made public years ago. The PD spent years hiding this from everyone. It's time to open the books.

Filed Under: baltimore, baltimore police, cell site simulator, stingray, transparency

Florida Appeals Court Says Govt's Lack Of Good Faith Can't Save A 2012 Warrantless Stingray Deployment

from the lying-about-your-tools:-that's-going-to-cost-you dept

A good ruling [PDF] has been issued by a Florida Appeals Court -- one that not only affirms its earlier warrant requirement for Stingray use, but also reminds law enforcement that the good faith exception isn't as expansive as they think it is. (via FourthAmendment.com)

In 2018, the same court said the use of cell site simulators required warrants. Unlike collecting cell site location info from third parties (which was fine until the Supreme Court's Carpenter decision), Stingray devices turn the government into the second party, coercing location info from phone users by forcing them to connect to law enforcement's fake cell towers.

That decision doesn't bring precedential force to this case, which deals with events that happened six years before the state appeals court's 2018 ruling.

In 2012, the State charged the defendant with first-degree murder after his mother was found dead in their shared apartment. Detectives tracked the defendant using cell-site location information and a cell-site simulator. The defendant was found sitting in the victim’s parked car along with several pieces of evidence. The defendant moved to suppress the evidence, arguing it was obtained in violation of his Fourth Amendment rights. The trial court granted the motion to suppress, and the State appeals. We affirm the suppression order.

Six years later, a whole lot of evidence in a murder trial is going to be eliminated. The government's attempt to have the good faith exception applied dead ends here as well. The state argued detectives deployed the Stingray device without a warrant in good faith, since there was no binding precedent forbidding them from doing so. But the court points out it isn't willing to grant "good faith" to officers doing stuff just because no one has told them they can't yet.

The officers might have operated in good faith if their warrant request wasn't crafted in bad faith. The court notes precedent at that time (prior to the Supreme Court's Carpenter decision) allowed law enforcement to obtain cell site location info without a warrant.

Here, the State lacks the benefit of longstanding precedent authorizing the warrantless use of CSLI. However, Tracey I and the statutes authorizing law enforcements to access CSLI with a court order, taken together, provided sufficient precedent on which the detectives reasonably relied.

But investigators didn't actually obtain CSLI from a third party. They deployed a cell site simulator instead.

The cell-site simulator is another matter. Neither the application nor the court order mentioned a cell-site simulator.

The state might be technically correct, but technically correct isn't good enough in Florida.

In 2012, no binding case law addressed whether police must obtain a warrant to use a cell-site simulator. The good faith exception applies when binding precedent affirmatively authorizes a particular police practice.

Authorization is the key. And this court is one of the few that has applied the good faith standard this way. The government should not be able to operate freely in legal vacuums. That's what many choose to do, and far too many courts have decided good faith applies until something is expressly forbidden by a precedential decision. Not here.

The Fourth Amendment violation here is precisely the kind of violation the exclusionary rule seeks to deter. The CSLI data led detectives to a broad search area where the defendant was located. Unable to find the defendant’s exact location, the detectives went outside the scope of the court order and used a cell-site simulator to locate him.

This should be the standard for the good faith exception.

The government cannot rely on the absence of binding decisional law in this area to conduct a warrantless search.

The government should act cautiously in the absence of binding precedent. Instead, it exploits every gray area not sufficiently explored by courts. This is not how public servants should act when faced with a lack of specific guidance. Making up the rules as you go along is not "good faith." Neither is hiding the use of a cell site simulator behind a court order for cell site location info. The more the government acts this way, the less it can be trusted. Moving it back in line with the principles it's supposed to be upholding will take more decisions like this -- ones that call out bad faith for what it is, rather than pretend every under-explored area of the Fourth Amendment is covered by the good faith exception.

Filed Under: 4th amendment, cell site location info, csli, florida, stingray, surveillance, warrant

EFF Posts New White Paper On Stingray Device Capabilities

from the keeping-abreast-of-the-fuzz dept

The EFF has published a primer on IMSI catchers. Harris Corporation's success in this market has led to near-genericide, as almost every one of these cell tower spoofers is usually referred to as a "stingray."

The white paper [PDF], titled "Gotta Catch 'Em All," runs down what's known about cell-site simulators used by a number of government agencies. Most of this has been gleaned from secondhand info -- the stuff that leaks out during prosecutions or as the result of FOIA requests.

The technical capabilities of CSSs have been kept under wraps for years. The reasoning behind this opacity is that if criminals know how these devices work, they'll be able to avoid being tracked by them. There may be a few technical details that might prove useful in this fashion, but what is known about Stingray devices is that the best way to avoid being tracked by them is to simply not use a cellphone. But who doesn't use a cellphone?

The report is definitely worth reading, even if you've stayed on top of these developments over the past several years. It breaks down the technical subject matter in a way that makes clear what CSSs can and can't do -- and how they're capable of disrupting cellphone networks while in use.

While CSSs can intercept communications, it's hardly worth the effort. Unless the CSS can talk the phone into accepting a 2G connection (which eliminates encryption and severely limits the type of communications originating from the dumbed-down phone), it just doesn't work. This doesn't mean the devices are never used this way. But it does mean it's not a very attractive option.

On the other hand, CSSs impersonate cell towers, so they're able to pull all sorts of info from every device forced to connect with the faux cell tower. These devices are used most often to locate criminal suspects, meaning precise GPS location is a must-have. Operating on their own, cell-site simulators can't generate pinpoint accuracy. Working in conjunction with nearby towers, they can triangulate signals to provide better location info. But there's another option -- one rarely discussed in courtroom proceedings. CSSs can also force phones to give up precise location info.

First, the Stingray extracts info from nearby cell towers. Using this info (which the EFF points out anyone can access), the CSS alters its signal to become the highest priority connection in the area of operation. Once it's done this, GPS info can be coaxed from phones now connected to the fake cell tower.

[T]he attacker creates a “RRC Connection Reconfiguration” command, which contains the cell IDs of at least 3 neighbouring cell towers and their connection frequencies and sends this command to their target’s phone.

Usually, the “RRC Connection Reconfiguration” command is used to modify an existing connection to a base station, but the attacker is only interested in the target phone’s initial response to its message. This response contains the signal strengths of the previously specified cell towers, which can then be used to find the phone’s location via trilateration.

For newer phones and networks which support the “locationInfo-r10” feature, this report will also contain the phone’s exact GPS coordinates, meaning no trilateration calculations are required. The exact GPS coordinates are just a field in the response (Shaik et al, 2017).

There are few options available for people wanting to use a cellphone but are also wanting to avoid being swept up by a Stingray. As the report notes, there are a few cell tower spoofer detection apps on the market, but they may be more likely to generate false positives than detect IMSI catchers. There's no baseline for carrier behavior, much less "normal" Stingray use.

And, in any event, the EFF isn't publishing a handbook on how to evade detection by these devices. It's simply informing the public of the power of these devices, which are becoming as ubiquitous as the phones they track and trace. Since the public hasn't been invited to any these discussions by law enforcement agencies, it's up to everyone else to detail known capabilities and assess the potential damage to the public's expectation of privacy.

Filed Under: imsi catchers, stingray, surveillance

Court Documents Show Canadian Law Enforcement Operated Stingrays Indiscriminately, Sweeping Up Thousands Of Innocent Phone Owners

from the bleeding-edge-meets-zero-fucks-given dept

A wide-ranging criminal investigation involving eleven suspects has resulted in the reluctant disclosure of Stingray data by Canadian law enforcement. The Toronto PD and the Royal Canadian Mounted Police joined forces to deploy a surveillance dragnet that swept up thousands of innocent Canadians, as Kate Allen reports for the Toronto Star.

Toronto police and RCMP officers deploying controversial “Stingray” surveillance technology over a two-month period swept up identifying cellphone data on more than 20,000 bystanders at malls, public parks and even a children’s toy store.

As police sought cellphone data for 11 suspects in a 2014 investigation, they deployed a Stingray — also known as an IMSI catcher — at three dozen locations, including the middle of Yorkville, at the Dufferin Mall, at Vaughan Mills Mall, near Trinity Bellwoods Park, near Kensington Market, and at a Toys ‘R’ Us store in Richmond Hill.

These sweeps occurred years before either law enforcement agency admitted to possessing and deploying Stingray devices. In prior years, Canadian prosecutors dropped charges rather than discuss the devices in open court. This case must have been too big to let go. It involved 50 raids, 112 arrests, and a plethora of charges ranging from gun possession to murder.

Multiple defendants are now challenging the evidence derived from the multiple Stingray deployments, arguing that it was gathered unlawfully. The courts may decide to see it the defendants' way, but it's unlikely these deployments broke the agencies' own policies. Pretty much every law enforcement agency anywhere that has acquired a Stingray has deployed first and developed policies after their Stingray use could no longer be kept secret. The agencies involved here are no exception:

An RCMP spokesperson said that policy regarding deployment and resting time is “still being developed,” and that interim guidelines state that the devices will generally operate for three minutes, though may be operated for longer periods under certain circumstances and if permitted by a judge.

From what's contained in the tracking logs submitted as evidence in these cases, there appears to have been very little done to limit the tracking of non-suspects.

According to the logs, police deployed the device at three dozen locations between March 18 and May 23, 2014. In all, the device logged approximately 25,000 captures. The same cellphones may have been captured more than once in that time, since police used the device multiple times at some locations; with those repeat locations excluded, a minimum of 20,000 bystanders in Toronto and the GTA saw their cellphone data swept up.

At one location -- a condo where a target was suspected to live -- law enforcement operated the device for nearly ten minutes, sweeping up 1,400 cellphones.

Many of the logs show violations of the limitations law enforcement set for itself when applying for a warrant. The officer obtaining the affidavit failed to mention the device's ability to act as a tracking device. The officer also stated the device would only be operated for three minutes at a time, followed by two minutes of "rest" -- a minor concession meant to limit the impact on phone operation in the area. Instead of doing either of these things, officers switched frequencies every three minutes, running the device pretty much uninterrupted during each deployment.

This whole thing started out with the RCMP farming out the warrant request to a novice -- one who probably swore to his own "training and expertise" while combining boilerplate cribbed from other warrants with his subject matter inexperience.

According to court documents, the Toronto police sergeant who obtained the warrant testified he had never used an IMSI catcher before, and that he copied and pasted a set of “standard” wording used in a warrant for a previous case. The RCMP’s program manager for deployment of the technology testified that the standard wording was written “by people that are not operators of the equipment so they didn’t fully understand the capabilities and how it operated.”

To reiterate: the Stingrays were (and are) being deployed in an operational policy vacuum. According to a statement given to the Star, the policies the RCMP said it would draw up after it publicly admitted it owned and used Stingrays still aren't in place. An interim policy, instituted in 2017, is the only internal legal framework guiding Stingray use. In practice, this means the RCMP isn't controlling deployments. In this case, it also meant sending an amateur to do a professional's job when it came to securing a warrant. Put it all together and you have the mess both law enforcement agencies created by simply assuming no one would ever find out they'd been using these devices.

Filed Under: canada, law enforcement, privacy, stingray, surveillance

EFF Sues California Law Enforcement Agency For Refusing To Hand Over Stingray Documents

from the when-six-warrants-is-a-constellation-of-records dept

The EFF is taking the San Bernardino County Sheriff's Department to court. The dispute centers on Stingray warrants possessed by the agency. The Sheriff's Department likely holds more of these records than any other agency in the state. According to the Desert Sun's investigation -- based on state law-mandated reporting on electronic searches, San Bernardino residents were 20 times more likely to be subjected to an electronic search than residents elsewhere in state.

Even more troubling, a lot of these searches -- including Stingray deployments -- were performed by the department when it had no idea who it was looking for or whose devices it was searching.

If the situation is deemed an emergency, the judge can grant law enforcement the option to delay notification for up to 90 days.

A 90-day delay is also granted in cases when the identity of the person they are investigating is not known by the investigating agency.

[...]

Warrants are only reported to the California Department of Justice if the warrant receives the 90-day delay for notification. The department does not include records of warrants for electronic property, if the target is notified immediately.

Of the more than 700 warrants reported to the California Department of Justice by the San Bernardino County Sheriff’s Department, only 47 received emergency status, meaning 93 percent of their warrants were granted to investigate people whose identity was unknown to the department.

The department did not provide an explanation for why they are investigating the digital property of so many people before identifying them.

The numerous searches -- which apparently include a large number of fishing expeditions -- is an ongoing concern, especially with California's more stringent privacy laws in play. The Sheriff's Department has been a fan of Stingrays for a long time, but hasn't been very forthcoming about its deployments. This dishonesty extends to judges, who were handed pen register order requests that disguised the true nature of the search. The "insert probable cause" boilerplate pen register request obtained by Cyrus Farivar of Ars Technica suggests invasive searches were performed with plug-and-play paperwork that both laundered the evidence and utilized one-size-fits-all phrasing when seeking judicial approval.

What the EFF is seeking is a very small subset of Stingray warrants possessed by the Sheriff's Department. It's attempting to obtain copies of six warrants specifically identified by the state's Department of Justice in mandated publications. The search for these documents by the Sheriff's Department should be made even easier thanks to the inclusion of a noticeable typo.

EFF determined that the county has used cell-site simulators 231 times in the last year and filed a request under the California Public Records Act in August to obtain search warrant information for six specific searches that were made public by the DOJ. Each of the searches included authorization for the use of “cell-site stimulators” [sic], an apparent misspelling of the cell-phone tracking technology in the records submitted by San Bernardino to the DOJ.

EFF’s public records request sought court case numbers associated with the search warrants, which would enable researchers to locate court records like affidavits justifying the need for a warrant and other information vital to assessing whether police are following the law and their own policies when obtaining warrants. The request contained detailed information about each warrant, made public by the DOJ, such as the nature of the warrants, the precise start and end dates of the warrants and verbatim quotes about the grounds for each warrant.

The Sheriff's Department responded to this hyperspecific records request with more government agency boilerplate. It claimed the request was "vague" and "overly broad" and failed to describe an "identifiable record." This deliberate obtuseness will now have to be defended in court. Considering the request, the EFF's arguments aren't that difficult to make. From the filing [PDF]:

In an attempt to learn about Defendants’ use of these devices, EFF sent a request for records relating to six cell site simulator warrants that precisely identified each warrant using the information on the Department of Justice’s OpenJustice website, including the date range of the authorized search, the nature of the investigation, the items to be searched for, and the exact date and time Defendants electronically provided information about them to the Department of Justice.

Defendants refused to comply with the request, claiming that it failed to reasonably describe the records at issue and that the records are exempt from disclosure as records of an investigation under Government Code § 6254(f).

Neither of these is a legitimate justification for failing to provide the records:

The request more than reasonably described the target records. In fact, it uniquely identified the warrants in question, providing the exact time frame covered by the warrant, the exact date and time the Defendants provided information about the warrants to the Department of Justice, and other identifying information. Defendants’ claim in this regard is particularly weak because their own policy – which state law requires them to adopt and make public – requires their personnel to obtain high-level approval for, and then maintain a log of, all warrants like those here at issue. This log must contain the dates that the cell site simulator was used, which would mirror or be contained within the time frame covered by the warrant, and so would allow Defendants to easily identify and locate the requested warrants.

The EFF also points out the Sheriff's Department can't throw a blanket exception over court records -- which are presumptively public. In addition, the California DOJ has specifically instructed the EFF to obtain documents (like these warrants) listed on its OpenJustice website directly from the agency that created them.

Having been forced into openness by legislation, the Sheriff's Department is hoping to maintain some level of opacity even as it continues its record-setting pace for electronic searches of individuals it can even identify. It shouldn't take long for the court to decide the Sheriff's claims about vagueness and broadness are ridiculous. Hopefully, the court won't decide presumptively-public documents like court orders and warrant affidavits can be withheld just because a cop shop says they might reveal cop stuff.

Filed Under: foia, imsi catcher, lawsuit, san bernardino, san bernardino county sherriff's department, stingray
Companies: eff

Florida Appeals Court Tells Law Enforcement It Needs Warrants To Deploy Stingrays

from the also-deployed:-parallel-construction dept

The Florida Court of Appeals has upheld a suppression order for evidence obtained through the use of a Stingray device. This decision draws the line between third-party info and info gathered directly by the government, even if the info collected was roughly the same. (h/t Cyrus Farivar)

In the course of investigating an armed robbery that led to the killing of one of the robbery victims, law enforcement sought assistance from the suspect's cell service provider, asking for cell site location info and the placement of a trap-and-trace on the cellphone itself. The following comes from the appeals court decision [PDF]:

A judge signed the “CSLI Order,” which required the service provider to disclose “all cell-site activations and sectors for all incoming and outgoing calls/communications . . . call detail location records, ‘angle from the tower’ data, including contemporaneous (real-time) with these communications, and historical calls/communications detail records.” The judge also signed an order requiring the service provider to install a pen register and trap and trace device on the Defendant’s phone and transmit the information collected to the Broward Sheriff’s Office (the “Trap and Trace Order”).

Later, the State applied for a search warrant of a Fort Lauderdale residence. The affidavit filed in support of the warrant stated that “[m]obile tracking was activated on [the Defendant’s] cell phone pursuant to a lawful court order” and that the Defendant’s phone was “placed specifically” at the residence and had been “stationary overnight within this residence for several concurrent nights.” The search warrant was granted.

Law enforcement testified the cell provider could only provide "tower information," rather than precise GPS location. To make up for this lack of specificity, investigators decided to fire up a Stingray to pinpoint the location of the suspect's phone. This extra step -- performed without a warrant -- ultimately resulted in the suppression of evidence by the trial court. The government appealed, citing the subpoenas and the Third Party Doctrine. The state appeals court disagrees.

Combining the ruling on cellphone searches (Riley) and the invasiveness of new technology (Kyllo) [along with the recent Carpenter decision], the court comes to this conclusion:

Together these cases hold that, without a warrant, the government cannot: use technology to view information not visible to the naked eye, attach a device to property to monitor your location, search a cell phone in your possession without a warrant, or obtain real-time location information from the cell carrier.

With a cell-site simulator, the government does more than obtain data held by a third party. The government surreptitiously intercepts a signal that the user intended to send to a carrier’s cell-site tower or independently pings a cell phone to determine its location. Not only that, a cell-site simulator also intercepts the data of other cell phones in the area, including the phones of people not being investigated.

If a warrant is required for the government to obtain historical cell-site information voluntarily maintained and in the possession of a third party, see Carpenter, 138 S. Ct. at 2221, we can discern no reason why a warrant would not be required for the more invasive use of a cell-site simulator.

The court also notes law enforcement -- in deploying a Stingray -- went far beyond what was actually authorized in the judicial orders it obtained.

The CSLI Order did not authorize the State to act independently. But the sergeant and the Defendant’s expert testified that the information maintained by the service provider could not identify the exact location of the Defendant’s phone. So the State resorted to other means. In other words, the CSLI Order authorized indirect government surveillance.

But the State could not obtain the information it required through the authorized means. So the State conducted direct government surveillance by using a cell-site simulator. And it did so without a warrant. Based on controlling Supreme Court authority, the court correctly suppressed the evidence obtained as a result of the State’s warrantless actions.

The end result is suppression of evidence gathered with the Stingray device. Since it was this device that pinpointed the location of the suspect's cellphone, the evidence obtained from the search of the residence the phone was located at is going to disappear as well. And that's evidence the government likely can't do without. It includes three guns, a mask, ammunition, and a stun gun -- all of which likely played a part in the armed robbery.

That this happened nearly five years ago makes little difference. It may have preceded the Carpenter ruling that created a privacy right for cell site location info, but the other Supreme Court precedent on cellphone searches and the use of invasive technology (like thermal imaging) to cross the threshold of people's homes without ever setting foot inside predates the warrantless Stingray deployment.

And a Stingray does exactly that: it forces phones -- wherever located -- to connect to it and give up location data and identifying info. It's something law enforcement can't obtain without electronic coercement and it's far more precise than the coarse location info it can obtain without a warrant from cellphone providers. Of course, the Carpenter decision changed the math on location info, so if law enforcement really wants to locate a phone, it's now better off seeking warrants for Stingray deployment than approaching third parties for the same data if it's looking for something more "real time."

Filed Under: 4th amendment, florida, imsi catcher, stingray

Ron Wyden Wants The DOJ To Provide Answers On Stingray Devices' Disruption Of Emergency Call Service

from the gotta-risk-lives-to-save-lives-or-whatever dept

The FBI has admitted -- albeit not that publicly -- that Stingray devices disrupt phone service. Spoofing a cell tower has negative effects on innocent phone users as the device plays man-in-the-middle while trying to locate the targeted device. An unsealed document from a criminal prosecution and assertions made in warrant affidavits alleging "minimal" disruption are all we have to go on, at least in terms of official statements.

Supposedly, Stingrays are supposed to allow 911 service to continue uninterrupted. But it's hard to square that with the fact every phone in the device's range is forced to connect to the Stingray first before being allowed to connect with a real cell tower. In some cases, the device might force every phone in range to drop to a 2G connection. This may still allow 911 calls to take place, but almost any other form of communication will be impossible as long as the Stingray is in use.

Ron Wyden's staff technologist, Chris Soghoian (formerly of the ACLU), will be fielding answers from the DOJ and FBI about 911 service disruptions, if those answers ever arrive. Wyden's office has sent a letter [PDF] demanding to know the extent of cell service disruption when Stingrays are deployed. And he'd also like to know if these agencies are being honest about the negative side effects when agents seek warrants.

1. The Communications Act of 1934 prohibits willful or malicious interference with licensed radio communications. How is a federal law enforcement agency's use of a cell-site simulator not authorized by a court order consistent with the prohibition on interference with radio communications in 47 U.S.C. 333?

2. Is it the position of DOJ that a search warrant authorizing a federal law enforcement agency to use a cell-site simulator overrides the statutory prohibition on interference in 47 U.S.C. 333? If yes, please explain Why.

3. Does DOJ believe that it has an obligation under the duty of candor to notify federal courts considering an application for the use of a cell-site simulator that federal law prohibits interference with cellular communications? If not, please explain why.

4. Is it the position of DOJ that it is lawful, with or without a court order, for a federal law enforcement agency to interfere with licensed radio communications such that it disrupts a surveillance target's emergency cellular communications with 9-1-1? If yes, please explain why.

We'll see if Wyden gets his answers. The DOJ still has yet to answer similar questions Wyden asked last year, and there's little reason to believe its response time to questions it doesn't want to answer has improved since 2017.

There is evidence cell site simulators do interfere with 911 service, even if the US government has yet to admit it. A document obtained by the ACLU from the Royal Canadian Mounted Police clearly states cell site simulators have negative effects on emergency calls.

The MDI [Mobile Device Identifier] will shut itself off if a mobile within its range dials 911. However, recent testing at HQ revealed that more than 50% of the GSM mobile telephones tested had not automatically completed their 911 calls after the MDI had shut itself off.

This memo says the RCMP should inform judges of this possible side effect when seeking warrants and use a 3-minutes-on, 2-minutes-off cycle to minimize cell service disruption and overcollection of cell data from non-targets. If the DOJ has directed the FBI to engage in practices like these, it has yet to make that information public. From what little has been gleaned from public statements and begrudging answers to legislators and Congressional committees, the FBI's use of Stingrays appears to only be constrained by a warrant requirement that is merely the DOJ's internal policy, rather than codified by law.

Filed Under: doj, emergency calls, imsi catcher, interference, ron wyden, stingray, surveillance