Cell Phone Surveillance
Cellular communications are inherently vulnerable as they pass through the air. Whereas it was once required to physically tap into a wire based network in order to deploy surveillance methods, cellular transmissions allow practically anyone with the desire to intercept our voice, text, and data transmissions completely anonymously.
The concept of eavesdropping on cellular communications is nothing new, in the time of analog cellphones a basic scanner was all that was needed. In 1993 before a congressional committee a man presented a modified scanner that allowed everyone in the room to listen to nearby cellular conversations. Congress banned the sale of such scanners, but since then there hasn’t been much serious public policy debate on the issue.
Technology has obviously come a long way since 1993, and the cellular networks in place today are highly vulnerable to surveillance from criminals and governments alike. Many federal, state, and local law enforcement agencies have equipment designed for military use with surveillance capabilities that far exceed the scanners from the days of analog. They’re indiscriminate by their very nature, sometimes collecting data on tens of thousands of phones at a time. They’re used anonymously with virtually no oversight, with no record that they’ve been used, and often without a warrant.
The recent policy change announced by the DOJ last week is welcomed and long overdue, but is the cat already out of the bag rendering this policy change too little too late? Some say we need to systemically address current vulnerabilities in our cellular networks as a whole, as well as initiate a more thorough update to legislation of cellular surveillance.
This is especially true here in Michigan where local law enforcement agencies have the most highly sophisticated surveillance equipment with capabilities that raise a variety of Fourth Amendment and other Constitutional concerns.
Legislative bills were filed in Michigan last year by a former State Rep that would have provided much needed oversight and regulations regarding these technologies, but unfortunately they didn’t get any traction. Everyone is very tight lipped. Why are law enforcement and our legislators so unwilling to discuss this topic?
Guise of Secrecy
One major reason why there’s an utter lack of public debate on this surveillance is rooted under the guise of its supposed secrecy. I say guise because they’re not really secrets at all, this surveillance has been outlined in full detail in the Harvard Journal of Law and Technology, as well as a number of other sources.
However, law enforcement often hide behind non-disclosure agreements, and the Homeland Security Act which they claim prevent them from speaking publicly about these technologies, even going so far as withholding information from the courts. The government considers their use of this surveillance to be “law enforcement sensitive information”, and they’ve gone to great lengths to protect the shroud of secrecy. It wasn’t until after a decade after their initial use that this technology, in this case called Stingray, was first revealed in a pretrial criminal case. Rather than disclose information about it the government dropped the charges. The majority of what is known about this surveillance has been acquired through highly redacted Freedom of Information Act requests.
One might ask themselves how it’s possible that such powerful surveillance tools wouldn’t have come up in a criminal case sooner, and the answer is the use of this technology is often concealed by law enforcement with misleading source descriptions, often referring to their source as a “confidential informant” when in fact the evidence was acquired through cellular surveillance.
In some cases law enforcement and prosecutors have been shown to have mislead judges not only about their use of these technologies, but also the capabilities of the technologies themselves citing the need to do so based on proprietary non-disclosure agreements.
Equally indicative of the lack of oversight is that in some situations evidence has even been withheld from criminal defendants. The manufacturers of these devices themselves have even been less than forthright when representing their products to the FCC to secure licensing.
Regardless of law enforcement’s attempts to keep them secret these devices like the Stingray and others, as well as the vulnerabilities they exploit are widely known. They’ve been widely reported on, depicted in movies, can be purchased by anyone, and at this point they’re even produced at home by hobbyists for relatively little money.
Herein lies part of the problem. A device that costs law enforcement agencies over $100k to purchase can now be purchased online by anyone for less than $2000. Governments no longer monopolize the cellular surveillance market. The vulnerabilities in our networks are no longer secrets, and the prevention of serious public discussion about these technologies under the guise of non-disclosure agreements and DHS laws are in fact leaving all of us vulnerable to bad actors that extend well beyond our government. There has even been commercial interests from stores seeking to track their customer’s movements.
Here in Michigan we know at the very least Oakland County law enforcement have the most advanced military grade surveillance equipment available called Hailstorm.
According to statements made last year to the Oakland Press by Sheriff Michael Bouchard similar devices are believed to be in use elsewhere in the state too. Sheriff Bouchard claimed that: “It’s not a surveillance device … It’s not capturing metadata or personal data of any kind. It does not record calls of any kind.” When asked for further comment on how this technology works the sheriff’s department and the representatives of the company that make Hailstorm both cited Homeland Security Act and proprietary laws that restrict them from talking about it.
Sound familiar?
So what exactly is this super-secret technology that according to Sheriff Bouchard isn’t a surveillance device? On the purchase form Undersheriff Michael McCabe lists the description as “allows for pinpoint tracking of criminal activity”. Is that really all it does, or do these statements simply fall in line with the systematic misrepresentation of the all-you-can-eat surveillance buffet currently hidden under the guise of secrecy by law enforcement?
Carrier-Assisted Surveillance
Generally when we think of cellular communication surveillance we think of carrier-assisted surveillance where the telecommunications companies themselves provide and/or enable surveillance for law enforcement. They’ve been providing such services for over 100 years and generally have teams of compliance officers that help facilitate and keep record of these services which provide a necessary check to balance out law enforcement’s use of such surveillance powers.
This type of carrier-assisted surveillance is generally limited to specific telephone or other identifying numbers and legally requires a Pen/Trap order or a warrant depending on the type of surveillance. Carrier-assisted surveillance is not what we’re discussing here.
IMSI Catchers (aka Stingray/Hailstorm)
Here we’re discussing the ability of independent federal, state, and local agencies, as well as criminals, to set up fake cell sites indiscriminately monitoring all cellphones within their vicinity, tricking them into providing data and even complete control.
These devices are called IMSI catchers, the most widely used by law enforcement are the Stingray and Hailstorm manufactured by Harris Corp, and these are the machines stealing your cellular data. Contrary to Sheriff Bouchard’s claim that these are not surveillance devices and do not capture data, this is precisely what they do.
IMSI catchers are radio devices that can be used to capture and decrypt transmissions between cellphones and cell towers, as well as simulate cell towers constantly pinging cellphones within their vicinity in order to trick the cellphones into connecting to it whether the phone is in use or not. IMSI catchers can be used to identify, locate, monitor, gain access, and in some cases gain complete control of cellphones within their vicinity.
Despite law enforcement’s best attempts to keep it secret the IMSI catcher that has gained the most notoriety due to their widespread use of it is the Stingray. Its use and legal implication in criminal trials have been detailed in a document published by the ACLU. Many federal, state, and local agencies own and operate Stingray’s across the country.
Not even congress can get law enforcement to tell them exactly how many agencies use them. By itself the Stingray enables anonymous and indiscriminate collection of metadata like location, and the real-time collection of incoming and outgoing numbers of all cellphones within its vicinity without leaving a record that it’s ever been used.
More worrisome, when used with additional programs, or an array of additional products provided by the manufacturer, its surveillance capabilities extend into enabling the real-time monitoring of data, text, and voice transmissions. All of which can be enabled anonymously by the operator without anyone knowing they’ve done so. It’s kind of like a “look but don’t touch” policy towards surveillance and it’s currently being enforced on the honor system with no oversight. As is the case with Oakland County Sheriffs department, the capabilities of these devices are often downplayed and outright misrepresented, even to judges.
Even more egregious and powerful is the IMSI catcher called the dirtbox. The dirtbox has been flown over metropolitan areas across the country from planes operated by US Marshals who collect data on up to tens of thousands of cellphones at a time.
All without a warrant.
The most cutting edge and powerful IMSI catcher available to law enforcement (that we’re aware of) is the military grade Hailstorm. Despite Sheriff Bouchard’s claims, Hailstorm, along with the Pen-Link platform which Oakland County purchased at the same time as Hailstorm, is the most powerful surveillance technology available to law enforcement today. Hailstorm was used by the military in the Iraqi war, among other things to coordinate drone attacks.
Though it’s full capabilities have been kept very hush-hush, Hailstorm reportedly enables the operator to locate, collect data (including content), and even download Trojans onto cellphones garnering full access and even complete control of the cellphone to the attacker. But we’re expected to believe the Sheriff when he states that Hailstorm doesn’t do the very thing it was designed to do (for the military), and that Oakland County shelled out the extra cash for the most overreaching surveillance capabilities available while not actually using them.
These are only a few examples of the IMSI catchers in use by law enforcement. There are many others, including some available online to anyone. They can be operated secretly by anyone with the means to do so, and law enforcement is no longer alone in their interests of exploiting our cellular network vulnerabilities.
Anyone with $2000 to spend can purchase or build an IMSI catcher to monitor all of your cellular transmissions by exploiting vulnerabilities that could be easily fixed, but instead are left in place to help facilitate government surveillance.
Last week’s change in DOJ policy which now requires that federal agents secure a warrant and delete all non-target data daily is long overdue, but it’s not legally binding at the state or local level. It’s unclear whether law enforcement in Michigan believes they need a warrant or simply a Pen/Trap order to deploy an IMSI catcher.
According to Sheriff Bouchard and McCabe they require a warrant to use Hailstorm, but they also claim it’s not a surveillance device, so with no oversight it truly remains unclear. It appears there are legal grounds to argue that a warrant should be required, particularly depending upon where the individual is when the surveillance takes place. We can’t reasonably be expected to believe that we voluntarily give up the right to privacy simply by using a cell phone.
The continued roués of secrecy protecting law enforcement from exposing their overreach of unchecked power with military grade surveillance equipment, and their likelihood of inevitable violations of our Fourth Amendment and other Constitutional rights based on the very nature of this technology, needs to be addressed here in Michigan.
Hopefully someone resurrects the Hailstorm bills HB 5710 and HB 5712 which would require law enforcement to secure a warrant prior to use of this type of surveillance, inform innocent citizens when their data has inadvertently been collected, create penalties for misuse, as well as create a much needed oversight committee to ensure these devices are being used lawfully. It’s that or succumb to Sheriff Bouchard’s Jedi mind tricks when he essentially states that “these are not the droids you’re looking for”.
Interestingly enough, anyone with an Android phone can download a number of apps that identify IMSI catchers. These apps will alert a person when they might be connected to an IMSI catcher. Unfortunately, no such technology is available for iPhones.
There is however a free app for iPhones that allows end-to-end encryption of calls and texts. There are also a number of other types of cellular communications encryption that can help prevent a person from being as easily vulnerable to intrusive surveillance from criminals and the government alike. Many more than are listed here. If you’re at all concerned about the privacy of your communications adding additional layers of encryption is worth looking into, and if you live in Oakland County get rid of your iPhone and buy an Android.
Legal Implications of Cellular Surveillance
The previous article on Cellular Surveillance outlined the overall gist of the rampant deceit and the shroud of supposed secrecy cloaking law enforcement’s use of IMSI catchers.
Here we’ll examine some of the specific ways in which IMSI catchers can be used, the potential differences in legal implications of the way in which they’re used, and highlight some of the ways citizens can protect themselves from this type of surveillance.
Pen/Trap Order vs Warrant
A great deal of controversy surrounds the varying opinions from one jurisdiction to another about the legal steps needed to be taken by law enforcement to deploy an IMSI catcher. Some agencies have used IMSI catchers without any warrants or court orders whatsoever, others require filing for a Pen/Trap order, some hybrid orders, and some jurisdictions require a warrant.
The majority of state and local agencies, as well as federal agencies up until last week, only require that a Pen/Trap order be issued from a court in order to deploy IMSI catchers. One problem with this is that the Pen/Trap Statute was crafted to allow solely for the recording of incoming and outgoing numbers, and IMSI catchers are capable of much greater degrees of surveillance at the operator’s discretion.
Additionally, the legal threshold for issuing a Pen/Trap order is very low. In fact all that is required is for law enforcement is to state that “the information likely to be obtained is relevant to an ongoing investigation.” 18 U.S.C. § 3122(b)(2).
Passive vs Active Monitoring
IMSI catchers can be used passively or actively.
Passive monitoring exploits the lack of, or limited level of encryption used to transmit data from a cellphone to a cell tower. Passive monitoring collects the transmissions between a cellphone and cell tower without interfering with them, and then decrypts that transmission in real-time for analysis. The type of data collected from passive monitoring is limited to meta-data like location and incoming/outgoing numbers.
Active monitoring exploits another well-known vulnerability; the lack of authentication required by cellphones to validate cell towers. Active monitoring actually simulates a cell tower tricking cellphones into connecting to the IMSI catcher.
IMSI catchers can then launch “man in the middle attacks” actively posing as the carrier network, or the target cellphone, effectively controlling all incoming and outgoing transmissions. They can be used to identify cellphones within their vicinity whether they’re in use or not, intercept incoming and outgoing calls and texts, and initiate denial of service attacks blocking cell phone service.
The newest breed of IMSI catchers like the Hailstorm which was recently purchased in Oakland County can even download Trojans to a cellphone gaining complete control over it. It should be noted that Stingrays, which are the most common IMSI catcher used across the country, can do the same with the use of additional programs being run by the operator. All virtually without anyone knowing they’ve done so.
Both types of surveillance have some common characteristics: both methods can be performed with IMSI catchers, both exploit well-known vulnerabilities in our cellular networks, both are indiscriminate by their very nature performing dragnet like surveillance of entire areas, and unlike carrier-assisted surveillance both are often deployed without any warrants or court orders.
Though IMSI catchers have the capability to perform passive or active surveillance the distinction between the two may be important due to the varying interpretations of legal requirements needed to deploy IMSI catchers in either mode.
To make matters more confusing these interpretations vary from one jurisdiction to another. Additionally, it’s important to note that once law enforcement has an IMSI catcher like the Hailstorm, or Stingray, the type of capabilities and in turn the type of surveillance deployed is entirely in the hands of the operator.
There’s absolutely nothing stopping an operator of a Hailstorm who may have a court order to collect meta-data from simply flipping a switch and actively monitoring voice, text, and data content, or even gaining access and complete control of a cell phone.
Much of the problem is that our state and federal government have yet to draft appropriate legislation dealing with this highly invasive technology. The inadequacy of our current statutes to contend with this technology was first pointed out by a Federal Magistrate Judge 1995, but rather than address the concerns the “all you can eat surveillance buffet” was offered to law enforcement as they were coached how to keep it all very hush-hush.
The 1995 Digital Analyzer Magistrate Opinion
In 1995 a Federal Magistrate Judge issued the first legal opinion of the government’s application of digital analyzers (IMSI catchers used passively). In this case the government wanted to “analyze signals emitting from any cellular phone used by any one of five named suspects of a criminal investigation”.
At that point DOJ policy was presumed to be to file for a pen register order authorizing surveillance which the government was doing. Magistrate Judged Edwards denied the government’s application explaining that a Pen/Trap order wasn’t required because the statute limits its application to “a device which records or decodes electronic or other impulses which identify the numbers dialed or otherwise transmitted on the telephone line to which such a device is attached”. He explained that since this technology isn’t intended to be attached to the device that the Pen/Trap statute isn’t applicable.
Judge Edwards further stated that based on Smith v. Maryland that the government’s use of digital analyzers for location data and real-time collection of incoming and outgoing telephone numbers doesn’t constitute a search or raise any Fourth Amendment concerns. His basis was that telephone users willfully provide the numbers they dial to a third party the “numbers dialed by a telephone are not the subject of a reasonable expectation of privacy” and “no logical distinction is seen between telephone numbers called and a party’s own telephone number, device number, or serial number, all of which are regularly voluntarily exposed and known to others”.
While Judge Edwards asserted that current Pen/Trap statutes don’t expressly permit or prohibit the use of digital analyzers he personally expressed strong concerns regarding their use in law enforcement, particularly for the privacy rights of innocent third parties within the vicinity of these devices, the lack of congressional oversight, as well as the lack of required recordkeeping and in turn accountability.
So while the court couldn’t prevent the government from utilizing these technologies by law it was rightly concerned by the implications of the decision. Ultimately, this decision has in part resulted in an absolute surveillance free for all with indiscriminate Fourth Amendment violations rivaled only by the NSA surveillance revealed by Edward Snowden.
The difference is this surveillance isn’t limited to the federal government. At this point it’s not even limited to state and local law enforcement.
DOJ Policy
Up until last week DOJ policy towards IMSI catchers has been convoluted, self-contradictory, and like other law enforcement at times outright misleading to the courts and general public.
Based on Judge Edwards’s 1995 opinion the DOJ published a document in 1997 wherein they stated that provided law enforcement doesn’t intercept communications data, and they don’t require carrier-assistance, no warrants are required for the passive or active use of IMSI catchers. In the same document they stated that while agencies weren’t required by law to do so that they should probably continue to file for Pen/Trap court orders anyway when utilizing IMSI catchers for Pen/Trap purposes. So they clearly point out the loophole in the law while mentioning that prosecutors probably shouldn’t jump through it.
Surprisingly enough in 2001 the Patriot Act broadened the Pen/Trap statute by adding the term “signaling information” to the definition of pen register which was previously limited to “numbers dialed or otherwise transmitted”. Based on the new legal definition the 2005 Electronic Surveillance Manual published by the DOJ advises prosecutors that the new pen register definition “encompasses all of the non-content data between a cellphone and a provider’s tower.” While they pointed out this change they never officially state whether passive surveillance breached any Fourth Amendment limitations which would legally require securing a pen register, or whether it was simply a best practice for any IMSI catcher deployment. The fact that programs in 2007 started in which US Marshals began operating IMSI catchers from planes flying over cities collecting data on tens of thousands of people at a time might give us some insight.
The legal grounds for deploying IMSI catchers became even shakier after the 2012 Cellphone Simulator (Stingray) Magistrate Opinion was published.
Operating under the policy of filing for Pen/Trap orders for deployment of the active use of a Stingray device the government sought an order in which was ultimately denied by Magistrate Judge Owsley in Texas. Judge Owsley cited a lack of represented understanding of this technology on the part of the law enforcement and prosecutors involved, as well as a definitional concern whereby he stated the need for a known telephone, or other identifying number in order to issue a Pen/Trap order.
Based on the fact that the government did not have that information and indeed anticipated identifying that specific information through the use of the Stingray monitoring all cellular transmissions within the vicinity the targets were expected to be, Judge Owsley denied the application. He further expressed concerns regarding a lack of explanation for what would happen with the data collected from innocent cellphone users in the areas these Stingrays are deployed. Based on this opinion federal law enforcement would now first have to identify specific telephone or other identifying numbers prior to seeking a Pen/Trap order, at least for active surveillance. This legal opinion likely led to their lack of desire to clearly and officially state their policy towards IMSI catchers until last week.
A welcomed, while albeit systemically limited policy change was announce to take effect immediately last week on the part of the DOJ in regards to cell site simulators (IMSI catchers).
The new policy requires all federal agents to secure an actual warrant to deploy IMSI catchers. This certainly sets a more appropriate legal threshold for issuance than Pen/Trap orders for these highly invasive technologies with capabilities exceeding what Pen/Trap statutes were intended to encompass. This new policy also supposedly prevents the surveillance of content including conversations, text, data, as well as stored data on the phone. How exactly this might be enforced when nothing is stopping the operators of these devices from using them however they please is not mentioned. No penalties are put in place for misuse. Additionally, this new policy mandates that federal agents delete captured data from non-targeted individuals daily. While this policy change is a step forward in protecting our Fourth Amendment rights from the federal government, it doesn’t change the way state and local agencies will use these technologies.
Since the cat is already out of the bag some have the wonder if this policy change is too little too late.
State and Local Use
This suggested policy change from the DOJ is not legally binding for state or local law enforcement who have been documented in many cases to be deploying IMSI catchers passively and actively without any types of warrants for years.
So we’ve provided law enforcement with the equipment to enable surveillance without anyone other than the operators knowing they’ve done so, while hoping that they’ll resist temptation knowing there’s no oversight. This temptation has been too much to bear for many agencies here in Michigan
Secret Stingray
The government considers their use of this technology to be “law enforcement sensitive information”, and they’ve gone to great lengths to protect the shroud of secrecy.
It was only after a decade after their initial use that a Stingray came up in a pretrial case against Daniel Rigmaiden who was charged with fraudulently collecting hundreds of tax returns from deceased and other third parties. The government identified an IP address associated with a prepaid data-card used to file the tax returns, collected cellular tower history data from the carrier to identify the location of its use within a quarter square mile, and used the Stingray to track it to Rigmaiden’s apartment where it was plugged into his computer.
Prior to his arrest the government didn’t know Rigmaiden’s identity. Before locating the data-card with the Stingray the government obtained a search warrant pursuant to Fed. R. Crim. P. 41(b) authorizing the use of a cell site simulator.
By Joe Stone
Suggested reading for more in-depth analysis on IMSI catchers
Triggerfish, Stingrays, and Fourth Amendment Fishing Expeditions
FROM SMARTPHONES TO STINGRAYS: CAN THE FOURTH AMENDMENT KEEP UP WITH THE TWENTY-FIRST CENTURY?
IMSI Catchers and Mobile Security
Organizations on the frontlines with even more up to date information, including FOIA requests: EPIC, Electronic Frontier Foundation, and the ACLU.
Pell, Stephanie K., and Christopher Soghoian. “Your secret stingray’s no secret anymore: The vanishing government monopoly over cell phone surveillance and its impact on national security and consumer privacy.” Harvard Journal of Law and Technology, Forthcoming (2014).
Ooi, Joseph. “IMSI Catchers and Mobile Security.” (2015).
Owsley, Brian L. “Triggerfish, Stingrays, and Fourth Amendment Fishing Expeditions.” Hastings LJ 66 (2014): 183.
Hardman, Heath. “Brave New Wrold of Cell-Site Simulators, The.” Alb. Gov’t L. Rev. 8 (2015): 1.
Pell, Stephanie K., and Christopher Soghoian. “A Lot More than a Pen Register, and Less than a Wiretap: What the Stingray Teaches Us About How Congress Should Approach the Reform of Law Enforcement Surveillance Authorities.” (2014).
