Both the State of Washington and the United States Department of Justice (DOJ) have recently issued new policies regarding law enforcement’s use of cell site simulators. Colloquially known as StingRays, cell site simulators spoof cell towers and trick mobile devices in close proximity to the simulator into connecting with it and unveiling their unique location information. While it is possible to initiate more sophisticated attacks, such as deception and logging of message contents, the DOJ asserts in its new policy that its StingRays are not configured with such capabilities, in accordance with the pen register and trap and trace definitions in 18 U.S.C. §3127(3).
Previous use of StingRays, unveiled through research by privacy advocates, shows that federal, state, and local law enforcement entities have previously been approved to use them under traditional pen register/trap and trace orders. While the DOJ argues that obtaining authorization pursuant to the Pen Register Statute is appropriate for these devices, critics say pen registers, which record the numbers dialed to and from a phone, are different from cell site simulator technology, which records a phone’s location and manipulates how a phone connects with its cellular network.
Motivated by this discrepancy and cries from privacy advocates, Washington joined a series of other states in passing StingRay legislation. While not the first to require a warrant under probable cause for the use of a StingRay, Washington’s data regulation and deletion policies are the first of their kind in the nation. Signed into law May 11th, RCW 9.73 requires law enforcement to request an ex parte order authorizing the use of the device. The request must include the type of data being collected, and the law requires that law enforcement take “all steps necessary” to permanently delete any information or metadata collected from any party not specified in the court order. Additionally, law enforcement must delete the data from the target within thirty days if there is no longer probable cause to support the belief that such data is evidence of a crime.
The DOJ issued its policy guidance on the use of cell site simulator technology on September 3rd. While defending its previous use of cell site simulators under the pen/trap framework, the new DOJ policy now requires law enforcement to either seek a warrant in addition to a pen register order, or seek a warrant that contains all the information required in a pen register order pursuant to 18 U.S.C. §3123. The new DOJ policy does not require law enforcement to request a warrant under exigent circumstances. In order to receive a warrant, law enforcement requests must describe the general terms of the technique to be employed, including the description that the investigators plan to send signals that will cause both the target cell phone and other non-target phones in the area to emit unique identifiers and location information, and that the cell phones affected may experience temporary disruption of service from their service provider because of the technology in use.
The DOJ’s policy also follows Washington’s lead in requiring data retention and deletion standards. The guidance requires the warrant application to detail how the data collected will be used and disposed of. All data must be deleted within thirty days, or once the target device is found, mirroring Washington’s law.
Perhaps this hints at a recipe for how privacy and civil liberties policy can be affected: lead with state laws, which pressure federal policies to follow suit. Whatever the case, it is evident Washington State is, and can continue to be, a leader in this field.
Image source: https://a248.e.akamai.net/f/574/7105/8d/www.extremetech.com/wp-content/uploads/2014/06/Stingray2-640×353.jpg.