New StingRay Policies for both Washington State and the Department of Justice

news-police-stingrayBy Matthew McCoy

Both the State of Washington and the United States Department of Justice (DOJ) have recently issued new policies regarding law enforcement’s use of cell site simulators. Colloquially known as StingRays, cell site simulators spoof cell towers and trick mobile devices in close proximity to the simulator into connecting with it and unveiling their unique location information. While it is possible to initiate more sophisticated attacks, such as deception and logging of message contents, the DOJ asserts in its new policy that its Stingrays are not configured with such capabilities in accordance with the pen register and trap and trace definitions in 18 U.S.C. §3127(3).

Previous use of StingRays, unveiled by research by privacy advocates, show that both federal, state, and local law enforcement entities have been previously approved under traditional pen register/trap and trace orders. While the DOJ argues that obtaining authorization pursuant to the Pen Register Statute is appropriate for these devices, critics say pen registers, which record the numbers dialed to and from a phone, are different than cell site simulator technology, which record a phone’s location and manipulate how a phone connects with its cellular network. Continue reading

The Hidden StingRay Within the Murky Waters of Surveillance

Screen Shot 2015-01-23 at 2.15.27 PMLaw enforcement use of IMSI catchers and their insidious efforts to hide it.

By Miriam Swedlow

Thanks to NPR’s radio program, Serial, thousands of Americans now know that a person’s movements can be verified by following the interaction between a cell phone and nearby cell phone towers. An International Mobile Subscriber Identity (IMSI) catcher, commonly referred to as a “StingRay,” takes this concept a step further. The device tricks cell phones to connect to it by masquerading as a cell phone tower. Once connected, the StingRay provides “real time” tracking of a phone’s location and is capable of obtaining data from the phone (including emails, photos, and contact files). Although Federal and local law enforcement increasingly use these devices as part of surveillance activities, they have been reluctant to disclose to judges and the public exactly how and when they use them. This is likely because IMSIs cast a broad net, gathering invasive data on scores of innocent people in the process of tracking a single suspect.

Law enforcement agencies have utilized a “smoke and mirrors” approach to keep their use of StingRay equipment a secret. After the 2001 Patriot Act, the Department of Justice declared that law enforcement would need a Pen/Trap order before using direct surveillance technology on communication systems, such as IMSI catchers. Almost fifteen years later, there have been only two published magistrate opinions on the use of IMSI catchers. The lack of judicial opinions is directly related to law enforcement’s pervasive practice of obfuscating the use of IMSI catchers in pen register applications without explicitly disclosing the nature of the technology. For example, officers in Sarasota, Florida referred to the StingRay as a “source” in official documents to obtain warrants. In Tacoma, Washington, judges learned that they had signed off on the use of IMSI catchers through local newspaper reporting. The result is that judges have unwittingly granted hundreds of orders to use IMSI catchers. Continue reading