Stingrays Another Poison to Privacy

Michael From our Perspective

In the ever expanding knowledge base of law enforcement tools for catching criminals a new device has recently been in the spotlight. It has long been known that law enforcement can locate a suspect’s location by triangulating their cell phone location from nearby towers. Which gave birth to the infamous scene in movies and TV shows where a person removes the battery and sim card from their phone. Developments only this year, however, have brought to light an even more exact, yet blunt, tool to locate cell phones.

Cell-Site Simulators aka Stingrays

The ‘new’ technology that goes by the code name of Stingrays is a cell-site simulator which falls under the broader category of IMSI catcher. As the official name suggests, it imitates a cell tower and through a typical ‘man-in-the-middle’ attack it forwards the signal to a legitimate tower while collecting data on all cell phones within its immediate area. Stingrays can also be used in a ‘passive’ mode to block any transmission of information via cell phones.

It comes as a surprise to many that this technology, sold by the Harris Corporation, has been in use since the late 1990’s. This device has been deployed not only in police vehicles on the ground, but also on airplanes, helicopters, and unmanned aerial vehicles (UAV).

For privacy advocates this sounds like a big deal. Not only do Stingrays act as a cell tower and gather incoming data and communication signals from all surrounding cell phones, but it also downloads the International Mobile Subscriber Identity (IMSI) or equivalent unique identifier. Although if the identifier is previously known the use of stingrays is slightly less intrusive, but this is not always the case.

Even more surprising is the existence of a similar device known as KingFish. Which is essentially a Stingray in handheld form. These two devices, especially when used in conjunction with a cooperating cell phone company like Verizon, are very effective in finding and tracking suspects.

…Or protestors. As Spiderman taught us; with great power comes great responsibility. And as the American and European public has seen time and time again, their governments didn’t get the memo. Not only have law enforcement been trying their damnedest to keep Stingray and KingFish hidden from everyone but they have also been using this technology for nefarious purposes.

Freddy Martinez, a 27 year old IT worker and activist originally became suspicious of the use of  these devices when his, and other activists’, cell phones began acting strange at protests. He and fellow activists noted increased battery drainage, inability to send and receive messages and calls, during 2009 Tea Party Protests as well as 2011 Occupy Chicago protests.

After filing a Freedom of Information Act request, Martinez was ignored for months (the law requires a response in 10 days). Finally, however, Martinez was successful at getting the Chicago Police Department in admitting that they were indeed involved in purchasing Stingrays at least six years earlier.

What’s most worrying is that this technology was initially developed for intelligence and military use. However, they have been easily purchased by at least 54 different local law enforcement departments in at least 21 different states (plus agencies have been known to borrow the equipment). Furthermore, the use of these devices has not been subject to any judicial oversight, until now.

Stingrays and IMSI Catchers New Guidelines

As mentioned before, law enforcement’s use of Stingrays and KingFish have not only been nefarious but downright deceitful. They have kept the use of these devices out of the public eye by purposely omitting the use of the devices from suspects, defense lawyers, as well as judges. This omission is largely due to the fact that non-federal law enforcement agencies had to sign a non-disclosure agreement upon purchase of Stingrays, KingFish, and other IMSI catchers.

In Maryland, as reported by The Guardian, the agreement between the state’s attorney and police commissioner reads:

…shall not, in any civil or criminal proceeding, use or provide any information concerning the Harris corporation wireless collection equipment/technology.

This agreement led prosecutors in Maryland- and all other jurisdictions nationwide- to withdraw or drop cases which threaten this agreement.

This policy will end up costing the agencies much more than the initial half a million dollar price tag (plus costs of subsequent upgrades). In Baltimore alone, 2,000 cases are being reviewed after a successful investigation by USA Today.

Only a week after USA Today’s article was published the Department of Justice (DOJ) has enacted new guidelines regarding the use of IMSI catchers. Unfortunately, these guidelines only apply to federal agencies like: the FBI, the Bureau of Alcohol, Tobacco and Firearms (ATF), the Drug Enforcement Administration, US Marshals, and others. The Department of Homeland Security (DHS) has been intentionally excepted. These agencies now require a warrant from a judge before Stingrays and other similar devices are used, barring ‘exigent’ and ‘exceptional’ circumstances.

The 7-page document also lays out consitutional protections by saying:

…consistent with the requirements and protections of the Constitution, including the Fourth Amendment…[and] including the Pen Register Statute.

As extremetech.com writes, further stipulations state that IMSI catchers must only be used as “pen registers, meaning they collect only metadata about contacted numbers and durations of a call, not text messages, IMs, emails, or the actual contents of a phone conversation.”

Although the guidelines are a monumental step forward they also leave much to be desired. It still leaves local and state law enforcement agencies to do as they wish with Stingrays and IMSI catchers. Plus, it is only suggested policy instead of being a legally binding document. A battle has been won, especially since more and more departments are admitting to the use of such devices, but we still have a long way to go.

feature image uncredited/AP

If you take your privacy as seriously as we do, then you should follow @LiquidVPN

You can follow the author @FreelanceTony

Share this article!