Given the amount of mobile phone traffic that cell phone towers transmit, it is no wonder law enforcement agencies target these devices as a rich source of data to aid their investigations. Standard procedure involves getting a court order to obtain phone records from a wireless carrier. When authorities cannot or do not want to go that route, they can set up a simulated cell phone tower—often called a stingray—that surreptitiously gathers information from the suspects in question as well as any other mobile device in the area.
These simulated cell sites—which collect international mobile subscriber identity (IMSI), location and other data from mobile phones connecting to them—have become a source of controversy for a number of reasons. National and local law enforcement agencies closely guard details about the technology’s use, with much of what is known about stingrays revealed through court documents and other paperwork made public via Freedom of Information Act (FOIA) requests.
One such document recently revealed that the Baltimore Police Department has used a cell site simulator 4,300 times since 2007 and signed a nondisclosure agreement with the FBI that instructed prosecutors to drop cases rather than reveal the department’s use of the stingray. Other records indicate law enforcement agencies have used the technology hundreds of times without a search warrant, instead relying on a much more generic court order known as a pen register and trap and trace order. Last year Harris Corp., the Melbourne, Fla., company that makes the majority of cell site simulators, went so far as to petition the Federal Communications Commission to block a FOIA request for user manuals for some of the company’s products.
The secretive nature of stingray use has begun to backfire on law enforcement, however, with states beginning to pass laws that require police to obtain a warrant before they can set up a fake cell phone tower for surveillance. Virginia, Minnesota, Utah and Washington State now have laws regulating stingray use, with California and Texas considering similar measures. Proposed federal legislation to prevent the government from tracking people’s cell phone or GPS location without a warrant could also include stingray technology.
Scientific American recently spoke with Brian Owsley, an assistant professor of law at the University of North Texas Dallas College of Law, about the legal issues and privacy implications surrounding the use of a stingray to indiscriminately collect mobile phone data. Given the invasive nature of the technology and scarcity of laws governing its use, Owsley, a former U.S. magistrate judge in Texas, says the lack of reliable information documenting the technology’s use is particularly troubling.
[An edited transcript of the interview follows.]
When and why did law enforcement agencies begin using international cell site simulators to intercept mobile phone traffic and track movement of mobile phone users?
Initially, intelligence agencies—CIA and the like—couldn’t get local or national telecommunications companies in other countries to cooperate with U.S. surveillance operations against nationals in those countries. To fill that void companies like the Harris Corp. started creating cell site simulators for these agencies to use. Once Harris saturated the intelligence and military markets [with] their products, they turned to federal agencies operating in the U.S. So the [Drug Enforcement Administration], Homeland Security, FBI and others started having their own simulated cell sites to use for surveillance. Eventually this trickled down further to yet another untapped market: state and local law enforcement. That’s where we are today in terms of the proliferation of this technology.
Under what circumstances do U.S. law enforcement agencies use cell site simulators and related technology?
There are three examples of how law enforcement typically use stingrays for surveillance: First, law enforcement officials may use the cell site simulator with the known cell phone number of a targeted individual in order to determine that individual's location. For example, officials are searching for a fugitive and have a cell phone number that they believe the individual is using. They may operate a stingray near areas where they believe that the individual may be, such as a relative's home.
Second, law enforcement officials may use the stingray to target a specific individual who is using a cell phone, but these officials do not know the cell phone number. They follow the targeted individual from a site to various other locations over a certain time period. At each new location, they activate the stingray and capture the cell phone data for all of the nearby cell phones. After they have captured the data at a number of sites they can analyze the data to determine the cell phone or cell phones used by the targeted individual. This approach captures the data of all nearby cell phones, including countless cell phones of individuals unrelated to the criminal investigation.
Third, law enforcement officials have been known to operate stingray at political rallies and protests. Using the stingray at these types of events captures the cell phone data of everyone in attendance.
How does law enforcement get permission to perform this type of surveillance?
Federal law enforcement agencies typically get courts to approve use of something like stingray through a pen register application [a pen register is a device that records the numbers called from a particular phone line]. With that type of application, essentially the government says, we want this information. We think it’s going to be relevant to an ongoing criminal investigation. As you can imagine, that’s a pretty low bar for them to satisfy in the eyes of the court. Just about anything could fit into that description. You don’t even have to show that such an investigation would lead to an arrest or prosecution. Law enforcement is telling the court, look, we’re in the middle of this investigation. If we get this information, we think it might lead to some other important information.
Different court orders have different standards for approval. The highest standard would be for a wiretap. A search warrant likewise has a much higher standard than a pen register, requiring law enforcement to prove probable cause before a judge will grant permission to use additional means of investigation. The problem that I have with a pen register to justify use of something like a stingray is that the standard for a pen register is much too low, given the invasive nature of a pen register. Instead, I think the use of a stingray should be consistent with the Fourth Amendment of the Constitution and pursuant to a search warrant.
Why not explicitly state the type of technology being used and its specific purpose when filing for a court order?
[When] law enforcement agencies seek to obtain judicial authorization through a pen register, they do not directly indicate that they are applying for authorization to use a stingray. Doing so might cause some courts to question whether the pen register statute [as opposed to some higher standard] is the appropriate basis for authorizing a stingray. In addition, law enforcement agencies typically have to sign nondisclosure agreements with Harris Corp. in order to receive the federal Homeland Security funding needed to purchase the technology. So there’s this concern, at least at the local law enforcement level, about revealing any information about it because that would violate the agreement with Harris and maybe subject them to losing the equipment or some other consequences.
Why would law enforcement agencies sign a nondisclosure agreement with a technology company?
I’m not sure whether the agreements are being driven by the FBI or by Harris, but these agreements seem to be getting less relevant insofar as [there is less] need to keep the public unaware of the existence of this technology. In the last three or so years there’s been a lot more awareness about the technology and its use. When agencies were first signing these agreements years ago, use of this technology wasn’t widely known. Now you are getting situations where criminal defense attorneys learn about stingray and similar technologies and the role they may be playing in the arrests of some of their clients. Defense teams are starting to ask questions and require the government to produce documentation such as court orders, and that’s creating the confrontation you’re now seeing.
Why have law enforcement agencies kept their use of cell site simulators so secretive?
Some of it is the cloudy legal issues surrounding the legitimate uses of this technology. Law enforcement agencies will also argue that the more information that’s available about this technology, the harder it is for them to use these devices to fight crime. Yet there’s a growing knowledge of this technology, and a serious criminal enterprise is already aware of it. People are already using prepaid disposable phones [sometimes referred to as “burner phones”] to some extent to defeat this technology. Sophisticated criminals are aware that there’s electronic surveillance out there in myriad ways, and so they’re going to take precautions. From a technology perspective, it’s sort of a cat-and-mouse game. There’s also a device that locates cell site simulators, something referred to as an IMSI catcher. There’s an arms race back and forth to get the best technology and to get the edge.
What does it say to you about the whole process that a prosecutor or a law enforcement agency is willing to sacrifice a conviction in order to keep their methods a secret?
I think it’s a very odd approach. You are throwing away some convictions or potential convictions for the sake of secrecy. But it’s even harder to understand now that knowledge of the technology is becoming so common. There have been documented cases in Baltimore and Saint Louis where stingray has supposedly been used. The use of stingray and related technologies is a roll of the dice in the sense that law enforcement is hoping that either the defense attorneys don’t have enough savvy or wherewithal to find out about the technology and ask the right questions or, even if that does happen, they’re hoping that the judge that they have is favorable to their approach and not going to order them to reveal information about its use. In the rare occasions when things go against them, they just dismiss it.
You yourself denied a law enforcement application three years ago to use a stingray. Under what circumstances would you approve its use?
I want to make clear: I don’t have a problem with stingray itself—I understand that this can be a valuable tool in law enforcement’s arsenal. My problem is that I want it to be used pursuant to a high standard of proof that it’s needed, and that I want the approval process to be more transparent. One of the reasons I’d like to see some more documentation of stingray applications and orders is because I have this suspicion—but there’s no way of confirming it one way or another—that some judges are signing approvals to use this technology thinking that they’re just signing a pen register. If a judge thinks it’s [just] another pen register application, they’re just going to sign it without giving it much pause.
Now that the use of this stingrays and related technologies has been made public, where will this issue be a year or a few years from now?
A year from now I think we’re in the same position. You’re dealing with outdated statutes concerning new and very different technology. It’s possible in five years maybe that Congress will step in and do something. More likely, state legislatures will take most of the action to monitor this type of surveillance. Washington State, California [and others] have already acted, and Texas is evaluating the standards for approving stingray use.