UNCOVERING THE SECRECY OF STINGRAYS - What Every Practitioner Needs to Know - American Bar Association
UNCOVERING THE SECRECY OF STINGRAYS
What Every Practitioner Needs to Know
NICOLE VALDES HARDIN
CRIMINAL JUSTICE, Winter 2018

On a cold night in February 1995, federal agents and a computer hacker huddled together in a van. The hacker and the Federal Bureau of Investigation (FBI) sought a different at-large fugitive hacker named Kevin Mitnick. And they sought him using a device called the Triggerfish. The hacker noted, “I was able to extract that the Triggerfish was a five-channel receiver, able to monitor both sides of a conversation simultaneously.” The Triggerfish also pinpointed Kevin Mitnick’s location, leading to his arrest. (Tsutomu Shimomura, Catching Kevin, Wired (Feb. 1, 1996), https://tinyurl.com/y76q8zw6.) The next time the public heard mention of such a device would be 16 years later, in 2012.

In 2013, when Edward Snowden revealed classified surveillance programs by the United States government, the revelations shook the country. But plenty of cell phone surveillance by federal, state, and local law enforcement long preceded the revelations. And that type of surveillance probably snared a client or two of practitioners—and no one
had any idea.

The name brand Stingray has become synonymous with international mobile subscriber identity (IMSI) catchers, also known as cell-site simulators. Each cell phone has an IMSI, a unique number, usually 15 digits. The three components within the assigned IMSI number are the mobile’s country code, the mobile’s network code, and the mobile subscriber’s identification number. The IMSI number is stored in the subscriber identity module (SIM) card located inside the phone.

The Stingray is a specific IMSI catcher manufactured by Harris Corporation and sold solely to military and law enforcement. But numerous IMSI catcher products exist to track unsuspecting cell phone customers. As criminal law practitioners, we must understand the tools law enforcement routinely use, and the constitutional implications of that use.

NICOLE VALDES HARDIN is an assistant federal defender in the Middle District of Florida, in the Tampa Division. She is co-author of two publications attacking the science of cell phone tracking in criminal cases, and speaks nationwide on tracking and surveillance by law enforcement. Ms. Hardin is board certified in the area of criminal trial law.

HOW IMSI CATCHERS WORK

The first step is to understand what an IMSI catcher is, and what it can do. To understand the method used to locate cell phones, it is necessary to understand the basic way a cell phone operates. In theory, when a cell phone is turned on, it will search for the strongest signal and connect to that tower. Other factors can change that basic assumption, but typically that occurs when a cell phone is turned on. Once the cell phone powers on, the mobile switch determines what cell tower will carry the call and assigns a vacant radio channel within that cell tower to take the conversation. The switch will select the cell tower to serve the phone based on measuring signal strength and connecting the cell phone to the strongest signal.

When a cell phone is on the move, it uses multiple towers. When the cell phone handset moves from tower to tower, it is called a handoff or handover. Managing handoffs or handovers is handled in a similar manner to when a cell phone is turned on. The original tower handling the call sends a handoff request to the mobile switch after the signal drops below a certain threshold. The cell site makes several scans to confirm this and then switches the call to the next cell. A person may drive 50 miles, use eight different cell phone towers, and never once realize that his or her call has been transferred. At least, that is the goal of a cell phone company—seamless use for the phone user.

When the phone company keeps the information of the cell phone “checking in” with multiple towers, such as when a user powers on his or her cell phone, that data then can triangulate the cell phone’s location. After global positioning system (GPS) tracking, triangulation is the most accurate way of locating a cell phone. The triangulation process is not that complicated. Remember when the cell phone was powered on and searched for the strongest signal? That search caused the phone to check in with every cell tower in range to find the strongest signal. All those towers the phone checked in with “saw” that particular phone. All one needs for triangulation of a cell phone is the location of those cell towers that can “see” the phone—all of them. The more towers, the more accurate it is. The tower with the strongest signal is the one that the phone will utilize, but all those other towers can also “see” the phone as it moves. The tracking is akin to a Venn diagram, where the cell phone uses one tower while being in range and “seeing” other towers. Those towers begin overlapping in a smaller and smaller area, allowing the location of the cell phone to be tracked more accurately.

In traditional cell phone cases, the prosecution and law enforcement often cannot triangulate because cell phone companies only maintain records of the actual tower the cell phone used—until an IMSI catcher is deployed. An IMSI catcher works by mimicking a conventional cell phone tower. A user’s phone connects to an IMSI catcher because it offers the strongest signal. The IMSI catcher then maintains the connection, allowing police to track the cell phone’s location and leaving the cell phone owner none the wiser.

Prior IMSI catchers worked by exploiting a vulnerability in the country’s cell phone network. Though most newer cell phones use 4G and 3G networks, the base network in this country is actually 2G. Cell phones operating in 2G cannot authenticate cell towers, so IMSI catchers appear to be part of an actual cellular network. Both 3G and 4G authenticate cell towers, but IMSI catchers jam those networks and force cell phones onto the vulnerable 2G network. All cell phones are backward compatible—even the latest smartphones—allowing the phone to function if it is taken to a rural location or foreign country where the only service offered is 2G. Most phones are programmed to gracefully “fail over” to 2G when a 3G or 4G connection appears unavailable.

The 2G networks remain, particularly in rural areas, and so do the vulnerabilities, regardless of how recently a smartphone was produced. (Stephanie Pell, We Must Secure America’s Cell Networks—From Criminals and Cops, Wired (Aug. 27, 2014), https://www.wired.com/2014/08/we-must-secure-americas-cell-networks-from-criminals-and-cops-alike/.) Because companies moved away from the 2G network, Harris Corporation released a new version of the Stingray that can exploit 3G and 4G networks—the Hailstorm. (Tim Cushing, Law Enforcement Agencies Scramble for Pricey Cell Tower Spoofer Upgrades as Older Networks Are Shut Down, Tech Dirt (Sept. 3, 2014), https://tinyurl.com/y7z4nhhh.) The government obviously isn’t waiting for a new vulnerability—they already have one. And they are not sharing the information.

Because each cell phone has a unique IMSI number, police can enter that IMSI number into their device and simply follow the signal, triangulating a user’s location. But police may instead just request the device search the area, netting hundreds to thousands of innocent users’ locations. IMSI catchers allow law enforcement to obtain detailed location information of cell phones normally unavailable from a cell phone company without a subpoena. But locating cell phones
turns out to be only the tip of the iceberg. Despite assurances from various law enforcement agencies that the devices are used only to locate a cell phone, the machines have far greater capabilities. As noted earlier, the Stingray’s predecessor Triggerfish had the capability to monitor the content of calls way back in 1995, 22 years ago.

In December 2015, a source in the intelligence community grew concerned at the immense surveillance capability of law enforcement. Acting on the concern, the source gave a copy of an IMSI catcher device catalog to The Intercept. The catalog contained numerous machines with far greater capabilities than previously known.

A few of the devices can house a “target list” of as many as 10,000 unique phone identifiers. Most can be used to geolocate people, but the documents indicate that some have more advanced capabilities, like eavesdropping on calls and spying on SMS messages. Two systems, apparently designed for use on captured phones, are touted as having the ability to extract media files, address books, and notes, and one can retrieve deleted text messages.

(Jeremy Scahill & Margot Williams, Stingrays: A Secret Catalogue of Government Gear for Spying on Your Cellphone, Intercept (Dec. 17, 2015), https://tinyurl.com/hfzrms6.) The Intercept released the catalog to the public through its website. (Government Cellphone Surveillance Catalogue, Intercept (Dec. 17, 2015), https://tinyurl.com/jxlx5lj.) Not to be outdone, Meganet Corporation advertises an IMSI catcher called the VME Dominator. Among the Dominator’s attributes are interception of voice and text, voice manipulation, and text intercept and modification, as well as calling and sending text on behalf of the user. (VME—Cell Phone Interceptors, Meganet Corp., https://tinyurl.com/m643ebu (last visited Dec. 3, 2017).)

SECRECY AND NONDISCLOSURE AGREEMENTS

An IMSI catcher can be found in vehicles, on drones, and even in the arms of officers. In a case in Tallahassee, Florida, police entered an apartment during an investigation while tracking a stolen cell phone. Police knocked on the door and asked to enter. The suspect’s girlfriend cracked the door and refused to let them in. Police pushed the door open and searched the apartment, eventually locating the stolen cell phone. During a motion to suppress, defense counsel asked police how they tracked the phone. The officer refused to answer the question, causing the judge to force an answer. However, that answer came only after the judge closed the courtroom and sealed the transcript of the proceedings.

On appeal, one of the appellate judges questioned the state about the use of the IMSI catcher, noting that as of 2010 the Tallahassee Police Department had used Stingrays a staggering 200 times without ever disclosing their use to any judge. The American Civil Liberties Union (ACLU) got involved, filing demands for the release of the transcript, eventually winning release. (Nathan Freed Wessler, Victory: Judge Releases Information about Police Use of Stingray Cell Phone Trackers, ACLU (June 3, 2014), https://tinyurl.com/ybztyfr2.) The officer also testified that “[u]sing portable equipment we were able to actually basically stand at every door and every window in that complex and determine, with relative certainty you know, the particular area of the apartment that that handset was emanating from.” (Transcript of Motion Hearing at 15, State v. Thomas, No. 2008-CF-3350A (Fla. Cir. Ct. Aug. 23, 2010), https://tinyurl.com/y9t2k9fj.) Such use pales in comparison to other jurisdictions such as Baltimore, where a detective admitted to the secret use of an IMSI catcher on at least 4,300 occasions since 2007. (Justin Fenton, Baltimore Police Used Secret Technology to Track Cellphones in Thousands of Cases, Balt. Sun, Apr. 9, 2015.)

Despite the Tallahassee officer’s physically holding the Stingray up to every window, the use was undisclosed—a commonplace occurrence. When law enforcement purchases IMSI catchers, something else comes with the devices: a nondisclosure agreement, which law enforcement signs to procure the IMSI catcher. The agreements explicitly prohibit law enforcement agencies from telling anyone, even judges, about their use of the secretive equipment. The agreement is a contract, signed by Harris Corporation and local law enforcement officials, and the agreement mandates extraordinary restrictions. For example:

The [law enforcement agency] shall not, in any civil or criminal proceeding, use or provide any information concerning the Harris Corporation wireless collection equipment/technology . . . including, but not limited to, during pre-trial matters, in search warrants and related affidavits, in discovery, in response to court ordered disclosure, in other affidavits, in grand jury hearings, in the State’s case-in-chief, rebuttal, or on appeal, or in testimony in any phase of civil or criminal trial, without the prior written approval of the FBI.

(Letter from Christopher M. Piehota, Special Agent in Charge, FBI, to Scott R. Patronik, Chief, Erie Cty. Sheriff’s Office (June 29, 2012), https://tinyurl.com/yahslj62.)

Additional provisions include that the agency will “at the request of the FBI, seek dismissal of the case in lieu of using or providing, or allowing others to use or provide, any information concerning the Harris Corporation wireless collection equipment/technology, its associated software, operating manuals, and any related documentation.” (FDLE-FBI Non-Disclosure Obligations/Guidelines (Mar. 8, 2012), https://tinyurl.com/y97v4anj.) And if the police think a prosecutor is “considering” including such information in a trial, they must notify the FBI, to allow the FBI sufficient time to intervene and prevent disclosure.

Citing nondisclosure agreements, law enforcement routinely cover up the use of IMSI catchers. In the rare case where law enforcement gets caught using the devices, charges become reduced and even dismissed rather than divulging
information on the devices. In 2014 in Sarasota, Florida, an officer mistakenly listed the use of an IMSI catcher on a sworn probable cause document. The ACLU successfully won their public records request, and the records were set aside for them at the local police station. But when the ACLU attempted to pick up the records, they were gone, seized by the US Marshals Service. The US Marshals claimed the records were federal property after deputizing the state detective, and federal records were not subject to a state public records order. The records were moved to an undisclosed location, and have never been released. (Kim Zetter, U.S. Marshals Seize Cops’ Spying Records to Keep Them from the ACLU, Wired (June 3, 2014), https://tinyurl.com/ycuuntlm.)

In other cases where IMSI catcher use surfaced, criminal cases rapidly changed. On October 28, 2013, in Saint Louis, seven people were victims of armed robbery during a two-hour spree. One day before an officer was scheduled for a deposition involving the use of an IMSI catcher, all charges were dismissed. A victim, who was pistol-whipped in one robbery and required 18 stitches, reported being “shocked” when prosecutors told him the charges were dropped because “legal issues” had developed. (Robert Patrick, Controversial Secret Phone Tracker Figured in Dropped St. Louis Case, St. Louis Today, Apr. 19, 2015.) In Baltimore, Maryland, an officer refused to answer questions under oath about tracking devices. After a judge threatened to hold the officer in contempt of court, prosecutors withdrew key evidence in a homicide case rather than disclosing the use of an IMSI catcher. (Justin Fenton, Judge Threatens Detective with Contempt for Declining to Reveal Cellphone Tracking Methods, Balt. Sun, Nov. 17, 2014.)

Perhaps the closest a defense attorney got to viewing an actual Stingray happened in Tallahassee, Florida. After the prior exposure of Stingray use, defense attorneys convinced a judge to issue a subpoena duces tecum to view the machine, and access the manuals for the device. The case involved armed robbery, a life felony in Florida. Rather than revealing the device as required by the court order, prosecutors offered the client six months’ probation in exchange for pleading guilty to a second-degree misdemeanor, the lowest-degree crime in the state. (Ellen Nakashima, Secrecy Around Police Surveillance Equipment Proves a Case’s Undoing, Wash. Post, Feb. 22, 2015.)

Suffice it to say, practitioners will not receive notice if police deployed cell phone surveillance in their case. Quite the opposite—recognizing its use takes constant vigilance and sometimes luck. IMSI catchers, after all, are undetectable. A practitioner’s analysis begins with the origin of the stop or police contact. If the police pull over a client or find a client in a place they would not know about, dig. For example, in a prior initial meeting with a client, the arrest location seemed strange. When asked if the apartment belonged to a friend, the client remarked that he had never been to the apartment before that night. Such reports should raise a red flag. Practitioners, doing cases day in and day out, should trust their gut. If it seems off or does not add up, work the case as if something is off—it probably is.

Do not assume that a case is an unlikely candidate for IMSI catcher use because it is a basic or simple case. IMSI catchers have been deployed in trivial and routine matters. Prior cases with documented use involve a stolen cell phone from an unlocked vehicle, a broken car window, and check forgery. (Brad Heath, Police Secretly Track Cellphones to Solve Routine Crimes, USA Today, Aug. 23, 2015.) While police normally use the devices for suspects, no one is immune—released documents show police have used the devices to also track down witnesses. “We’re out riding around every day,” said one officer, who spoke on the condition of anonymity because of the department’s nondisclosure agreement with the FBI. “We grab a lot of people, and we close a lot of cases.” (Id.) Various organizations post maps showing confirmed acquisition of an IMSI device by police. But it is safer to assume that local police have the device and use it far more than is known.

IMSI CATCHERS AND THE LAW

Case law remains scant for IMSI catchers, due to decades of intensive concealment. State legislatures lead the charge in requiring warrants, citing privacy concerns—at least 13 states passed laws requiring warrants to track cell phones in real time: Arizona, California, Colorado, Illinois, Indiana, Maine, Minnesota, Montana, New Hampshire, Utah, Virginia, Washington, and Wisconsin. The Department of Justice’s (DOJ’s) policy evolved slowly, beginning in 1997 with interpreting the law to permit unmediated surveillance without the necessity of a pen register or trap and trace order. (Pen registers record telephone numbers, e-mail addresses, and other dialing, routing, addressing, or signaling information, while trap and trace devices record similar information received by such instruments or facilities. Use of a pen register or a trap and trace device requires only a court order, based on a law enforcement officer’s declaration that the information is relevant to an ongoing investigation.) In 2005, the DOJ adopted the position that the pen register and trap and trace device statute, as amended by the 2001 PATRIOT Act, “appears to encompass all of the non-content information passed between a cell phone and the provider’s tower.” (Dep’t of Justice, Electronic Surveillance Manual: Procedures and Case Law Forms 46 (2005), https://tinyurl.com/yby2ppy6.) The current policy, issued on September 3, 2015, now requires a warrant for IMSI catcher use. (Press Release, Dep’t of Justice, Justice Department Announces Enhanced Policy for Use of Cell-Site Simulators (Sept. 3, 2015), https://tinyurl.com/hfvds85.)

Courts, unfortunately, are slower to catch up. Not too many courts directly address the Stingray, partly because the government masks the applications in pen register requests. In Daniel Rigmaiden’s case, the use of an IMSI catcher was deployed to track him through his airbus card in his computer. (United States v. Rigmaiden (Rigmaiden II), No. CR 08-814-PHX-DGC, 2013 WL 1932800 (D. Ariz. May 8, 2013).) The card used cellular data to connect to the Internet. The interesting part is that the DOJ conceded that its behavior required a warrant because the tracking was within a private space. The court found that because there was probable cause for a warrant, it did not matter how the tracking happened.

United States v. Lambis became the first federal court decision to decisively rule that a search warrant is required to deploy an IMSI catcher. (197 F. Supp. 3d 606 (S.D.N.Y. 2016).) US District Judge William Pauley in the Southern District of New York ruled
that defendant Raymond Lambis’s rights were violated when the US Drug Enforcement Administration (DEA) used such a device without a warrant to find his Washington Heights apartment. The DEA had used a Stingray to identify Lambis’s apartment as the most likely location of a cell phone identified during a drug trafficking probe. Judge Pauley said doing so constituted an unreasonable search. “Absent a search warrant, the Government may not turn a citizen’s cell phone into a tracking device.” (Id. at 611.)

The other recent case that dealt with an IMSI catcher punted on the IMSI catcher question. The Seventh Circuit in United States v. Patrick involved the police first telling Mr. Patrick they had relied on information obtained from an anonymous source to find him sitting in the passenger seat of a car parked in an alley in Milwaukee. (842 F.3d 540 (7th Cir. 2016).) Officers finally admitted to using a Stingray. The government argued that they had an arrest warrant so there was no Fourth Amendment violation. The court said the arrest and tracking took place in public with a valid warrant and thus was not a violation of the Fourth Amendment. The court declined to wade into the privacy and Fourth Amendment issues any more than necessary, writing:

Questions about whether use of a simulator is a search, if so whether a warrant authorizing this method is essential, and whether in a particular situation a simulator is a reasonable means of executing a warrant, have yet to be addressed by any United States Court of Appeals. We think it best to withhold full analysis until these issues control the outcome of a concrete case.

(Id. at 545.)

On the state court level, appellate level courts diverged. The Supreme Court of Wisconsin held that a pen register order was good enough, while the Court of Appeals for both Maryland and the District of Columbia held that IMSI catchers require a warrant. (See Wisconsin v. Tate, 849 N.W.2d 798 (Wis. 2014), cert. denied, 135 S. Ct. 1166 (2015); State v. Andrews, 134 A.3d 324, 348 (Md. Ct. Spec. App. 2016); Jones v. United States, 168 A.3d 703 (D.C. 2017).) Wisconsin’s decision lacks real-world application though—the state legislature responded with legislation requiring a warrant, rendering the court decision moot.

A NEW FRONTIER

Many argue, convincingly, that the United States Supreme Court’s Fourth Amendment rulings lag behind technological advances. However, recent cases give hope that the Court may rectify the lapse. In the past five years, the Court ruled on location in 2012 and cell phone searches in 2014, and is finally poised to rule on location tracking through historical cell-site records in their October 2017 term. (See United States v. Jones, 565 U.S. 400 (2012); Riley v. California, 134 S. Ct. 2473 (2014); United States v. Carpenter, 819 F.3d 880, 887–90 (6th Cir. 2016), cert. granted, 137 S. Ct. 2211 (2017).) It seems inevitable that an IMSI catcher case winds its way up to the highest court. Unlike other technologies though, IMSI catchers are not that new. The failure of getting case law on the devices directly results from the relentless cover-up of their use by law enforcement. Practitioners dragging these cases into the light remains the only hope of receiving meaningful judicial review of the practice.

Despite IMSI catchers being around for decades, due to their hidden use, the technology remains new to courts. Unlike other forensic disciplines, such as fingerprints, DNA, and eyewitness identification, IMSI catcher case law does not arrive with reams of established case law. Knowing and understanding the technology are the first steps in recognizing and fighting the secret use of IMSI devices by law enforcement. Practitioners are in a unique position to shape the discussion on the intersection of the Fourth Amendment, privacy, and technology—and possibly change Fourth Amendment jurisprudence for generations.
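
The Venn-diagram narrowing described under HOW IMSI CATCHERS WORK, as an added illustration that is not part of the original article: it grid-samples the area common to every tower that can “see” a handset and shows that area shrinking as towers are added. The tower coordinates, the 5 km circular coverage radius on a flat grid, and the handset position are constructed assumptions.

```python
import math

# Constructed sample data (not real sites): tower id, x km, y km, and the radius
# in km within which the tower can "see" a handset. Circular coverage on a flat
# grid is a simplifying assumption; real coverage is irregular.
TOWERS = [
    ("A", 0.0, 0.0, 5.0),
    ("B", 6.0, 0.0, 5.0),
    ("C", 3.0, 5.0, 5.0),
    ("D", 3.0, -3.5, 5.0),
]
PHONE = (3.0, 1.0)  # constructed handset position, used only to check the result


def sees(tower, x, y):
    """True when the point (x, y) lies inside the tower's coverage circle."""
    _, tx, ty, radius = tower
    return math.hypot(x - tx, y - ty) <= radius


def overlap_region(towers, step=0.05):
    """Grid-sample the area that every tower in `towers` can see.

    Returns (area_km2, centroid); centroid is None when the circles share no area.
    """
    # The common area must lie inside the intersection of the bounding boxes.
    x_lo = max(t[1] - t[3] for t in towers)
    x_hi = min(t[1] + t[3] for t in towers)
    y_lo = max(t[2] - t[3] for t in towers)
    y_hi = min(t[2] + t[3] for t in towers)
    if x_lo >= x_hi or y_lo >= y_hi:
        return 0.0, None

    nx = int(round((x_hi - x_lo) / step))
    ny = int(round((y_hi - y_lo) / step))
    hits, sum_x, sum_y = 0, 0.0, 0.0
    for i in range(nx):
        x = x_lo + (i + 0.5) * step  # sample the centre of each grid cell
        for j in range(ny):
            y = y_lo + (j + 0.5) * step
            if all(sees(t, x, y) for t in towers):
                hits += 1
                sum_x += x
                sum_y += y
    if hits == 0:
        return 0.0, None
    return hits * step * step, (sum_x / hits, sum_y / hits)


def narrowing(towers, step=0.05):
    """Area and centroid of the common region as each further tower is added."""
    rows = []
    for n in range(1, len(towers) + 1):
        area, centroid = overlap_region(towers[:n], step)
        rows.append((n, area, centroid))
    return rows


if __name__ == "__main__":
    for n, area, centroid in narrowing(TOWERS):
        print(f"{n} tower(s): common area {area:6.2f} km^2, centroid {centroid}")
```

With one tower the handset could be anywhere in that tower's whole coverage circle; each additional tower that also sees it cuts the candidate area, which is why records of only the serving tower do not support this kind of location estimate.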