Privacy advocates recently won a victory against the unrestricted use of “stingray” cell-site emulators. On November 9th, Illinois judge Iain D. Johnston ruled law enforcement agencies must take steps to minimize the impact on innocent bystanders caught up in the stingray surveillance dragnet and that law enforcement must “immediately destroy” collateral data collected. So how is all this data being collected and why?
Back in August, I spoke to a reporter at the Wall Street Journal about stingray devices. Stingrays, also known as dirtboxes, are surveillance tools used by law enforcement authorities in operations to gather the cell phone information of suspected criminals. By capturing surveillance data multiple times or directly observing the suspect, authorities can use a process of elimination to identify the correct phone and obtain phone records from the cellular carrier.
Details on cell-site emulator capabilities are sketchy because of non-disclosure agreements between the stingray device manufacturers, the FBI and local law enforcement officials. What is known is stingray devices simulate a cellular tower and can identify the phone and location of the user. They are also capable of uncovering who is being called and with some devices even the contents of the conversation.
Privacy Advocates Worry Over Surveillance Abuse
Local authorities typically use stingrays in illegal drug investigations, where criminals frequently change devices and phone numbers to avoid getting caught. However, many other government agencies also have stingrays, including the IRS, NSA and ATF.
Back in October, I wrote about low-cost cell phone detection actually helping protect privacy due to its non-invasive technological nature. While this technology is sometimes used in parallel to stingray surveillance gear, it is far less complex and sweeping in its data gathering abilities.
What really worries privacy advocates most is that stingrays can sweep up the information of unrelated parties along with the suspects. Cell phones are programmed to automatically prefer and connect to the strongest signal source, so stingray surveillance operations can inadvertently gather data from hundreds of non-target devices. The phone doesn’t even have to be on a call. Because cell phones periodically connect to the tower, just the act of having it on and bringing it within the range of the stingray device is enough.
There are indications that some law enforcement organizations are abusing cell-site simulators. The U.S. Marshals Service confiscated stingray records from local police in Florida after they agreed to show them to the American Civil Liberties Union. In April a Baltimore detective revealed local police had used a stingray device “thousands” of times while withholding information from prosecutors and judges. A judge threatened a different Baltimore detective with contempt after the detective refused to provide information about the equipment used in a case, citing a non-disclosure agreement with the FBI.
Illinois Judge Rules in Favor of Cell Phone Privacy
Judge Johnston’s ruling imposes three requirements on law enforcement agencies using stingray devices:
- Authorities must make “reasonable efforts to minimize the capture” of surveillance data from the phones of non-targets. They also cannot capture data from locations that would expose an inordinate number of people, such as a public ceremony or sports event.
- They must destroy all surveillance data that does not pertain to identifying the subject phone within 48 hours. The authorities must also provide evidence the data has been destroyed.
- Law enforcement cannot use surveillance data beyond what is necessary to identify the target device.
One thing is for certain, though. This isn’t the last time we’ll be hearing about stingrays and privacy issues. A case regarding protection for historical cell phone records is on its way to the Supreme Court, and could have ramifications for future stingray use.