Privacy advocates recently won a victory against the unrestricted use of “stingray” cell-site emulators. On November 9th, Illinois judge Iain D. Johnston ruled law enforcement agencies must take steps to minimize the impact on innocent bystanders caught up in the stingray surveillance dragnet and that law enforcement must “immediately destroy” collateral data collected. So how is all this data being collected and why?
Back in August, I spoke to a reporter at the Wall Street Journal about stingray devices. Stingrays, also known as dirtboxes, are surveillance tools used by law enforcement authorities in operations to gather the cell phone information of suspected criminals. By capturing surveillance data multiple times or directly observing the suspect, authorities can use a process of elimination to identify the correct phone and obtain phone records from the cellular carrier.
Details on cell-site emulator capabilities are sketchy because of non-disclosure agreements between the stingray device manufacturers, the FBI and local law enforcement officials. What is known is stingray devices simulate a cellular tower and can identify the phone and location of the user. They are also capable of uncovering who is being called and with some devices even the contents of the conversation.
Privacy Advocates Worry Over Surveillance Abuse
Local authorities typically use stingrays in illegal drug investigations, where criminals frequently change devices and phone numbers to avoid getting caught. However, many other government agencies also have stingrays, including the IRS, NSA and ATF.
Back in October, I wrote about low-cost cell phone detection actually helping protect privacy due to its non-invasive technological nature. While this technology is sometimes used in parallel to stingray surveillance gear, it is far less complex and sweeping in its data gathering abilities.
What really worries privacy advocates most is that stingrays can sweep up the information of unrelated parties along with the suspects. Cell phones are programmed to automatically prefer and connect to the strongest signal source, so stingray surveillance operations can inadvertently gather data from hundreds of non-target devices. The phone doesn’t even have to be on a call. Because cell phones periodically connect to the tower, just the act of having it on and bringing it within the range of the stingray device is enough.
There are indications that some law enforcement organizations are abusing cell-site simulators. The U.S. Marshals Service confiscated stingray records from local police in Florida after they agreed to show them to the American Civil Liberties Union. In April a Baltimore detective revealed local police had used a stingray device “thousands” of times while withholding information from prosecutors and judges. A judge threatened a different Baltimore detective with contempt after the detective refused to provide information about the equipment used in a case, citing a non-disclosure agreement with the FBI.
Illinois Judge Rules in Favor of Cell Phone Privacy
Judge Johnston’s ruling imposes three requirements on law enforcement agencies using stingray devices:
- Authorities must make “reasonable efforts to minimize the capture” of surveillance data from the phones of non-targets. They also cannot capture data from locations that would expose an inordinate number of people, such as a public ceremony or sports event.
- They must destroy all surveillance data that does not pertain to identifying the subject phone within 48 hours. The authorities must also provide evidence the data has been destroyed.
- Law enforcement cannot use surveillance data beyond what is necessary to identify the target device.
One thing is for certain, though. This isn’t the last time we’ll be hearing about stingrays and privacy issues. A case regarding protection for historical cell phone records is on its way to the Supreme Court, and could have ramifications for future stingray use.
- Stalking has never been easier so let’s change that - 02/08/2023
- This is why nobody is allowed a cell phone in classified debriefings - 11/18/2022
- Death of the VPN: A Security Eulogy - 08/24/2022
This is an extremely lightweight article. Man-in-the-middle interception of wireless communications of all types has been around for a very long time (I worked on some of the stuff in the early 80’s). Reading and regurgitating news stories found on the internet hardly makes someone an expert in the field. Do you have a long career in the telcom industry? What is your formal schooling and what positions and communications companies have you worked for?
Scott Schober says
First, thank you for taking the time to read my blog and share your comments/questions. Yes this is a ‘lighter weight’ blog posting and not a white paper or technical article. And I agree regurgitating new stories does not make one an expert. Certainly Man-In-The-Middle attacks have been around for a very long time and my company too worked on simpler implementations back in the eighties as you did. Of corse wireless technology and advanced modulation techniques have dramatically changed the landscape for surveillance and intercepting signals. My company has designed and manufactured cellular intercepters that we have sold to Title 3 authorized agencies, as well as 4G LTE (SDR) software defined radios where we can provide signal strength measurements, CINR, interference analysis etc… that are effectively used to make our smart phones work & thus allow them to handle the higher data throughput needed these days.
I do have a long career in the telecom industry and since you have worked back in the early eighties you would remember companies that we designed and manufactured test equipment for building out the first cellular networks; Bell Atlantic, AT&T, NYNEX, Ameritech, GTE, Southwest Bell, US West, Cellular One, AirTouch, Voice Stream, Nextel, etc. As the telecom industry changed rapidly, so did our development of test instruments so we provided companies such as Sprint, T-Mobile, Verizon, Clearwire with 3G analysis tools and we focused much of our efforts designing CDMA tools.
I was privileged to be part of the BVS team that developed a variety of FSK, BPSK, QPSK frequency hopping and direct sequence spread spectrum modulation systems. Back in the mid 90’s we were funded by Oki Electric of Japan to design both the RF and digital WCDMA which became the IS-665 spec. In the late 1990’s we were funded to develop WLL-Wireless Local Loop and we licensed to Daewoo and Sungmi Korea.
Over the past several decades I have led a team providing advanced propagation analysis tools to NASA, designing timing solutions for GlobalStar for worldwide deployment for their global satellite system. We were retained by the TV networks to develop an effective means to determine which commercial a household was watching.
My background/education is computer science, electronics, robotics, RF engineering, cybersecurity: Kean University, New York University. I sit on several cyber security advisory boards, present as a subject matter expert in several areas. I recently was able to testify at the state capital on drone threats to critical infrastructure so they can pass legislation to fine and imprison violators.
I would be happy to read some of the blogs or articles that you have authored. Please send me some links.
Thank you for taking the time to read my blog and visiting http://www.ScottSchober.com.
I’m sorry but Scott you are not good at this blog thing. Your articles are brief and smell like commercials. You are a smug person who I doubt is very knowledgeable if any recent security advances or news as it is clear you have moved onto an executive role.
Obviously you are marketing something here but its just not interesting enough for anyone to really care. So that leaves one possibility: you have this blog as a show for potential buyers of your services.
Very well. Perhaps a disclaimer or some sort of notice would be apropo? I feel cheated having read thru ten terribly deficient articles before having realized this. Good day to you sir.
Scott Schober says
They can’t all be gems and even if they were, I would never be able to please everyone. Why not give me another chance? You’re obviously interested in privacy and legal issues concerning our smartphones. I’ve just posted a new blog on Apple’s fight against the FBI and it’s got over 17,000 views on LinkedIn in just over a day. Feel free to check it out HERE. Thanks