Shrouded in Secrecy: Law Enforcement Use of Cell-Site Simulation Technologies
On December 19, 2016, the House Committee on Oversight and Government Reform released revealing its findings on the status, policies, and widespread use of Stingray cell-site simulation technologies. The Committee staff report, Law Enforcement Use of Cell-Site Simulation Technologies: Privacy Concerns and Recommendations, grew out of hearings in October 2015 that opened a Pandora’s box on lack of federal oversight and uniform policies concerning the use of cell-site simulators.
It is interesting to note that in part, the Committee began its investigation after “press reports alleged wide-spread use of cell-site simulation devices by federal, state, and local law enforcement” (p.1). The House Committee’s report cites numerous public investigations, academic papers, and use statistics by federal agency, state and local bodies.* Significant legal cases, such as United States v. Knotts, United States v. Karo, and United States v. Jones add to the Committee’s analysis. The Committee met “with each of the relevant component agencies of DOJ and DHS, the Internal Revenue Service (IRS), the Treasury Inspector General for Tax Administration (TIGTA), and the Department of Defense (DOD) to obtain “an in-person demonstration of this technology” (p.7).
Many of the Committee’s findings and recommendations are discussed elsewhere; in this post, I take a different road to outline and directly emphasize the most stunning sections of the report, ones that I find most problematic from an information rights and policy perspective.
For example, the Committee writes that (emphasis added):
At the outset of the investigation, the use of these devices by federal, state, and local law enforcement agencies was not well known, and in many instances, appeared to be shrouded in secrecy. This is partly due to the use of the technology by military and intelligence agencies and the need for sensitivity in national security matters. The Federal Bureau of Investigation (FBI), for example, avoided disclosing not only its own use of the devices, but also its role in assisting state and local law enforcement agencies in obtaining and deploying these devices. Indeed, the Committee’s investigation revealed that as part of the conditions for being able to sell cell-site simulators to state and local law enforcement, the manufacturers of these devices must first notify the FBI, and those agencies in turn must sign a non-disclosure agreement with the FBI that expressly prohibits them from publicly disclosing their use of this technology, even in prosecutions where the use of the technology was at issue (p.2-3, 31-32).
What are Cell-Site Simulators?
It is evident from the staff report the Committee sought to educate itself and the public at large on how cell-site simulators work in the real world. In this way, the Committee could draw conclusions as to the depth of covert surveillance and its impact on privacy. For example, the Committee describes cell-site simulators as
Devices that effectively transform a cell phone into a real time tracking device. A cell-site simulator—also known as an “IMSI catcher”—is a device that mimics a cell phone tower. These devices are commonly referred to as “Stingrays,” which is both a generic name and also refers to a specific type of IMSI catcher that is manufactured by the Harris Corporation. When the device is activated, cell phones in the surrounding area connect to the device in a similar way that the cell phones would connect to a cell tower. Once a phone connects to the cell-site simulator, the device is capable of obtaining specific identifying information for the phone, including information that enables law enforcement to determine the location of the phone and, more importantly, its user. The devices were initially designed for the military, but were later adapted for domestic law enforcement. Law enforcement agencies usually operate them from moving vehicles or, to a lesser extent, from airplanes (p.7).
Courtesy of Chicago Sun Times
Cell-site simulators work by impersonating a cell phone tower. Cell phones within range recognize the device as the strongest cell phone tower in the area and connect with the device. Every cell phone has a unique identifying number assigned by a device manufacturer or a cellular network provider called the International Mobile Subscriber Identity (IMSI). When the cell-site simulator connects with a cell phone, the simulator is able to identify that cell phone’s unique identifying number. In addition, most cell-site simulators have the ability to collect and store the IMSI numbers of all the phones they connect with in the area where they are deployed (p.9).
An IMSI catcher is an example of an active surveillance device. It ‘exploit[s] the lack of authentication of the base station by cellular phones,’ and ‘[a]s a result, phones have no way to differentiate between a legitimate base station owned or operated by the target’s wireless carrier and a rogue device impersonating a carrier’s base station.’ Most current phones—those on 3G and 4G networks—’now include the capability for phones to authenticate the network base stations,’ but even these current models ‘are backward compatible with older, vulnerable phone network technologies, which allows the phone to function if it is taken to a rural location or foreign country where the only service offered is 2G’ (p.10).
As The Intercept’s Secret Surveillance Catalogue illustrates, these “devices” are merely a few of the (secret) surveillance technologies available in the intelligence-spying toolbox.
Varying Standards, Non-Disclosure, Warrantless Surveillance, and Recordkeeping
Below is additional commentary from the Committee that expands knowledge of federal agency policies on surveillance, privacy, the right to know, and the dynamics of intelligence gathering:
During the course of the investigation, it became clear that the use of cell-site simulators by state and local law enforcement agencies was not governed by any uniform standards or policies (p.4).
Documents and information obtained by the Committee confirmed varying standards for employing cell-site simulation devices among federal, state, and local law enforcement. Notably, the documents and information revealed that when the Committee first began its investigation in April 2015, federal law enforcement entities could obtain a court’s authorization to use cell-site simulators by meeting a standard lower than probable cause — the standard to obtain a search warrant (p.4).
Documents and information obtained by the Committee also confirmed reports of the widespread use of non-disclosure agreements that bound law enforcement not to reveal their use of these devices and even went so far as to require local prosecutors to agree to dismiss any of their criminal cases if the FBI did not approve the disclosure of the devices in any particular case (p. 7-8).
From April to August 2015, Committee staff met with the component agencies and officials from DOJ and DHS leadership; from those meetings, two things became clear: (1) use of these devices was widespread; and (2) there was a lack of uniformity across the agencies regarding what court authority was required to deploy cell-site simulation technology under different operating scenarios (p.8).
To use the device as an investigative tool, law enforcement deploys the device at a known location of the target and obtains every IMSI number in the vicinity at the time of deployment. By deploying the device numerous times in numerous locations where the targeted individual is present, law enforcement collects a list of IMSI numbers for each cell phone present at every location where the device was deployed. The device analyzes this list to determine if there were common IMSI numbers at each location. By a process of elimination, the common IMSI numbers are identified as likely to be those of the target’s phone, and individuals associated with the target. Law enforcement can then work with cellular service providers to determine telephone numbers and billing information associated with specific IMSI numbers (p.12).
Following he Supreme Court’s decision in United States v Jones, where the installation of a GPS tracker on Antoine Jones’ Jeep without a warrant constitutes an unlawful search under the Fourth Amendment, the Committee notes that
then-FBI General Counsel Andrew Weissmann revealed that in light of the Court’s Jones decision, DOJ had generated two memoranda to be provided to its component agencies: 1) guidance to the field specifically on the use of GPS; and 2) guidance on what Jones means for other types of geolocation techniques beyond GPS (hereinafter, “the Jones Memos”) (p.17).
When the Committee began its investigation of domestic law enforcement’s use of cell-site simulation technology, the only publicly available information on the actual contents of the Jones Memos, aside from Mr. Weissmann’s comments, were two heavily redacted Guidance memoranda DOJ had released in response to a Freedom of Information Act request from the American Civil Liberties Union (p.17).
Prior to the Committee’s investigation into cell-site simulators, DOJ and its component agencies were using geolocation technologies under a less rigid set of guidelines for ensuring that citizens’ Fourth Amendment rights were adequately protected. Those guidelines, which are set forth below, were inadequate to protect the privacy interests of American citizens who found themselves within range of an active cell-site simulator (p.18).
When the Committee begin [sic, began] its oversight of law enforcement’s use of cell-site simulators, DOJ and its component agencies did not have to obtain a warrant based on probable cause. DOJ instead had generally obtained court authorization to use cell-site simulators by seeking an order under the Pen Register and Trap and Trace Statute (The Pen Register Statute). The Pen Register Statute establishes a framework by which the government can receive court authorization to obtain non-content information about outgoing and incoming phone calls. The Pen Register Statute governs law enforcement’s ability to obtain the specific telephone numbers of incoming and outgoing calls for a particular phone through the use of pen register and trap and trace devices. A “pen register” is a device which records the numbers a phone dials out, whereas a “trap and trace device” records the specific telephone numbers of incoming calls. While court authorization for pen registers and trap and trace devices is required, this authorization takes the form of an order, rather than a warrant (p.19).
The 2001 PATRIOT Act amended the Pen Register Statute and added the term ‘signaling information‘ to the definition of information that required court authorization before law enforcement could intercept it (p.20).
On September 3, 2015 DOJ announced its most recent, enhanced policy for use of cell-site simulators. This policy now governs each of its component agencies use of these devices. DOJ’s new policy requires its component agencies to obtain a search warrant supported by probable cause and issued pursuant to Rule 41 of the Federal Rules of Criminal Procedure or the applicable state equivalent, with some limited exceptions.The DOJ policy makes clear that not only is a warrant required for use of cell-site simulators, but that the warrant must meet certain cell-site simulator-specific requirements. Warrant applications must include sufficient information to ensure that courts are aware that it is an application to use cell-site simulator technology, and affirm that law enforcement will make no affirmative investigative use of any non-target data absent further order of the court. The warrant application must also disclose that there may be ancillary service disruption to non-target phones (p.21);
DOJ’s policy also creates an exception to the warrant requirement for exceptional circumstances where the law does not require a search warrant and circumstances make obtaining a search warrant impracticable. In briefings with Committee staff, DOJ stated that this is an amorphous category that is not expected to arise frequently (p.22).
Additionally, unlike DOJ’s policy, DHS’s policy does not require the agency to keep statistics for cases of non-warrant use (p.23).
The IRS did not have an express agency-wide policy and been applying only the general guidelines that it had been using ‘for the use of pen registers and trap-and-trace devices, that is, technology used by cell-site simulators’ (p.25).
DHS allows the purchase of cell-site simulators through certain preparedness grant programs that are administered by FEMA. FEMA policy specifically states that use of such equipment is subject to the prohibitions contained in Title III of the Omnibus Crime and Control and Safe Streets Act of 1968, 18 U.S.C. §§ 2510-2522 (p.27).
The lack of uniformity at the state and local level currently creates the possibility that states and localities are deploying cell-site simulator technology in a manner that is less strict than the guidelines being adhered to by federal law enforcement agencies (p. 30).
Non-Disclosure Agreements as Secret Law
Through the institutionalized use of non-disclosure agreements between the FBI, purchasers, and manufacturers of cell-site simulation technologies, the House Committee identified an embedded layer of secrecy; (trade) secrecy, for example, further reinforced by “language asserting that certain technical information about the technology was confidential and exempt from requests made under the Freedom of Information Act (FOIA) (p. 32). Furthermore, the Committee reports
those state and local entities that do purchase a cell-site simulator frequently sign non-disclosure agreements with two entities, the company selling the device, and the FBI. In addition to the publicly available versions of the non-disclosure agreements, the Committee also obtained copies of non-disclosure agreements between the FBI and various state and local jurisdictions. As explained more fully below, these non-disclosure agreements actively prohibit the public from learning about the use or role that a cell-site simulator may play in a state or local criminal investigation (p. 31).
Because cell-site simulators operate over the airwaves, manufacturers of these devices must obtain a special license from the FCC to sell them. As part of its condition of approving any sale, the FBI imposed a requirement on state and local entities that in order to obtain the devices, they must sign a non-disclosure agreement with the FBI. These non-disclosure agreements impose significant secrecy requirements on the state and local entities seeking to obtain cell-site simulators.A review of these agreements showed that all contained similar language that prohibited state and local entities from disclosing any information about their use of cell-site simulators (p.31).
In Baltimore, for example, prosecutors reportedly withdrew evidence instead of disclosing the possible use of a cell-site simulator. In St. Louis, prosecutors reportedly dropped robbery charges against three co-defendants rather than have an officer from the police intelligence unit testify about the use of a cell-site simulator device in the case. In Erie County, New York, police reportedly used the device 47 times since 2010, but only once sought a court order to do so. The updated DOJ policy does not discuss the FBI non-disclosure agreements (p. 32).
In addition to non-disclosure agreements signed with the FBI, state and local entities also sign purchase agreements with manufacturers that include non-disclosure requirements. These purchase agreements include general language that the buyer would obtain all necessary court orders and comply with all constitutional, federal, state, and local privacy laws (p. 32).
One of the manufacturers included in its terms and conditions of a sale language that the purchaser ‘shall not disclose, distribute, or disseminate any information regarding Customer’s purchaser or use of’ the equipment ‘to the public in any manner, including but not limited to: in press releases, in court documents and/or proceedings, internet or during other public forums or proceedings.’ Additionally, as part of the condition of the sale, the manufacturer required that the purchaser ‘shall not in any civil or criminal proceeding, use or provide information concerning’ the equipment or software ‘beyond the evidentiary results obtained through the use of Equipment and/or Software without the prior written consent’ of the manufacturer (p. 33).
The Committee also reported that “bad actors” may deploy cell-site simulation technology for a myriad of nefarious purposes:
It is possible, if not likely, bad actors will use these devices to further their aims. Criminals and spies, however, will not be adopting the DOJ and DHS policies and procedures or any other ethics of surveillance. They will not be self-limiting in their use of these devices so as to not capture the content of others’ conversations. Criminals could use these devices to track potential victims or even members of law enforcement. One can imagine scenarios where criminals or foreign agents use this type of technology to intercept text messages and voice calls of law enforcement, corporate CEOs, or elected officials (p. 33).
While law enforcement in the United States has worked for years to keep its use of the device shrouded in secrecy, the outside world has been making, advertising, and discussing cell-site simulators for years. One security consultant was able to outfit his automobile with a “do-it-yourself” surveillance equipment, which included a cell-site simulator. IMEI and IMSI catchers appear for sale on the internet website Alibaba, a Chinese eBay-type online commerce (p. 33-4).
* Unfortunately, the Committee did not include use of cell-site simulation technology by tribal governments – or Joint Terrorism Task Forces/ Fusion Centers.