In recent months the New York Times and the Washington Post have run articles about cell tower simulators–devices which intercept cell phone data by “tricking” the target’s cell phone into believing it is communicating with a legitimate cell phone tower. These devices–also known as a “Stingray” or “Kingfish”–are able to locate a cell phone, download its metadata, and even eavesdrop on the calls or texts which are being sent. However, the law enforcement agencies which use cell tower simulators are doing their best to keep the details of their use (or even the fact of their use) secret, in accordance with non-disclosure agreements that the FBI requires local agencies to sign. In a particularly interesting development, prosecutors in a Florida case were ordered by a judge to provide details of their use of the device in an armed robbery case which carried a four-year minimum sentence. In order to avoid revealing the information, they allowed the defendant to plead to a second-degree misdemeanor and receive 6 months’ probation.
This secrecy has raised obvious concerns among privacy advocates. The ACLU has filed a number of lawsuits seeking more information about the use of cell tower simulators. Two senators have sent a letter to the FBI demanding more information about how and when these devices are used. But the secrecy may be justified given the types of countermeasures that are becoming available to thwart the cell tower simulators.
First, a brief description of the technology involved with cell tower simulators. Technically they are called International Mobile Subscriber Identity (“IMSI”) catchers, because they identify the IMSI of the suspect’s cell phone and use it to intercept outgoing information from the phone. As described in a recent Popular Science article, IMSI catchers are essentially
radio-equipped computers with software that can use arcane cellular network protocols and defeat the onboard encryption. Whether your phone uses Android or iOS, it also has a second operating system that runs on a part of the phone called a baseband processor. The baseband processor functions as a communications middleman between the phone’s main O.S. and the cell towers. And because chip manufacturers jealously guard details about the baseband O.S., it has been too challenging a target for garden-variety hackers….
But for governments or other entities able to afford a price tag of “less than $100,000,” says Goldsmith, high-quality interceptors are quite realistic. Some interceptors are limited, only able to passively listen to either outgoing or incoming calls. But full-featured devices like the VME Dominator, available only to government agencies, can not only capture calls and texts, but even actively control the phone, sending out spoof texts, for example. Edward Snowden revealed that the N.S.A. is capable of an over-the-air attack that tells the phone to fake a shut-down while leaving the microphone running, turning the seemingly deactivated phone into a bug.
Standard cell phone network protocol requires the cell phone to authenticate itself to the network, but does not require the network to authenticate itself to the cell phone, thus allowing an IMSI catcher to access the cell phone as long as it can decode the baseband operating system. This is the security hole that IMSI catchers are able to exploit.
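The one-way authentication gap described above, as an added toy model that is not part of the original article: HMAC-SHA256 stands in for the real cellular authentication algorithms, and every class and function name is hypothetical. It shows a phone attaching to a tower that lacks the subscriber key when only the phone is challenged, and refusing that same tower once the phone checks a network token first.

```python
import hashlib
import hmac
import os

def mac(key: bytes, label: bytes, rand: bytes) -> bytes:
    # Assumption: HMAC-SHA256 replaces the operator's authentication functions.
    return hmac.new(key, label + rand, hashlib.sha256).digest()

class Sim:
    """Phone side: holds the key shared with the home network."""
    def __init__(self, key: bytes):
        self.key = key

    def answer_one_way(self, rand: bytes) -> bytes:
        # The phone proves itself but cannot tell who issued the challenge.
        return mac(self.key, b"resp", rand)

    def answer_mutual(self, rand: bytes, token: bytes):
        # The phone checks the network's token before answering.
        if not hmac.compare_digest(token, mac(self.key, b"net", rand)):
            return None  # challenger does not hold the subscriber key
        return mac(self.key, b"resp", rand)

class Tower:
    """key=None models a simulator that has no subscriber keys."""
    def __init__(self, key=None):
        self.key = key

    def challenge(self):
        rand = os.urandom(16)
        token = mac(self.key, b"net", rand) if self.key else os.urandom(32)
        return rand, token

    def accepts(self, rand: bytes, resp: bytes) -> bool:
        if self.key is None:
            return True  # a simulator has nothing to verify against
        return hmac.compare_digest(resp, mac(self.key, b"resp", rand))

def phone_attaches(sim: Sim, tower: Tower, mutual: bool) -> bool:
    rand, token = tower.challenge()
    resp = sim.answer_mutual(rand, token) if mutual else sim.answer_one_way(rand)
    return resp is not None and tower.accepts(rand, resp)

# Constructed sample key, for illustration only.
KEY = bytes(range(16))
if __name__ == "__main__":
    for name, tower in (("legitimate", Tower(KEY)), ("simulator", Tower())):
        for mutual in (False, True):
            print(name, "mutual" if mutual else "one-way",
                  phone_attaches(Sim(KEY), tower, mutual))
```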
Although these devices have caused consternation among privacy advocates, they do not really present any new or challenging legal issues. Under both statutory and constitutional law, it doesn’t matter what method law enforcement agents use to conduct their surveillance; what really matters is the type of information they are obtaining. If law enforcement officers are listening in on our cell phone conversations, or reading our text messages as they are sent through the network, they need to obtain a Title III order under the Wiretap Act, demonstrating probable cause, the ineffectiveness of alternate surveillance methods, and minimization procedures. If they are merely collecting our telephony metadata such as outgoing dialed numbers, they need only certify that the information is “relevant to an investigation.” These standards exist whether law enforcement officers are obtaining the information using a modern Stingray device or an old-fashioned wiretap or pen register system. Thus, the warnings from some privacy advocates that these devices “allow cops to gather your data without a warrant or consent” are misplaced. Law enforcement agents have always had the ability to gather this type of information, and for decades they have faced more or less the same legal standards in obtaining court permission to gather it. IMSI catchers do allow them to obtain the information more quickly and (probably) more cheaply, but if they do so without meeting the proper legal standard, they are still violating the law and they are subject to civil penalties.
But what about the secrecy that shrouds the use of these devices? The FBI claims that disclosure of any details about the technology would assist criminals and terrorists who want to thwart the technology and use countermeasures to prevent law enforcement from conducting the surveillance. This turns out to be a legitimate concern; there are a number of devices already in existence that detect the use of IMSI catchers. Last year the Washington Post ran an article describing Cryptophones, which sell for $3,500 and will alert the user if an IMSI catcher has locked onto their cell phone.
This is only the most recent development in a technological arms race between police and criminals that has been going on for over a century. Telephones themselves were the first salvo in this battle, dramatically increasing our own privacy and at the same time allowing criminals to communicate quickly and confidentially with each other without leaving their homes. Then police began to wiretap telephones in order to even the odds (and gain access to information they might never have been able to obtain before). Then came cell phones, and then disposable cell phones, again making it easier for criminals to avoid surveillance while conducting their activities. Now police have a cheaper, easier way to monitor cell phone activity after they obtain a court order allowing them to do so. It makes sense for the police to try to maintain this ability for as long as possible–though soon enough, devices like Cryptophones will neutralize this ability. But the less the police say about the details of the technology, the longer they can use the technology effectively.