All posts for the month March, 2015

In recent months the New York Times and the Washington Post have run articles about cell tower simulators–devices which intercept cell phone data by “tricking” the target’s cell phone into believing it is communicating with a legitimate cell phone tower. These devices–also known as a “Stingray” or “Kingfish”–are able to locate a cell phone, download its metadata, and even eavesdrop on the calls or texts which are being sent. However, the law enforcement agencies which use cell tower simulators are doing their best to keep the details of their use (or even the fact of their use) secret, in accordance with non-disclosure agreements that the FBI requires local agencies to sign. In a particularly interesting development, prosecutors in a Florida case were ordered by a judge to provide details of their use of the device in an armed robbery case which carried a four-year minimum sentence. In order to avoid revealing the information, they allowed the defendant to plead to a second-degree misdemeanor and receive 6 months’ probation.

This secrecy has raised obvious concerns among privacy advocates.  The ACLU has filed a number of lawsuits seeking more information about the use of cell phone simulators.   Two senators have sent a letter to the FBI demanding more information about how and when these devices are used.  But the secrecy may be justified given the types of countermeasures that are becoming available to thwart the cell tower simulators.


First, a brief description of the technology involved with cell tower simulators.  Technically they are called International Mobile Subscriber Identity (“IMSI”) catchers, because they identify the IMSI of the suspect’s cell phone and use it to intercept outgoing information from the phone.  As described in a recent Popular Science article, IMSI catchers are essentially

radio-equipped computers with software that can use arcane cellular network protocols and defeat the onboard encryption. Whether your phone uses Android or iOS, it also has a second operating system that runs on a part of the phone called a baseband processor. The baseband processor functions as a communications middleman between the phone’s main O.S. and the cell towers. And because chip manufacturers jealously guard details about the baseband O.S., it has been too challenging a target for garden-variety hackers….

But for governments or other entities able to afford a price tag of “less than $100,000,” says Goldsmith, high-quality interceptors are quite realistic. Some interceptors are limited, only able to passively listen to either outgoing or incoming calls. But full-featured devices like the VME Dominator, available only to government agencies, can not only capture calls and texts, but even actively control the phone, sending out spoof texts, for example. Edward Snowden revealed that the N.S.A. is capable of an over-the-air attack that tells the phone to fake a shut-down while leaving the microphone running, turning the seemingly deactivated phone into a bug.

Standard cell phone network protocol requires the cell phone to authenticate itself to the network, but does not require the network to authenticate itself to the cell phone, thus allowing an IMSI catcher to access the cell phone as long as it can decode the baseband operating system.  This is the security hole that IMSI catchers are able to exploit.
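The asymmetry described above can be shown with a toy model. This is an added example, not part of the original post: HMAC-SHA256 stands in for the operator's real authentication algorithm, and the class names, key and IMSI are constructed for illustration. It compares one-way authentication with a mutual variant in which the tower must also prove it knows the subscriber's key.

```python
import hashlib
import hmac
import os

def _mac(key: bytes, label: bytes, rand: bytes, n: int) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the operator's real algorithm.
    return hmac.new(key, label + rand, hashlib.sha256).digest()[:n]

class Tower:
    """A base station. ki_db maps IMSI -> shared key; empty if it holds no keys."""
    def __init__(self, ki_db):
        self.ki_db = ki_db

    def challenge(self, imsi, mutual):
        rand = os.urandom(16)
        if not mutual:
            return rand, None               # one-way: nothing proves who is asking
        key = self.ki_db.get(imsi, os.urandom(16))   # without the key: a guess
        return rand, _mac(key, b"network", rand, 8)  # tower's proof of the key

    def accepts(self, imsi, rand, sres):
        key = self.ki_db.get(imsi)
        return key is not None and hmac.compare_digest(
            sres, _mac(key, b"phone", rand, 4))

class Phone:
    def __init__(self, imsi, ki):
        self.imsi, self.ki = imsi, ki

    def attach(self, tower, mutual):
        """Return (rand, response) sent to the tower, or None if the phone refuses."""
        rand, proof = tower.challenge(self.imsi, mutual)
        if mutual:
            expected = _mac(self.ki, b"network", rand, 8)
            if proof is None or not hmac.compare_digest(proof, expected):
                return None                 # tower could not prove it knows the key
        return rand, _mac(self.ki, b"phone", rand, 4)

if __name__ == "__main__":
    imsi, ki = "001010000000001", bytes(range(16))   # constructed test values
    phone = Phone(imsi, ki)
    home, keyless = Tower({imsi: ki}), Tower({})
    for name, tower in (("home network", home), ("key-less tower", keyless)):
        for mutual in (False, True):
            ok = phone.attach(tower, mutual) is not None
            print(f"{name:15} mutual={mutual!s:5} phone attaches: {ok}")
```

With one-way authentication the phone answers every challenge, so it attaches to both towers; with the mutual check it attaches only to the tower that holds its key.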

Although these devices have caused consternation among privacy advocates, they do not really present any new or challenging legal issues. Under both statutory and constitutional law, it doesn’t matter what method law enforcement agents use to conduct their surveillance; what really matters is the type of information they are obtaining. If law enforcement officers are listening in on our cell phone conversations, or reading our text messages as they are sent through the network, they need to obtain a Title III order under the Wiretap Act, demonstrating probable cause, the ineffectiveness of alternate surveillance methods, and minimization procedures. If they are merely collecting our telephony metadata such as outgoing dialed numbers, they merely need to certify that the information is “relevant to an investigation.” These standards exist whether law enforcement officers are obtaining the information using a modern Stingray device or an old-fashioned wiretap or pen register system. Thus, the warnings from some privacy advocates that these devices “allow cops to gather your data without a warrant or consent” are misplaced. Law enforcement agents have always had the ability to gather this type of information, and for decades they have faced more or less the same legal standards in obtaining court permission to gather it. IMSI catchers do allow them to obtain the information more quickly and (probably) more cheaply, but if they do so without meeting the proper legal standard, they are still violating the law and they are subject to civil penalties.

But what about the secrecy that shrouds the use of these devices?  The FBI claims that disclosure of any details about the technology would assist criminals and terrorists who want to thwart the technology and use countermeasures to prevent law enforcement from conducting the surveillance.  This turns out to be a legitimate concern; there are a number of devices already in existence that detect the use of IMSI catchers.  Last year the Washington Post ran an article describing Cryptophones, which sell for $3,500 and will alert the user if an IMSI catcher has locked onto their cell phone.

This is only the most recent development in a technological arms race between police and criminals that has been going on for over a century. Telephones themselves were the first salvo in this battle, dramatically increasing our own privacy and at the same time allowing criminals to communicate quickly and confidentially with each other without leaving their home. Then police began to wiretap telephones, in order to be able to even the odds (and gain access to information they never might have been able to have before). Then came cell phones, and then disposable cell phones, again making it easier for criminals to avoid surveillance while conducting their activities. Now police have a cheaper, easier way to monitor cell phone activity after they obtain a court order allowing them to do so. It makes sense for the police to try to maintain this ability for as long as possible–though soon enough, devices like Cryptophones will neutralize this ability. But the less the police say about the details of the technology, the longer they can use the technology effectively.

This week the foundation that runs Wikipedia filed a lawsuit against the National Security Agency (“NSA”), arguing that the “upstream” internet surveillance conducted by the NSA violates the agency’s statutory authority, as well as the First and Fourth Amendments to the Constitution. This is only the latest in a series of legal actions against the NSA in the wake of the revelations about its surveillance by Edward Snowden. The organization ProPublica has compiled this helpful list which describes thirty-eight different lawsuits that have been filed since 2006 against the NSA, other branches of the Obama administration, or private companies who were complying with NSA orders. Most of these lawsuits can be roughly divided into four different categories:

(1) The first wave of cases, from 2006 to 2008, which alleged that the government surveillance programs violated the First and Fourth Amendments. These cases were all effectively disposed of by the 2008 Supreme Court decision of Clapper v. Amnesty International, in which the Supreme Court held that the plaintiffs lacked standing because they could not prove that they themselves had been surveilled by the government.

(2) Lawsuits which seek to release information–either forcing the NSA to reveal more information about its surveillance program, or permitting private companies to reveal the fact that they have provided information to the NSA.  For the most part, these lawsuits have been successful, although many are still pending.

(3) Criminal defendants who are challenging the use of covert NSA surveillance evidence in their case.  Many of these cases are still pending, but so far none have been successful.

(4) A second wave of cases, post-Clapper v. Amnesty International, in which various organizations claim that the NSA surveillance programs violate its statutory authority and the Constitution.  The new case filed by Wikimedia falls under this category.

There are three separate NSA programs that are being challenged by this second wave of lawsuits.  The first is the “bulk metadata collection” program, in which the NSA collects massive amounts of non-content data from private companies, such as telephone numbers, email addresses, and other “address” information.  Because the NSA was collecting this information pursuant to Section 215 of the USA Patriot Act, this surveillance is sometimes referred to as “Section 215 collection.”  The second program is codenamed “PRISM,” and it involves the NSA collecting information that is stored by private companies (Microsoft, Facebook, Google, Apple, etc.).  PRISM data included content information, but (allegedly) the surveillance would only take place if the NSA agent has a “reasonable belief” (defined as at least 51% assurance) that the specified target is a foreign national who is overseas at the time of the data collection.  Because this program is allegedly authorized by Section 702 of the Foreign Intelligence Surveillance Act (“FISA”), it is sometimes referred to as “Section 702 surveillance.”  The third program is codenamed “UPSTREAM,” and it involves realtime interception of data and communication flowing across the fiber cables and other infrastructure of the internet (sometimes called the “backbone” of the internet).  The UPSTREAM program collects large amounts of data as it is transmitted, but then uses software filters to filter out purely domestic transmissions and then further filters the data to look for specific target words that would make the message of particular interest to the NSA.


With the new Wikipedia lawsuit, there are now five lawsuits pending in federal court which challenge these programs:

Jewel v. NSA (filed in 2008) — This case was filed in the Northern District of California by the Electronic Frontier Foundation, an advocacy group for digital privacy, on behalf of Carolyn Jewel and other AT&T customers. The plaintiffs were seeking an injunction against the NSA’s bulk collection of telephone metadata and against the NSA’s UPSTREAM surveillance program. The case was originally dismissed in 2010 for lack of standing, but was reinstated by the Ninth Circuit in 2011. Most recently, the plaintiffs suffered a setback in February of 2015 when the district judge granted the government’s motion for summary judgment on the issue of UPSTREAM surveillance, holding that the publicly available information was not sufficient to support the plaintiffs’ standing in the case, or to adjudicate the substantive Fourth Amendment issues:

Notwithstanding the unauthorized public disclosures made in the recent past and the Government’s subsequent releases of previously classified information about certain NSA intelligence gathering activities since 2013, the Court notes that substantial details about the challenged program remain classified. The question of whether Plaintiffs have standing and the substantive issue of whether there are Fourth Amendment violations cannot be litigated without impinging on that heightened security classification. Because a fair and full adjudication of the Government Defendants’ defenses would require harmful disclosures of national security information that is protected by the state secrets privilege, the Court must exclude such evidence from the case.

The trial court noted that this was a “frustrating” ruling:

The Court is frustrated by the prospect of deciding the current motions without full public disclosure of the Court’s analysis and reasoning. However, it is a necessary by-product of the types of concerns raised by this case. Although partially not accessible to the Plaintiffs or the public, the record contains the full materials reviewed by the Court. The Court is persuaded that its decision is correct both legally and factually and furthermore is required by the interests of national security.

Notwithstanding this recent ruling, the Jewel case is still pending, since the court only granted summary judgment on the UPSTREAM surveillance question, not on the bulk collection of telephone metadata.

Klayman v. Obama (filed in 2013) — This case was filed in the District of Columbia District Court by customers of Verizon Wireless, and it challenges the NSA’s bulk metadata collection program. In December of 2013, District Court Judge Leon ruled in favor of the plaintiffs and granted an injunction that would bar the NSA from continuing the surveillance. The judge then stayed the injunction pending appeal. The most controversial aspect of Judge Leon’s opinion was his rejection of the Supreme Court case Smith v. Maryland, which held that the Fourth Amendment does not protect telephone numbers that an individual dials, both because of the third party doctrine and because the telephone numbers are merely “address” information as opposed to “content” information. The government understandably relied heavily on Smith in its argument that the surveillance program did not violate the Fourth Amendment, but Judge Leon essentially held that Smith’s reasoning–and therefore, presumably, its holding–was hopelessly outdated:

The Government, in its understandable zeal to protect our homeland, has crafted a counterterrorism program with respect to telephone metadata that strikes the balance based in large part on a thirty-four year old Supreme Court precedent, the relevance of which has been eclipsed by technological advances and a cell phone-centric lifestyle heretofore inconceivable. 

The case is now on appeal to the D.C. Circuit, and oral argument took place in November of 2014.


ACLU v. Clapper (filed in 2013) — This case was filed in the Southern District of New York by the ACLU as Verizon subscribers, challenging the NSA’s bulk metadata collection program.  In December of 2013, just a few days after Judge Leon ruled against the government in Klayman, Judge William Pauley ruled in favor of the government in this case.   Judge Pauley cited Smith v. Maryland as binding Supreme Court precedent, and also noted the necessity of this kind of surveillance in the modern world:

No doubt, the bulk telephony metadata collection program vacuums up information about virtually every telephone call to, from, or within the United States. That is by design, as it allows the NSA to detect relationships so attenuated and ephemeral they would otherwise escape notice. As the September 11th attacks demonstrate, the cost of missing such a thread can be horrific. Technology allowed al-Qaeda to operate decentralized and plot international terrorist attacks remotely. The bulk telephony metadata collection program represents the Government’s counter-punch: connecting fragmented and fleeting communications to re-construct and eliminate al-Qaeda’s terror network.

The case is now on appeal to the Second Circuit, and oral argument took place in September of 2014.


Paul v. Obama (filed in 2014) — This is a lawsuit filed in the District of Columbia District Court by Senator Rand Paul and FreedomWorks, challenging the warrantless collection of cell phone records and metadata by the NSA. It is currently pending in the D.C. District Court. Although this lawsuit has more political overtones than the others, since the lead plaintiff is likely to be a contender for the Republican nomination in the 2016 Presidential Contest, the plaintiffs claim it is different from the others because it has been filed as a class action on behalf of “all Americans.”


Wikimedia vs. NSA (filed in 2015) — This lawsuit was filed just this week in the District of Maryland.  Like the Jewel case, Wikimedia’s case challenges the NSA’s UPSTREAM surveillance program.  And like the Jewel case, this case could be dismissed in whole or in part because national security secrecy makes the plaintiffs unable to establish a cause of action.  However, if the case is able to go forward, the case will likely turn on when (if ever) the NSA is held to have “searched” and “seized” the data in the UPSTREAM program.  The following graphic (which comes from the Electronic Frontier Foundation’s website) explains the case from Wikimedia’s point of view, arguing that the internet traffic is “seized” when it is copied as it flows along the internet backbone, and then “searched” when the NSA’s computer software sifts through it to identify messages and data that include the suspicious words or terms.


One question that a court will eventually have to decide is whether this information is actually ever being “seized.”  A seizure occurs when the government exercises “some meaningful interference” with an individual’s possessory interest in the property.  But merely copying data as it flows through the fiber-optic cables is not really a seizure–it does not interfere at all with the individual’s possessory interest.  Under current Supreme Court doctrine, merely making a copy of information does not constitute a “seizure”–although this doctrine has been criticized by some commentators, it is hard to see how any other rule would be consistent with existing law.

The real question is: when is the information “searched?”  If the government has copies of all of the data flowing across the internet, it does not help the government at all (nor does it meaningfully infringe on our privacy rights) unless the government actually looks at the data–and once the government looks, it has committed a search.

But what exactly constitutes “looking” at the data?  When a computer program sifts through the data looking for specific key words, can we classify that as a “search,” even if no human being ever sees the data?  In a 2005 article, I wrote that using software in this way could be a valuable new tool for police–increasing the efficiency of law enforcement with very little intrusion into our privacy.

As technology gets more sophisticated, software will be better able to focus on illegal behavior and thus narrow the scope of the surveillance—perhaps even to the point where the surveillance only alerts a human law enforcement agent when there is a near certainty of illicit conduct.  At that point, only the mindless computers  will “know” the private information about what we are writing, and they will quickly and unconsciously examine and discard any private innocent information they discover.  In the meantime, the human law enforcement agents will leave us alone. 

The NSA collection methods are coming close to reaching this point, but we are not there yet.  Unfortunately, the NSA filters still allow a large amount of innocent data to come through–and as soon as the NSA officers look at innocent information, they are conducting a “search.”  It may be a very efficient search, with a very high probability of leading to illegal activity, but it is still a search.  Perhaps the filters are refined enough such that there is probable cause to believe that any data that survives the filter is evidence of a crime.   Perhaps the filters are effective in removing all purely domestic communications, and so can all be justified under a FISA warrant.  But until we get a full, public review of the program, we will be unable to answer these questions.