Court Documents Show Canadian Law Enforcement Operated Stingrays Indiscriminately, Sweeping Up Thousands Of Innocent Phone Owners

from the bleeding-edge-meets-zero-fucks-given dept

A wide-ranging criminal investigation involving eleven suspects has resulted in the reluctant disclosure of Stingray data by Canadian law enforcement. The Toronto PD and the Royal Canadian Mounted Police joined forces to deploy a surveillance dragnet that swept up thousands of innocent Canadians, as Kate Allen reports for the Toronto Star.

Toronto police and RCMP officers deploying controversial “Stingray” surveillance technology over a two-month period swept up identifying cellphone data on more than 20,000 bystanders at malls, public parks and even a children’s toy store.

As police sought cellphone data for 11 suspects in a 2014 investigation, they deployed a Stingray — also known as an IMSI catcher — at three dozen locations, including the middle of Yorkville, at the Dufferin Mall, at Vaughan Mills Mall, near Trinity Bellwoods Park, near Kensington Market, and at a Toys ‘R’ Us store in Richmond Hill.

These sweeps occurred years before either law enforcement agency admitted to possessing and deploying Stingray devices. In prior years, Canadian prosecutors dropped charges rather than discuss the devices in open court. This case must have been too big to let go. It involved 50 raids, 112 arrests, and a plethora of charges ranging from gun possession to murder.

Multiple defendants are now challenging the evidence derived from the multiple Stingray deployments, arguing that it was gathered unlawfully. The courts may decide to see it the defendants’ way, but it’s unlikely these deployments broke the agencies’ own policies. Pretty much every law enforcement agency anywhere that has acquired a Stingray has deployed first and developed policies after their Stingray use could no longer be kept secret. The agencies involved here are no exception:

An RCMP spokesperson said that policy regarding deployment and resting time is “still being developed,” and that interim guidelines state that the devices will generally operate for three minutes, though may be operated for longer periods under certain circumstances and if permitted by a judge.

From what’s contained in the tracking logs submitted as evidence in these cases, there appears to have been very little done to limit the tracking of non-suspects.

According to the logs, police deployed the device at three dozen locations between March 18 and May 23, 2014. In all, the device logged approximately 25,000 captures. The same cellphones may have been captured more than once in that time, since police used the device multiple times at some locations; with those repeat locations excluded, a minimum of 20,000 bystanders in Toronto and the GTA saw their cellphone data swept up.

At one location — a condo where a target was suspected to live — law enforcement operated the device for nearly ten minutes, sweeping up 1,400 cellphones.

Many of the logs show violations of the limitations law enforcement set for itself when applying for a warrant. The officer obtaining the affidavit failed to mention the device’s ability to act as a tracking device. The officer also stated the device would only be operated for three minutes at a time, followed by two minutes of “rest” — a minor concession meant to limit the impact on phone operation in the area. Instead of doing either of these things, officers switched frequencies every three minutes, running the device pretty much uninterrupted during each deployment.

This whole thing started out with the RCMP farming out the warrant request to a novice — one who probably swore to his own “training and expertise” while combining boilerplate cribbed from other warrants with his subject matter inexperience.

According to court documents, the Toronto police sergeant who obtained the warrant testified he had never used an IMSI catcher before, and that he copied and pasted a set of “standard” wording used in a warrant for a previous case. The RCMP’s program manager for deployment of the technology testified that the standard wording was written “by people that are not operators of the equipment so they didn’t fully understand the capabilities and how it operated.”

To reiterate: the Stingrays were (and are) being deployed in an operational policy vacuum. According to a statement given to the Star, the policies the RCMP said it would draw up after it publicly admitted it owned and used Stingrays still aren’t in place. An interim policy, instituted in 2017, is the only internal legal framework guiding Stingray use. In practice, this means the RCMP isn’t controlling deployments. In this case, it also meant sending an amateur to do a professional’s job when it came to securing a warrant. Put it all together and you have the mess both law enforcement agencies created by simply assuming no one would ever find out they’d been using these devices.


Comments on “Court Documents Show Canadian Law Enforcement Operated Stingrays Indiscriminately, Sweeping Up Thousands Of Innocent Phone Owners”

Anonymous Coward says:

Re: Re: Re: 'Bootleather', an acquired taste


I just hope for your sake that if you ever run afoul of the government surveillance umbrella that insists on prosecuting people on the basis of warrantless data, your defense attorney puts up a better fight than "welp, nothing we can do".

Never mind the fact that stingray deployment is so overused without a warrant, prosecutors have dropped cases rather than let the judge examine the technology.

That One Guy (profile) says:

Well that's reassuring

The RCMP’s program manager for deployment of the technology testified that the standard wording was written “by people that are not operators of the equipment so they didn’t fully understand the capabilities and how it operated.”

I can think of two possibilities to explain that, and neither of them is good.

The first is that they were just so eager to start mass-surveillance/tracking that they couldn’t be bothered to learn what the tool they planned to use actually did. Which, I mean, is fair, it’s not like we’re talking about something that could scoop up data (including location data) on hundreds if not thousands of phones at a time and therefore ‘knowing what it does’ would be of great importance before use.

The second, rather less generous explanation, is that of ‘that’s a feature, not a bug’, in that if someone doesn’t know what the device does they’re not likely to request a warrant in a way that a judge will know what exactly they plan to do, and if questioned aren’t likely to know just how invasive and wide-ranging stingrays actually are.

Anonymous Coward says:

Re: Well that's reassuring

I’d go for the second. I’ve seen it in practice throughout the business world. If you have something legally questionable you want done, you get the new guy to do it, wrapping up the actual doing in a "tool" that you haven’t fully trained them on.

They gather the data, assuming it is a limited and fully legal set, and assuming that their ignorance on protocol is due to them just "getting up to speed" on how things are done.

Then that data is retrieved and shared and used by others, who never bother to ask exactly how the data was acquired in the first place.

Then when someone blows the whistle, the new guy is fingered for not following procedure and not informing others as to what he was doing. Those who organized the data grab generally get off scot-free.

DannyB (profile) says:

The best thing that could happen

Oh, how I hope and pray.

Becoming the subject of a litigation, I hope the Stingray will be able to be thoroughly reviewed by the defense, and as part of a public court record its workings exposed.

I’ve long said that Stingray works by one of two secrets:

  1. The mobile telecom system was designed before the Windows 95 days, and without so much security in mind. The secret of Stingray is that there exists some difficult to fix vulnerability which Stingray exploits.
  2. Stingray exploits some stolen or improperly disclosed certificate, crypto key or credentials. This is the entire secret. If the telecom companies knew what it was, they would revoke the secret and Stingray would no longer work. And the bully law enforcement toys would stop working and they would have to go back to their regularly scheduled donuts.

In the case of 1 above, every high school kid would soon have a Stingray and poor people would be listening to rich and powerful people.

Anonymous Coward says:

Re: The best thing that could happen

I thought #1 was already the case – the flaw is a lack of authentication and cells just connect to the closest. If you don’t act as a man in the middle it would intercept but they would realize they can’t connect to anything. However regardless of if you do it or not hosting one outside a Faraday cage could get you in deep FCC trouble for operating an unauthorized device in licensed spectrum as non if you aren’t law enforcement.

Essentially the older Stingrays at least were likely just a tapper packaged for those unable to do the research, downloading and hardware design. That they use secrecy instead of patents implies that exposure would do serious business harm to them in addition to possibly leading to patching pressure for older gens.

Anonymous Coward says:

Re: Re: The best thing that could happen

I thought #1 was already the case – the flaw is a lack of authentication and cells just connect to the closest.

But there is mutual authentication now, since 4G or maybe 3G. At one time the stingrays were known to induce fallbacks to insecure standards (some phones could disable those fallbacks). It seems the new devices have some way around this; maybe telco cooperation, forced or otherwise.

It’s a major design flaw that telcos know where their customers are, and that they have access to any unencrypted content. Decades-old cryptographic techniques to fix those are known.
