Date: 2016-12-22

The Congressional Committee on Oversight and Government Reform has issued its recommendations on the use of cell site simulators (a.k.a. "Stingrays," presumably to Harris Corporation's trademark erosion dismay) by law enforcement. Its recommendations are… that something needs to be done, preferably soon-ish. (h/t Chris Soghoian)

Congress should pass legislation to establish a clear, nationwide framework for when and how geolocation information can be accessed and used.

Before it reaches this conclusion, the Committee spends a great deal of time recounting the history of the devices' usage, as well as any steps taken (most of them very recently) to govern their use.

The report [PDF] points to the Supreme Court's Jones decision, albeit not in a very helpful way. The justices punted on the warrant question, leaving it up to lower courts' interpretation as to whether or not tracking someone with a GPS device violated their privacy. The only thing they did agree on was the intrusion onto the property to install the device on the petitioner's vehicle. Everything else was left unclear, including the lack of a bright line for how much location tracking equals unconstitutional tracking.

Cell site simulators can perform the same function and, until recently, every law enforcement agency in possession of the devices deployed them without seeking search warrants. The DOJ finally suggested warrants might be necessary in 2015, which would be only about 18 years after DOJ elements began using Stingray devices.

A 1997 DOJ guidance bulletin discussed the agency’s views on what legal authority governed the various law enforcement surveillance options, including “cell-site simulator.” According to the 1997 guidance, DOJ took the position that “it does not appear that there are constitutional or statutory constraints on the warrantless use of such a device.” According to a chart that was issued with the guidance, court orders, search warrants, and subpoena requirements were not applicable when deploying this device.

For most law enforcement agencies, the lack of a warrant requirement has allowed them to disguise their Stingray deployments. Most have sought pen register orders instead for this form of real-time location tracking. Others have used parallel construction to hide use of IMSI catchers from courts, defendants, and, in some cases, the prosecutors they work with. This was all heavily encouraged by the FBI's nondisclosure agreement, which it made law enforcement officials sign before allowing them to purchase the devices.

Now, they're everywhere. The IRS has its own devices and feds are attaching IMSI catchers to planes and flying them over cities in hopes of tracking down suspects. What's more concerning is the devices' capabilities, which federal and local law enforcement agencies all swear they've never used.

In testimony before the Committee, DOJ and DHS both confirmed the simulator devices they use do not intercept any communications or content from the cellular devices to which they connect. Specifically, DOJ confirmed that between January 1, 2010 and September 2, 2015, its component agencies using the technology—the FBI; the Drug Enforcement Administration (DEA); the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF); and U.S. Marshals Service (USMS)—only collected dialing, routing, signaling and addressing information in domestic criminal investigations and did not use the devices to collect the content of communications. While the current DOJ and DHS policies require the cell-site simulators to be configured as pen registers and to not collect content, some of the cell-site simulator models used by law enforcement components within DOJ and DHS would be capable of collecting content if the devices had the necessary software installed.

The Committee points out that if the federal government doesn't hand down universal controls for the deployment of these devices, the situation will only devolve from here.

Further, the Committee notes that these devices are available all over the world and with even fewer usage restrictions. And the tech is more widely available than the US government would hope, which means those who care little for policies, guidance, or federal law won't hesitate to deploy these themselves.

It is possible, if not likely, bad actors will use these devices to further their aims. Criminals and spies, however, will not be adopting the DOJ and DHS policies and procedures or any other ethics of surveillance. They will not be self-limiting in their use of these devices so as to not capture the content of others’ conversations. Criminals could use these devices to track potential victims or even members of law enforcement. One can imagine scenarios where criminals or foreign agents use this type of technology to intercept text messages and voice calls of law enforcement, corporate CEOs, or elected officials.

The report notes that devices are already for sale on foreign websites, and those selling them are suggesting purchasers set them up in high-traffic areas (near banks, restaurants, hospitals, etc.) for maximum effectiveness. On top of that, hobbyists and researchers have been able to put together their own IMSI catchers, all without the guidance or assistance of companies who sell their devices to a highly-restricted list of government agencies. The secret is out -- and has been out for years. While any legislation would do little to deter bad actors, it would at least allow the US to act as a role model for foreign governments to emulate and give it some sort of (belated) moral high ground to stand on when restricting US companies from selling surveillance tech to governments with human rights abuse track records.

If nothing else, the hope is that the legislation called for will result in a cohesive, coherent ruleset that's also constitutionally sound. Obviously, this will be met with law enforcement resistance, as anything that implements a warrant requirement generally is.