Court Documents Show Canadian Law Enforcement Operated Stingrays Indiscriminately, Sweeping Up Thousands Of Innocent Phone Owners

from the bleeding-edge-meets-zero-fucks-given dept

A wide-ranging criminal investigation involving eleven suspects has resulted in the reluctant disclosure of Stingray data by Canadian law enforcement. The Toronto PD and the Royal Canadian Mounted Police joined forces to deploy a surveillance dragnet that swept up thousands of innocent Canadians, as Kate Allen reports for the Toronto Star.

Toronto police and RCMP officers deploying controversial “Stingray” surveillance technology over a two-month period swept up identifying cellphone data on more than 20,000 bystanders at malls, public parks and even a children’s toy store.

As police sought cellphone data for 11 suspects in a 2014 investigation, they deployed a Stingray — also known as an IMSI catcher — at three dozen locations, including the middle of Yorkville, at the Dufferin Mall, at Vaughan Mills Mall, near Trinity Bellwoods Park, near Kensington Market, and at a Toys ‘R’ Us store in Richmond Hill.

These sweeps occurred years before either law enforcement agency admitted to possessing and deploying Stingray devices. In prior years, Canadian prosecutors dropped charges rather than discuss the devices in open court. This case must have been too big to let go. It involved 50 raids, 112 arrests, and a plethora of charges ranging from gun possession to murder.

Multiple defendants are now challenging the evidence derived from the multiple Stingray deployments, arguing that it was gathered unlawfully. The courts may decide to see it the defendants' way, but it's unlikely these deployments broke the agencies' own policies. Pretty much every law enforcement agency anywhere that has acquired a Stingray has deployed first and developed policies after their Stingray use could no longer be kept secret. The agencies involved here are no exception:

An RCMP spokesperson said that policy regarding deployment and resting time is “still being developed,” and that interim guidelines state that the devices will generally operate for three minutes, though may be operated for longer periods under certain circumstances and if permitted by a judge.

From what's contained in the tracking logs submitted as evidence in these cases, there appears to have been very little done to limit the tracking of non-suspects.

According to the logs, police deployed the device at three dozen locations between March 18 and May 23, 2014. In all, the device logged approximately 25,000 captures. The same cellphones may have been captured more than once in that time, since police used the device multiple times at some locations; with those repeat locations excluded, a minimum of 20,000 bystanders in Toronto and the GTA saw their cellphone data swept up.

At one location -- a condo where a target was suspected to live -- law enforcement operated the device for nearly ten minutes, sweeping up 1,400 cellphones.

Many of the logs show violations of the limitations law enforcement set for itself when applying for a warrant. The officer obtaining the affidavit failed to mention the device's ability to act as a tracking device. The officer also stated the device would only be operated for three minutes at a time, followed by two minutes of "rest" -- a minor concession meant to limit the impact on phone operation in the area. Instead of doing either of these things, officers switched frequencies every three minutes, running the device pretty much uninterrupted during each deployment.

This whole thing started out with the RCMP farming out the warrant request to a novice -- one who probably swore to his own "training and expertise" while combining boilerplate cribbed from other warrants with his subject matter inexperience.

According to court documents, the Toronto police sergeant who obtained the warrant testified he had never used an IMSI catcher before, and that he copied and pasted a set of “standard” wording used in a warrant for a previous case. The RCMP’s program manager for deployment of the technology testified that the standard wording was written “by people that are not operators of the equipment so they didn’t fully understand the capabilities and how it operated.

To reiterate: the Stingrays were (and are) being deployed in an operational policy vacuum. According to a statement given to the Star, the policies the RCMP said it would draw up after it publicly admitted it owned and used Stingrays still aren't in place. An interim policy, instituted in 2017, is the only internal legal framework guiding Stingray use. In practice, this means the RCMP isn't controlling deployments. In this case, it also meant sending an amateur to do a professional's job when it came to securing a warrant. Put it all together and you have the mess both law enforcement agencies created by simply assuming no one would ever find out they'd been using these devices.

Filed Under: canada, law enforcement, privacy, stingray, surveillance


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Gary (profile), 1 Apr 2019 @ 4:44pm

    Applolgy

    Yes, but they sent a nice note apologizing to everyone and a Timmy Ho gift certificate for their troubles, eh.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Apr 2019 @ 4:48pm

    So what?

    Seriously. Government has been doing this since the beginning of time.

    reply to this | link to this | view in chronology ]

    • icon
      That One Guy (profile), 1 Apr 2019 @ 4:54pm

      'Bootleather', an acquired taste

      And if you ever want them to stop doing it the first step is to call them out on it, drawing attention to the problem, rather than just shrugging it off as 'that's just what government agencies do'.

      reply to this | link to this | view in chronology ]

      • icon
        Gary (profile), 1 Apr 2019 @ 5:21pm

        Re: 'Bootleather', an acquired taste

        Indeed. And a free press, unbeholden to the sitting asshat is an essential part of that.

        reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 1 Apr 2019 @ 6:11pm

        Re: 'Bootleather', an acquired taste

        Fighting governments is very risky. Take those risks on your own behalf, please, not mine.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 2 Apr 2019 @ 1:05am

          Re: Re: 'Bootleather', an acquired taste

          Sure.

          I just hope for your sake that if you ever run afoul of the government surveillance umbrella that insists on prosecuting people on the basis of warrantless data, your defense attorney puts up a better fight than "welp, nothing we can do".

          Never mind the fact that stingray deployment is so overused without a warrant, prosecutors have dropped cases rather than let the judge examine the technology.

          reply to this | link to this | view in chronology ]

        • icon
          That One Guy (profile), 2 Apr 2019 @ 2:06pm

          Re: Re: 'Bootleather', an acquired taste

          Enjoy your bootleather in that case, and while you're down there, pick up that can.

          reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 2 Apr 2019 @ 8:51am

      Re:

      "Government has been doing this since the beginning of time."

      Oh ... sorry - that makes it ok then.

      reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 1 Apr 2019 @ 4:59pm

    Well that's reassuring

    The RCMP’s program manager for deployment of the technology testified that the standard wording was written “by people that are not operators of the equipment so they didn’t fully understand the capabilities and how it operated.”

    I can think of two possibilities to explain that, and neither of them are good.

    The first is that they were just so eager to start mass-surveillance/tracking that they couldn't be bothered to learn what the tool they planned to use actually did. Which, I mean, is fair, it's not like we're talking about something that could scoop up data(including location data) on hundreds if not thousands of phones at a time and therefore 'knowing what it does' would be of great importance before use.

    The second, rather less generous explanation, is that of 'that's a feature, not a bug', in that if someone doesn't know what the device does they're not likely to request a warrant in a way that a judge will know what exactly they plan to do, and if questioned aren't likely to know just how invasive and wide-ranging stingrays actually are.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 2 Apr 2019 @ 10:38am

      Re: Well that's reassuring

      I'd go for the second. I've seen it in practice throughout the business world. If you have something legally questionable you want done, you get the new guy to do it, wrapping up the actual doing in a "tool" that you haven't fully trained them on.

      They gather the data, assuming it is a limited and fully legal set, and assuming that their ignorance on protocol is due to them just "getting up to speed" on how things are done.

      Then that data is retrieved and shared and used by others, who never bother to ask exactly how the data was acquired in the first place.

      Then when someone blows the whistle, the new guy is fingered for not following procedure and not informing others as to what he was doing. Those who organized the data grab generally get off scott free.

      reply to this | link to this | view in chronology ]

  • identicon
    Pixelation, 1 Apr 2019 @ 5:24pm

    Well, it's nice to start seeing that our nice neighbors to the north actually have a bit of a visible dark side. I was starting to worry they were a nation of serial killers.

    reply to this | link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 1 Apr 2019 @ 8:10pm

    But we have this really cool toy!!!
    We totes should use it!!
    'But you are investigating a missing dog'
    We can scoop up 2000 phone numbers in the area and then work down the list to see if any of them have the dog, its totally not a problem!

    reply to this | link to this | view in chronology ]

  • icon
    DannyB (profile), 2 Apr 2019 @ 6:49am

    The best thing that could happen

    Oh, how I hope and pray.

    Becoming the subject of a litigation, I hope the Stingray will be able to be thoroughly reviewed by the defense, and as part of a public court record its workings exposed.

    I've long said that Stingray works by one of two secrets:

    1. The mobile telecom system was designed before the Windows 95 days, and without so much security in mind. The secret of Stingray is that there exists some difficult to fix vulnerability which Stingray exploits.
    2. Stingray exploits some stolen or improperly disclosed certificate, crypto key or credentials. This is the entire secret. If the telecom companies knew what it was, they would revoke the secret and Stingray would no longer work. And the bully law enforcement toys would stop working and they would have to go back to their regularly scheduled donuts.

    In the case of 1 above, every high school kid would soon have a Stingray and poor people would be listening to rich and powerful people.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 2 Apr 2019 @ 7:41am

      Re: The best thing that could happen

      I thought #1 was already the case - the flaw is a lack of authenication and cells just connect to the closest. If you don't act as a man in the middle it would intercept but they would realize they can't connect to anything. However regardless of if you do it or not hosting one outside a Farraday Cage could get you in deep FCC trouble for operating an unauthorized device in licensed spectrum as non if you aren't law enforcement.

      Essentially the older Stingrays at least were likely just a tapper packaged for those unable to do the research, downloading and hardware design. That they use secrecy instead of patents implies that exposure would do serious business harm to them in addition to possibly leading to patching pressure for older gens.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 2 Apr 2019 @ 9:18am

        Re: Re: The best thing that could happen

        I thought #1 was already the case - the flaw is a lack of authenication and cells just connect to the closest.

        But there is mutual authentication now, since 4G or maybe 3G. At one time the stingrays were known to induce fallbacks to insecure standards (some phones could disable those fallbacks). It seems the new devices have some way around this; maybe telco cooperation, forced or otherwise.

        It's a major design flaw that telcos know where their customers are, and that they have access to any unencrypted content. Decades-old cryptographic techniques to fix those are known.

        reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.