Arguments over whether internet connection metadata should be retained for law enforcement purposes are raging around the world, but nowhere more heatedly than in Australia, where a new law bringing in data retention is currently being rammed through parliament. This has provoked widespread criticism of the move as unnecessary, intrusive and ill thought-out. Defenses have been thinner on the ground, which makes this column in the Australian newspaper The Age particularly interesting. The author, David Wroe, seems to think that the problem is a failure to explain what's really going on here:

Plans to force telcos to keep people's phone and internet metadata for at least two years haven't been explained as thoroughly as they probably should, with the consequence that many Australians remain confused and vulnerable to excessive claims that their privacy is being trampled upon.

Well, it's certainly true that the Australian Attorney General George Brandis, who is responsible for bringing in the data retention law, was very confused when he was asked to explain metadata in a TV interview. But rather than dispelling that confusion by pointing to explanations of what metadata can do, Wroe simply makes the following claim:

A data retention regime of two years, with proper precautions around how that data it is accessed by authorities, is reasonable, proportionate and necessary.

No support is provided for that statement. That's not really surprising, because all the evidence we have is that data retention simply doesn't help. In Germany, for example, police records show that blanket data retention had no effect on crime statistics:

The national crime statistics recently published by Germany's Federal Crime Agency reveal that after the policy of blanket telecommunications data retention was discontinued in Germany due to a Constitutional Court ruling on 3 March, 2010, registered crime continued to decline (2007: 6,284,661; 2008: 6,114,128; 2009: 6,054,330; 2010: 5,933,278) and the crime clearance rate was the highest ever recorded (56,0%). Indiscriminate and blanket telecommunications data retention had no statistically relevant effect on crime or crime clearance trends.

In Denmark, police found that retaining huge quantities of internet connection data actually made things harder for them:

"Session logging has caused serious practical problems," the ministry's staffers write in the report. "The implementation of session logging proved to be unusable to the police; this became clear the first time they tried to use [the data] as part of a criminal investigation."

Leaving aside this inconvenient fact that there is no evidence that data retention helps, here's one of the author's arguments in its favor:

It is absurd to allow a situation in which police might need to establish whether one criminal suspect phoned or emailed another suspect last year only to find the telco has already wiped those records.

Not really: we don't expect DNA or fingerprints from the scene of a crime to be preserved years later. We hope they may be available soon afterwards, and in the same way there's no reason why the police might not ask ISPs to provide information about recent online activity of a suspect. But it is not reasonable to expect everything to be kept for years, just because it's possible -- not least because this allows the authorities to engage in fishing expeditions and thus apply the Cardinal Richelieu approach. There's also no reason why the police should not be required to obtain a warrant before doing so, despite what Wroe says:

Some have called for warrants to be required for accessing metadata. This would be too unwieldy.

Warrants have worked well enough in the past, so why discard them now in the digital field? Because they might put a brake on the routine use of stored metadata by the authorities? That's a feature, not a bug: it would help to ensure that its use were truly proportionate, unlike the system proposed by the Australian government. Here's another attempt to defend data retention:

Arguments that retention is pointless because ill-doers can use encryption programs to hide their identities, or because the regime won't capture overseas data – meaning Gmail, Hotmail and other US-based services are exempt – are silly. Nothing in a free society is foolproof; something is better than nothing.

But when that "something" is such a marginal improvement on nothing, and comes at such great cost -- both financially, in terms of the burden on ISPs and taxpayers, and socially, through the damage to the privacy and freedom of the public -- then it is hardly rational to proceed purely because it is "better than nothing," especially in the absence of any more compelling reasons.

As this indicates, the author's arguments in favor of data retention are weak; but what is most striking is his attack on those who defend their right to privacy, and dare to challenge the badly-planned rush to impose mass surveillance on Australians:

At the heart of the anti-retention argument is an attitude that everything to do with the internet should be free: free of charge, allowing unlimited downloading of pirated content, and free of responsibility, meaning that nothing we do on the web should be discoverable later on.

In other words, anyone against massive, disproportionate surveillance is probably just some kind of dirty copyright thief.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

With the abuses of asset forfeiture being loudly publicized, there has (finally) been some legislative pushback against these abusive programs. Wyoming's legislators -- hoping to institute asset forfeiture reform -- ran into pushback themselves from the state's governor, who vetoed the popular bill (which passed out of the Senate with an 80-9 vote) when it hit his desk.

Governor Matt Mead explained his reasons for doing so in a letter to the Senate president Phil Nicholas. According to Mead, he didn't agree that Wyoming has an asset forfeiture problem and saw no reason to curtail a program that is (supposedly) so effective in fighting the Drug War.

Now, while Wyoming hasn't made splashy headlines with bogus busts, it's more likely due to the limited population than better laws or better law enforcement. Mead's letter explaining his veto contains three examples he feels prove Wyoming is better-behaved than most when it comes to separating citizens from their possessions. But none of those are particularly persuasive.

One deals with $17,000 being returned after "procedural safeguards" were ignored. The other two simply assume the seizure of funds was completely justified, even though no corresponding conviction is noted in his explanation.

In one case, a car owner denied knowing whose $327,000 was found in his vehicle. Fully justified, of course, because as Mead explains, the seized funds were spent "to enforce drug laws." In the other case, $415,000 was found in a vehicle being carried on a semi trailer full of vehicles. This, too, was taken and the seizure fully justified because the money was obviously evil in and of itself. Here's Mead's actual sentence explaining what happened to these funds.

"The money was taken out of circulation so it could not be used for other illegal activity."

Stupid money. It's like it's a troubled teen in need of a grounding. "Don't let it out! It will probably just do illegal things!"

Not cited: the "illegal activity" prompting the seizure of the funds in either case.

The reform bill didn't ask for much -- just a conviction to go with every seizure -- but that was still too much for Mead, who still carries inside him the beating heart of a long-term prosecutor. To him, these means are perfectly acceptable because drugs are a problem. Case closed.

That's likely one of the factors playing into the deployment of his otherwise seldom-used veto power. This is the other: a meeting with the Wyoming Association of Sheriffs and Police Chiefs -- which occurred three days before the veto.

I enjoyed meeting w/ the WY Assoc.of Sheriffs & Chiefs of Police.Thanks for serving & protecting the citizens of WY. pic.twitter.com/TRzgXcMyru

— Governor Matt Mead (@GovMattMead) February 14, 2015

Beyond all that, Mead simply believes asset forfeiture is a law enforcement tool that simply cannot be questioned.

I believe civil asset forfeiture is important and it is right.

Too "right" to be even slightly curtailed by the addition of a small but logical stipulation: a conviction of the assets' owner before the assets can be claimed. Mead prefers the way it's been done for years: assets are presumed guilty, the burden of proof rests on those whose assets have been seized and anything not clearly associated with any criminal activity can still be repurposed to fight the Everlasting War on Drugs.

Wyoming may not have a history of forfeiture abuse, but it makes no sense not to head off a problem before it becomes one. Everything about its current program lends itself to abuse.

Wyoming has horrible civil forfeiture laws, with an F law grade. The state’s final grade is pulled up to a C only by limited use of equitable sharing (an evasion grade of A) to date. The government can seize and subsequently forfeit property with just probable cause that it is subject to forfeiture. This is the lowest standard, far easier for the government than proving criminal guilt beyond a reasonable doubt. A property owner who wishes to claim an innocent owner defense bears the burden of proof, effectively making owners guilty until proven innocent. All of the proceeds from civil forfeiture are distributed to the state Attorney General’s asset fund. In turn, those funds are used as matching funds for federal drug enforcement grants. Finally, although officials are required to collect information on the use of forfeiture, they did not respond to requests.

Gov. Mead's view of this program is rosy to the point of blindness. But that's the sort of thing we expect from career prosecutors who question very little if anything about the law enforcement under their purview and who wholeheartedly support strong drug enforcement tactics. Mead may not see any abuse occurring, but I get the feeling he's not looking too hard. Considering how low the bar is set in terms of burden of proof, you'd have to do some serious digging to find seizures not justified by this barely-there requirement. And, considering the funds flow into Mead's former office, I would imagine he's in no hurry to find anything that might threaten the state's revenue stream, or its attendant matching funds grants from the US government.

Researchers can program computers to play all kinds of games and even beat the best humans at them. So far, we're not worried about AI that can beat us at chess or Jeopardy, but maybe we'll be more worried when a computer can program another computer to play chess at a grandmaster level. Luckily, there's at least one billionaire willing to chip in a few million bucks to try to keep Terminators from destroying humanity.

• Google DeepMind has created software that can play old Atari games without humans teaching it how to play -- and the AI plays 22 out of 49 games better than expert human players. Those Atari games are more difficult than you might think, but it's not hard to imagine that humans will be no match for AI playing Pac-man in the near future. [url]
• A Civilization V match pitted 42 computer-controlled players against each other. It wasn't an endless match (sorry, no Wargames conclusion), and a winner of this "Battle Royale" emerged after 179 turns. [url]
• Flappy Bird is a pretty hard game for humans to play, but a robot can play it without getting tired or frustrated. It's not exactly a breakthrough in robotics, but this bot demonstrates a big difference in how computers play video games. [url]

If you'd like to read more awesome and interesting stuff, check out this unrelated (but not entirely random!) Techdirt post via StumbleUpon.

Well, this is disappointing. Back in September, we were happy to see both Apple and Google announced that their mobile platforms would be encrypted by default (for local storage, not for data transmissions), which has kicked off something of a new round of Crypto Wars, as law enforcement types have shoved each other aside to spread as much possible FUD about the "dangers" of mobile encryption (ignoring that they also recommend mobile encryption to keep your data safe).

However, as Ars Technica reported earlier this week, it appears that while Google is encrypting by default on its own Nexus phones that have the latest Android (Lollipop), it slightly eased back the requirements for its OEM partners such as Motorola and Samsung who make their own devices. Default encryption is now "very strongly RECOMMENDED" rather than required. And even with that "very strong RECOMMENDATION," it appears that neither Samsung or Motorola are enabling default encryption on its latest devices.

While some will likely jump to the conclusion that law enforcement pressure is at work here, a much more likely explanation is just the performance drag created by encryption. Last fall, Anandtech did some benchmarking of the Nexus 6 both with encryption on and off, and as the site itself says, the results are "not pretty." Given the competitive market, there's a decent chance that the big phone manufacturers didn't want to get bad benchmark ratings when phones are compared, and those made the decision to go against the "very strong recommendation."

Hopefully this gets sorted out quickly, as phonemakers can optimize new phones for encryption. And, honestly, as the Anandtech report itself notes, these benchmarks are basically meaningless for real world performance:

The real question we have to ask is whether or not any of these storage benchmarks really matter on a mobile device. After all, the number of intensive storage I/O operations being done on smartphones and tablets is still relatively low, and some of the situations where NAND slowdowns are really going to have an effect can be offset by holding things in memory.

But, it appears, while mobile phone makers don't want to take the chance of bad benchmarks hurting their reputation, they're less concerned about leaving consumers' data exposed.

It's disappointing that this is where things are today, after so much focus on default encryption just a few months ago, but hopefully it's just a temporary situation and we'll get to default encryption very, very soon.

We lost one of the "good guys" when Magistrate Judge John Facciola retired late last year. Facciola was a leading figure in the small -- but important -- "Magistrates' Revolt" that emerged in the wake of the Snowden leaks. Multiple times the government approached Facciola for a signature on overly-broad warrants seeking the entire contents of a phone or an email account, only to find the judge unwilling to help it pack for its fishing trip.

More than once, the government was forced to rewrite its requests, and on one memorable occasion, it went "judge shopping" in hopes of obtaining the signature Facciola wouldn't give it, only to be rebuffed by the unamused judge on the opposite coast.

Zoe Tillman of the National Law Journal has a fascinating interview with the retired judge. Facciola was one of the few magistrates who actively attempted to understand the legal nuances inherent to today's interconnected world. According to Facciola, magistrate judges who allow technological advances to pass them by aren't doing the public any favors by not staying current. Law enforcement has moved on, and it's tough to act as a check against overreach if you don't understand the subject matter. The mental image of investigators dusting for fingerprints and tossing suspects' residences is completely outdated. Investigative work now involves -- almost exclusively -- more ethereal methods.

When asked how his job had changed since he took his post in 1997, Facciola responded:

[I]n March 2012, my criminal month, at the end of the month I realized something: I had not issued a warrant or an order for anything that was tactile. Everything I issued was for some form of electronically stored information. Whether it was a Facebook account or cell site information.

You almost look forward to the day when a guy will just want to break a door down and go in and get cocaine. Those days are gone forever apparently.

This would explain law enforcement's outspoken opposition to any form of electronic encryption. Today's law enforcement agencies seemingly have little stomach for old-fashioned police work. Searching something "tactile," like a suspect's residence, is almost always an afterthought. These agencies would rather dig through every communication they can obtain before they even think about utilizing methods that have worked for years. (And default mode for today's law enforcement has shifted the approach to physical searches as well. Increasingly, handling the "tactile" means going "tactical" with no-knock warrants, military rifles, full body armor, repurposed mine-resistant vehicles and a hell of a lot of guys shouting contradictory instructions/firing weapons in contradictory directions within moments of the "breach.")

This nearly-exclusive focus on digital searches poses a problem for the magistrates charged with vetting warrants for Constitutionality, not the least of which are the outdated laws and guidelines governing searches of citizens' communications and data. And this can't be fixed by the courts themselves.

[T]he problem is not a judicial one, the problem is Congress has not looked at the Stored Communications Act since 1986. My gosh. 1986. [...] If you look at the opinions about the Stored Communications Act, they are some of the most complicated opinions you will see because it's a classic example of the square peg not fitting in the round hole… There [is] out there a lot of wonderful thinking about how the act could be amended to bring it kicking and screaming into the 21st century. But no movement by Congress. That's deeply troubling.

Not that the judicial system hasn't tried. It's just that the conclusions are still unclear and mainly deal with warrantless searches. The Sixth Circuit Court ruled that email contents are covered by the Fourth Amendment, contrary to the claims of those who rely on the outdated SCA. The Supreme Court had a chance to weigh the SCA against the Fourth Amendment in 2010, but chose to carefully avoid the subject. So, if it's to be fixed, it's up to Congress, and there is only a very slim chance that it will be willing to alter a law so thoroughly exploited by law enforcement and intelligence agencies, even given the events of the past couple of years.

Particularization is what's needed in the digital realm, according to Facciola, but that's clearly not what the government wants. It wants to dump peoples' computers and devices on the metaphorical carpet and root through the pile until it finds what it's looking for. (Or, as has happened frequently, find something it wasn't looking for and pursue that angle instead/in addition, occasionally necessitating additional warrants.)

Particularized searches of ethereal contents is easier said than done, especially when one half of the parties involved has no interest in limiting its searches. Facciola has suggested searches of this type be handled by the third party that holds the data, but that has been shot down by other judges as "impractical." Facciola additionally suggests wholly separating the search team and the evidence review team (using a "Chinese wall") to help assure the search won't exceed the limitations provided by the warrant. The last resort is still the front line, however.

The third solution… is more careful supervision of the conduct of the search by the magistrate judge.

That's where Facciola fit in. He challenged the government on its broad search requests and forced it to reconsider its tactics. Unfortunately, there's usually been another judge willing to grant warrants that don't meet the standards of more demanding magistrates.

In his parting comment, Facciola points out that judges aren't the only technologically-resistant participants in the judicial system. Those on the other side of the bench have their issues as well.

We have to get across to lawyers that they really have to read outside of their fields. Every day I read the tech section of The New York Times. I find almost every article has to do with the law. And that's an important thing.

I learned from [a law professor] that — did you know this? — the telephone was in existence for 10 years before lawyers started to use it. They thought it was beneath their dignity. You wondered, did they use the elevator?

Back in January, we pointed out that just after US and EU law enforcement officials started freaking out about mobile encryption and demanding backdoors, that China was also saying that it wanted to require backdoors for itself in encrypted products. Now, President Obama claims he's upset about this, saying that he's spoken directly with China's President Xi Jinping about it:

In an interview with Reuters, Obama said he was concerned about Beijing's plans for a far-reaching counterterrorism law that would require technology firms to hand over encryption keys, the passcodes that help protect data, and install security "backdoors" in their systems to give Chinese authorities surveillance access.

"This is something that I’ve raised directly with President Xi," Obama said. "We have made it very clear to them that this is something they are going to have to change if they are to do business with the United States."

This comes right after the US Trade Rep Michael Froman issued a statement criticizing China for doing the same damn thing that the US DOJ is arguing the US should be doing:

U.S. Trade Representative Michael Froman issued a statement on Thursday criticizing the banking rules, saying they "are not about security – they are about protectionism and favoring Chinese companies".

"The Administration is aggressively working to have China walk back from these troubling regulations," Froman said.

Those claims would sound a hell of a lot stronger if they weren't coming immediately after DOJ officials from Attorney General Eric Holder to FBI Director James Comey had more or less argued for the exact same thing.

Just last week, Yahoo's chief security officer Alex Stamos raised this exact issue with NSA director Admiral Mike Rogers, asking if Rogers thinks it's appropriate for tech companies to build backdoors for other countries if they build them for the US. Rogers ignored the question, just saying "I think we can work our way through this," which is not an answer. And now we're "working our way through this" by having to deal with other countries, such as China, leaping at this opportunity.

And the week before, President Obama himself claimed that he was all for strong encryption, but argued that there were tradeoffs worth discussing, and that some in his administration believed that demanding backdoors made sense to try to stop terrorist attacks. But it's tough to see how he can claim that it's okay to entertain those ideas on the one hand, while using the other hand to try to slap China for doing the exact same thing.

As security researcher Matthew Green rightly points out, "someday, US officials will look back and realize how much global damage they've enabled with their silly requests for key escrow." But that day is apparently not today. The administration keeps bleating on and on about how China is a massive cybersecurity "threat" out there, and then hands the country this massive gift by having a kneejerk reaction to better encryption that protects American citizens.

Techdirt has long operated on a homegrown content management system, but while we've been considering a switch to something open like Wordpress, many other media companies have been building their own proprietary platforms. What are the pros and cons of each approach, and are proprietary platforms necessary to be a "serious" media company in today's landscape?

Follow the Techdirt Podcast on Soundcloud, subscribe via iTunes, or grab the RSS feed. You can also keep up with all the latest episodes right here on Techdirt.

At this point, we probably don't need any more evidence that the emergence of publicity rights and its conflation with other forms of intellectual property, such as copyright, is a festering cancer in our culture that we'd do well to excise post-haste. Still, necessity isn't the mother of these stories that keep on a-coming anyway. The most recent example of how stupid this all has become is a small Connecticut town taking down a donated painting that includes an image of Mother Teresa over intellectual property concerns. More frustrating is how neutered the press covering the issue is in competently discussing the validity of the issues being raised.

Trumbull officials have temporarily removed artwork displayed at the public library over concerns that the use of Mother Teresa's image in the painting infringes on copyright. The painting, which Dr. Richard Resnick donated to the library, shows Mother Teresa and other women marching, holding signs that say messages including "Planned Parenthood," "Mission of Charity," "Feed the Poor," "Remember The Ladies," "Hospital Reform" and "Right to Vote," among others.

Let's get the easy stuff out of the way. Resnick had ownership of the painting when he donated it. There wouldn't be a valid copyright claim here even if the original artist was among those raising the issue, which doesn't appear to be the case. The library has every right to display the image. There aren't any copyright questions at all. All the reports this author has seen identify only "independent organizations" as claiming there is a copyright issue here at all. Should the actual claims center instead on publicity rights instead of copyright, that claim, too, would fail. First, there is no commercial use here. It is a painting rightfully owned and then donated to a municipality. Mother Teresa is a public and historical figure. And, again, there has been no indication that the estate of Anjeze Bojaxhiu, commonly known as Mother Teresa of Calcutta, is among those raising the issue. There is simply no applicable intellectual property concern here.

However, it seems that everyone involved (perhaps including the reporter) has no clue about any of this:

"Our initial research has shown that there is a doctorate of ‘Fair Use’ which allows a party to depict even someone of a public nature when it’s not designed for any commercial purpose," he explained.

It would be nice to be able to get a "doctorate" in "fair use" but it's likely the guy means (or even said) "doctrine." And while "commercial purpose" may have an impact on a fair use analysis it's not the only factor. But, more importantly, fair use isn't even an issue here because there's no copyright issue at all.

Which, of course, hasn't precluded Trumbull from pulling the painting proactively.

The town opted to remove the painting because the library lacks a written agreement with Resnick to protect the town against "any potential liability" from the copyright violation allegation, Herbst said.

“After learning that the Trumbull Library Board did not have the proper written indemnification for the display of privately-owned artwork in the Town’s library, and also being alerted to allegations of copyright infringement and unlawful use of Mother Teresa’s image, upon the advice of legal counsel, I can see no other respectful and responsible alternative than to temporarily suspend the display until the proper agreements and legal assurances are in place,” Herbst said in a written statement.

And, so, until such a time as the town and the donor can formalize a written agreement protecting themselves against all of this stupidity, stupidity prevails. It's hard to fault Trumbull officials too much for getting their protective documentation in place, I suppose. This is America, after all, the land of the lawsuit. Still, it's a tough pill to swallow to see a public entity bow even temporarily to the pressure of outside parties that have no standing, or apparent familiarity with the actual legal statutes they're pushing. Because, while none of the reports are naming the "independent organizations", everyone pretty much knows what's going on here. Resnick's attorney explains it nicely.

Elstein speculates that the controversy may have more to do with Catholic leaders' recent objections to Mother Teresa being depicted alongside a woman holding a "Planned Parenthood" sign.

Ah, so again intellectual property gets used to silence speech. Anyone still want to pretend that copyright and publicity rights aren't the favored tools of censors everywhere?

As you may have heard, the latest political "scandal" involving a major Presidential contender comes via the NY Times reporting that when Hillary Clinton was Secretary of State, she refused to have a government email address, and conducted all her work via a personal email account.

Hillary Rodham Clinton exclusively used a personal email account to conduct government business as secretary of state, State Department officials said, and may have violated federal requirements that officials’ correspondence be retained as part of the agency’s record.

Mrs. Clinton did not have a government email address during her four-year tenure at the State Department. Her aides took no actions to have her personal emails preserved on department servers at the time, as required by the Federal Records Act.

This is dumb on many, many levels and there appears to be no excuse for it happening. First off, using a personal email as Secretary of State seems like a massive privacy and security risk. While one hopes that there was at least some attempt to better secure her personal account by government security experts, it's still almost certainly less secure. Given how much sensitive information the Secretary of State has to deal with, it seems inexcusable that she was allowed to conduct official business via her personal account. That to me seems like an even bigger deal than the part that everyone else is focused on: the failure to preserve her emails as required by law.

Of course, the failure to preserve the emails is a big deal as well. But here's the really stunning thing: there is simply no way that Clinton and others in the administration didn't know that she was supposed to be using a government email address and preserving those emails. That's because both the previous administration and others in her own administration got in trouble for using personal email addresses. As Vox notes, towards the end of the Bush administration there was a similar scandal involving a variety of high level administration members using personal email to conduct government business and to avoid transparency requirements.

That scandal unfolded well into the final year of Bush's presidency, then overlapped with another email secrecy scandal, over official emails that got improperly logged and then deleted, which itself dragged well into Obama's first year in office. There is simply no way that, when Clinton decided to use her personal email address as Secretary of State, she was unaware of the national scandal that Bush officials had created by doing the same.

That she decided to use her personal address anyway showed a stunning disregard for governmental transparency requirements. Indeed, Clinton did not even bother with the empty gesture of using her official address for more formal business, as Bush officials did.

But that's not all. What the Vox report doesn't note is that the scandal actually carried over to the Obama administration also, as the White House's first Deputy CTO was reprimanded for using his personal email address as well, early in 2010. So there was both a scandal about the similar use of private email accounts in the previous administration and in the Obama administration. It's impossible to believe that Clinton or the other key people who worked for her in the State Department were unaware of one or both of these issues while she was using her personal email address.

While the White House's email system may be clunky and annoying to use (as I've heard repeatedly), there's simply no excuse for Clinton not to have used it at all -- and for the emails she did send not to be preserved as required under the law. A few years ago, we mocked Homeland Security boss Janet Napolitano for refusing to use email entirely -- though at least she was upfront about the reason. She didn't want to be held accountable for what she said -- though, the reality was she would still have staff members send emails for her. Clinton appears to have wanted to be free of that accountability as well, but to still have the benefits of direct electronic communication herself. In short, she purposely ignored the law for her own benefit.

A small crack in the FBI's Stingray secrecy has appeared. A 2012 pen register application obtained by the ACLU was previously sealed, but a motion to dismiss the evidence obtained by the device forced it out into the open. Kim Zetter at Wired notes that the application contains a rare admission that Stingray use disrupts cellphone service.

[I]n the newly uncovered document (.pdf)—a warrant application requesting approval to use a stingray—FBI Special Agent Michael A. Scimeca disclosed the disruptive capability to a judge.

“Because of the way, the Mobile Equipment sometimes operates,” Scimeca wrote in his application, “its use has the potential to intermittently disrupt cellular service to a small fraction of Sprint’s wireless customers within its immediate vicinity. Any potential service disruption will be brief and minimized by reasonably limiting the scope and duration of the use of the Mobile Equipment.”

Notably, the application (and the magistrate's approval) do not refer to the device by any of the common names (Stingray, IMSI catcher, cell tower spoofer, etc.), but rather as "mobile pen register/trap and trace equipment." While it does admit the device will "mimic Sprint's cell towers," it downplays the potential impact of the device's use.

The fact that Stingray devices disrupt cell service isn't new, but an on-the-record admission by law enforcement is. The warrant application claims that numbers unrelated to the ones being sought will be "released" to other cell towers. The unanswered question is how long it takes before this release occurs.

“As each phone tries to connect, [the stingray] will say, ‘I’m really busy right now so go use a different tower. So rather than catching the phone, it will release it,” says Chris Soghoian, chief technologist for the ACLU. “The moment it tries to connect, [the stingray] can reject every single phone” that is not the target phone.

But the stingray may or may not release phones immediately, Soghoian notes, and during this period disruption can occur.

The problem with the so-called "release" is related to the amount of disruption that occurs when the device is used. Advances in cell technology have surpassed the ability of Stingray devices to capture calling info and location data. Upgrades are available and law enforcement agencies are scrambling to get their cell tower spoofers up-to-date, but the general process still involves "dumbing down" everyone's connection to the least secure and most easily-intercepted connection: 2G.

In order for the kind of stingray used by law enforcement to work, it exploits a vulnerability in the 2G protocol. Phones using 2G don’t authenticate cell towers, which means that a rogue tower can pass itself off as a legitimate cell tower. But because 3G and 4G networks have fixed this vulnerability, the stingray will jam these networks to force nearby phones to downgrade to the vulnerable 2G network to communicate.

If a device is in operation nearby, all calls that can't find a better connection will be routed to the cell tower spoofer. This means calls won't be connected, texts won't be sent/received and internet service will be knocked offline. While Stingrays are supposed to allow 911 calls to pass through without interruption, these are far from the only type of "emergency" communications. If the device is deployed for any considerable length of time, citizens completely unrelated to the criminal activity being investigated may find themselves unable to communicate.

And while the targeted number apparently belonged to Sprint, the warrant application notes that all service providers in the area will be asked to turn over a large amount of subscriber information.

[D]irecting AT&T, T-Mobile U.S.A., Inc., Verizon Wireless, Metro PCS, Sprint-Nextel and any and all other providers of electronic communication service (hereinafter the "Service Providers") to furnish expeditiously real-time location information concerning the Target Facility (including all cell site location information but not including GPS, E-911, or other precise location information) and, not later than five business days after receipt of a request from the Federal Bureau of Investigation, all information about subscriber identity, including the name, address, local and long distance telephone connection records, length of service (including start date) and types of service utilized, telephone or instrument number or other subscriber number or identity, and means and source of payment for such service (including any credit card or bank account number), for all subscribers to all telephone numbers, published and nonpublished, derived from the pen register and trap and trace device during the 60-day period in which the court order is in effect…

This request seems to run contrary to what's asserted earlier in the warrant application, in reference to the Stingray device itself.

In order to achieve the investigative objective (i.e., determining the general location of the Target Facility) in a manner that is the least intrusive, data incidentally acquired from phones other than the Target Facility shall not be recorded and/or retained beyond its use to identify or locate the Target Facility.

It appears there is a "catch-and-release" policy when it comes to Stingray devices, but the FBI's data request to every cell phone service provider in the area contains no such assurances about minimization. Additionally, the request for data on "all subscribers to all telephone numbers" covers a 60-day period, while the use of the tower spoofer is limited to two weeks.

So, not only did the FBI potentially disrupt cell service while searching for the robbery suspects, it also collected a massive amount of data on every subscriber whose phone happened to connect with its fake tower. It's not really "catch-and-release" if additional call/location data on unrelated subscribers is obtained from from other providers. This broad request was granted without question or additional stipulations by the magistrate judge -- the only limitation applied (in a handwritten addition, no less) being that the FBI would not be able to use the device "in any private place or when they have reason to believe the Target Facility is in a private place." (This falls in line with the FBI's "warrant requirement," which is written in a way that ensures the FBI will never have to seek a warrant for Stingray use.)

The FBI, along with other law enforcement agencies, has refused to answer questions about the disruptive side effects of Stingray device usage. With the unsealing of this document, their silence no longer matters. These agencies are well aware of these devices' capabilities -- something they're clearly not comfortable discussing. The excuses deployed routinely involve "law enforcement means and methods" and claims about "compromising current and future investigations," but with more heat being applied by the nation's legislators, this code of silence may finally be broken. The use of these devices -- despite being fully aware that critical communications may be at least temporarily prevented -- sends a continual implicit message to the public: your safety and well-being is subject to law enforcement's needs and wants.