from the some-prime-ass-talking-going-on-here dept
Secrecy still continues to shroud law enforcement Stingray use, in large part because courts have been far too receptive to the government's insistence that the release of any details at all would result in the expensive tech being rendered instantly useless.
The NYPD has decided to go past the usual "law enforcement means and methods" obfuscatory tactics and push a rather novel narrative about why it would be "dangerous" for IMSI catcher info to make its way into the public domain. (I mean more so… I guess.)
Joseph Cox of Motherboard reports the NYPD's latest opacity play involves hoodie-wearing males operating laptops in underlit rooms and comic book supervillain-esque levels of coordinated criminal activity.
In a recent case, the New York Police Department (NYPD) introduced a novel argument for keeping mum on the subject: Asked about the tools it uses, it argued that revealing the different models of IMSI catchers the force owned would make the devices more vulnerable to hacking.
In the words [PDF] of the NYPD's Gregory Antonsen, hackers would be able to crack open Stingrays like OPM records if the department were to turn over Harris Corp. contract info and nondisclosure agreements to the New York branch of the ACLU in response to its FOIL request. Also: terrorism.
The purpose of this affidavit is to explain the reasons that disclosing the Withheld Records would cause grave damage to counterterrorism and law enforcement operations, and so could endanger the lives or safety of New Yorkers.
Additionally, disclosing the Withheld Records would reveal confidential and non-routine criminal investigative techniques, which would hamper ability to conduct operations and would permit perpetrators to evade detection. Moreover, disclosure of the Withheld Records would jeopardize the ability of NYPD to secure its information technology assets.
After detailing the use of Stingrays to perform a variety of heartwarming investigations (tracking down a missing elderly person, rescuing someone from sex trafficking, etc.), Antonsen gets down to business. According to the NYPD's theory, any information released about the NYPD's IMSI catcher contracts could be "scrutinized" by bad guys who would be able to infer from extremely limited information the extent of the department's cellphone-tracking capabilities. It's basically the mosaic theory, but without the mosaic.
But the far stupider assertion is the one made without any supportive citations -- just a far-fetched hypothetical.
The CSS technologies are also critical and essential information technology assets. As such, all CSS technologies require periodic software updates. Public disclosure of the specifications of the CSS technologies in the NYPD's possession from the Withheld Records would make the software vulnerable to hacking and would jeopardize ability to keep the technologies secure. Of great concern is that a highly sophisticated hacker could use the knowledge of CSS technologies to invade the CSS software undetected, thus creating a situation in which law enforcement personnel are lured into a situation based on a misleading cell-phone location and are then trapped and ambushed.
The ACLU's Chris Soghoian has responded [PDF] to the NYPD's assertions. As to the claims that providing contract information would somehow result in sophisticated criminals finding ways to route around this surveillance, Soghoian points out that every Stingray device -- no matter its capabilities -- can be defeated by even the dumbest thug… and all without having to scour a redacted invoice for clues.
The most effective countermeasure, which can be used by anyone at no cost is to simply turn off a phone or put it into airplane mode. This will thwart tracking by any model of Stingray. Knowing the models of Stingrays that the NYPD uses does not make this countermeasure more or less effective. It is 100% effective regardless of which models of Stingrays the NYPD uses.
Soghoian went easy on the "but criminals will beat our IMSI catchers" argument. The "but we'll be hacked" argument is treated with all the respect it deserves: none.
It would be a serious problem if the costly surveillance devices purchased by the NYPD without public competitive bidding are so woefully insecure that the only thing protecting them from hackers is the secrecy surrounding their model names.
He also chides the NYPD for making claims the federal government isn't even willing to make.
The Harris Corporation, which in addition to manufacturing Stingrays has been awarded public contracts for securing the President's communications and supplying secure radios used by the U.S. Army, is clearly capable of designing secure products for its government customers that does not rely on keeping secret the mere existence of the devices for their security.
Soghoian also points out that the release of other information would similarly have zero effect on the devices' capabilities. Because they spoof cell towers, it does criminals no good to know how many the NYPD has or even where they tend to deploy them. A cellphone can't tell it's connected to a BS "tower." And just because the NYPD may be more likely to deploy them in certain areas does not guarantee that avoiding those areas will allow criminals to avoid detection.
And this wonderful paragraph snarkily deflates the NYPD's paranoid ravings its tech officers deploy as justification for continued secrecy.
Inspector Antonsen also claims that knowing the number of Stingrays owned by the NYPD may enable an extremely well-resourced criminal group to orchestrate a greater number of simultaneous hostage situations than the number of Stingrays available to the NYPD. Even assuming that such a sophisticated criminal group made the unlikely decision to rely on its knowledge of the number of Stingrays in the possession to use cell phones in executing such a hypothetical event, knowing that number will not help them as it is almost certainly the case that one, if not multiple, federal law enforcement agencies would step in and assist the NYPD with their own cellular surveillance technology. Moreover, this hypothetical is no different from saying that at some point some criminal group may be able to overwhelm the number of police cars that the NYPD owns or the number of police officers on the force.
It's hard to believe law enforcement is still throwing out these tired arguments after nearly a decade of incremental exposure of Stingray information. The NYPD wants publicly-available information (Stingray names, suggested retail prices) to somehow be the first cat successfully stuffed back into the bag. Since it has no legitimate arguments to justify this cat stuffing, tech officers are resorting to hypothetical scenarios even the most-handwavingest of sci-fi writers wouldn't feel comfortable inserting into their speculative fiction.