Though they operate behind the scenes, Stingrays have been in the spotlight for quite some time as their use and capabilities expand and concern that they may trample privacy conventions becomes widespread.
Despite growing unease among lawmakers and privacy advocates, though, lawmakers have yet to pass federal legislation to regulate use of the device on all levels despite a December 2016 Congressional recommendation to establish clear national framework for when and how geological information can be accessed and used. But states are stepping up to fill the gaps with laws of their own.
Law enforcement expands use, skirts privacy
Cell site simulators that spoof cell phone towers to collect user data in the form of mass surveillance, swooping in all user data within its radius, have been used in emergencies to track people who have attempted suicide, kidnapping victims, murder suspects, missing people, and fugitives. However, the devices have found their way into less serious cases, raising the specter of law enforcement overreach.
Courts have been known to throw out cases entirely or drastically reduce sentences in cases where a stingray was used surreptitiously and without much detail as a result of non-disclosure agreements signed between local departments, the Federal Bureau of Investigation (FBI), and the maker of the devices, Harris Corporation.
The FBI claims that the NDAs are only to protect certain capabilities and proprietary information concerning the device however, there have been reports of these agreements explicitly instructing agencies to not reveal their use or existence, even to courts.
In 2015, the Department of Justice (DOJ) and the Department of Homeland Security (DHS) both issued stingray policies and that required the use of warrants and the deletions of any data as soon as the target is identified and no less than once every 30 days. The agencies also instated an audited procedure with designated executive-level contacts serving as direct lines of contact.
“The Department of Justice's new policy on cell-site simulators, or ‘Stingrays,' is a welcome first step and will help bring an invasive surveillance technology closer to our constitutional privacy standards,” Congressman Ted W. Lieu (D-Calif.) said in a Sept. 4, 2015, press release addressing the new policy. “As new technologies empower law enforcement with unique capabilities, stringent rules are needed to safeguard against abuse of our civil liberties – and Stingrays are no different.”
Lieu said that many questions remain about law enforcement's collection of geolocation and other data, and he was going to ask the House Oversight and Government Reform Committee to examine this issue.
The policy release was accompanied by a U.S. House Committee on Oversight and Government Reform hearing where representatives had an opportunity to ask for clarification from both the DHS and DOJ on their rules.
The Justice Department has since clarified its rules on Stingray use, saying that it's okay to disclose use of the device in court and that it believes that defendants have the right to challenge the use of the device. Some police departments have reportedly started disclosing their use of the devices after previously denying their existence in some cases.
While many legislators applauded the guidelines as a step in the right direction the policy had nothing to do with state and local level use of the devices. The guidelines apply only to federal law enforcement agencies as well as state and local agencies working with the federal government.
Even then, information is limited on exactly how many agencies currently use the devices, what protocols each agency follows for use, or what agreements have been signed with device makers.
While attempts at federal legislation have languished, states like New York, Missouri, and New Mexico have instigated their own efforts to regulate the Stingray. Each of the proposals include warrant requirements to use the devices, with the exception of predefined emergency scenarios, and vary in terms of details.
While many acknowledge the Stingray legislation in these states as stepd in the right direction, some privacy activists still feel they don't offer enough civilian protection. Furthermore, concerns have grown that the devices have been used to unfairly target communities of color.
A group of senators including Al Franken (D-Minn.), Patrick Leahy (D-Vt.), Ron Wyden (D-Ore.), Shen'od Brown (D-Ohio), Edward J. Markey (D-Mass.), Elizabeth Warren (D-Mass.) , Jeff Merkley (D-Ore.), Tammy Baldwin (D-Wis.), Bernie Sander (I-Vt.), Tom Udall(D-N.M.), Martin Heinrich (D-Minn.), and Christopher A. Coons (D-Del.) wrote in a letter to the Federal Communications Commission (FCC) Chairman Tom Wheeler, asking him to look into the matter.
“While we appreciate law enforcement's need to locate and track dangerous suspects, the use of Stingray devices should not come at the expense of innocent Americans' privacy and safety, nor should law enforcement's use of the devices disrupt ordinary consumers' ability to communicate,” the senators wrote. “Reliable access to telecommunications services is vital to Americans' ability to communicate and successfully engage in today's economy, and it is the FCC's responsibility to ensure that communications services are available to Americans of all backgrounds.”
There has been some success in regulating use of the device. The American Civil Liberties Union (ACLU) said that recent legislation passed in Illinois concerning use of the device is the gold standard that other states and federal agencies should look to emulate.
The bill is cause for celebration because to use the device, lawmakers required law enforcement to obtain a probable cause warrant, immediately delete any data collected which is not covered in the warrant within 24 hours, and to ensure that judges are made aware to what exactly they are granting access to, Chad Marlow, advocacy and policy counsel at the ACLU, tells SC Media.
Marlow says these factors are important because while existing Stingray legislation may require a warrant, the laws don't always account for surveillance warrants which law enforcement may interpret as a “blanket warrant” allowing or implying use of the device without specifically disclosing its use.
Stingray legislation in other states may vary the requirements to notify a judge specifically about a device's use or may not include clauses for the deletion of data, Marlow says.
Some of the biggest challenges to passing legislation that encompasses these elements is that lawmakers are often hesitant to sign any bill that everyone isn't on board with, Marlow says. While there aren't any particular groups or agencies opposed to the concept of regulating the use of Stingrays, there is sometimes resistance, he explained.
“General resistance of the bill is from law enforcement not wanting to be told how to do their job,” Marlow says, noting that the Illinois Police Department wasn't “active” in the process of drafting the legislation in their own state. “If law enforcement isn't in agreement then it may take time” to pass legislation that offers sufficient privacy protections in the eyes of the ACLU.
However, some say that the ACLU may be asking for too much and that the requirements in the Illinois model viewed as consumer protections aren't all feasible in real-world practice, Chris Roberts, chief security architect at Acalvio, tells SC Media.
Roberts has worked with European, and U.S. intelligence agencies on the local, state and federal levels. He says the backlog of data in FBI forensics labs can be anywhere between six months and eight months, depending on the jurisdiction, making the immediate deletion of extra data unlikely.
“So I take your data and you want me to delete it in 24 hours, no way that will be long enough to sort through all of the information gathered,” Roberts says. “And what happens if I have to prosecute you and I have to go to trail, I still need that data.”
Roberts agrees that there should be more regulation concerning the use of Stingray devices he said that the technology opens a new space of due process where everyone could potentially be incriminating themselves and that some sort of Safe Harbor-like provision is necessary to protect individuals' privacy.
Furthermore, he says that law enforcement should focus more on deescalating situations instead of letting situations escalate to the point where they need to even consider using technology such Stingrays.
Roberts also took issue with the secrecy that is still maintained concerning the devices even in light of the FBI's claims to protect trade crafts. Most of the public, or at least those it would be used against, already know what the device is, its capabilities, how it works and how to circumvent it adding that some of the bad guys aren't using standard cellular architecture, he said.
“Stop being covert about something that's not bloody covert, start being honest about it,” Roberts says.
Fred Wilmot, chief technology officer at Packetsled, says the U.S. could benefit from a adapting its own version of a notion of a European-style Safe Harbor when collecting data. He says there should be clear definition of what information can and can't be used in the event of Stingrays collecting relevant criminal information that law enforcement may not have been seeking or that wasn't specified in the warrant.
“Problem right now is that we have a bit of a technological revolution that's starting to break the chains of things that we have historically built structure around to privacy for,” Wilmot says.
Law enforcement, legislators and privacy advocates still have a long way to go before the use of Stingray devices are properly regulated to further transparency while simultaneously providing law enforcement with an effective tool to fight crime, save lives and protect the privacy of innocent citizens.