http://www.wired.com/2015/10/stingray-government-spy-tools-can-record-calls-new-documents-confirm/

Turns Out Police Stingray Spy Tools Can Indeed Record Calls

Kim Zetter

10.28.15

The federal government has been fighting hard for years to hide details about its use of so-called stingray surveillance technology from the public.

The surveillance devices simulate cell phone towers in order to trick nearby mobile phones into connecting to them and revealing the phones' locations.

Now documents recently obtained by the ACLU confirm long-held suspicions that the controversial devices are also capable of recording numbers for a mobile phone's incoming and outgoing calls, as well as intercepting the content of voice and text communications. The documents also discuss the possibility of flashing a phone's firmware "so that you can intercept conversations using a suspect's cell phone as a bug."

The information appears in a 2008 guideline prepared by the Justice Department to advise law enforcement agents on when and how the equipment can be legally used.

The Department of Justice ironically acknowledges in the documents that the use of the surveillance technology to locate cellular phones 'is an issue of some controversy.'

The American Civil Liberties Union of Northern California obtained the documents [1] (.pdf) after a protracted legal battle [2] involving a two-year-old public records request. The documents include not only policy guidelines, but also templates for submitting requests to courts to obtain permission to use the technology.

The DoJ ironically acknowledges in the documents that the use of the surveillance technology to locate cellular phones "is an issue of some controversy," but it doesn't elaborate on the nature of the controversy. Civil liberties groups have been fighting since 2008 to obtain information about how the government uses the technology, and under what authority.

Local law enforcement agencies have used the equipment numerous times in secret [3] without obtaining a warrant [4] and have even deceived courts about the nature of the technology [5] to obtain orders to use it. And they've resorted to extreme measures [6] to prevent groups like the ACLU from obtaining documents about the technology.

Stingrays go by a number of different names, including cell-site simulator, triggerfish, IMSI-catcher, Wolfpack, Gossamer, and swamp box, according to the documents. They can be used to determine the location of phones, computers using open wireless networks, and PC wireless data cards, also known as air cards.

The devices, generally the size of a suitcase, work by emitting a stronger signal than nearby towers in order to force a phone or mobile device to connect to them instead of a legitimate tower. Once a mobile device connects, the phone reveals its unique device ID, after which the stingray releases the device so that it can connect to a legitimate cell tower, allowing data and voice calls to go through. Assistance from a cell phone carrier isn't required to use the technology, unless law enforcement doesn't know the general location of a suspect and needs to pinpoint a geographical area in which to deploy the stingray. Once a phone's general location is determined, investigators can use a handheld device that provides more pinpoint precision in the location of a phone or mobile device--this includes being able to pinpoint an exact office or apartment where the device is being used.

In addition to the device ID, the devices can collect additional information.

Investigators also seldom tell judges that the devices collect data from all phones in the vicinity of a stingray--not just a targeted phone--and can disrupt regular cell service.

"If the cellular telephone is used to make or receive a call, the screen of the digital analyzer/cell site simulator/triggerfish would include the cellular telephone number (MIN), the call's incoming or outgoing status, the telephone number dialed, the cellular telephone's ESN, the date, time, and duration of the call, and the cell site number/sector (location of the cellular telephone when the call was connected)," the documents note.

In order to use the devices, agents are instructed to obtain a pen register/trap and trace court order. Pen registers are traditionally used to obtain phone numbers called and the "to" field of emails, while trap and trace is used to collect information about received calls and the "from" information of emails.

When using a stingray to identify the specific phone or mobile device a suspect is using, "collection should be limited to device identifiers," the DoJ document notes. "It should not encompass dialed digits, as that would entail surveillance on the calling activity of all persons in the vicinity of the subject."

The documents add, however, that the devices "may be capable of intercepting the contents of communications and, therefore, such devices must be configured to disable the interception function, unless interceptions have been authorized by a Title III order."

Title III is the federal wiretapping law that allows law enforcement, with a court order, to intercept communications in real time.

Civil liberties groups have long suspected that some stingrays used by law enforcement have the ability to intercept the content of voice calls and text messages. But law enforcement agencies have insisted that the devices they use are not configured to do so. Another controversial capability involves the ability to block mobile communications, such as in war zones to prevent attackers from using a mobile phone to trigger an explosive, or during political demonstrations to prevent activists from organizing by mobile phone. Stingray devices used by police in London have both of these capabilities, [7] but it's not known how often or in what capacity they have been used.

The documents also note that law enforcement can use the devices without a court order under "exceptional" circumstances. Most surveillance laws include such provisions to give investigators the ability to conduct rapid surveillance under emergency circumstances, such as when lives are at stake. Investigators are then to apply for a court order within 24 hours after the emergency surveillance begins. But according to the documents, the DoJ considers "activity characteristic of organized crime" and "an ongoing attack of a protected computer (one used by a financial institution or U.S. government) where violation is a felony" to be considered an exception, too. In other words, an emergency situation could be a hack involving a financial institution.

"While such crimes are potentially serious, they simply do not justify bypassing the ordinary legal processes that were designed to balance the government's need to investigate crimes with the public's right to a government that abides by the law," Linda Lye, senior staff attorney for the ACLU of Northern California, notes in a blog post about the documents.

Another issue of controversy relates to the language that investigators use to describe the stingray technology. Templates for requesting a court order from judges advise the specific terminology investigators should use and never identify the stingray by name. They simply describe the tool as either a pen register/trap and trace device or a device used "to detect radio signals emitted from wireless cellular telephones in the vicinity of the Subject that identify the telephones."

The ACLU has long accused the government of misleading judges in using the pen register/trap and trace term--since stingrays are primarily used not to identify phone numbers called and received, but to track the location and movement of a mobile device.

Investigators also seldom tell judges that the devices collect data from all phones in the vicinity of a stingray--not just a targeted phone--and can disrupt regular cell service.

It's not known how quickly stingrays release devices that connect to them, allowing them to then connect to a legitimate cell tower. During the period that devices are connected to a stingray, disruption can occur for anyone in the vicinity of the technology.

Disruption can also occur from the way stingrays force-downgrade mobile devices from 3G and 4G connectivity to 2G if they are being used to intercept the concept of communications.

In order for the kind of stingray used by law enforcement to work for this purpose, it exploits a vulnerability in the 2G protocol. Phones using 2G don't authenticate cell towers, which means that a rogue tower can pass itself off as a legitimate cell tower. But because 3G and 4G networks have fixed this vulnerability, the stingray will jam these networks to force nearby phones to downgrade to the vulnerable 2G network to communicate.

"Depending on how long the jamming is taking place, there's going to be disruption," Chris Soghoian, chief technology for the ACLU has told WIRED previously. "When your phone goes down to 2G, your data just goes to hell. So at the very least you will have disruption of internet connectivity. And if and when the phones are using the stingray as their only tower, there will likely be an inability to receive or make calls."

Concerns about the use of stingrays is growing. Last March, Senator Bill Nelson (D-Florida) sent a letter to the FCC calling on the agency to disclose information about its certification process for approving stingrays and any other tools with similar functionality. Nelson asked in particular for information about any oversight put in place to make sure that use of the devices complies with the manufacturer's representations to the FCC about how the technology works and is used.

Nelson also raised concerns about their use in a remarkable speech on the Senate floor. The Senator said the technology "poses a grave threat to consumers' cellphone and Internet privacy," particularly when law enforcement agencies use them without a warrant.

The increased attention prompted the Justice Department this month to release a new federal policy on the use of stingrays, requiring a warrant any time federal investigators use them. The rules, however, don't apply to local police departments, [8] which are among the most prolific users of the technology and have been using them for years without obtaining a warrant.

[1] https://www.aclunc.org/docs/20151027-crm_lye.pdf

[2] https://www.aclunc.org/our-work/legal-docket/aclu-v-doj-stingrays

[3] http://www.wired.com/2014/03/stingray/

[4] http://www.wired.com/2015/04/ny-cops-used-stingray-spy-tool-46-times-without-warrant/

[5] http://www.wired.com/2014/06/feds-told-cops-to-deceive-courts-about-stingray/

[6] http://www.wired.com/2014/06/feds-seize-stingray-documents/

[7] http://www.wired.com/2011/10/datong-surveillance/

[8] http://www.baltimoresun.com/news/maryland/politics/bs-md-stingray-oversight-20151021-story.html