Monday, September 07, 2015
Stingray and the Swiss Cheese of Electronic Privacy
The main distinguishing characteristic of Swiss cheese is that it's got holes in it. This image came to mind when I read a recent report about a cellphone tracking device colloquially known as Stingray. These expensive, sophisticated devices are contributing to a pernicious double standard about electronic privacy. Private citizens on the one hand, and local and state law enforcement authorities on the other hand, appear to be working under very different rules.
Ordinary U. S. citizens are forbidden to eavesdrop on private electronic communications over the airwaves. Back in the days when cellphones transmitted easily received analog signals, this meant you could not buy scanners that covered cell-phone frequencies. And wiretapping—connecting a listening device to a telephone wire—was something that only authorized law enforcement people could do. Back then, even the cops first had to get a court to issue a warrant for a wiretap, which was limited as to time and the target of the wiretapping. Just to make sure that these restrictions weren't overwhelmed by new technological developments, in 1986 Congress passed the Electronic Communications Privacy Act (ECPA), which extended restrictions on landline communications to the then-new wireless types.
Then there was 9/11 and a burst of foreign terrorism, and a need arose to track cellphones in foreign countries that were being used for nefarious purposes, like setting off improvised explosive devices. In response to this demand, the Harris Corporation developed a clever system that has come to be called the Stingray. In order to track and eavesdrop on a target cellphone, you set up the Stingray in the general vicinity of the target—a few dozen or hundred yards is probably sufficient. When the target phone is activated, the Stingray pretends it's a real cellphone tower, sending out a "pilot" signal that is stronger than the genuine tower's pilot nearby, and capturing not only the target phone, but many others in the vicinity. In its most sophisticated mode, the Stingray performs a real-time decryption of the encrypted cellphone data and relays the content of the phone call (or text message, or what have you) to the legitimate system, while making copies for the cops. In this mode, any calls the target phone originates go through as usual. Only, the law enforcement people using the Stingray can hear and read everything in the vicinity.
I can't refer you to an advertising brochure or an official website on the Stingray, because Harris cloaks the device in secrecy. Any agency buying one has to sign a non-disclosure agreement in which they promise not to divulge any details about it. Nevertheless, the technology has become quite popular among the better-heeled state and local law enforcement agencies that can afford up to a half-million-dollar price tag. And it is by no means clear that the agencies get proper court authorization before using the Stingray. So your phone call or text might be showing up on a police computer near you—without your knowledge, of course.
In recent months, considerable information has leaked out about the Stingray and how it is being used, and there's even a Wikipedia webpage devoted to the technology. It was most recently in the news when Deputy U. S. Attorney General Sally Yates announced on Sept. 3 that Federal investigators will now have to obtain a judge's permission before using cellphone trackers. As recently as six months ago, the Feds were arguing in court that no such permission was necessary. So on the federal level at least, some measure of protection has been restored to electronic privacy. However, the ruling does not apply to state and local jurisdictions, which can presumably still use the Stingray and similar devices with impunity.
This is only one of many situations in which technology has outrun the legal system's ability to adapt to it. Despite the blanket prohibitions of the ECPA, state and local law enforcement agencies are apparently using Stingrays frequently with or without court approval, depending on what the patchwork legal context in the specific region will let them get by with. Sometimes, use of the device is revealed only in a court case when defense attorneys start asking embarrassing questions. In Tallahassee, Florida, the state prosecutor gave an armed-robbery suspect a reduced sentence rather than being forced to disclose details of how a cellphone was tracked to the criminal's house—by use of a Stingray, presumably.
It may be the case that most, if not all, uses of this technology are approved by courts, although in some cases judges have complained that they were not aware of what exactly it was they were approving. In that case, we are in principle no worse off privacy-wise than we were under the old regime of wiretapping laws, in which a court order was required to allow the telephone company technicians to permit a wiretap.
We actually have two sets of Swiss cheese here: one is the public's Fourth Amendment protection against unreasonable searches and seizures, and the other is the Harris Corporation's attempts to keep its technology out of the public eye. Any system that has a 4500-word article on Wikipedia about it is no longer secret in any meaningful sense. But nobody can sit down and build one for themselves just from the information on Wikipedia, and as long as nobody steals a physical unit and tries to reverse-engineer it, Harris is probably safe from getting their prize cellphone-tracker knocked off.
There are two conflicting stakes here: one on the part of the general public not to have its private communications eavesdropped on at the whim of a local police force, and another on the part of Harris Corporation not to have their advanced and very profitable cellphone tracker either copied or rendered useless by equally sophisticated bad guys who figure out some way to foil the Stingray. One easy way to foil it is simply not to carry a cellphone, but for most people nowadays, that's like telling them not to breathe. For the forseeable future, anyway, many crimes will involve cellphones one way or another, and the Stingray will continue to be useful in tracking down criminals.
My metaphorical hat is off to Deputy Attorney General Yates, who has at least clarified the situation at the federal level so that Stingrays will be used only with the proper authorization—we hope. Maybe the state and local agencies will now follow the Federal lead and be more circumspect about how they use the devices, at least until the next round of electronic spy-and-counterspy warfare comes to pass.
Sources: The New York Times article "Justice Dept. To Require Warrants for Some Cellphone Tracking" appeared on Sept. 3, 2015 at http://www.nytimes.com/2015/09/04/us/politics/justice-dept-to-require-warrants-for-some-cellphone-tracking.html. I also referred to an earlier New York Times article "A Police Gadget Tracks Phones—Shhh-It's a Secret" at http://www.nytimes.com/2015/03/16/business/a-police-gadget-tracks-phones-shhh-its-secret.html. The Washington Post carried the article about the plea bargain in Florida at https://www.washingtonpost.com/world/national-security/secrecy-around-police-surveillance-equipment-proves-a-cases-undoing/2015/02/22/ce72308a-b7ac-11e4-aa05-1ce812b3fdd2_story.html, and I also referred to the Wikipedia articles "Stingray Phone Tracker" and "Telephone Tapping," and a How Stuff Works article on how wiretapping works at http://people.howstuffworks.com/wiretapping3.htm.