[cryptome] Re: FOIPA adventures

  • From: "Douglas Rankine" <douglasrankine2001@xxxxxxxxxxx>
  • To: <cryptome@xxxxxxxxxxxxx>
  • Date: Sun, 26 Jul 2015 17:07:21 +0100

Sorry about the delay. I have been away on holiday.

There is an interesting series of articles on appealing the "Glomar Response"
You may not have seen it...
See url:

-----Original Message-----
From: cryptome-bounce@xxxxxxxxxxxxx [mailto:cryptome-bounce@xxxxxxxxxxxxx] On
Behalf Of coderman
Sent: 13 July 2015 05:27
To: cryptome@xxxxxxxxxxxxx
Subject: [cryptome] Re: FOIPA adventures

On 7/12/15, Douglas Rankine <douglasrankine2001@xxxxxxxxxxx> wrote:

Are they giving reasons for the rejections?

Glomar all around. see also:

"What Is the Big Secret Surrounding Stingray Surveillance?"


What Is the Big Secret Surrounding Stingray Surveillance?

State and local law enforcement agencies across the U.S. are setting up fake
cell towers to gather mobile data, but few will admit it By Larry Greenemeier |
June 25, 2015

Stung: Law enforcement agencies sometimes use a device called a stingray to
simulate a cell phone tower, enabling them to gather international mobile
subscriber identity (IMSI), location and other data from mobile phones
connecting to them. Pictured here is an actual cell tower in Palatine, Ill.

Given the amount of mobile phone traffic that cell phone towers transmit, it is
no wonder law enforcement agencies target these devices as a rich source of
data to aid their investigations. Standard procedure involves getting a court
order to obtain phone records from a wireless carrier. When authorities cannot
or do not want to go that route, they can set up a simulated cell phone
tower—often called a stingray—that surreptitiously gathers information from the
suspects in question as well as any other mobile device in the area.

These simulated cell sites—which collect international mobile subscriber
identity (IMSI), location and other data from mobile phones connecting to
them—have become a source of controversy for a number of reasons. National and
local law enforcement agencies closely guard details about the technology’s
use, with much of what is known about stingrays revealed through court
documents and other paperwork made public via Freedom of Information Act (FOIA)

One such document recently revealed that the Baltimore Police Department has
used a cell site simulator 4,300 times since 2007 and signed a nondisclosure
agreement with the FBI that instructed prosecutors to drop cases rather than
reveal the department’s use of the stingray. Other records indicate law
enforcement agencies have used the technology hundreds of times without a
search warrant, instead relying on a much more generic court order known as a
pen register and trap and trace order. Last year Harris Corp., the Melbourne,
Fla., company that makes the majority of cell site simulators, went so far as
to petition the Federal Communications Commission to block a FOIA request for
user manuals for some of the company’s products.

The secretive nature of stingray use has begun to backfire on law enforcement,
however, with states beginning to pass laws that require police to obtain a
warrant before they can set up a fake cell phone tower for surveillance.
Virginia, Minnesota, Utah and Washington State now have laws regulating
stingray use, with California and Texas considering similar measures. Proposed
federal legislation to prevent the government from tracking people’s cell phone
or GPS location without a warrant could also include stingray technology.

Scientific American recently spoke with Brian Owsley, an assistant professor of
law at the University of North Texas Dallas College of Law, about the legal
issues and privacy implications surrounding the use of a stingray to
indiscriminately collect mobile phone data. Given the invasive nature of the
technology and scarcity of laws governing its use, Owsley, a former U.S.
magistrate judge in Texas, says the lack of reliable information documenting
the technology’s use is particularly troubling.

[An edited transcript of the interview follows.]

When and why did law enforcement agencies begin using international cell site
simulators to intercept mobile phone traffic and track movement of mobile phone

Initially, intelligence agencies—CIA and the like—couldn’t get local or
national telecommunications companies in other countries to cooperate with U.S.
surveillance operations against nationals in those countries. To fill that void
companies like the Harris Corp. started creating cell site simulators for these
agencies to use. Once Harris saturated the intelligence and military markets
[with] their products, they turned to federal agencies operating in the U.S. So
the [Drug Enforcement Administration], Homeland Security, FBI and others
started having their own simulated cell sites to use for surveillance.
Eventually this trickled down further to yet another untapped market:
state and local law enforcement. That’s where we are today in terms of the
proliferation of this technology.

Under what circumstances do U.S. law enforcement agencies use cell site
simulators and related technology?

There are three examples of how law enforcement typically use stingrays for
surveillance: First, law enforcement officials may use the cell site simulator
with the known cell phone number of a targeted individual in order to determine
that individual's location. For example, officials are searching for a fugitive
and have a cell phone number that they believe the individual is using. They
may operate a stingray near areas where they believe that the individual may
be, such as a relative's home.

Second, law enforcement officials may use the stingray to target a specific
individual who is using a cell phone, but these officials do not know the cell
phone number. They follow the targeted individual from a site to various other
locations over a certain time period. At each new location, they activate the
stingray and capture the cell phone data for all of the nearby cell phones.
After they have captured the data at a number of sites they can analyze the
data to determine the cell phone or cell phones used by the targeted
individual. This approach captures the data of all nearby cell phones,
including countless cell phones of individuals unrelated to the criminal

Third, law enforcement officials have been known to operate stingray at
political rallies and protests. Using the stingray at these types of events
captures the cell phone data of everyone in attendance.

How does law enforcement get permission to perform this type of surveillance?

Federal law enforcement agencies typically get courts to approve use of
something like stingray through a pen register application [a pen register is a
device that records the numbers called from a particular phone line]. With that
type of application, essentially the government says, we want this information.
We think it’s going to be relevant to an ongoing criminal investigation. As you
can imagine, that’s a pretty low bar for them to satisfy in the eyes of the
court. Just about anything could fit into that description. You don’t even have
to show that such an investigation would lead to an arrest or prosecution. Law
enforcement is telling the court, look, we’re in the middle of this
investigation. If we get this information, we think it might lead to some other
important information.

Different court orders have different standards for approval. The highest
standard would be for a wiretap. A search warrant likewise has a much higher
standard than a pen register, requiring law enforcement to prove probable cause
before a judge will grant permission to use additional means of investigation.
The problem that I have with a pen register to justify use of something like a
stingray is that the standard for a pen register is much too low, given the
invasive nature of a pen register. Instead, I think the use of a stingray
should be consistent with the Fourth Amendment of the Constitution and pursuant
to a search warrant.

Why not explicitly state the type of technology being used and its specific
purpose when filing for a court order?

[When] law enforcement agencies seek to obtain judicial authorization through a
pen register, they do not directly indicate that they are applying for
authorization to use a stingray. Doing so might cause some courts to question
whether the pen register statute [as opposed to some higher standard] is the
appropriate basis for authorizing a stingray. In addition, law enforcement
agencies typically have to sign nondisclosure agreements with Harris Corp. in
order to receive the federal Homeland Security funding needed to purchase the
So there’s this concern, at least at the local law enforcement level, about
revealing any information about it because that would violate the agreement
with Harris and maybe subject them to losing the equipment or some other

Why would law enforcement agencies sign a nondisclosure agreement with a
technology company?

I’m not sure whether the agreements are being driven by the FBI or by Harris,
but these agreements seem to be getting less relevant insofar as [there is
less] need to keep the public unaware of the existence of this technology. In
the last three or so years there’s been a lot more awareness about the
technology and its use. When agencies were first signing these agreements years
ago, use of this technology wasn’t widely known. Now you are getting situations
where criminal defense attorneys learn about stingray and similar technologies
and the role they may be playing in the arrests of some of their clients.
Defense teams are starting to ask questions and require the government to
produce documentation such as court orders, and that’s creating the
confrontation you’re now seeing.

Why have law enforcement agencies kept their use of cell site simulators so

Some of it is the cloudy legal issues surrounding the legitimate uses of this
technology. Law enforcement agencies will also argue that the more information
that’s available about this technology, the harder it is for them to use these
devices to fight crime. Yet there’s a growing knowledge of this technology, and
a serious criminal enterprise is already aware of it. People are already using
prepaid disposable phones [sometimes referred to as “burner phones”] to some
extent to defeat this technology. Sophisticated criminals are aware that
there’s electronic surveillance out there in myriad ways, and so they’re going
to take precautions. From a technology perspective, it’s sort of a
cat-and-mouse game. There’s also a device that locates cell site simulators,
something referred to as an IMSI catcher. There’s an arms race back and forth
to get the best technology and to get the edge.

What does it say to you about the whole process that a prosecutor or a law
enforcement agency is willing to sacrifice a conviction in order to keep their
methods a secret?

I think it’s a very odd approach. You are throwing away some convictions or
potential convictions for the sake of secrecy. But it’s even harder to
understand now that knowledge of the technology is becoming so common. There
have been documented cases in Baltimore and Saint Louis where stingray has
supposedly been used. The use of stingray and related technologies is a roll of
the dice in the sense that law enforcement is hoping that either the defense
attorneys don’t have enough savvy or wherewithal to find out about the
technology and ask the right questions or, even if that does happen, they’re
hoping that the judge that they have is favorable to their approach and not
going to order them to reveal information about its use. In the rare occasions
when things go against them, they just dismiss it.

You yourself denied a law enforcement application three years ago to use a
stingray. Under what circumstances would you approve its use?

I want to make clear: I don’t have a problem with stingray itself—I understand
that this can be a valuable tool in law enforcement’s arsenal. My problem is
that I want it to be used pursuant to a high standard of proof that it’s
needed, and that I want the approval process to be more transparent. One of the
reasons I’d like to see some more documentation of stingray applications and
orders is because I have this suspicion—but there’s no way of confirming it one
way or another—that some judges are signing approvals to use this technology
thinking that they’re just signing a pen register. If a judge thinks it’s
[just] another pen register application, they’re just going to sign it without
giving it much pause.

Now that the use of this stingrays and related technologies has been made
public, where will this issue be a year or a few years from now?

A year from now I think we’re in the same position. You’re dealing with
outdated statutes concerning new and very different technology.
It’s possible in five years maybe that Congress will step in and do something.
More likely, state legislatures will take most of the action to monitor this
type of surveillance. Washington State, California [and others] have already
acted, and Texas is evaluating the standards for approving stingray use.

No virus found in this message.
Checked by AVG - www.avg.com
Version: 2015.0.6081 / Virus Database: 4392/10213 - Release Date: 07/12/15

Other related posts: