Happy “Back to the Future Day” as October 21, 2015, marks the date that Marty McFly and Doc Brown time-traveled to in the 1989 film Back to the Future II. Even the White House couldn’t resist celebrating; Google got into the action too by tweeting about 15 new Gmail themes while linking to a leaked “confidential” (pdf) document about “Project Flux” and its time-traveling car.
DHS testifies about stingray surveillance use, new policy
Elsewhere, not nearly so fun but deserving of much more scrutiny, DHS and DOJ officials testified before the Committee on Oversight and Government Reform and the Subcommittee on Information Technology about their “stingray” technology. In April, the Committee asked DHS (pdf) and DOJ (pdf) for more details about the agencies use of cell-site simulators that mimic cell phone towers and trick mobile devices into connecting to them. The Committee was “troubled” that DHS was hiding behind non-disclosure agreements to avoid providing information about the tech, “even in response to a court order.”
The Committee requested policies, including retention of information collected, allegations against any component of DHS regarding potential misuse, the number of stingrays, aka fake cell towers, being used, total cost and other documentation. DOJ received a similar request; both were reminded that “the Committee has authority to investigate ‘any matter’ at ‘any time’,” as in don’t attempt to pull the same game of hiding behind the non-disclosure agreements.
In September, DHS was “pressed” again to enact policy on stingrays. That same month, the Justice Department announced an “enhanced policy” with “increased privacy protections” to ensure the DEA, FBI, U.S. Marshals, Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) and others get a “search warrant supported by probable cause” before using an IMSI catcher, aka cell-site simulator. There are exceptions for “exigent circumstances or exceptional circumstances where the law does not require a search warrant and circumstances make obtaining a search warrant impracticable.”
The DOJ also stipulated that “the policy makes clear that cell-site simulators may not be used to collect the contents of any communication in the course of criminal investigations. This means data contained on the phone itself, such as emails, texts, contact lists and images, may not be collected using this technology.”
That last statement seems to be at odds with DHS testimony (pdf) given by Seth Stodder, Assistant Secretary of Homeland Security for Threat Prevention and Security Policy. To “dispel common misconceptions” about the tech’s capabilities, Stodder testified the tech is incapable of collecting personal information such as the account holder’s name, address or number:
This technology does not provide the subscriber’s account information; meaning no personal information, such as the account holder’s name, address, or telephone number, can be detected by this device. Additionally, cell-site simulators provide only the relative signal strength and general direction of a subject’s cellular telephone; the technology does not function as a GPS locator and cannot collect GPS location information from mobile devices. Cell-site simulators used by DHS do not collect the contents of any communication, including data contained on the phone itself, e.g., call content, transaction data, emails, text messages, contact lists, or images.
So which is it? Stingrays can’t collect personal info or policy now forbids it? Prepared DHS testimony states, “The scope of identification information collected when using cell-site simulator technology is limited to the phone manufacturer’s or service provider’s unique identifier (IMSI) for the device.”
More info is provided via Homeland Security’s newly released cell-site simulator “policy directive” (pdf):
By transmitting as a cell tower, cell-site simulators acquire the identifying information from cellular devices. This identifying information is, however, limited. Cell-site simulators provide only the relative signal strength and general direction of the subject cellular device; they do not function as a GPS locator, as they do not obtain or download any location information from the device or its applications. Moreover, cell-site simulators used by the Department's law enforcement Components must be configured as pen registers and may not be used to collect the contents of any communication, in accordance with 18U.S.C. §3127(3). This includes any data contained on the device itself: the simulator does not remotely capture emails, texts, contact lists, images or any other data from the device. Moreover, cell-site simulators used by the Department's law enforcement Components do not provide subscriber account information (for example, an account holder's name, address, or telephone number).
It would seem the capability is there, but is not permitted to be used by DHS.
Another interesting tidbit in DHS testimony included which agencies use “fake cell towers.” Within DHS, stingrays are used by “U.S. Immigration and Customs Enforcement’s (ICE) Homeland Security Investigations (HSI) and the U.S. Secret Service (USSS).” Odd, considering the ACLU knows many more agencies use the technology.
Another nugget involved potential cell service disruption:
The DHS policy also requires that applications for the use of cell-site simulators inform the court that cellular devices in the area of influence of the cell-site simulator might experience a temporary disruption of service from the service provider. In the overwhelming majority of cases, any disruptions are exceptionally minor in nature and virtually undetectable to end users. To dispel another misconception–law enforcement use of cell-site simulator technology will not disconnect end users from calls in progress.
Older stingray technology reportedly knocks users down from 4G to 3G, but some interceptors claim to be undetectable.
The potential for cell service disruption is to be given to the court as well as “the underlying purpose and activities for which an order or authorization is sought;” additionally, DHS policy states, “An application for the use of a cell-site simulator should inform the court about how law enforcement intends to address deletion of data not associated with the target device.”
As mentioned previously, a warrant will be required before using a stingray unless there are exigent or exception circumstances which allow sidestepping the Fourth Amendment. In some jurisdictions, a warrant and pen register can be sought concurrently. DHS policy (pdf) states that an emergency pen register for the use of a stingray only comes into play when there is “immediate danger of death or serious bodily injury to any person; conspiratorial activities characteristic of organized crime; an immediate threat to a national security interest; or an ongoing attack on a protected computer (as defined in 18U.S.C. §1030) that constitutes a crime punishable by a term of imprisonment greater than one year.”
Data collection and disposal
DHS policy dictates that when on the hunt to “locate a known cellular device, a cell-site simulator initially receives the unique identifying number from multiple devices in the vicinity of the simulator. Once the cell-site simulator identifies the specific cellular device for which it is looking, it will obtain the signaling information relating only to that particular device. When used to identify an unknown device, the cell-site simulator obtains signaling information from non-target devices in the target's vicinity for the limited purpose of distinguishing the target device.”
Although a “typical mission may last anywhere from less than one day and up to several days,” an operator of a cell-site simulator “must delete all data immediately after a mission is completed….When the equipment is used to locate a target, data must be deleted as soon as the target is located….When the equipment is used to identify a target, data must be deleted as soon as the target is identified, and no less than once every 30 days….Prior to deploying equipment for another mission, the operator must verify that the equipment has been cleared of any previous operational data.”
There is also to be an auditing program to make sure the data was deleted; “to the extent feasible, this auditing program will include hardware and software controls, for example through an equipment sign-in process that will include operator badge number and an affirmative acknowledgement by the operator that he or she has the proper legal authority to collect and view data.”
The Committee had originally requested an inventory for each agency using stingrays; it was to include the “total number of such devices in possession of the agency,” the “name, make, and model of the devices used by or in possession of the agency,” the total number of devices in possession of the agency for each make and model of device; and, “the cost of each individual device and the total amount each agency spent in fiscal years 2010-2014 on acquiring and using cell-site simulation technology.”
If that information was given to the Committee, it was not included in the prepared testimony.