With the rapid advancement of surveillance technology used by increasingly militaristic law enforcement, public policy and privacy protections have struggled to keep pace. In this relatively uncharted tech landscape, the state can easily and indiscriminately spy on us, invade our privacy, and push the limits of democracy with little regard for the consequences of such widespread abuse.
Nothing epitomizes this kind of abusive law enforcement surveillance more than a cell site simulator (CSS) device, or StingRay—the brand name of a commonly used CSS made by the Harris Corporation.
“Stingrays are mobile surveillance systems the size of a small briefcase that emit a signal that is stronger than the signal of legitimate cell towers in their vicinity in order to force mobile phones and other devices to establish a connection with them and reveal their unique ID,” according to Wired magazine. The StingRay and devices like it not only collect meta data on unsuspecting cell phone users, but also determine a phone’s location and movement, as well as record calls and text messages. StingRays have even been used to interfere with or block cell phone communication.
Longstanding use of StingRays
According to the Electronic Privacy Information Center (EPIC), the Federal Bureau of Investigation (FBI) has been using CSS technology to “track and locate phones and users since at least 1995,” long before cell phones were in widespread use.
However, the technology did not generally become known to the public until a few years ago. Thanks to the dogged pursuit of privacy advocates and civil libertarians for more concrete information, the public is finding out that secrecy and obfuscation around CSS technology has been quite deliberate.
In 2004, while seeking retroactive approval for the purchase of a StingRay device, the Miami-Dade Police Department claimed that “wireless phone tracking systems utilized by law enforcement have proven to be an invaluable tool in both the prevention of [criminal] offenses and the apprehension of individuals attempting to carry out criminal acts.”
“Likewise, in 2012 the Charlotte, North Carolina, Police Department sought city council approval to purchase a StingRay to ‘assist in searches related to criminal and/or homeland security investigations.’ A spokesperson for the Gwinnett County, Georgia, Police Department has stated publicly that his agency uses its StingRay device ‘in criminal investigations with no restrictions on the type of crime.’ A member of the Oakland County, Michigan, Sheriff’s Office described using a Harris Hailstorm device to track and locate fugitives and criminal suspects.”
Despite claims by the Harris Corporation that it authorizes law enforcement officials to use the StingRay only in emergency situations, it’s clear that the device is used with far less restraint.
In 2010, EPIC determined from records released by the Tallahassee Police Department that “in nearly 200 cases since 2007 where the department used a StingRay, only 29 percent involved emergencies.”
Until a year ago, federal agencies were not even required to obtain permission from a judge in order to employ CSS devices and they still have considerable discretion to determine whether a search warrant is necessary.
In September 2015, with mounting public pressure, the Justice Department (DOJ) issued new guidelines on the use of CSS devices. The guidance states that “law enforcement agencies must now obtain a search warrant supported by probable cause” before using a CSS device.
Notably, the DOJ policy waives the warrant requirement for “exigent circumstances,” such as “the need to protect human life or avert serious injury,” or “exceptional circumstances” in which obtaining a search warrant is “impractical.” This leaves wide discretion to law enforcement and, with lack of adequate oversight, can do little to curb surveillance abuses.
Because the guidance is non-binding, it’s unclear how the DOJ policy will be enforced, how abusive surveillance practices will be detected, and what if any are the consequences for those who violate the policy. In addition, the guidance does not apply to local or state law enforcement and can be changed or rescinded by a new US Attorney General.
According to the American Civil Liberties Union (ACLU), sixty-six local and state law enforcement agencies in 23 states and the District of Columbia own CSS devices. But, that number is likely low due to the secrecy surrounding the purchase and use of the devices.
Earlier this year, the New York Civil Liberties Union obtained records indicating that the New York Police Department (NYPD) has used StingRays more than 1,000 times since 2008 “without a written policy and following a practice of obtaining only lower-level court orders rather than warrants.”
But, nowhere are StingRays used more ubiquitously than in Baltimore, Maryland.
Last year, in a criminal case involving a carjacking and robbery, a Baltimore Police Department (BPD) detective testified that BPD had used a StingRay device roughly 4,300 times since 2007.
Secrecy, obfuscation and non-disclosure agreements
The secrecy surrounding StingRays and CSS devices is deliberate and involves the longstanding cooperation of the Harris Corporation, the FBI and the Federal Communications Commission (FCC).
In some cases, law enforcement agents have intentionally deceived defense attorneys about the source of evidence used in criminal cases to avoid disclosing StingRay information, according to Wired magazine. Law enforcement has also deceived judges when seeking a court order to use a StingRay device. And, when faced with forced disclosure by a court, federal prosecutors have even dropped charges against defendants in order to avoid revealing information about their use of a StingRay.
In communication from 2011, the Harris Corporation requested that the FCC place confidentiality restrictions on law enforcement acquisition of its StingRay devices. According to the Harris Corporation, disclosure of information on the use of StingRays could “reasonably put public safety officials at risk, jeopardize the integrity and value of investigative techniques and procedures, reveal Harris trade secrets due to the nature of the equipment, and harm Harris’ competitive interests.” In March 2012, the FCC granted the Harris Corporation’s request.
During a 2014 court proceeding that stemmed from the appeal of a 2008 sexual battery case, police officials in Tallahassee, Florida admitted to using a StingRay device at least 200 times in four years without disclosing it to the courts and without obtaining a warrant.
Citing a non-disclosure agreement (NDA) as a reason for the secrecy, Tallahassee police officials put the issue of NDAs in the national spotlight.
Police in Tucson, Arizona signed an NDA in 2010 regarding their StingRay use, which was hidden until 2014 when it was disclosed pursuant to a public records lawsuit brought by the ACLU on behalf of an investigative journalist.
An affidavit filed in the Tucson lawsuit by the chief of the FBI tracking technology unit confirmed that the Bureau “has entered into a non-disclosure agreement (NDA) with our state and local law enforcement partners.”
A heavily redacted NDA was released to MuckRock in 2014 by the Tacoma Police Department, implicating the FCC and illustrating the compulsory nature of the NDAs.
“Consistent with the conditions on the equipment authorization granted to Harris Corporation by the Federal Communications Commission (FCC), state and local law enforcement agencies must coordinate with the Federal Bureau of Investigation (FBI) to complete this non-disclosure agreement prior to the acquisition and use of the equipment/technology authorized by the FCC authorization.”
A similar NDA was signed by the Baltimore Police Department in 2011, which instructs officials to withhold certain information from the public and the courts, and encourages local prosecutors to dismiss cases instead of divulging details about the equipment, according to WBAL News Radio. That arrangement, now several years old, has led police to believe that they can withhold evidence in criminal trials or ignore subpoenas in cases in which the devices are used.
But, the FCC has been disingenuous about its role in the NDA requirement. According to MuckRock, the FCC insisted in 2014 that it didn’t require police departments to sign an NDA with the FBI before acquiring or deploying StingRay devices, thereby contradicting the NDA produced by Tacoma police.
More recently, an FCC official said last month that local police agencies don’t need a license under the Communications Act to operate StingRay devices on frequencies reserved for wireless carriers, which is disputed by civil liberties groups and violates the licensing requirements imposed by the FCC.
SingRays chill dissent
While most of the attention on the use of StingRay and CSS technology has focused on routine criminal investigations and its impact on people’s Fourth Amendment rights, the First Amendment is also heavily impacted.
Civil libertarians argue that free speech is chilled by both the indiscriminate and targeted use of StingRays. Because the device can access all cell phone data in a given area, it is not necessarily particular about the information it gathers, which during heavily policed protests can chill participation. However, law enforcement can also target their intelligence gathering and pursue specific people such as known political organizers, based not on criminal activity but on the content of their speech.
ACLU principal technologist Christopher Soghoian told the Baltimore Sun there’s good evidence that the devices also disrupt cell phone service. StingRays can block data connections in order to force a cell phone to use a less secure connection, and can even block calls outright.
By blocking calls and making communication difficult or impossible, law enforcement can effectively disrupt political activity and stifle dissent.
When it was recently confirmed that law enforcement was using aerial surveillance over Baltimore during protests against the murder of Freddie Gray, it became clearer that advanced technology was being used in the same racialized and abusive ways that the BPD was patrolling neighborhoods of color.
In response to this racialized surveillance and alleged cell phone jamming by the BPD, three advocacy groups filed a complaint with the FCC last month, arguing that the BPD doesn’t have a proper license to use StingRay devices and is in violation of federal law.
The Center for Media Justice, Color of Change, and New America’s Open Technology Institute are challenging the BPD’s unauthorized radio operation and willful interference with cellular communications stemming from its use of StingRay technology in the City of Baltimore.
The complaint requests that the FCC “put an end to widespread network interference caused by rampant unlicensed transmissions made by BPD and other departments around the country.”
The complaint further states that “these disruptions of the cellphone network—including of emergency calls—disproportionately harm the residents of Baltimore’s Black neighborhoods.”
“New technological tools that amplify police power can amplify existing biases in policing. Lack of effective oversight and supervision…in the use of this technology may lead to even greater invasions of privacy and subversions of rights in communities of color that are already the targets of biased policing.”
More recently, the ACLU and the Electronic Frontier Foundation filed their own FCC complaint, arguing that other police departments have also used StingRay devices in violation of the Communications Act. “The extreme secrecy surrounding use of cell site simulators has stymied effective oversight and left Americans’ cellular communications without sufficient protections against interference,” the filing reads.
Both complaints are currently pending before the FCC.
Earlier this year, a Maryland appeals court upheld a lower state court ruling that police could not use CSS devices without a warrant. The trial court had suppressed evidence in an attempted murder case due to the failure of Baltimore police to obtain a search warrant before tracking the defendant, Kerron Andrews, with a CSS device.
In a 73-page decision, the three-judge panel also strongly rebuked the police for concealing their use of the StingRay from a judge when applying for a court order. Baltimore authorities withheld information about the StingRay because the city had signed an NDA with the FBI in 2011.
The Maryland appeals court found the NDAs and deception to be “inimical to the constitutional principles we revere.” To authorize a search, “it is self-evident that the court must understand why and how the search is to be conducted,” the ruling said.
Nathan Wessler, staff attorney for the ACLU’s Speech, Privacy, and Technology Project told Wired magazine that, “This is the first appellate opinion in the country to fully address the question of whether police must disclose their intent to use a cell site simulator to a judge and obtain a probable cause warrant.”
While the ruling is considered groundbreaking, it’s only binding in Maryland. But, Wessler says it still puts federal and local law enforcement on notice that they will face consequences if they deceive the courts.
“By being the first opinion really dealing with this issue, the Maryland court has set the tone for this debate…and I would fully expect courts elsewhere in the country to very seriously look at this opinion as a starting point for their own analysis.”
Last year, far right House Representative Jason Chaffetz (R-UT) introduced the Cell-Site Simulator Act of 2015, which would mimic the DOJ policy by requiring state and local law enforcement agencies to obtain a warrant before using StingRay devices. Earlier this month, Chaffetz announced a forthcoming investigation of StingRay use by the House Oversight Committee which Chaffetz chairs.
Most recently, in a blow to the Harris Corporation and its effort to keep information on the StingRay shrouded in secrecy, last week The Intercept revealed several Harris Corporation instruction manuals “meticulously detailing how to create a cellular surveillance dragnet.”
As technology enables ever-evolving surveillance methods, we must find ways to better protect privacy and free speech. Demanding transparency, holding law enforcement officials accountable, and keeping companies like the Harris Corporation in check are initial steps to curbing abuse.
* * *
Kris Hermes is an activist, legal worker and author of Crashing the Party: Legacies and Lessons from the RNC 2000 (PM Press).