Technology that allows cops to track your phone.
Kim Zetter: There needs to be sort of a high-profile case. Lawmakers themselves need to get trapped in one of these devices before they care.
Dave Bittner: Hello, everyone. And welcome to "Caveat," the CyberWire's law and policy podcast. I'm Dave Bittner. And joining me is my co-host Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben.
Ben Yelin: Hello, Dave.
Dave Bittner: On this week's show, I have an update on Baltimore's spy plane, Ben describes concerns over violations by the FBI, CIA and NSA of FISA court rules and, later in the show, my conversation with Kim Zetter on her recent article in The Intercept titled "How Cops Can Secretly Track Your Phone." It's all about Stingrays and dirtboxes. So stick around for that.
Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney.
Dave Bittner: All right, Ben, before we dig into our stories this week, we got a little bit of follow-up. A listener wrote in, a gentleman by the name of Mitch, about one of our past interviews. He said, you hit a particular hot button of mine with the cyber insurance in your interview. While we are not lawyers, we do review cyber policies for our clients. And we're honest. We tell them we're not lawyers. It's amazing what's there or not in there. In most states, maybe all states, cyber policies are nonstandard form policies. So every carrier does their own thing, and sometimes it even varies from product line to product line. He says one challenge is that businesses use the same broker for every kind of insurance. It's easier for them.
Dave Bittner: I tell our clients to ask their broker one simple question, and if they don't get the right answer, then they need to move to a different broker. The question is, how many cyber risk policies, quantity and dollars of coverage did you write last month and the month before and the month before? If that broker is making $59 in commission from the one cyber policy he wrote three months ago, he is the wrong broker. He says, they have to write multiple policies every single month. If they do that, they will know whose policies have crap in it and which carriers don't pay.
Dave Bittner: I think this is an interesting insight here from our listener. I think, you know, good advice all around. If you're getting a new roof on your house, you don't want to hire the guy who builds decks, right? (Laughter).
Ben Yelin: Yeah. Yeah, I thought it was really great insight and just a good window inside that world, and I really appreciate Mitch writing into us. And, yeah, I think this is something that's going to evolve in the insurance industry as the years go forward here just because, you know, insurance is about evaluating risk. And because of all of these high-profile cybersecurity incidents, when you have Equifax, when you have OPM, when you have ransomware attacks, people are going to start to recognize that risk more and more and start to understand that they need specialists who really understand both the legal issues and the technological issues.
Ben Yelin: So, yeah, I mean, I don't think when we look five to 10 years down the line, you're going to have insurance brokers who sell you your flood policy and your cyber policy, and it's all boilerplate language. I mean, I think it's going to have to evolve because - let's be honest - you know, floods don't change too much, but the cyberthreats do. And that's sort of the insight that I think Mitch was giving us here, and I think it was very valuable.
Dave Bittner: No, it's a great point. Great point. So thank you, Mitch, for sending that in. We do appreciate it.
Dave Bittner: All right, Ben, let's move on to our stories. Why don't you kick things off for us this week?
Ben Yelin: So my story comes from the Twitter feed - my main news source...
Dave Bittner: (Laughter).
Ben Yelin: ...Of Elizabeth Goitein or Goitein. She's the co-director of the Liberty and National Security Program at the Brennan Center for Justice, one of my go-to sources for all things national security and electronic surveillance related. And she talked about a just-released opinion from the FISA court. It was redacted by the Office of the Director of National Intelligence, ODNI. The opinion is from December 2019, and it concerns compliance with the provisions of Section 702 of the FISA Amendments Act, which allows for the targeting of non-U.S. persons reasonably believed to be outside of the United States but that their communications are held with U.S. companies. And this is the type of surveillance that's not supposed to capture the communications, the conversations of U.S. persons, but as we'll see from this Twitter thread and the story, that is not always the case.
Ben Yelin: So this is a program that has to be reauthorized every single year by the FISA court. These opinions are secret when they come out. They're not publicly released. According to a bunch of different statutes, the ODNI is supposed to release them if they have novel interpretations of the law, and I think that's why they released the opinion here. What we found out is that the NSA, the FBI and the CIA have committed all sorts of violations of the letter of this statute. Nevertheless, the court, the FISA court, in its opinion in December 2019 allowed the program to continue, basically saying, yeah, you've made some mistakes here, but you know what? We're willing to trust you, and we authorize this program going forward.
Ben Yelin: Before I get into the nitty-gritty, I mean, I think the context here is important because we just had this very high-profile public story about Michael Horowitz, the IG report about surveillance on Carter Page of the Donald J. Trump presidential campaign, where he found out that some of the material that went into that application had been falsified, had been incomplete. The FBI had cut corners in putting together that application. So it seems certainly bizarre in this case that the FISA court, you know, in December 2019 - this is actually, coincidentally, when that IG report came out - would not be more skeptical of what the government was telling them. So I think this is a story about the FISA court's leniency and its propensity to trust what our government agencies are doing, even when the government agencies themselves admit that they're violating federal statutes and internal policies.
Dave Bittner: What options does the FISA court have here? I mean, is it an all-or-nothing type of thing?
Ben Yelin: It's not. I mean, what the FISA court has done in the past when they reject these types of broad policy applications is to force the government to go back to the drawing board, to say we have - your minimization procedures are not rigorous enough. You're capturing too many U.S. persons' communications. Therefore, you need to revise your application for surveillance. We're not going to approve it until you submit those revisions. And that's happened many times in the past. Now, we as the public don't know about it until several years later, when these opinions are released.
Ben Yelin: But, you know, on our last episode, we talked about the call detail records program. That's a program where there were a lot of compliance problems, and the FISA court told the FBI and the NSA that unless they make policy changes and document those changes in future applications, we're not going to improve the program. And so it does end up forcing those agencies to make policy improvements. And that's what's kind of mystifying about what happened here.
Ben Yelin: Obviously, Section 702 searches are a valuable counterintelligence tool. I think anybody who's in the intelligence community would agree to that. So we're talking about a program that's very important. But, you know, in the context of what we've learned about the surveillance application process, I think it just is surprising and disturbing that the court was so deferential here.
Dave Bittner: Do we have any sense of the degree to which these violations were serious? Were they - you know, was it a blatant disregard or an accidental overreach? Any indications there?
Ben Yelin: I don't want to characterize whether it was accidental or purposeful because sometimes it's hard to know. But the violations themselves were very significant. They referenced a previous FISA court opinion which found that the FBI, in a large number of cases, violated a key tenet of the law, as it was renewed in early 2018, that U.S. person queries of the database of 702 communications have to be reasonably likely to return foreign intelligence information or evidence of a crime. So that's a large number of inquiries where that rule was basically simply ignored.
Ben Yelin: There was one case where the FBI ran 16,000 U.S. persons queries for a reason that has been redacted in the case, and an internal audit found that only seven of those queries were justified - seven out of 16,000. I'm not a math wizard, but I think that's a pretty small fraction.
Dave Bittner: (Laughter) I'm with you.
Ben Yelin: Yeah. You know, the other thing that was uncovered in this decision is when Congress amended the law in 2018, FBI agents are now required to get a court order before accessing U.S. persons' communications in most cases. And the reason they need to do that is - or the only way they'd not need to obtain a warrant is if there was some sort of foreign intelligence purpose. And from what we understand from this opinion, that's also something that just was not being done.
Ben Yelin: So we're not talking about minor technical violations, where there was some technical problem in the minimization procedures, and incidentally, a hundred communications were collected that were not supposed to be collected. These are large-scale problems. And, you know, I think it's important for people who are in this field, who understand intelligence gathering and who are concerned about privacy and civil liberties, to read this opinion carefully and judge for yourself whether this program is being conducted pursuant to laws that have been authorized by Congress. And I think it's pretty clear, in my opinion, that it's not.
Dave Bittner: All right. Well, it's interesting, for sure, and I suppose one we'll have to keep an eye on it as it continues. I guess it's kind of frustrating that there's the built-in sort of lag because of the secretive nature of it that, as you say, you know, it takes a long time for the information to be released to the public.
Ben Yelin: Yeah, it's sort of like when you look at the stars - I hate to get all philosophical here - and what you're seeing is actually light that was emitted, you know, 1 billion years ago or whatever.
Dave Bittner: Right. Right.
Ben Yelin: That's sort of what we get with FISA cases. Like, it reflects - it largely reflects what was going on a year ago, two years ago. So, you know, we don't have a lot of information on what's happened in the last 10 months in terms of whether the court's gentle scolding here has caused FISA to amend some of its procedures.
Dave Bittner: Interesting.
Ben Yelin: Or the law enforcement agencies to amend some of their procedures. And we're not going to know, probably, for a long time. So, yeah, that lag is very frustrating. And I get it. You know, these opinions, for very legitimate reasons, have to be secretive, especially if they reveal sources and methods. But it also means that there really isn't a level of democratic accountability. If you and I don't like how this is going (laughter), you know, there's not a congressperson we can call to have this discontinued. And I think that's very frustrating.
Dave Bittner: Yeah. Yeah, for sure. All right, interesting stuff. My story this week comes from Baltimore Brew, a local publication here in our hometown of Baltimore. This is written by Louis Krauss, and it's titled "In Appeals Court, Baltimore Surveillance Plane Suit Gets a Mixed Reaction." Now, Ben, you - we have covered this Baltimore surveillance plane many times. (Laughter) I would say it's an ongoing fascination of ours.
Ben Yelin: Yes, it is. Yes.
Dave Bittner: And this story covers how the ACLU filed suit. And this took place in a federal appeals court. The ACLU is claiming that this is an unconstitutional violation of privacy. But in this case, two of the three judges who were having the case made to them thought that it was fine. And I think it's really interesting to see their reaction to this.
Dave Bittner: Now, a quick overview here. Baltimore law enforcement, they have a series of planes. I think it's three planes. They're like, you know, little Cessna-type planes, your general aviation type aircraft. And they are equipped with a bunch of cameras, and they fly over the city, and they're just taking footage of - high-resolution footage of the city as they fly over. And what this allows them to do is they can track vehicles - they can track people as they go about their business in the city.
Dave Bittner: So, for example, let's say somebody robbed a convenience store. They can go look at this footage that they gathered and say, OK, who was at this convenience store? They could rewind the footage and track back everyone who was at that convenience store at the time, back to where they came from or where they were going or - and so on and so forth. And that can help them narrow their case. This article points out that they can also cross-reference that footage with footage on the ground, with security camera footage and so on and so forth. It's interesting to me how the judges kind of split here. Ben, can you describe where they came down on it?
Ben Yelin: Yeah. So this was a three-judge panel of the 4th Circuit Federal Court of Appeals. We have - you know, not to make this a partisan thing. We have a couple of Republican appointee judges and one Democratic appointee. And it really comes down to the difference in how these judges see Fourth Amendment jurisprudence. From the perspective of what looks to be the majority in this case, this shouldn't fall under the Fourth Amendment whatsoever because this doesn't qualify as a Fourth Amendment search.
Ben Yelin: You know, as we've talked about, the definition of a Fourth Amendment search is a violation of somebody's reasonable expectation of privacy. And what these judges are saying is, these cameras aren't going into people's houses. They aren't going into people - you know, inside people's cars, inside people's stuff or personal property. They are simply observing what's going on in the public view. And there's sort of been this long-held Fourth Amendment doctrine that once you put yourself in the public view, you have forfeited that expectation of privacy. And so that's what the majority seems to be saying here.
Ben Yelin: What the one dissenting justice seems to be saying here is, that's an outdated view of the Fourth Amendment that would justify very pervasive surveillance programs like this one - that, basically, when that doctrine was created in a variety of courts, nobody could have anticipated that we were going to have a Cessna plane flying at, you know, 3,000 feet above the ground that's taking pictures every second, where you can zoom in and identify individuals at crime scenes. It just simply was not under consideration. So in light of that change in technology, this legal doctrine has to change. Otherwise, the slope gets very slippery, as they say. What else can we justify in terms of observing people in public? You know, I think, doctrinally, the majority seems to reflect, you know, where most courts are on this issue.
Ben Yelin: One thing that I think supports their viewpoint is we already have a lot of surveillance cameras around Baltimore City and, really, everywhere else. Just 'cause they're not in airplanes doesn't mean they're not surveillance cameras. And those cameras and the footage that they take have not been found to be Fourth Amendment searches requiring any sort of warrant. So this plane is merely a difference in scale and not necessarily a difference in method.
Dave Bittner: Yeah. And that's one of the things that fascinates me here - is that it seems like the core of this argument or the disagreement here is over the scope. It's not necessarily the act, the thing that's being done. I think everyone seems to agree that we're collecting footage in public and there's no reasonable expectation of privacy in public, but it's the scope of which - it's the amount of footage gathered, and it's the stitching together of multiple sources of information that have the privacy implications. And I suppose - I mean, is this a case, Ben, of if not the Fourth Amendment, then what?
Ben Yelin: Yeah. I mean, if not the Fourth Amendment, then it's going to be incumbent upon Baltimore City to evaluate whether this program is worth it. The police commissioner in Baltimore City has identified two crimes that were solved using this technology in the six or so months that this plane has been in the sky. And they - he didn't seem to have any comment on whether it's aided in any other investigations. It's going to be up to Baltimore's leaders to determine whether this type of law enforcement advantage justifies what is clearly an invasion of privacy.
Ben Yelin: Even if it's not a constitutional invasion of privacy, it is an invasion of privacy because you can't be outside in Baltimore City without knowing that there is a plane overhead taking pictures of you. It might affect the associations you have. It might affect whether you go to a religious institution, whether you go to a licensed therapist. Having that knowledge really could cause people to disrupt their everyday routines.
Ben Yelin: But it seems, from this case, that this is not going to be solved in the judicial arena because it appears as if a majority of judges on this panel are willing to hold that this is not a Fourth Amendment search. And what that means is Baltimore policymakers are going to be the ones that have to make the decision. And one thing that always gets a little jumbled in the decision-making process is we often don't have access to all of the data to make that decision, either because it's not available or, in many cases, it's been classified by the policymakers themselves.
Ben Yelin: So I think, you know, it's incumbent upon the public to put a lot of pressure on our public officials to justify this program. If they think it really works, give us the evidence, and allow us as Baltimore City residents to make the decision as to whether it is worth this very clear invasion of privacy, whether it's a constitutional invasion of privacy or not.
Dave Bittner: What would it take for something like this to get in front of the Supreme Court?
Ben Yelin: So, generally, you'd have to have a split among circuits. You know, justices are usually deferential to appeals courts on most cases, but if you see that two separate appeals courts have disagreed on an interpretation of an issue, that's when you see cases frequently come to the Supreme Court. The other way would be when you have a really novel issue that other courts haven't had the opportunity to consider, which is something that we have here.
Ben Yelin: So, you know, I certainly think it's within the realm of possibility that if the ACLU loses, that they appeal this case. Before that, they might appeal to have the case heard en banc, meaning the entire Fourth Circuit, not just this three-judge panel - which was chosen randomly - will hear the case. And so as is always true with the legal system, we're always a long way from resolution here. And that's another reason why I think it's incumbent upon the city itself to evaluate the program and its effectiveness because it could eventually make it to the Supreme Court, but by that point, we'll have had years of this plane buzzing 3,000 feet above us...
Dave Bittner: Right (laughter).
Ben Yelin: ...And taking, you know, millions and millions of photos. So in some ways, the damage would have already been done.
Dave Bittner: Yeah, yeah. A little buzzing anxiety engine, right? (Laughter).
Ben Yelin: Yeah, the buzzing is something else. I mean, it is - it's a bizarre thing to listen to. I think they noted in this article that somebody created a Twitter parody account for the Baltimore plane that just buzzes.
Dave Bittner: Right (laughter).
Ben Yelin: I wish I had thought of that...
Dave Bittner: Yeah.
Ben Yelin: ...'Cause it's such a good idea, yeah (laughter).
Dave Bittner: I have to say, when I worked in Baltimore City, one of the things that bothered me was that there were so many helicopters around. There was always a helicopter buzzing around. And I just - and it took me a little while to realize that it was triggering some anxiety in me, just this constant drone of helicopters, you know? And I don't know why, but it was true.
Ben Yelin: I felt the exact same thing. I lived in Baltimore City for a long time. And, you know, in every neighborhood in Baltimore City, you can hear helicopters. And granted, it's - you know, it's needed because Baltimore, especially now, has a very serious violent crime problem. So eyes in the sky, you know, certainly could and, in some cases, certainly does help. But it does come at a cost.
Dave Bittner: Yeah.
Ben Yelin: And it's - I had the same reaction. And, you know, it's just hard to feel safe and secure and content when you're constantly hearing police helicopters.
Dave Bittner: Right.
Ben Yelin: And I think that's true no matter where you live in Baltimore City.
Dave Bittner: Yeah. All right. Well, we'll keep an eye on that one as it surely will develop.
Dave Bittner: We would love to hear from you. If you have a question for us, you can call us. The number's 401-618-3720. You can call and leave a message. We may use it on the air. You can also write us at email@example.com.
Dave Bittner: Ben, I recently had the pleasure of speaking with Kim Zetter. She is a highly respected national security journalist. She's author of the book "Countdown to Zero Day." And she recently published an article over on The Intercept. It was titled "How Cops Can Secretly Track Your Phone." She really dug in to Stingrays and dirtboxes. And here's my conversation with Kim Zetter.
Dave Bittner: What is some of your history with Stingrays? When did they first sort of come to your awareness?
Kim Zetter: They came to my awareness - I couldn't tell you exactly what year, but it was the Daniel Rigmaiden case that brought it to my attention initially. This was a guy who was being prosecuted for filing false tax returns and stealing people's identities. And he had been really curious about how they had found him because he used a false identity. He was using an Aircard. And he was using a false identity to register the Aircard for his Verizon account. And so even though they could track the signals, they didn't know who it was or get a real address.
Kim Zetter: So that's what was intriguing to me because he took this on as sort of this legal challenge in the way that no one had before. And so he started to - he did all of this research and investigation and was really, like, training his lawyers on the topic, who didn't understand the technology.
Kim Zetter: And so he really challenged this in court, and it was really his pushback. I mean, I can remember this one response to the government was something like 400 or 600 pages long. And he actually had to ask the judge for permission to file an extra long filing. And he got it. But he was just so knowledgeable on it that it was the first time that we had some kind of public discussion about how these systems work and, more importantly, how they were able to track him. So that's really what pulled me in.
Dave Bittner: Let's just sort of go over exactly what the technology is that we're talking about here. When we're talking about Stingrays, dirtboxes - they go by a number of names, but these are these cell tower simulators. What exactly are they up to?
Kim Zetter: Yeah. So they have various names, like the IMSI-catcher, cell-site simulator. What they do is - it's an electronic device that emits the signal or it broadcasts to cellphones in their vicinity that they are a cell tower, and therefore the phone should ping them instead of a legitimate cell tower. And they do this by, in some cases - this is the way they used to work was they would emit a stronger signal than the signal of the towers around them. And so the phones will just naturally search for the strongest signal cell tower to get the best connection. And so they would just sort of broadcast a stronger signal. Now, they don't have to emit the signal. They can basically just announce, hey, I am broadcasting at this level. And if it's a higher level than other towers, the phones will just naturally connect to those cell towers, the fake cell tower instead.
Kim Zetter: Once the cell tower connects to - so what happens is, it's not that the person is necessarily making a call. You know, your phone is pinging cell towers all the time periodically and automatically saying, hey, I'm here, so that your phone company can find you when a text message or a phone call comes in and they know what cell tower to route it through.
Kim Zetter: And so you're constantly - your phone is constantly communicating with these towers. And so what it does when it communicates with any tower, whether it's a rogue cell tower or a real one, is it identifies itself with the IMSI number that's identified with your SIM card. And the carrier - all they see is that IMSI number, but the carrier has the ability to identify you based on your carrier accounts, your name and address and things like that.
Kim Zetter: Well, so what law enforcement is doing - the reason that they want to get your phone to connect is they want that IMSI number to, one, identify anyone in the vicinity. Let's say, in the case of protesters, they might want to know who is in that crowd. And so any phone that's in that crowd will connect to this IMSI device, this IMSI-catcher - the fake tower - and identify their IMSI number. And so then law enforcement can take those IMSI numbers and go to a carrier and get the identity of that person.
Kim Zetter: But what they can also do is - in the Rigmaiden case, if they already know a specific device or phone that they want to track, they can program that into their device and then turn on the device, and the device will tell them if that particular phone or device is in the vicinity of the cell tower. And so in the case of Rigmaiden, they already knew what the unique ID was for his Aircard. He wasn't using a phone. He was actually using an Aircard with Verizon. They already knew the unique ID, and so they turned it on in the general vicinity. The phone company was able to tell them the general vicinity of where he was in San Jose. And they turned on this device, and they were able to sort of home in on where exactly he was located. So they can do that.
Kim Zetter: They can do a number of things. They can identify you. They can identify phones in the region. They can then identify you through your carrier. But then they can also track your movements. If you are moving around, if they are moving around with that IMSI-catcher, then they can - that's not the most precise way to do it, but they can kind of track your movement. But more importantly, they can go back to the carrier and say, can I get a historical record of every location this phone has been in the last two weeks or so?
Dave Bittner: Now, these devices started out being used by the military?
Kim Zetter: Well, that's what we understand. Again, there's still a lot of mystery around these. But we know that Harris Company, which is based in Florida, which sells a lot of these devices to law enforcement, had devices for military and intelligence. And we know that they are used by the military and have been used by the military for a long time. But we do have - like, the first mention of one of these devices is actually in an article from the mid-'90s about law enforcement trying to track the hacker Kevin Mitnick. And they used a device that's sort of an early generation of this. It was very sort of a crude device that was using this, like, big antenna strapped to the top of a vehicle going around the neighborhood. So we know the technology has also been used by law enforcement at least since the '90s. But we don't know, like, when the first one of these was used by military intelligence or law enforcement.
Dave Bittner: And how are they being used these days? I mean, what are the most popular uses for them? Do we know - do we have a sense for that?
Kim Zetter: Yeah. So they are used by, for instance, the DEA, Drug Enforcement Agency, to track drug smugglers across the border. They're used by Border Protection, you know, ICE, to track illegal immigrants coming across the border from Mexico. They're used in some cases - well, as I said, to identify phones in the area, to identify people.
Kim Zetter: But they can also be used to block the use of cellphones. So they can - if they can force the phones to connect to them instead of a real cell tower, you won't be able to make a phone call. You won't be able to get or receive texts. You won't be able to, let's say, upload videos. So if you're a protester - we don't know that they've been used in this way at protests, but protesters have suspected that they've been used in this way, where suddenly they find that they can't upload a video of, you know, a protest or a riot or something that's going on. And they believe that law enforcement is using one of these to block them and prevent that. So that's the way that they're used with law enforcement.
Kim Zetter: But they do have the ability, also, separately, to intercept communication and even decrypt it. So our communications in 4G LTE are strongly encrypted. But 2G, our early generation, is not strongly encrypted. And so the way that these Stingrays will often work is they will downgrade the phone. They will instruct the phone, hey, I can only communicate with you in 2G. Please switch to 2G for me. And they can do that because there are still 2G networks operating in the world. So all phones have to have the ability to communicate in 4G but also in 2G. So this fake cell tower will tell the phone, hey, downgrade to 2G and I can talk with you. And then they can actually intercept the communications, which is no longer encrypted, or no longer encrypted strongly, and then get the communications as well.
Kim Zetter: I don't know - I mean, we assume that there must be also intelligence agencies out there that have the ability to crack stronger encryption. We don't know. No doubt they're working on that. So they can do that.
Kim Zetter: And the article that I wrote for The Intercept, I talked with someone who used to advise military and intelligence. And he told me how they would use it to do sort of man-in-the-middle attacks so that a phone would connect to them and they'd be in the middle of it. And then they would sort of forward on the connection to a real cell tower. So someone talking on the phone wouldn't even realize that their voice call is being intercepted by a middleman tower. And so during that interception, someone could listen in on the phone call, if it's not encrypted, intercept text messages. They could also spoof that phone and send other phones text messages as if they're coming from the phone that they're spoofing. So there's a lot that they can do. It really depends on sort of the laws and what's allowed. So if it's military intelligence, obviously they have fewer restrictions than law enforcement has.
Dave Bittner: Right. And so where do we stand when it comes to requiring a warrant?
Kim Zetter: Well, for many years, law enforcement didn't need a warrant for these. And it was actually - I'll go back to Rigmaiden. We thank him for that. He got the government to admit that sending a signal into his private apartment to communicate with his Aircard and locate it was an actual invasion of his private domicile and was therefore a violation of Fourth Amendment search and seizure. So in acknowledging that, there was a lot of further pushback in other court cases.
Kim Zetter: And ultimately, the Justice Department announced a policy in - I think it was around 2011. They announced this policy that going forward, they would require all federal law enforcement agencies who wanted to use this to obtain a court order or a warrant. And that is good, but a policy is not law, and policy can change. And it also doesn't apply to local law enforcement. It only applies to federal law enforcement agencies. So that warrant thing is a good thing, but we don't know what the current policy is, if it's changed, and we don't know if local law enforcement is doing this.
Kim Zetter: And also, I want to point out that for a long time, even after law enforcement was getting warrants for these, they were lying to courts in order to get the warrants. So they would tell a court - they weren't calling it an IMSI-catcher. They weren't even actually describing what it was designed to do. They were calling it a pen trap and trace device, which is a sort of a lawful intercept device that's actually put on a phone carrier's network to intercept the phone numbers that a phone makes and the phones that call you. So it's very sort of - it's metadata that it's getting. But it's not very invasive, right? It's not actually connecting to the phone itself. And so law enforcement wasn't telling judges that this - weren't describing what this really was. And so they were kind of couching it in this incorrect terminology. And so they were getting these warrants, and defense attorneys were clueless about what exactly was being used to surveil their clients.
Kim Zetter: And so, again, I have to go back to Rigmaiden. You know, he was the one that really started to open the door on this. And then a lot of defense attorneys started to push back. And anytime that their client was surveilled, they would demand more discovery on exactly how that was done. And so we've gradually gotten a little more and more material about that deception that had gone on. And that was also part of the Justice Department's new policy. When they passed this policy about getting a warrant, they did say going forward that federal law enforcement, at least, will have to be transparent to judges about what they're doing.
Dave Bittner: And am I correct that, you know, prosecutors were dropping cases when it was revealed that a Stingray may have been used rather than reveal more information about them?
Kim Zetter: Yes. This was so wild. It's unclear who is initiating all of this cloak-and-dagger, whether it's the companies like Harris or if it's really law enforcement. There were some cases, as you point out, where when defense attorneys started pushing back on this, they were finding that prosecutors were just dropping the case rather than reveal information about what they were using. And when people started to dig in this more - the ACLU, the Electronic Frontier Foundation - and trying to get public records around all of this, then those were being blocked as well. And they were saying that they couldn't reveal information about how these devices work because then criminals would find sort of counterintelligence methods to thwart these devices. That worked for, you know, a long time but ACLU and EFF, you know, eventually broke through those barriers and forced these agencies to provide information.
Kim Zetter: But what they also found were communications between the makers of these devices, like Harris Corporation and local law enforcement, whereby the makers of these devices would force law enforcement to sign a nondisclosure agreement when they purchased these devices. And those NDAs would require the law enforcement agency to notify these companies anytime someone filed a public records request on their equipment. And that would give the Harris Corporation and other companies a chance to fight that. They would basically tell the law enforcement agency you don't own the device, this is proprietary, we're leasing it to you or this is a trade secret, you can't release this information. And so it's hard to know, like, who initially initiated that - whether it was law enforcement going to the private companies and saying hey, we don't want to release this information publicly. If you force us to sign an NDA, we can use that to deny release or if it was the companies that initiated it from the start. I suspect it was probably (laughter) the law enforcement but I don't - I don't really know that.
Dave Bittner: Yeah. There's something that has always left me scratching my head with these devices is that the FCC is OK with them. You know, the whole notion of someone coming in with a gadget that basically gets in the way of our cellular communications network, which is a fundamental utility these days, I'm left confused as to how the FCC is on board with this.
Kim Zetter: Well, that is - that's actually been challenged as well because these devices can potentially - they're interfering with the cell towers around them, obviously, the people who are licensed to be using the airwaves. So they interfere with that and they also interfere, obviously, if you're trying to make a phone call, and they potentially interfere with 911 emergency calls. So they are supposed to allow - the devices are supposed to have the ability to recognize when a call coming through is a 911 call and disconnect the device and allow that phone to go through.
Kim Zetter: But there was an interesting test that Canadian law enforcement did. It was just sort of a homespun test that they tried with their devices. And they found that the phones - the 911 calls actually weren't going through about - I think it was a little less than 50% of the time. I don't remember the exact percentage. So no one has done any oversight to determine whether or not these devices are letting 911 calls through or to determine exactly how much interference they're doing, are they with other cell towers in the region or what.
Kim Zetter: And the FCC has not really been very clear on how they're policing all of this. Why do they just give sort of a blanket approval, what is the approval do they require when a device gets upgraded? Again, it's not very transparent.
Dave Bittner: The devices would have to be licensed, right?
Kim Zetter: They are licensed, yes.
Dave Bittner: Yeah.
Kim Zetter: But it's not clear what is happening to get them licensed.
Dave Bittner: Right, right. So where do we stand today? I mean, it's my understanding we had recent news that I believe it was the EFF who's come out with an open-source project to be able to kind of detect these and make a run at tracking them.
Kim Zetter: Yeah. There have been efforts like this before where people have developed an app that will be on your phone that will sort of alert you if it suspects a rogue cell tower is in the vicinity. The problem with most of these apps is that they are going to be false positives because all they're doing is saying we think this might be a suspicious tower. But it's unclear, like, what the criteria they're using to determine that, and then there's no way for you, actually, to verify, so they're kind of useless.
Kim Zetter: And so EFF has come up with this system that they think is more robust that way, but there hasn't been any sort of proof of concept of it yet. So it's still sort of at the beginning stages, and I think we're going to have to wait some time to see if they can actually identify a legitimate tower. So they have done some cases where they've identified things that were suspicious, and then they went out into the field and tried to actually track down what that suspicious thing was. And it turned out, for instance, like, one of them was actually a roving mobile cell tower that was outside of a convention center that was put up by the convention center to sort of expand the cell network during a high-traffic convention. So it, you know, it does these by sort of recognizing new cell towers that suddenly pop up and aren't recognized as legitimate ones, so a lot of those are going to be false positives.
Kim Zetter: And so I think that people should be suspicious any time - you know, there was a story a few years ago about rogue cell towers in Washington, D.C. I have no doubt that there are rogue cell towers in Washington, D.C. But a company that is promoting its product with a news release saying we've discovered rogue cell towers in D.C. but can't actually point them out to you so that anyone can verify them, that should be suspicious. So we've never had any sort of at least unclassified report that has actually said, OK, this is where there was a rogue tower and this is when it was operating, things like that. All we get are sort of suspicious rogue towers.
Dave Bittner: And where do we stand in terms of the transition to 5G? Is that going to change the game any?
Kim Zetter: With 4G and 5G, obviously, it's changed the game in terms of encrypting the communications. So there's stronger encryption there. 4G was supposed to sort of resolve the IMSI-catcher issue of tracking the IMSI number because what it does is it'll use the IMSI number the very first time that a phone registers with a carrier. But then, the carrier assigns it a unique identifier that is not the IMSI number. And so that's supposed to be more private. But what a researcher that I wrote about found out was that there's a loophole there and that this rogue cell tower can actually tell the device, I forgot your unique number. Can you give me your IMSI number one more time? And it will then send the IMSI number, and it can get that. And because that communication is not encrypted, the encryption doesn't kick in until after that handshake occurs. Law enforcement can get that IMSI number in the clear.
Kim Zetter: So 5G is supposed to do sort of the same thing. But again, it has the same loophole. So I don't want to, you know, downplay 4G and 5G. The encryption is there for protecting communication, but it's not there for protecting the IMSI identifier.
Dave Bittner: Is there anything happening on the policy front when it comes to this? Are there any legislators who are pushing back on the use?
Kim Zetter: There was legislation introduced - I think it was 2012 was the last one - that was going to address a lot of this and require warrants. And it has never passed, so no. There have been occasional efforts to kind of revive it, and then it doesn't get enough backing. So I think that, obviously, EFF and ACLU have lobbied for this for a long time, but it just hasn't had any traction. There needs to be sort of a high-profile case. Lawmakers themselves need to get trapped in one of these devices before they care.
Dave Bittner: (Laughter) That's right.
Kim Zetter: And also, we need a Supreme Court case, which we haven't had. I mean, Rigmaiden's case, if he had taken it all the way, would have gone to the Supreme Court. And that would have given us pronouncement there - Supreme Court pronouncement. But he took a plea deal, so it never made it that far. And so we've never had a Stingray case get up to the Supreme Court.
Dave Bittner: All right, Ben, interesting stuff, huh?
Ben Yelin: Yeah. I first should say that I've been a fan of Kim's for a long time. I follow her on Twitter...
Dave Bittner: Yeah.
Ben Yelin: ...So it's very exciting that we're able to get her for the podcast. She's a wonderful reporter...
Dave Bittner: Yep.
Ben Yelin: ...And is just - is very bright. It was very interesting to hear about Stingrays. I mean, I think in some ways, Stingrays are emblematic of all of the surveillance problems we talk about on this podcast. It's invasive. It's not necessarily unconstitutional because it's unclear whether this is a search. And it's secretive.
Ben Yelin: She talked about some of the nondisclosure agreements required by local police departments as it relates to these Stingray devices, meaning that the public really doesn't have an opportunity to engage in, you know, how the surveillance is being done in their communities. So I almost think of Stingrays as kind of the perfect test case for understanding surveillance, where you have something that's mysterious, secretive. Most people don't understand how it works technically. The legal questions are sort of nebulous and not easily solved. And so I just think it's a fascinating window into our world here.
Dave Bittner: Yeah. You know, just yesterday, I was having a conversation with a future guest on our show who happened to have spent time working with the FCC. And I asked him about - you know, this question that I've asked many people - how in the world does the FCC approve a Stingray (laughter), right? And he made the point that the FCC does not approve a device like this because it is in the realm of the DOJ. And so when the FBI comes to the FCC and says, hey, we've got this device we want to use, basically, the FCC is deferential to them because it's a national security issue, not a consumer device, not a commercial device, which is the things that really fall under the FCC's area of control. So that was an interesting insight, I thought - you know, related to all the things that Kim was talking about here - a good insight for me to get because that's something I've wondered about from the get-go.
Ben Yelin: Yeah, you know, and I think that's true for a lot of programs where you have the federal law enforcement agencies going to agencies that aren't well-versed in national security or domestic security issues, saying, like, all right, well, we don't - you know, we don't want to tread on your territory here. If you tell us that this is effective, we're not going to be the ones to be the obstacle...
Dave Bittner: Right.
Ben Yelin: ...Because we don't want to be responsible for all of the crimes committed in our jurisdiction because Stingray devices were not approved. And so I think, you know, there is that deferential attitude on the part of the FCC, meaning that's just one fewer guardrail for a program like this to exist.
Dave Bittner: Yeah. Well, our thanks to Kim Zetter for joining us. As Ben mentioned, a real treat to have her on the show. Her Intercept article is titled "How Cops Can Secretly Track Your Phone." And I'll also say if you have not yet checked out her book "Countdown to Zero Day," please do so. It's a real page-turner - definitely worth your time, a good read. I would suspect fans of this show will enjoy that book very, very much, so check it out.
Ben Yelin: Absolutely.
Dave Bittner: Yeah. And again, thanks to Kim for taking the time for us.
Dave Bittner: That is our show. We want to thank all of you for listening. The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producers are Kelsea Bond and Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Ben Yelin: And I'm Ben Yelin.
Dave Bittner: Thanks for listening.