CyberWire Daily - Encore: Technology that allows cops to track your phone. [Caveat]
Episode Date: December 24, 2020
Dave has an update on Baltimore’s spyplane, Ben describes concerns over violations by the FBI, CIA, NSA of FISA court rules, and later in the show our conversation with Kim Zetter on her recent article in The Intercept, titled “How Cops Can Secretly Track Your Phone.” It’s all about stingrays and dirtboxes, so stick around for that. While this show covers legal topics, and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. Links to stories: Elizabeth Goitein on Twitter In appeals court, Baltimore surveillance plane suit gets a mixed reaction Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com or simply leave us a message at (410) 618-3720. Hope to hear from you. Thanks to our sponsor, KnowBe4. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
There needs to be sort of a high profile case. Lawmakers themselves need to get trapped in
one of these devices before they care.
Hello, everyone, and welcome to Caveat, the CyberWire's law and policy podcast. I'm Dave
Bittner, and joining me is my co-host, Ben Yelin,
from the University of Maryland's Center for Health and Homeland Security.
Hello, Ben.
Hello, Dave.
On this week's show, I have an update on Baltimore's spy plane.
Ben describes concerns over violations by the FBI, CIA, and NSA of FISA court rules.
And later in the show, my conversation with Kim Zetter on her recent article in The
Intercept titled, How Cops Can Secretly Track Your Phone. It's all about stingrays and dirtboxes,
so stick around for that. While this show covers legal topics and Ben is a lawyer,
the views expressed do not constitute legal advice. For official legal advice on any of
the topics we cover, please contact your attorney. All right, Ben, before we dig into
our stories this week, we've got a little bit of follow-up. A listener wrote in, a gentleman by the
name of Mitch, about one of our past interviews. He said, you hit a particular hot button of mine
with the cyber insurance in your interview. While we are not lawyers, we do review cyber policies
for our clients. And we're honest. We tell them we're not lawyers. It's amazing what's there or not in there. In most states, maybe all states, cyber policies
are non-standard form policies. So every carrier does their own thing. And sometimes it even varies
from product line to product line. He says, one challenge is that businesses use the same broker
for every kind of insurance. It's easier for them. I tell our clients to ask their broker one simple question,
and if they don't get the right answer,
then they need to move to a different broker.
The question is, how many cyber risk policies,
quantity, and dollars of coverage did you write last month
and the month before and the month before?
If that broker is making $59 in commission
from the one cyber policy he wrote three months ago,
he is the wrong broker.
He says they have to write multiple policies every single month. If they do that, they will
know whose policies have crap in it and which carriers don't pay. I think this is an interesting
insight here from our listener. I think, you know, good advice all around. If you're, you know,
getting a new roof on your house, you don't want to hire the guy who builds decks, right? Yeah. Yeah. I thought it was really great insight and just a good window
inside that world. And I really appreciate Mitch writing into us. And yeah, I think this is
something that's going to evolve in the insurance industry as the years go forward here, just
because insurance is about evaluating risk. And because of all these high-profile cybersecurity incidents, when you have Equifax, when you have OPM, when you have ransomware attacks, people are going to start to recognize that risk more and more and start to understand they need specialists who really understand both the legal issues and the technological issues.
So, yeah, I mean, I don't think when we look five to 10 years down the line, you're going
to have insurance brokers who sell you your flood policy and your cyber policy, and it's all boiler
plate language. I mean, I think it's going to have to evolve because let's be honest, floods don't
change too much, but the cyber threats do. And that's sort of the insight that I think Mitch
was giving us here. And I think it was very valuable. Yeah, no, it's a great point. Great
point. So thank you, Mitch, for sending that in. We do
appreciate it. All right, Ben, let's move on to our stories. Why don't you kick things off for
us this week? So my story comes from the Twitter feed, my main news source, of Elizabeth Goitein.
She's the co-director of the Liberty and National Security Program at the Brennan
Center for Justice, one of my go-to sources for all things national security and electronic surveillance related.
And she talked about a just-released opinion from the FISA Court. It was redacted by the Office of
the Director of National Intelligence, ODNI. The opinion is from December 2019, and it concerns
compliance with the provisions of Section 702 of the FISA Amendments
Act, which allows for the targeting of non-U.S. persons reasonably believed to be outside of the
United States, but that their communications are held with U.S. companies. And this is the type
of surveillance that's not supposed to capture the communications, the conversations of U.S. persons,
but as we'll see from this Twitter thread and the story, that is not always the case. So this is a program that has to be reauthorized
every single year by the FISA court. These opinions are secret when they come out. They're
not publicly released. According to a bunch of different statutes, the ODNI is supposed to release
them if they have novel interpretations of the law. And I think that's why they released the opinion here.
What we found out is that the NSA, the FBI, and the CIA have committed all sorts of violations of the letter of this statute.
Nevertheless, the court, the FISA court, in its opinion in December 2019, allowed the program to continue basically saying,
yeah, you've made some mistakes here,
but you know what? We're willing to trust you. And we authorized this program going forward.
Before I get into the nitty gritty, I mean, I think the context here is important because we just had this very high profile public story about the Michael Horowitz, the IG report about
surveillance on Carter Page of the Donald J. Trump presidential campaign, where he found out that some of the material that went into that application had been falsified,
had been incomplete, had the FBI had cut corners in putting together that application.
So it seems certainly bizarre in this case that the FISA court, you know, in December 2019,
this is actually coincidentally when that IG report
came out, would not be more skeptical of what the government was telling them.
So I think this is a story about the FISA Court's leniency and its propensity to trust
what our government agencies are doing, even when the government agencies themselves admit
that they're violating federal statutes and internal policies.
What options does the FISA Court have here? I mean, is it an all or nothing type of thing?
It's not. I mean, what the FISA court has done in the past when they reject these types of
broad policy applications is to force the government to go back to the drawing board,
to say, your minimization procedures are not rigorous enough. You're capturing too many U.S. persons' communications.
Therefore, you need to revise your application for surveillance.
We're not going to approve it until you submit those revisions.
And that's happened many times in the past.
Now, we as the public don't know about it until several years later when these opinions are released.
But on our last episode, we talked about the Call Detail Records Program. That's a program where there were a lot of compliance
problems. And the FISA court told the FBI and the NSA that unless they make policy changes and
document those changes in future applications, we're not going to approve the program. And so
it does end up forcing those agencies to make policy improvements. And that's what's kind of mystifying
about what happened here. Obviously, Section 702 searches are a valuable counterintelligence tool.
I think anybody who's in the intelligence community would agree to that. So we're talking
about a program that's very important. But in the context of what we've learned about
the surveillance application process, I think it just is surprising and disturbing that the court was so deferential here.
Do we have any sense of the degree to which these violations were serious? Were they,
you know, was it a blatant disregard or an accidental overreach? Any indications there?
I don't want to characterize whether it was accidental or purposeful because sometimes it's hard to know.
But the violations themselves were very significant. renewed in early 2018, that U.S. person queries of the database of 702 communications have to be
reasonably likely to return foreign intelligence information or evidence of a crime. So that's a
large number of inquiries where that rule was basically simply ignored. There was one case
where the FBI ran 16,000 U.S. persons queries for a reason that has been redacted in the case.
And an internal audit found that only seven of those queries were justified, seven out of 16,000.
I'm not a math wizard, but I think that's a pretty small fraction.
I'm with you.
Yeah.
You know, the other thing that was uncovered in this decision is when Congress amended the law in 2018, FBI agents
are now required to get a court order before accessing U.S. persons communications in most
cases. And the reason they need to do that is, or the only way they'd not need to obtain a warrant
is if there was some sort of foreign intelligence purpose. And from what we understand from this
opinion, that's also something that just
was not being done. So we're not talking about minor technical violations where there was some
technical problem in the minimization procedures. And incidentally, a hundred communications were
collected that were not supposed to be collected. These are large scale problems. And, you know,
I think it's important for people who are in this field to understand
intelligence gathering and who are concerned about privacy and civil liberties to read this
opinion carefully and judge for yourself whether this program is being conducted pursuant to
laws that have been authorized by Congress. And I think it's pretty clear, in my opinion,
that it's not. All right. Well, it's interesting for sure.
And I suppose one will have to keep an eye on as it continues.
I guess it's kind of frustrating that there's this built-in sort of lag
because of the secretive nature of it that, as you say,
it takes a long time for the information to be released to the public.
Yeah, it's sort of like when you look at the stars.
I hate to get all philosophical here.
What you're seeing is actually light that was emitted, you know, one billion years ago or whatever.
Right.
That's sort of what we get with FISA cases.
Like it reflects, it largely reflects what was going on a year ago, two years ago.
So, you know, we don't have a lot of information on what's happened in the last 10 months in terms of whether the court's gentle scolding here has caused FISA to amend some of
its procedures or the law enforcement agencies to amend some of their procedures. And we're not
going to know probably for a long time. So yeah, that lag is very frustrating. And I get it.
These opinions, for very legitimate reasons, have to be secretive, especially if they reveal
sources and methods.
But it also means that there really isn't a level of democratic accountability.
If you and I don't like how this is going, there's not a congressperson we can call to have this discontinued. I think that's very frustrating. Yeah, yeah, for sure. All right,
interesting stuff. My story this week comes from Baltimore Brew, a local publication here in our hometown of Baltimore. This is written by Lewis Krauss, and it's titled, In Appeals Court, Baltimore Surveillance Plane Suit Gets a Mixed Reaction.
Now, Ben, we have covered this Baltimore surveillance plane many times.
I would say it's an ongoing fascination of ours.
Yes, it is.
And this story covers how the ACLU filed suit, and this took place in a federal appeals court.
The ACLU is claiming that this is an unconstitutional violation of privacy. But in this case, two of the three judges who were having the case made to them thought that it was fine.
And I think it's really interesting to see their reaction to this.
Now, a quick overview here.
Baltimore law enforcement, they have a series of planes.
I think it's three planes.
They're like little Cessna-type planes, your general aviation type aircraft. And they're equipped with a bunch of cameras and they fly over the city and they're just taking footage of high resolution footage of the city as they fly over.
They can track people as they go about their business in the city.
So, for example, let's say somebody robbed a convenience store.
They can go look at this footage that they gathered and say, okay, who was at this convenience store?
They could rewind the footage and track back everyone who was at that convenience store at the time back to where they came from or where they were going and so on and so forth.
And that can help them narrow their case. This article points out that they can also cross-reference that footage
with footage on the ground, with security camera footage and so on and so forth. It's interesting
to me how the judges kind of split here. Ben, can you describe where they came down on it?
Yeah. So this is a three-judge panel of the
Fourth Circuit Federal Court of Appeals. We have, you know, not to make this a partisan thing, we
have a couple of Republican appointee judges and one Democratic appointee, and it really comes down
to the difference in how these judges see Fourth Amendment jurisprudence. From the perspective of
what looks to be the majority in this case, this shouldn't fall under the Fourth Amendment whatsoever because this doesn't qualify as a Fourth Amendment search.
You know, as we've talked about, the definition of a Fourth Amendment search is a violation of somebody's reasonable expectation of privacy.
And what these judges are saying is these cameras aren't going into people's houses.
They aren't going into, you know, inside people's cars, inside people's stuff or personal property. They are simply observing what's going on in the public
view. And there's sort of been this long held fourth amendment doctrine that once you put
yourself in the public view, you have forfeited that expectation of privacy. And so that's what
the majority seems to be saying here. What the one dissenting justice seems to be saying here is that's an outdated view of
the Fourth Amendment that would justify very pervasive surveillance programs like this
one.
That basically, when that doctrine was created in a variety of courts, nobody could have
anticipated that we were going to have a Cessna plane flying at, you know, 3,000 feet above ground, that's taking pictures every second where you can zoom in and identify individuals at crime scenes. It just simply
was not under consideration. So in light of that change in technology, this legal doctrine has to
change. Otherwise, the slope gets very slippery, as they say. What else can we justify in terms of
observing people in public? You know, I think doctrinally, the majority seems to reflect where most courts are on this issue. One thing that I
think supports their viewpoint is we already have a lot of surveillance cameras around Baltimore
City and really everywhere else. Just because they're not in airplanes doesn't mean that they're
not surveillance cameras. And those cameras and the footage that they take have not been found to be Fourth Amendment searches
requiring any sort of warrant.
So this plane is merely a difference in scale
and not necessarily a difference in method.
Yeah, and that's one of the things that fascinates me here
is that it seems like the core of this argument
or the disagreement here is over the scope.
It's not necessarily the thing that's being done.
I think everyone seems to agree that we're collecting footage in public and there's no reasonable expectation of privacy in public.
It's the scope of which, it's the amount of footage gathered, and it's the stitching together of multiple sources of information that have the privacy implications.
And I suppose, I mean, is this a case, Ben, of if not the Fourth Amendment, then what? Yeah, I mean, if not the Fourth Amendment, then it's going to be incumbent upon Baltimore City to evaluate whether this program is worth it.
The police commissioner in Baltimore City has identified two crimes that were solved
using this technology in the six or so months
that this plane has been in the sky.
And he didn't seem to have any comment
on whether it's aided in any other investigations.
It's going to be up to Baltimore's leaders
to determine whether this type of law enforcement advantage
justifies what is clearly an invasion of privacy.
Even if it's not a constitutional invasion of privacy, it is an invasion of privacy because
you can't be outside in Baltimore City without knowing that there is a plane overhead taking
pictures of you. It might affect the associations you have. It might affect whether you go to a
religious institution, whether you go to a licensed therapist. Having that knowledge really could cause people to disrupt their everyday
routines. But it seems from this case that this is not going to be solved in the judicial arena
because it appears as if a majority of judges on this panel are willing to hold that this is not
a Fourth Amendment search. And what that means is Baltimore policymakers are
going to be the ones that have to make the decision. And one thing that always gets a little
jumbled in the decision-making process is we often don't have access to all of the data to make that
decision, either because it's not available or in many cases it's been classified by the
policymakers themselves. So I think, you know, it's incumbent upon the public to put a lot of pressure on our public officials to justify this program. If they think it really
works, give us the evidence and allow us as Baltimore City residents to make the decision
as to whether it is worth this very clear invasion of privacy, whether it's a constitutional invasion
of privacy or not. What would it take for something like this to get in front of the Supreme Court?
So generally, you'd have to have a split among circuits.
You know, justices are usually deferential to appeals courts on most cases.
But if you see that two separate appeals courts have disagreed on an interpretation of an issue,
that's when you see cases frequently come to the Supreme Court.
The other way would be when you have a really novel issue that other courts haven't had the
opportunity to consider, which is something that we have here. So, you know, I certainly think
it's within the realm of possibility that if the ACLU loses, that they appeal this case. Before
that, they might appeal to have the case heard en banc,
meaning the entire Fourth Circuit, not just this three-judge panel, which is chosen randomly,
will hear the case. And so as is always true of the legal system, we're always a long way from
resolution here. And that's another reason why I think it's incumbent upon the city itself to
evaluate the program and its effectiveness, because it could eventually make it to the Supreme Court. But by that point, we'll have had
years of this plane buzzing 3000 feet above us and taking, you know, millions and millions of
photos. So in some ways, the damage would have already been done. Yeah, yeah, a little buzzing
anxiety engine, right? Yeah, the buzzing is something else. I mean, it's a bizarre thing to listen to.
I think they noted in this article that somebody created a Twitter parody account for the Baltimore plane that just buzzes.
Right.
I wish I had thought of that.
Yeah.
It's such a good idea.
I have to say, when I worked in Baltimore City, one of the things that bothered me was that there were so many helicopters around.
There's always a helicopter buzzing around.
And it took me a little while to realize that it was triggering some anxiety in me, just this constant drone of helicopters.
And I don't know why, but it was true.
I felt the exact same thing.
I lived in Baltimore City for a long time.
And in every neighborhood in Baltimore City, you can hear helicopters.
And granted, it's needed because Baltimore, especially now, has a very serious violent crime problem.
So eyes in the sky certainly could and in some cases certainly does help.
But it does come at a cost.
And I had the same reaction.
It's just hard to feel safe and secure and content when you're constantly hearing police helicopters.
I think that's true no matter where you live in Baltimore City.
Yeah.
All right.
Well, we'll keep an eye on that one as it surely will develop.
We would love to hear from you.
If you have a question for us, you can call us.
The number is 410-618-3720.
You can call and leave a message.
We may use it on the air.
You can also write us at caveat at thecyberwire.com.
Ben, I recently had the pleasure of speaking with Kim Zetter.
She is a highly respected national security journalist.
She's author of the book Countdown to Zero Day.
And she recently published an article over on The Intercept.
It was titled How Cops Can Secretly Track Your Phone.
She really dug into stingrays and dirtboxes.
And here's my conversation with Kim Zetter.
What is some of your history with stingrays?
When did they first sort of come to your awareness?
They came to my awareness, I couldn't tell you exactly what year,
but it was the Daniel Rigmaiden case that brought it to my attention initially.
This was a guy who was being prosecuted for filing false tax returns,
stealing people's identities. And he had been really curious about how they had found him
because he used a false identity. He was using an air card and he was using a false identity to register the air card for his Verizon
account. And so even though they could track the signals, they didn't know who it was or get a real
address. So that's what was intriguing to me because he took this on sort of this legal challenge in
the way that no one had before. And so he started to, he did all of this research and investigation and was really like
training his lawyers on the topic who didn't understand the technology. And so he really
challenged this in court and it was really his pushback. I mean, I remember this one response
to the government was something like 400 or 600 pages long. And he actually had to ask the judge
for permission to file an extra long filing
and he got it. But he was just so knowledgeable on it that it was the first time that we had some
kind of public discussion about how these systems work and more importantly, how they were able to
track him. So that's really what pulled me in. Let's just sort of go over exactly what the
technology is that we're talking about here. When we're talking about stingrays, dirt boxes, they go by a number of names, but these are these cell tower simulators.
What exactly are they up to? Yeah, so they have various names like an MC catcher,
cell site simulator. What they do is it's an electronic device that emits a signal or it
broadcasts to cell phones in their vicinity that they are a cell tower,
and therefore the phone should ping them instead of a legitimate cell tower.
And they do this by, in some cases, this is the way they used to work,
was they would emit a stronger signal than the signal of the towers around them.
And so the phones will just naturally search for the strongest signal cell tower to get the best connection.
And so they would just sort of broadcast a stronger signal.
Now they don't have to emit the signal.
They can basically just announce, hey, I'm broadcasting at this level.
And if it's a higher level than other towers,
the phones will just naturally connect to those cell towers, the fake cell tower instead.
Once the cell tower connects to, what happens is,
it's not that the
person is necessarily making a call, you know, your phone is pinging cell towers all the time,
periodically and automatically, saying, hey, I'm here, so that your phone company can find you
when a text message or a phone call comes in, and they know what cell tower to route it through.
And so you're constantly, your phone is constantly communicating with these towers.
And so what it does when it communicates with any tower,
whether it's a rogue cell tower or a real one,
is it identifies itself with the IMSI number that's identified with your SIM card.
And the carrier, all they see is that IMSI number,
but the carrier has the ability to
identify you based on your carrier accounts, your name and address and things like that.
Well, so what law enforcement is doing, the reason that they want to get your phone to connect is
they want that IMSI number to one, identify anyone in the vicinity. Let's say in the case of
protesters, they might want to know who is in that crowd. And so any phone that's in that crowd will
connect to this IMSI device, this IMSI catcher, the fake tower, and identify their IMSI number.
And so then law enforcement can take those IMSI numbers and go to a carrier and get the identity
of that person. But what they can also do is in the Rigmaiden case, if they already know a specific device or phone that they want to track,
they can program that into their device and then turn on the device and the device will tell them
if that particular phone or device is in the vicinity of the cell tower. And so in the case
of Rigmaiden, they already knew what the unique ID was for his AirCard. He wasn't using a phone,
he was actually using an AirCard with Verizon. They already knew the unique ID. And so they turned it on in the general vicinity.
The phone company was able to tell them the general vicinity of where he was in San Jose.
And they turned on this device and they were able to sort of home in on where exactly he was
located.
So they can do that.
They can do a number of things.
They can identify phones in the region.
They can then identify you through your carrier,
but then they can also track your movement.
If you are moving around,
if they are moving around with that IMSI catcher,
then they can, it's not the most precise way to do it,
but they can kind of track your movement.
But more importantly, they can go back to the carrier and say, can I get a historical record of every location this phone has been in the last two weeks or so?
Now, these devices started out being used by the military?
Well, that's what we understand. Again, there's still a lot of mystery around these, but we know that Harris Company, which is based in Florida, which sells a lot of these devices to law enforcement, had devices for military and intelligence. And we know that they
are used by the military and have been used by the military for a long time. But we do have,
like the first mention of one of these devices is actually in an article from the mid-90s about law
enforcement trying to track the hacker Kevin Mitnick. And they used a
device that's sort of an early generation of this. It was very sort of a crude device that was using
this like big antenna strapped to the top of the vehicle going around the neighborhood. So we know
the technology has also been used by law enforcement at least since the 90s. But we don't know like
when the first one of these was used by military intelligence or law enforcement.
And how are they being used these days?
I mean, what are the most popular uses for them?
Do we have a sense for that?
Yeah, so they are used by, for instance, the DEA, Drug Enforcement Agency, to track drug smugglers across the border.
They're used by Border Protection,
ICE, to track illegal immigrants coming across the border from Mexico. They're used in some cases,
well, as I said, to identify phones in the area, to identify people, but they can also be used to
block the use of cell phones. So if they can force the phones to connect to them
instead of a real cell tower you won't be able to make a phone call you won't be able to get or
receive texts you won't be able to let's say upload video so if you're a protester we don't
know that they've been used in this way at protests but protesters have suspected that
they've been used in this way where suddenly they find that they can't upload a video of,
you know, a protest or a riot or something that's going on. And they believe that law
enforcement is using one of these to block them and prevent that. So that's the way that they're
used with law enforcement. But they do have the ability also, separately, to intercept
communication and even decrypt it. So our communications in 4G LTE are strongly encrypted,
but 2G, our earlier generation is not strongly encrypted. And so the way that these stingrays
will often work is they will downgrade the phone. They will instruct the phone,
hey, I can only communicate you in 2G, please switch to 2G for me. And they can do that because there are still 2G networks operating in the world. So all phones have to have the ability to communicate
in 4G, but also in 2G. So this fake cell tower will tell the phone, hey, downgrade to 2G and I
can talk with you. And then they can actually intercept the communications, which is no longer
encrypted or no longer encrypted strongly, and then get the communications as well. I don't know. I mean, we assume that there must be
also intelligence agencies out there that have the ability to crack stronger encryption. We don't
know. No doubt they're working on that. So they can do that. And in the article that I wrote for
The Intercept, I talked with someone who used to advise military and intelligence, and he told me how they would use it to do sort of man-in-the-middle attacks.
So that a phone would connect to them, and they'd be in the middle of it, and then they would sort of forward on the connection to a real cell tower.
So someone talking on the phone wouldn't even realize that their voice call is being intercepted by a middleman tower.
And so during that interception, someone could listen in on the phone call, if it's not encrypted,
intercept text messages. They could also spoof that phone and send other phones text messages
as if they're coming from the phone that they're spoofing. So there's a lot that they can do. It
really depends on sort of the laws and what's allowed. So for military intelligence, obviously they have fewer restrictions than law
enforcement has. Right. And so where do we stand when it comes to requiring a warrant? Well, for
many years, law enforcement didn't need a warrant for these. And it was actually, I'll go back to
Rigmaiden. We thank him for that. He got the government to admit that sending a signal into his private apartment to communicate
with his air card and locate it was an actual invasion of his private domicile and was therefore
a violation of Fourth Amendment search and seizure.
So in acknowledging that, there was a lot of further pushback in other
court cases. And ultimately, the Justice Department announced a policy in, I think it was around 2011,
they announced this policy that going forward, they would require all federal law enforcement
agencies who wanted to use this to obtain a court order or warrant. And that is good, but a policy is not law,
and policy can change. And it also doesn't apply to local law enforcement. It only applies to
federal law enforcement agencies. So that warrant thing is a good thing, but we don't know what the
current policy is, if it's changed, and we don't know if local
law enforcement is doing this. And also, I want to point out that for a long time, even after
law enforcement was getting warrants for these, they were lying to courts in order to get the
warrants. So, they would tell a court, they weren't calling it an IMSI catcher, they weren't
even actually describing what it was designed to do. They were calling it a pen trap and trace device, which is a sort of a lawful intercept device that's actually put on a phone carrier's network to intercept the phone numbers that a phone makes and the phones that call you.
So it's very sort of, it's metadata that it's getting, but it's not very invasive, right?
It's not actually connecting to the phone itself.
And so law enforcement wasn't telling judges that this weren't describing what this really was.
And so they were couching it in this incorrect terminology.
And so they were getting these warrants and defense attorneys were clueless about what exactly was being used to surveil their clients. And so again, I have to go back to Rigmaiden and, you know, he was the one that
really started to open the door on this. And then a lot of defense attorneys started to push back
and anytime that their client was surveilled, they would demand more discovery on exactly how
that was done. And so
we've gradually gotten a little more and more material about that deception that had gone on.
And that was also part of the Justice Department's new policy. When they passed this policy about
getting a warrant, they did say going forward that federal law enforcement, at least, will have to be
transparent to judges about what they're doing. And am I correct that prosecutors were dropping cases when it was revealed that a stingray may
have been used rather than reveal more information about them?
Yes, this was so wild. It's unclear who is initiating all of this cloak and dagger,
whether it's the companies like Harris or if it's really law
enforcement. There were some cases, as you point out, where when defense attorneys started pushing
back on this, they were finding that prosecutors were just dropping the case rather than reveal
information about what they were using. And when people started digging this more, the ACLU,
the Electronic Frontier Foundation, and trying to get public records around all this, then those were being blocked as well, and they were saying that they
couldn't reveal information about how these devices work because then criminals would find
sort of counterintelligence methods to thwart these devices. That worked for, you know, a long
time, but ACLU and EFF eventually broke through those barriers
and forced these agencies to provide information. But what they also found were
communications between the makers of these devices, like Harris Corporation and local law enforcement,
whereby the makers of these devices would force law enforcement to sign a non-disclosure agreement
when they purchased these devices. And those NDAs would require the law enforcement agency to notify
these companies anytime someone filed a public records request on their equipment. And that
would give the Harris Corporation and other companies a chance to fight that. They would
basically tell the law enforcement agency, you don't own the device,
this is proprietary, we're leasing it to you, or this is a trade secret, you can't release this
information. And so it's hard to know who initially initiated that, whether it was law
enforcement going to the private companies and saying, hey, we don't want to release this
information publicly. If you force us to sign an NDA, we can use that to deny
a release. Or if it was the companies that initiated it from the start. I suspect it was
probably the law enforcement, but I don't really know that. Yeah. There's something that has always
left me scratching my head with these devices is that the FCC is okay with them. You know, the whole notion of someone coming in with
a gadget that basically gets in the way of our cellular communications network, which is a
fundamental utility these days, I'm left confused as to how the FCC is on board with this.
Well, that's actually been challenged as well, because these devices can potentially, they're interfering
with the cell towers around them, obviously the people who are licensed to be using the airwaves.
So they interfere with that, and they also interfere, obviously, if you're trying to make a
phone call, and they potentially interfere with 911 emergency calls. So they are supposed to allow,
the devices are supposed to
have the ability to recognize when a call coming through is a 911 call and disconnect the device
and allow that phone to go through. But there was an interesting test that Canadian law enforcement
did. It was just sort of a homespun test that they tried with their devices. And they found that the
phones, the 911 calls actually weren't going through about,
I think it was a little less than 50% of the time.
I don't remember the exact percentage.
So no one has done any oversight to determine whether or not these devices are letting 911 calls through
or to determine exactly how much interference they're doing,
either with other cell towers in the region or what. And the FCC has not really been very clear on how they're policing all of this. Why
do they just give sort of a blanket approval? What is the approval? Do they require when a
device gets upgraded? It's, again, it's not very transparent. Because the devices would have to be
licensed, right?
They are licensed, yes.
Yeah.
But it's not clear what is happening to get them licensed.
Right, right.
So where do we stand today?
I mean, it's my understanding, we had recent news that I believe it was the EFF who's come out with an open source project to be able to kind of detect these
and make a run at tracking them?
Yeah, there have been efforts like this before
where people have developed an app that will be on your phone
that will sort of alert you if it suspects a rogue cell tower is in the vicinity.
The problem with most of these apps is that there are going to be false positives
because all they're doing is saying,
we think this might be a suspicious tower,
but it's unclear what the criteria they're using to determine that.
And then there's
no way for you actually to verify. So they're kind of useless. And so EFF has come up with this
system that they think is more robust that way, but there hasn't been any sort of proof of concept
of it yet. So it's sort of at the beginning stages. And I think we're going to have to wait
some time to see if they can actually
identify a legitimate tower. So they have done some cases where they've identified things that
were suspicious and then they went out into the field and tried to actually track down
what that suspicious thing was and it turned out for instance like one of them was actually a
roving mobile cell tower that was outside of a convention center that was put up
by the convention center to sort of expand the cell network during a high traffic convention.
So it, you know, it does these by sort of recognizing new cell towers that suddenly
pop up and aren't recognized as legitimate ones. So a lot of those are going to be false positives.
And so I think that people should be suspicious anytime, you know, there was a story a few
years ago about rogue cell towers in Washington, D.C.
I have no doubt that there are rogue cell towers in Washington, D.C., but a company
that is promoting its product with a news release saying we've discovered rogue cell
towers in D.C., but can't actually point out them to you so that anyone can verify them,
that should be suspicious. So we've never had any sort of at least unclassified report that has
actually said, okay, this is where there was a rogue tower. And this is when it was operating,
things like that. All we get are sort of suspicious rogue towers.
And where do we stand in terms of the transition to 5G? Is that going to change
the game any? With 4G and 5G, obviously it's changed the game in terms of encrypting the
communications. So there's stronger encryption there. 4G was supposed to sort of resolve
the IMSI catcher issue of tracking the IMSI number, because what it does is it'll use the IMSI number
the very first time that a phone registers with a carrier.
But then the carrier assigns it a unique identifier that is not the IMSI number.
And so that's supposed to be more private.
But what a researcher that I wrote about found out was that there's a loophole there.
And that this rogue cell tower can actually tell the device, I forgot your
unique number. Can you give me your IMSI number one more time? And it will then send the IMSI number and
it can get that. And because that communication is not encrypted, the encryption doesn't kick in
until after that handshake occurs, law enforcement can get that IMSI number in the clear. So 5G is
supposed to do sort of the same thing,
but again, it has the same loophole.
So I don't want to downplay 4G and 5G.
The encryption is there for protecting communication,
but it's not there for protecting the IMSI identifier.
Is there anything happening on the policy front
when it comes to this?
Are there any legislators who are pushing back on the use?
There was legislation introduced, I think it was 2012 was the last one that was going to address
a lot of this and require warrants, and it has never passed. So no, there have been
occasional efforts to kind of revive it, and then it doesn't get enough package. So I think that
obviously EFF and ACLU
have lobbied for this for a long time
but it just hasn't had any traction.
There needs to be sort of a high profile
case. Lawmakers themselves
need to get trapped
in one of these devices before they care.
That's right.
And also we need a Supreme Court case
which we haven't had. I mean,
Rigmaiden's case, if he had taken it all the way, would have gone to the Supreme Court.
And that would have given us pronouncement there, a Supreme Court pronouncement.
But he took a plea deal, so it never made it that far.
And so we've never had a stingray case get up to the Supreme Court.
All right, Ben, interesting stuff, huh?
Yeah, I first should say that I've been a fan of Kim's for a long time.
I follow her on Twitter.
So it's very exciting that we're able to get her for the podcast.
She's a wonderful reporter and is just very bright.
It was very interesting to hear about stingrays.
I mean, I think in some ways stingrays are emblematic of all of the surveillance problems
we talk about on this podcast.
It's invasive. It's not necessarily unconstitutional because it's unclear whether this is a search. And it's secretive. She
talked about some of the non-disclosure agreements required by local police departments as it relates
to these stingray devices, meaning that the public really doesn't have an opportunity to engage in,
you know, how the surveillance
is being done in their communities. So I almost think of stingrays as kind of the perfect test
case for understanding surveillance, where you have something that's mysterious, secretive.
Most people don't understand how it works technically. The legal questions are sort of
nebulous and not easily solved. And so I just
think it's a fascinating window into our world here. Yeah. You know, just yesterday I was having
a conversation with a future guest on our show who happened to have spent time working with the FCC.
And I asked him about, you know, this question that I've asked many people, how in the world does the FCC approve a Stingray?
And he made the point that the FCC does not approve a device like this
because it is in the realm of the DOJ.
And so when the FBI comes to the FCC and says,
hey, we've got this device we want to use,
basically the FCC is deferential to them
because it's a national security issue, not a consumer device, not a commercial device, which is
the things that really fall under the FCC's area of control. So that was an interesting insight,
I thought, you know, related to all the things that Kim was talking about here.
A good insight for me to get, because that's something I've wondered about from the get-go. Yeah, you know, and I think that's true for a lot of programs
where you have the federal law enforcement agencies going to agencies that aren't well-versed
in national security or domestic security issues, saying like, all right, well, we don't want to
tread on your territory here. If you tell us that this is effective, we're not going to be the ones
to be the obstacle
because we don't want to be responsible
for all of the crimes committed in our jurisdiction
because Stingray devices were not approved.
And so I think, you know,
there is that deferential attitude
on the part of the FCC,
meaning that's just one fewer guardrail
for a program like this to exist.
Yeah.
Well, our thanks to Kim Zetter for joining us.
As Ben mentioned, a real treat to have her on the show. Her Intercept article is titled,
How Cops Can Secretly Track Your Phone. And I'll also say, if you have not yet checked out her
book, Countdown to Zero Day, please do so. It's a real page turner. Definitely worth your time.
A good read. I suspect fans of this show will enjoy that book very, very much.
So check it out.
Yeah.
And again, thanks to Kim for taking the time for us.
That is our show.
We want to thank all of you for listening.
The Caveat Podcast is proudly produced in Maryland at the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our coordinating producers are Kelsey Bond and Jennifer Iben.
Our executive editor is Peter Kilby.
I'm Dave Bittner.
And I'm Ben Yellen.
Thanks for listening.