The machines that police and other agencies use to spy on cell phones
Article first appeared in Arstechnica:
The Stingray has become the most widely known and contentious spy tool used by government agencies to track mobile phones, in part due to an Arizona court case that called the legality of its use into question. It’s a box-shaped portable device, sometimes described as an “IMSI catcher,” that gathers information from phones by sending out a signal that tricks them into connecting to it. The Stingray can be covertly set up virtually anywhere—in the back of a vehicle, for instance—and can be used over a targeted radius to collect hundreds of unique phone identifying codes, such as the International Mobile Subscriber Number (IMSI) and the Electronic Serial Number (ESM). Authorities can then hone in on specific phones of interest to monitor the location of the user in real time or use the spy tool to log a record of all phones in a targeted area at a particular time.
The FBI uses the Stingray to track suspects and says that it does not use the tool to intercept the content of communications. However, this capability does exist. Procurement documents indicate that the Stingray can also be used with software called “FishHawk,” (PDF) which boosts the device’s capabilities by allowing authorities to eavesdrop on conversations. Other similar Harris software includes “Porpoise,” which is sold on a USB drive and is designed to be installed on a laptop and used in conjunction with transceivers—possibly including the Stingray—for surveillance of text messages.
Similar devices are sold by other government spy technology suppliers, but US authorities appear to use Harris equipment exclusively. They've awarded the company “sole source” contracts because its spy tools provide capabilities that authorities claim other companies do not offer. The Stingray has become so popular, in fact, that “Stingray” has become a generic name used informally to describe all kinds of IMSI catcher-style devices.
First used: Trademark records show that a registration for the Stingray was first filed in August 2001. Earlier versions of the technology—sometimes described as “digital analyzers” or “cell site simulators” by the FBI—were being deployed in the mid-1990s. An upgraded version of the Stingray, named the “Stingray II,” was introduced to the spy tech market by Harris Corp. between 2007 and 2008. Photographs filed with the US Patent and Trademark Office depict the Stingray II as a more sophisticated device, with many additional USB inputs and a switch for a “GPS antenna,” which is likely used to assist in location tracking.
Cost: $68,479 for the original Stingray; $134,952 for Stingray II.
Agencies: Federal authorities have spent more than $30 million on Stingrays and related equipment and training since 2004, according to procurement records. Purchasing agencies include the FBI, DEA, Secret Service, US Immigration and Customs Enforcement, the Internal Revenue Service, the Army, and the Navy. Cops in Arizona, Maryland, Florida, North Carolina, Texas, and California have also either purchased or considered purchasing the devices, according to public records. In one case, procurement records (PDF) show cops in Miami obtained a Stingray to monitor phones at a free trade conference held in Miami in 2003.
The Gossamer is a small portable device that can be used to secretly gather data on mobile phones operating in a target area. It sends out a covert signal that tricks phones into handing over their unique codes—such as the IMSI and TMSI—which can be used to identify users and home in on specific devices of interest. What makes it different from the Stingray? Not only is the Gossamer much smaller, but it can also be used to perform a denial-of-service attack on phone users, blocking targeted people from making or receiving calls, according to marketing materials (PDF) published by a Brazilian reseller of the Harris equipment. The Gossamer has the appearance of a clunky-looking handheld transceiver.
One photograph filed with the US Patent and Trademark Office shows it displaying an option for "mobile interrogation" on its small LCD screen, which sits above a telephone-style keypad.
First used: Trademark records show that a registration for the Gossamer was first filed in October 2001.
Cost: $19,696.
Agencies: Between 2005 and 2009, the FBI, Special Operations Command, and Immigration and Customs Enforcement spent more than $1.3 million purchasing Harris’ Gossamer technology and upgrading existing Gossamer units, according to procurement records. Most of the $1.3 million was spent by the FBI as part of a large contract in 2005.
The Triggerfish is an eavesdropping device. It allows authorities to covertly intercept mobile phone conversations in real time. This sets it apart from the original version of the Stingray, which marketing documents suggest was designed mainly for location monitoring and gathering metadata (though software can allow the Stingray to eavesdrop). The Triggerfish, which looks similar in size to the Stingray, can also be used to identify the location from which a phone call is being made. It can gather large amounts of data on users over a targeted area, allowing authorities to view identifying codes of up to 60,000 different phones at one time, according to marketing materials.
First used: Trademark records show that a registration for the Triggerfish was filed in July 2001, though its “first use anywhere” is listed as November 1997. It is not clear whether the Triggerfish is still for sale or whether its name has recently changed, as the trademark on the device was canceled in 2008, and it does not appear on Harris’ current federal price lists.
Cost: Between $90,000 and $102,000.
Agencies: The Bureau of Alcohol, Tobacco, Firearms, and Explosives; the DEA; and county cops in Miami-Dade invested in Triggerfish technology prior to 2004, according to procurement records. However, the procurement records (PDF) also show that the Miami-Dade authorities complained that the device "provided access" only to Cingular and AT&T wireless network carriers. (This was before the two companies merged.) To remedy that, the force complemented the Triggerfish tool with additional Harris technology, including the Stingray and Amberjack, which enabled monitoring of Metro PCS, Sprint, and Verizon. This gave the cops "the ability to track approximately ninety percent of the wireless industry," the procurement documents state.
The Kingfish is a surveillance transceiver that allows authorities to track and mine information from mobile phones over a targeted area. The device does not appear to enable interception of communications; instead, it can covertly gather unique identity codes and show connections between phones and numbers being dialed. It is smaller than the Stingray, black and gray in color, and can be controlled wirelessly by a conventional notebook PC using Bluetooth. You can even conceal it in a discreet-looking briefcase, according to marketing brochures.
First used: Trademark records show that a registration for the Kingfish was filed in August 2001. Its “first use anywhere” is listed in records as December 2003.
Cost: $25,349.
Agencies: Government agencies have spent about $13 million on Kingfish technology since 2006, sometimes as part of what is described in procurement documents as a “vehicular package” deal that includes a Stingray. The US Marshals Service; Secret Service; Bureau of Alcohol, Tobacco, Firearms, and Explosives; Army; Air Force; state cops in Florida; county cops in Maricopa, Arizona; and Special Operations Command have all purchased a Kingfish in recent years.
The Amberjack is an antenna that is used to help track and locate mobile phones. It is designed to be used in conjunction with the Stingray, Gossamer, and Kingfish as a “direction-finding system” (PDF) that monitors the signal strength of the targeted phone in order to home in on the suspect’s location in real time. The device comes inbuilt with magnets so it can be attached to the roof of a police vehicle, and it has been designed to have a “low profile” for covert purposes. A photograph of the Amberjack filed with a trademark application reveals that the device, which is metallic and circular in shape, comes with a “tie-down kit” to prevent it from falling off the roof of a vehicle that is being driven at “highway speeds.”
First used: Trademark records show that a registration for the Amberjack was filed in August 2001 at the same time as the Stingray. Its “first use anywhere” is listed in records as October 2002.
Cost: $35,015
Agencies: The DEA; FBI; Special Operations Command; Secret Service; the Navy; the US Marshals Service; and cops in North Carolina, Florida, and Texas have all purchased Amberjack technology, according to procurement records.
The Harpoon is an "amplifier" (PDF) that can boost the signal of a Stingray or Kingfish device, allowing it to project its surveillance signal farther or from a greater distance depending on the location of the targets. A photograph filed with the US Patent and Trademark Office shows that the device has two handles for carrying and a silver, metallic front with a series of inputs that allow it to be connected to other mobile phone spy devices.
First used: Trademark records show that a filing for the Harpoon was filed in June 2008.
Cost: $16,000 to $19,000.
Agencies: The DEA; state cops in Florida; city cops in Tempe, Arizona; the Army; and the Navy are among those to have purchased Harpoons since 2009.
The Hailstorm is the latest in the line of mobile phone tracking tools that Harris Corp. is offering authorities. However, few details about it have trickled into the public domain. It can be purchased as a standalone unit or as an upgrade to the Stingray or Kingfish, which suggests that it has the same functionality as these devices but has been tweaked with new or more advanced capabilities. Procurement documents (PDF) show that Harris Corp. has, in at least one case, recommended that authorities use the Hailstorm in conjunction with software made by Nebraska-based surveillance company Pen-Link. The Pen-Link software appears to enable authorities deploying the Hailstorm to directly communicate with cell phone carriers over an Internet connection, possibly to help coordinate the surveillance of targeted individuals.
First used: Unknown.
Cost: $169,602 as a standalone unit. The price is reduced when purchased as an upgrade.
Agencies: Public records show that earlier this year, the Baltimore Police Department, county cops in Oakland County, Michigan, and city cops in Phoenix, Arizona, each separately entered the procurement process to obtain the Hailstorm equipment. The Baltimore and Phoenix forces each set aside about $100,000 for the device, and they purchased it as an upgrade to Stingray II mobile phone spy technology. The Phoenix cops spent an additional $10,000 on Hailstorm training sessions conducted by Harris Corp. in Melbourne, Florida, and Oakland County authorities said they obtained a grant from the Department of Homeland Security to help finance the procurement of the Hailstorm tool. The Oakland authorities noted that the device was needed for “pinpoint tracking of criminal activity.” It is highly likely that other authorities—particularly federal agencies—will invest in the Hailstorm too, with procurement records eventually surfacing later this year or into 2014.
http://arstechnica.com/tech-policy/2013/09/meet-the-machines-that-steal-your-phones-data/
Police don’t need a warrant to obtain cell phone data:
In a significant victory for police, a federal appeals court ruled that law enforcement authorities could obtain historical location data directly from telecommunications carriers without a search warrant, The New York Times reports.
According to the news report, “…the closely watched case, in the United States Court of Appeals for the Fifth Circuit, is the first ruling that squarely addresses the constitutionality of warrantless searches of historical location data stored by cell phone service providers. Ruling two to one, the court said a warrantless search was ‘not per se unconstitutional’ because location data was ‘clearly a business record’ and, therefore, not protected by the Fourth Amendment.”
The federal appeals court acknowledged the government’s argument that consumers knowingly give up their location information to the telecommunications carrier every time they make a call or send a text message on their cell phones.
For now, the ruling sets an important precedent: It allows law enforcement officials in the Fifth Circuit to chronicle the whereabouts of an American with a court order that falls short of a search warrant based on probable cause.
“This decision is a big deal,” said Catherine Crump, a lawyer with the American Civil Liberties Union. “It’s a big deal and a big blow to Americans’ privacy rights.”
The group reviewed records from more than 200 local police departments last year, concluding that the demand for cellphone location data had led some cellphone companies to develop “surveillance fees” to enable police to track suspects.
The Supreme Court has yet to weigh in on whether cellphone location data is protected by the Constitution. The case, which was initially brought in Texas, is not expected to go to the Supreme Court because it is “ex parte,” or filed by only one party — in this case, the government.
http://www.nytimes.com/2013/07/31/technology/warrantless-cellphone-tracking-is-upheld.html?_r=1&