by Anthony W. Accurso

A cell-site simulators (“CSS”)—often referred to as a “Stingray” device, after a popular brand—is one of the newest and most controversial law enforcement tools since the introduction of the wiretap. Its use represents the intersection of four trends in policing: (1) the increasing use of military tools being deployed by domestic police, (2) technology becoming more mobile, (3) the desire of police to use this technology to surveil people in order to circumvent the Fourth Amendment, and (4) using pervasive surveillance and technology to collect data on as many people as possible.

How and whether CSS devices continue to be a part of American policing is still being decided in courts and legislatures across the country. Being educated about this threat to our constitutional freedoms will help citizens understand the gravity of the situation and possibly motivate people to advocate for reining in or even ending their use.

Cellphone Technology

The ubiquity and myriad uses of smartphones mask the humble beginnings of cellphone technology, but the systems in use in America’s 4G and 5G high-speed networks relies on how earlier systems functioned—and in some scenarios, still functions today. Understanding these systems is crucial to understanding how CSS devices work and the legal ramifications of their use.

The first cellphones in use were little more than personal radios, using analog signals to transmit phone calls to towers. The towers themselves are also just radios and antennas mounted on tall scaffolding. Due to the way radio signals propagate through space, the most efficient way to design networks to maximize coverage and minimize dropped calls was to deploy these towers so that their coverage zones somewhat overlap. When visualized from above, this resembles biological “cells” with a nucleus at the tower’s location. When a person wants to make a call, the phone will determine the nearest tower, usually assessed by signal strength, and connect to it.

If it moves away from that tower, such as when a person is driving, the phone will automatically switch to the next nearest tower to maintain the call. A phone’s willingness to connect to any tower that will route its call is one vulnerability exploited by CSS devices.

As wireless technology has progressed, it has used progressively higher frequencies for transmitting signals. Early networks utilized frequencies between 310 MHz to 900 MHz. Newer 5G networks subsume these ranges but also use frequencies up to 71 GHz. However, higher frequencies are less able to penetrate certain kinds of barriers like trees or buildings. Consequently, in denser urban areas, cellular companies will deploy thousands of smaller antennas mounted on poles, buildings, and even disguised in trees. Carriers occasionally deploy mobile units to provide reliable connectivity at large gatherings such as professional sporting events.

This evolution has resulted in an explosion of the number of cell sites. There were “67,871 cell sites turned on between 2018 and 2020, totaling more than the previous seven years combined.” And this was just preceding the 5G roll-out, which requires many more small sites. The result is that phones (and curious researchers) cannot reliably keep track of legitimate towers to discover when someone is running a rogue “tower.”

To manage networks with thousands of towers—or “cell sites” since they can be mounted anywhere—carriers have the ability to get information from phones and to make changes to low-level phone settings, such as which servers route text messages. These “pings” occur at a low level, and users are rarely aware of them.

Though the first generation of wireless networks used only digital signals to initiate a call, the second generation (“2G”) was entirely digital. One consequence of this is that phones and towers will send and receive signals without a person ever making a call. These control signals always include a persistent identifier for the cellphone, and since the passage of e911 regulations in the United States, include the phone’s GPS coordinates.

Cell-site simulators are so named because they mimic a cell site/tower. Since the devices are mobile, and more interested in surveillance than efficiency, they can get closer to target phones and will broadcast the signal with far greater strength than a carrier’s cell sites do. This tricks phones into contacting the CSS, after which it exploits a network’s control signals to conduct a “man in the middle” attack—relaying data between the phone and the carrier’s network while recording the data it receives from the phone. This is the “active mode” operation of a CSS.

Devices can also operate in “passive mode.” Because radio communications can be observed by any nearby radio receiver with the proper antenna, a CSS can observe any nearby phones and obtain information such as the phone’s persistent identifier (usually the International Mobile Equipment Identity, a.k.a. IMEI number) and its location (from relayed GPS signals or by reporting the direction and signal strength).

This mode is also where the term “IMSI-catcher” comes from; the International Mobile Subscriber Identity (“IMSI”) is also transmitted in control signals and can be used to identify the owner of a device. To clarify, an IMEI is unique to the phone’s physical hardware and never changes, while the IMSI is unique to the SIM card, which can be moved to another phone.

According to the Electronic Frontier Foundation (“EFF”), CSS devices “are used by the FBI, DEA, NSA, Secret Service, and ICE, as well as the U.S. Army, Navy, Marine Corps, and National Guard.” State-level police in 17 states, sheriff’s offices in 17 counties across eight states, and 32 cities’ police departments across 17 states are also known to have purchased CSS for use. Just because your state or city is not known to have purchased a CSS, doesn’t mean one isn’t in use in your area. Groups like the EFF and the ACLU obtain information about CSS purchases and usage from open records requests, but not every jurisdiction has been queried yet or has been forthcoming with information. Even if a jurisdiction doesn’t own a CSS, law enforcement can contact the FBI and request the agency deploy one for a specific purpose (i.e., to track a fugitive).

We may never know how often agencies like the FBI, CIA, or NSA have used CSS devices, but open records requests from jurisdictions with better open records laws can be instructive. The ACLU found that “ICE used Stingrays more than 1,885 times over a four-year period between 2013 and 2017” and “at least 466 times between 2017 and 2019.” The Baltimore Police Department “used Stingrays a staggering 4,300 times over recent years,” wrote the ACLU in 2015. Even the Sheriff’s Office of Erie County, New York—which serves the City of Buffalo and about a million residents—used their CSS 47 times between 2011 and 2015.

It is not just Americans who are under surveillance by CSS devices. The Royal Canadian Mounted Police (“RCMP”) have also come under scrutiny for hiding their use of a CSS from Canadians. Reporting from OpenMedia in 2017 revealed the “RCMP ha[d] been purchasing and using CSS devices in 2005; [t]hat the RCMP made CSS devices available for use for other police forces; [t]hat the RCMP sometimes fail to receive prior judicial approval when using CSS devices; [and the] precise technological capabilities of RCMP owned CSS devices.”

There is simply no way to know how many even less-forthcoming governments are surveilling their own citizens or citizens of other countries by using CSS devices, especially considering the abuses these two Western democracies are allowing.

Early (Known) Uses

Though the commercial history and use of CSS devices has been a closely guarded secret, some information about their origins has come to light. In 1993, Congress held an oversight hearing on the integrity of telephone networks. Tsutomo Shimomura, a physicist and computer science researcher, made a presentation at this hearing that highlighted how easily the content of cellphone calls could be intercepted. Under the supervision of FBI agents, Shimomura deployed a “software hack” to turn an “analog cellular phone into a scanner that enabled all present in the room to hear the live conversations of nearby cellular phone users.”

Rather than require phone companies to fix such glaring holes in their network security and protect ordinary Americans, Congress instead mandated that radio manufacturers disable features on newly sold radio “scanners” to prevent casual eavesdropping. Even at this early stage, the groundwork was laid for corporations to enable government agents to deploy CSS devices against citizens for law enforcement purposes. “Such a law enforcement exemption had been requested by the Harris Corporation, and supported by the cellular industry association.”

This strategy of deciding that networks are secure enough while leaving gaping holes for police is a common occurrence in U.S. history. The FBI has pressured Congress for such “backdoors” every time a new product or service becomes commonly used in America. Cellphone networks are just one example. More recently, the FBI demanded Apple push a software vulnerability to iPhones that would allow the agency easy access to the phone belonging to the shooter behind the San Bernardino terrorist attack in 2015. The FBI has also pushed for backdoors into encryption protocols for securing peer-to-peer chat programs like Facebook messenger.

The controversy lies in the fact that any security hole will not only be used for legitimate law enforcement purposes, but it will also invariably be exploited by police acting outside the scope of the Constitution, hostile foreign governments, criminals, and curious Americans.

Take John and Alice Martin, a Florida couple who bought a radio scanner prior to the 1993 law banning scanners that could intercept cellphone calls. They were “self-described small town political junkies,” who were using their scanner and overheard a phone call in which then-Speaker Newt “Gingrich [was] discussing his ethics problems” with other leading House Republicans. They “taped the conversation to capture history” and turned a copy over to “the ranking Democratic member of the House Ethics Committee.” For their troubles, the couple were prosecuted and forced to pay $500 each, as well as cooperate in an investigation about how several news outlets also obtained a copy of the call.

One of the first known uses of a CSS to locate a criminal suspect was in 1995. An unknown person was using a homemade air card (a device that allows a computer access to cellular networks) to break into computer networks, steal software and data, and illegally modify phone company switching equipment. After tracing the network signals back to the originating device somewhere in Raleigh, North Carolina, the authorities knew it was an air card but were not sure who was using it.

Investigators, aided by Shimomura, could roughly identify the geographic area in which the device was being used because the cellular company could tell them which tower the card was attached to while in use. They also knew the IMSI of the SIM used in the air card. According to The Verge, “to zero in on [the suspect’s device] police used a passive cell-site simulator combined with a silent SMS from the phone company that forced [the device] to check in.” Once they were close enough, they used a Triggerfish—a portable CSS made for close-up direction finding—to determine from which apartment the signal originated.

They eventually arrested Kevin Mitnick who was on probation at the time for previous cybercrimes in California. An account of the investigation was published as The Fugitive Game by Jonathan Littman (Little, Brown 1996).

The next major (known) case was that of Daniel Rigmaiden in 2008. Authorities were investigating a string of identity thefts where someone was filing fraudulent tax returns for the recently deceased and funneling the payouts through bogus accounts. The suspect used a rotating cast of intermediaries to cash checks and pick up packages, but even these middlemen couldn’t identify the central organizer of the scheme. However, authorities knew the IP address of the device filing the fraudulent returns. They traced it back to a Verizon air card in use in the San Jose, California, area. Police arrested Rigmaiden outside of his apartment and later located the air card during a search.

Rigmaiden’s case was different from Mitnick’s, however, because Mitnick had been on probation when officers suspected him of misconduct. Rigmaiden, on the other hand, had a clean record, so police needed a warrant to search his apartment. When they applied for the warrant, they claim to have used “historical cell tower information” to pinpoint his location, but he was skeptical. He knew that cell-site location information wasn’t accurate enough to identify his individual apartment, so he suspected police of using something else—something they failed to disclose to the court—to obtain the information needed to support the warrant application.

During pretrial and in custody at a detention facility in Florence, Arizona, Rigmaiden was able to obtain a brochure from the Harris Corporation for a device called a “Stingray,” with capabilities that included precision tracking of cellphones. He also obtained the minutes of the Maricopa County board meeting showing an invoice for a Stingray, so he knew police had access to the device.

Rigmaiden began contacting privacy-oriented organizations like the EFF and the ACLU, as well as journalists, to expose the secret use of Stingray devices and draw attention to his case. Jennifer Valentino-Devries, a reporter with The Wall Street Journal’s (“WSJ”) Digits Blog, wrote an article in 2011 about Rigmaiden’s case and the police’s undisclosed use of the Stingray, which was published on the front page of the paper.

Not too many Americans were using cellphones in 1996 when the book was published about Mitnick’s case, but many more were using cellphones in 2011 when the WSJ article was published. This article drew a lot of attention to the use of Stingray devices by law enforcement, something the FBI was anxious to avoid.

Rigmaiden was offered a plea deal by the government in 2013, nearly five years after his arrest. He attributed this deal—which gave him time served in exchange for a guilty plea—to his persistent and overwhelming legal strategy rather than his having made the Stingray the focus of national attention.

“The reason they wanted to get rid of the case wasn’t because they were worried the Stingray was going to get exposed more, because at that point it was pretty much already out there,” he said. “The reason they wanted to get rid of me was because I was doing all that work. I was giving them so much work to do, and it was pushing their resource limit.”

Despite the attention drawn to Stingray devices as part of the case, the U.S. government has continued to pursue strategies to keep the capabilities and use of Stingray devices and other CSS devices out of the public eye. And it’s no wonder since these devices, produced primarily by the Harris Corporation, have been in continuous use for approximately two decades and have aided in countless law enforcement and intelligence actions. The government wasn’t about to stop playing with their toys just because of a little bad press.

Coordinated Secrecy

The amount of information available on CSS is extraordinary considering the amount of effort government agencies and corporations have expended to keep details about these devices under wraps. Even after being exposed as part of Rigmaiden’s case, the FBI would continue to deny that it, or any other law enforcement or intelligence agency, had or were using the devices. But their efforts went beyond mere denials, including a policy that may have resulted in the release of violent criminals.

Kerron Andrews was a Baltimore, Maryland, resident whom police believed had attempted to kill three people in April 2014. Police had the cellphone number they believed Andrews was using while on the run and sought a pen-register/trap-and-trace order to aid in locating him. The request to the court also referenced a “cellular tracking device” but provided no information about what it was or how it could be used.

This court order was not a warrant. Warrants require probable cause, especially where they involve police authorization to enter someone’s home and would be relevant here because police eventually located Andrews in an apartment. Even where police have obtained a warrant to arrest someone like Andrews, they must still obtain another warrant to go into a home to arrest him. This rule prevents police from going house-to-house in a neighborhood to find fugitive criminals.

A “pen register” is a device—or nowadays a piece of software—that records the phone numbers that a person dials, while a “trap and trace” performs the same function for inbound numbers. The Supreme Court ruled in 1979 that there is no reasonable expectation of privacy—and thus no warrant is required—where “petitioner voluntarily conveyed numerical information to the telephone company.” Smith v. Maryland, 442 U.S. 735 (1979). Federal authority for pen/trap orders codified in Title 18 of the U.S. Code, §§ 3121-3127, and requires police to merely demonstrate that “the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation.” § 3123. The probable cause standard is higher than this “relevancy” standard, so pen/trap orders are easier to obtain than warrants.

What the police omitted from their request to the court was that the “cellular tracking device” referenced in the order was a CSS, not a pen/trap (though a CSS has the capability to obtain outbound and inbound call metadata like a pen/trap does). Police intentionally hid from the court that they intended to force Andrew’s phone to function as a GPS tracker, and police must obtain a warrant to track a person in real time using GPS. Grady v. North Carolina, 575 U.S. 306 (2015) (though many lower courts had come to a similar conclusion well prior to this ruling).

It was only on the eve of trial, and under great pressure from defense counsel during a hearing, that the Baltimore PD revealed that it had used a CSS—a Hailstorm, a newer model from Harris Corporation able to operate against 4G phones—to track Andrews. The Court ruled that the police had failed to disclose details that were material to his defense and ultimately suppressed the gun found in the apartment where he was located.

Defense attorney Joshua Insley confronted Baltimore PD officer Cabreja about whether the department had signed a nondisclosure agreement regarding the agency’s use of the CSS. “Does this document instruct you to withhold evidence from the state’s attorney and Circuit Court, even upon court order to produce?” he asked.

“Yes,” was Cabreja’s shocking response.

This information was similar to an agreement eventually uncovered by the ACLU between the Harris Corporation and the Delaware State Police. That agreement stated officers could not “discuss, publish, release or disclose any information pertaining to the (cellphone tracking) products” to “the general public, to companies, to other governmental agencies, or even to other officers who do not have a ‘need to know.’” A letter from Harris Corporation’s Michael E. Dillon said “[o]nly officers with arrest authority are permitted to use them (Stingrays) or have knowledge of how they work” and that “[s]tealth, quiet approach and skilled execution are the glue that transforms weapons and technology investments into capabilities and results.”

Reporting from Wired magazine about these agreements states that “police are advised to pursue ‘additional and independent investigative means and methods’ to obtain evidence collected through use of a cell site simulator, though suggestions provided by the FBI on how this could be accomplished were redacted by the bureau.” This advice seems to encourage police to engage in a practice known as “parallel construction,” which is where evidence obtained in violation of the U.S. Constitution is laundered by having officers unconnected to the evidentiary violation act on it without revealing the true origin of the information for the purpose of misleading the courts.

Similar reporting from the NYCLU detailed one such NDA between the FBI and the Erie County Sheriff’s Office in New York state. “Its confidentiality agreement with the FBI also instructs the Sheriff’s Office that the FBI may request it to dismiss criminal prosecutions rather than risk compromising the secrecy of how Stingrays are used,” wrote the NYCLU. This means that whenever officers are at risk of providing information about how a CSS actually functions, the FBI may require the state prosecutor to drop the criminal case—allowing a possibly dangerous criminal to be released—instead of complying with court orders to produce the information.

In 1968, then-Chief-Justice of the U.S. Supreme Court Earl Warren said that “evidentiary hearings, where defendants are apprised of the evidence against them and scrutinize how it was obtained, is the only true defense Americans have against police misconduct.” He wrote that, without it, “the constitutional guarantee against unreasonable searches and seizures would be a mere ‘form of words.’” Alarmingly, law enforcement practices surrounding the use of CSS devices appear to constitute the very types of behavior Chief Justice Warren cautioned against.

The appellate court of Maryland that upheld the suppression of the firearm in Andrews’ case said that the “information embargo” produced by these NDAs “prevents the court from exercising its fundamental duties under the constitution.” State v. Andrews, 134 A.3d 324 (Md. Ct. Spec. App. 2016).

The Court also refused to apply the “good faith exception” to the warrant requirement where some procedural mistakes made by officers—who have obtained an ostensibly valid warrant but the law concerning its validity is unclear—are excused and evidence is admitted despite the violation. The Court noted that the good faith exception is unavailable where police have intentionally misled the courts. It then listed “the ways in which the police misled the lower court in its ‘overreaching’ application: failing to name or even describe the Hailstorm, failing to impose any geographical limitations on its use, failing to ‘fully apprise’ the judge of the information it might collect, failing to explain what would happen with that information, and concealing the fact that the technology could easily capture information about innocent users in Andrews’ vicinity.” Andrews.

The Andrews Court reiterated that “people have a reasonable expectation that their cell phones will not be used as real-time tracking devices by law enforcement” and have “an objectively reasonable expectation of privacy in real-time cell phone location information.”

Unfortunately, not all courts express this kind of outrage at being misled by law enforcement. Consider the case of Damien Patrick of Milwaukee, Wisconsin. United States v. Patrick, 842 F.3d 540 (7th Cir. 2016). Patrick was on state parole when a warrant for his arrest was issued due to failure to comply with his conditions of release. Police obtained a warrant and asked the court to authorize access to information from the cellphone company to track him. Instead of consulting with the cellphone company, the police used a CSS.

Police located Patrick sitting in a vehicle with a firearm, which formed the basis for a new federal charge. Patrick sought to have the gun suppressed based on the police misleading the court about how it intended to track him.

The Seventh Circuit denied Patrick’s request because “neither constitutional text nor precedent suggests that ‘search warrants also must include a specification of the precise manner in which they are to be executed.’” Quoting Dalia v. United States, 441 U.S 238 (1979). It continued, writing that “the manner of search is subject only to ‘later judicial review as to its reasonableness.’”

“A person wanted on probable cause (and an arrest warrant) who is taken into custody in a public place, where he had no legitimate expectation of privacy, cannot complain about how the police learned his location,” according to the Seventh Circuit. “From his perspective, it is all the same whether a paid informant, a jilted lover, police with binoculars, a bartender, a member of a rival gang, a spy trailing his car after it left his driveway, the phone company’s cell towers, or a device pretending to be a cell tower, provided location information.” Patrick.

But this opinion rested largely on two main premises: (1) that cell site simulators function in only the way that police told the court they do and (2) that having a valid arrest warrant for Patrick essentially blessed any method used to locate him.

In his dissent, Circuit Judge Frank Easterbrook wrote that “[w]e know nothing about the way in which the Stingray used in Patrick’s case was configured, nor do we know the extent of its surveillance capabilities.” With certain software, a Stingray can be configured to “capture emails, texts, contact lists, images, or any other data from the phone” as well as “eavesdrop on telephone conversations and intercept text messages.”

“Even if the Stingray revealed no information beyond Patrick’s location, we must know how it works and how the government used it before we can judge whether it functions in a manner sufficiently different from the location-gathering methods specified in the warrant that it amounted to a search outside the warrant’s scope,” he wrote. This is, in part, “because the authorization of the collection of location data cannot be expanded to permit a search of the contents of Patrick’s cell phone.”

Judge Easterbrook also criticized the majority’s reliance on Utah v. Strieff, 136 S. Ct. 2056 (2016). In Strieff, the police illegally initiated a traffic stop, but this was “excused” when the vehicle’s occupant was found to have a valid warrant for their arrest. Thus, evidence located during the unlawful stop was admitted into evidence.

He noted that there was a different sequence of events in Patrick’s case, where police were already aware of the arrest warrant and then attempted to otherwise circumvent the normal review procedure of obtaining a valid warrant, so they could apprehend him. He explained that “[p]urposeful evasion of judicial oversight of potentially illegal searches is exactly the kind of ‘police misconduct … most in need of deterrence.’”

Expanding on this idea, it would have been unlawful for the police to wiretap Patrick’s phone without a warrant, overhear details about his whereabouts, and then conceal that source by having an officer “randomly” stop his vehicle on some other pretext. Had police used a CSS for this purpose—which is well within the capability of such devices—and lied to the court, the court would have no idea. Further, it is exactly this kind of parallel construction in which the FBI appears to be counseling police to engage.

The FBI and other agencies claim that all the secrecy surrounding CSS is necessary. If the inner workings of various CSS devices were to be publicized, then violent criminals and terrorists would evade detection.

Except that this assertion is clearly nonsense. After approximately 30 years of this technology being used by the government, we have a pretty good idea of the technical capabilities of these devices, even if we don’t know the specifics.

The EFF and ACLU have obtained and republished information that has been “leaked” from public records requests, revealed in court hearings and documents, and from official sources speaking off-the-record to journalists. This includes marketing material from CSS manufacturers and DOJ policy documents about these devices.

They have also been discussed in popular media. Tsutomo Shimomura, the expert who helped police catch Kevin Mitnick, gave an interview to Wired in 1996 in which he not only described a CSS’ operation by the FBI but also precise physical characteristics of the device, including the size and shape of an antenna attached to it to increase its accuracy and range.

The 1998 movie, Enemy of the State, has actors Gene Hackman explaining to Will Smith that “in the old days, [the government] had to tap a wire into your phone line. Now calls bouncin’ around on satellite, they snatch right out of the air.” This movie was up front about digital surveillance (in multiple forms) before most Americans were using digital communications at all.

A more explicit display of a CSS came from the movie Zero Dark Thirty. It is a dramatization about the investigation and operation that led to the killing of Osama bin Laden in May 2011. In the movie, CIA agents receive a tip about a phone number belonging to bin Laden and traced it back to a phone in Abbottabad, Pakistan. Using a briefcase-sized computer, a CIA agent was able to determine in which direction the target phone was located and how strong the signal was, instructing the driver to follow the signal until agents were able to photograph the vehicle and its sole occupant. While the agents never explicitly refer to the device by any name, its main capability—tracking a phone’s location in real time was clear. This movie was released in January 2012, a mere four months after the front-page article in the Wall Street Journal detailing the use of a Stingray device in Daniel Rigmaiden’s case.

The idea that people can be tracked by the government using cellphone signals is so prevalent in the public psyche that even the pettiest of miscreants understands it. NPR reported in 2017 about an Australian electrician who would put his cellphone in a chip bag—which blocks wireless signals, a trick used in Enemy of the State—so his employers didn’t know when he snuck away from work to play golf.

“The FBI can track cell phones,” wrote Dell Cameron for Wired. “Unscrupulous golfers know it. Bank robbers and terrorists are presumably also clued in on this now. And no amount of silence that police or prosecutors ever agree to is going to diminish that.”

Known Devices and Capabilities

Up to this point, this article has used the terms “cell-site simulator” and “Stingray” interchangeably. But while Stingray was the first CSS, there are many other similar devices marketed under different trademarks. When researching the use or abuse of these devices by law enforcement, it can be helpful to know the various names and what each device is alleged to be capable of doing.

The Harris Corporation (now L3Harris after its 2019 merger with L3 Technologies) began producing the Rayfish family of cell-site simulators beginning with the Stingray sometime in the 1990s. “The principal operations made by the Stingray are: Data Extraction from cellular devices—Stingray collects information that identifies a cellular device (i.e., IMSI, ESN) directly from it by using radio waves; Run Man In The Middle attacks to eavesdrop on Communications Content Writing metadata to the cellular device; Denial of Service; [P]reventing the cellular device from placing a call or accessing data services; Forcing an increase in signal transmission power; Forcing an abundance of signal transmissions Tracking and locating.” Though pricing has varied somewhat over the years, one source quoted it “as much as $400,000 in the basic configuration, and its price varies with add-ons ordered by the agency.”

The Triggerfish, also made by L3Harris, “extends the basic capabilities of Stingray, which are more oriented to device location monitoring and gathering metadata.” In passive mode, it “allows authorities to monitor up to 60,000 different phones at one time over the targeted area.” The cost “ranges between $90,000 and $102,000.”

The Kingfish is built as a less capable version of the Triggerfish in that it does not appear to be able to track as many phones simultaneously. It is smaller too, as “it could be concealed in a briefcase” and “shows connections between phones and numbers being dialed” similar to a classic pen register. It costs “slightly higher than $25,000.”

Amberjack is the “direction finding system antenna” for “surveillance systems like Stingray, Gossamer, and Kingfish.” It costs “nearly $35,015.”

Harpoon is an amplifier for “Stingray and Kingfish devices to track targets from a greater distance,” which costs “between $16,000 and $19,000.”

Hailstorm is either sold as an upgrade to a Stingray or is a standalone system. The original Stingray only functions against 2G phones, while the Stingray II functions against 3G devices. The Hailstorm can operate against 4G devices. It costs “$169,602 if it is sold as a standalone unit, and it could be cheaper if acquired as an upgrade.”

Gossamer is a handheld unit that “provides similar functionality of Stingray” but “also lets law enforcement run a [Denial of Service] attack on a target, blocking it from making or receiving calls.”

Maryland-based Digital Receiver Technology is also known to produce a passive CSS that “can be configured to track up to 10,000 targeted IMSI numbers or phones.” These units, colloquially known as “DRT boxes” (pronounced “dirt”) were mounted to Cessna airplanes in 2007 by the U.S. Marshalls Service, though the DEA is known to have done something similar.

In 2020, L3Harris announced it would no longer sell CSS devices “directly to local law enforcement,” though they will likely still sell devices to federal agencies. This announcement came on the heels of the first announced deployments of 5G cellular technology, a protocol with features that plug many of the security holes that plagued earlier generations of networks. Since this discontinuation also covered replacement parts and software updates, many police departments that owned L3Harris products were forced to look elsewhere.

“The [Miami-Dade Police Department] and at least five other law enforcement agencies have turned to a North Carolina company named Tactical Support Equipment to supply new cell-site simulators known as the Nyxcell V800/F800 TAU,” wrote Dell Cameron and Dhruv Mehrotra for Gizmodo.

Gizmodo noted that Canadian firm “Octasic manufactures the Nyxcell line of cellular equipment” and that the “only vendor authorized to distribute Nyxcell hardware, software and associated training services in the United States is Tactical Support Equipment (TSE).”

Other companies are known to produce similarly equipped devices, and this list includes “Atos, Rayzone, Martone Radio Technology, Septier Communication, PKI Electronic Intelligence, Datong (Seven Technologies Group), Ability Computers and Software Industries, Gamma Corp, Rohde & Schwarz, and Meganet Corporation.”

The devices in use for domestic law enforcement, depending on their configuration, have the capability to observe all unencrypted data being sent or received from target phones and to jam signals, and they can “even spoof the identity of a caller in text messages and calls,” meaning the text messages received by the target can be made to appear to come from any number—possibly feeding disinformation to a target. Importantly, this appears to be a software-only function, and any CSS could be configured to do this if bundled with proper software.

These devices can also be used to load viruses onto a target device, giving the operator full control of a phone and access to its data. Sometimes this occurs through the text messaging feature or through a vulnerability in the device’s baseband software. This capability is particularly alarming as L3Harris has shown interest in similar technology.

The company was reported in July 2022 to have made a bid to purchase the Israeli firm NSO Group. NSO’s assets include an extensive database of “zero day exploits,” which are unpublished and unpatched security holes that can be used as entry points for viruses. The company is also known for a spyware program called “Pegasus,” which has been linked to high-profile murders of protesters, political opponents, and journalists, including Jamal Khashoggi.

The Biden Administration, “informed by an intelligence community analysis of the potential impacts” of the acquisition, said it would “pose a serious counterintelligence and security risk to U.S. personnel and systems.” This is likely due to “NSO Group’s close relationship with the Israeli government,” according to The Washington Post.

However, just because this particular deal fell through doesn’t mean a company like L3Harris has stopped seeking access to technologies that can compromise and gain full control of cellphones. Buying a company like NSO was simply the easiest way to do it. And when a large company wants this kind of tech, there’s a good chance its competitors are eyeing similar capabilities.

Case Law and Policy

Prior to October 2015, the U.S. Justice Department published policy documents that counseled law enforcement to seek a pen/trap order prior to using a CSS to identify or locate a mobile device.

According to the ACLU, the “DOJ’s 2005 Electronic Surveillance Manual states that a Pen/Trap order ‘must be obtained by the government before it can use its own device to capture the [unique numeric identifier] of a cellular telephone’ and that a Pen/Trap order would also suffice to obtain location information.”

The same manual states, however, that the DOJ does “not concede that a device used to receive radio signals, emitted from a wireless cellular telephone” and which “identif[ies] that telephone to the network”—in other words an IMSI-catcher or CSS—constitutes a “pen register” or “trap and trace” device. Nevertheless, it recommends law enforcement obtain a court order for a pen/trap “out of an abundance of caution.”

The manual also identifies a kind of “hybrid order” law enforcement should obtain if they want to use CSS to track a person in real time. In that case, it says officers should obtain an order authorizing a pen/trap but one that also authorizes “acquisition of location information from wireless carriers” per the Stored Communications Act, 18 U.S.C. § 2703(d).

The ACLU wrote that, “[a]lthough the template application refers to the device as a ‘pen register,’ the template’s brief allusions to the manner in which the device operates strongly suggests that the device at issue is actually an IMSI catcher.”

This guidance and training, though contained in a document from 2005, is consistent with long-standing behavior by the FBI and police departments going back to the 1990s when CSS devices were developed. Police departments have grown accustom to using them in everyday police investigations and have decades of habitual use of CSS devices while treating them as pen registers. Such a habit is not broken quickly or easily.

The legal landscape began to shift in 2015. The two important and conflicting cases discussed earlier, Andrews and Patrick, both were working their way through the courts when the federal government changed its policy in October 2015. Then-Deputy Secretary of DHS Alejandro Mayorkas issued a policy memorandum stating that the department, which includes DEA and ICE, “must use cell-site simulators in a manner that is consistent with the requirements and protections of the Constitution, including the Fourth Amendment, and applicable statutory authorities, including the Pen Register Statute.”

Around the same time, the DOJ said that while it previously “obtained authorization to use a cell-site simulator by seeking an order pursuant to the Pen Register Statute, as a matter of policy, law enforcement agencies must now obtain a search warrant supported by probable cause and issued pursuant to Rule 41 of the Federal Rules of Criminal Procedure (or the applicable state equivalent).”

The problem with such policies is that they are ambiguous and confusing, when considering situations where a warrant has been traditionally deemed unnecessary. These include: “the need to protect human life or avert serious injury; the prevention of the imminent destruction of evidence; the hot pursuit of a fleeing felon; or the prevention of escape by a suspect or convicted fugitive from justice.”

Reporting by TechCrunch covered a 2023 report by the DHS Office of the Inspector General (“OIG”), which found that ICE Homeland Security investigations (“HSI”) and the Secret Service “did not always obtain court orders” as required by policy or law and that the agencies “did not correctly interpret” the “internal policies governing the use of cell-site simulators in emergency situations.” ICE HSI asserted that, at least once, a warrant was not obtained because a party had “provided consent.”

In the absence of clear laws protecting the privacy of Americans, courts have attempted to provide guidance. Grady v. North Carolina, 575 U.S. 306 (2015), involved real-time tracking using a GPS device. But prosecutors have argued that a warrant is unnecessary where the defendant readily relinquishes the same information to a third party—such as a cellular carrier—and courts have granted access to this information without a warrant using authorization under the Stored Communications Act.

Carpenter v. United States, 138 S. Ct. 2206 (2018), held that seizure of seven days or more of cell-site location information (“CSLI”) constitutes a search requiring a warrant. But because the case centered around CSLI obtained from a cellular carrier, law enforcement has argued that the same information does not require a warrant when obtained from another source, such as an advertising broker. Several federal agencies—including DEA, ICE, and the IRS—have reportedly purchased access to location data obtained from commercial brokers without a warrant.

Freddie Martinez, a senior researcher with the Project on Government Oversight, recently stated that there is “still a lot of confusion about differences between cell-site data, real-time cell-site data, and emergency access, and so on.”

Referring to the DHS OIG report, Martinez said it “really does speak to the problems of unclear statutes” and that often times federal authorities are “relying on local partners to do the necessary paperwork” to obtain a warrant. “They’re not doing the paperwork that they need to be doing, and they’re putting cases at risk,” he said.

Meaningful federal legislation curtailing CSS use is unlikely anytime soon. Former Representative Jason Chaffetz (D-UT) introduced a bill in 2015 to regulate CSS use, and it went nowhere. More recently in 2021, Senator Ron Wyden (D-OR) and Representative Ted Lieu (D-CA) introduced a similar bill, which also didn’t make it out of committee. Even these bills had gaping loopholes, providing for a “national security exception,” among others. When agencies like the CIA are organized solely for the purpose of protecting national security, such an exception would provide no meaningful guardrails to domestic use.

Police at all levels of government use CSS devices way more than Americans truly understand. Annapolis, Maryland, police used a CSS device to locate someone suspected of stealing “$56 worth of submarine sandwiches and chicken wings.” Police were able to locate and arrest Michael Cohen and Ghislaine Maxwell by using CSS devices to pinpoint their locations. And a CSS device was integral in the investigation leading to the capture of Osama bin Laden. But they have also been deployed to track Dakota access pipeline protesters and Black Lives Matter protesters in Milwaukee and Portland.

Law enforcement clearly loves using CSS devices and will deploy one anytime they want to track someone down. They have, so far, been relying on obscurity and secrecy to keep using them without any real accountability. Prosecutors have dropped violent crime cases to protect this secret, while police have misled courts countless times. Even the “U.S. Marshalls have driven files hundreds of miles to thwart public records requests.”

Any meaningful change in their use will likely be initiated at the state level, and some states have begun to take action. Various states, including New York and Rhode Island, are considering laws that specifically address the use of CSS devices. Utah has already passed laws requiring a warrant before police can access “communication service provider networks,” obtain data from the “cloud,” or deploy drones that have “radar, sonar, infrared, or other remote sensing or detection technology.”

Such legislation is a good first step, but any bills ought to address other systemic issues such as requiring police to obtain a warrant anytime they intend to use a CSS or similar device and to specifically notify the Magistrate Judge that such a device will be used when executing the warrant. Further, anytime police use a CSS without a warrant—such as during an emergency—they should be required to obtain one within a reasonably short timeframe or forgo any evidence collected in connection with its use.

Police in California are currently required to collect and report anytime they seek a geofence reverse location warrant, and similar statistics should be required for CSS use. Police should be required to publicly report any use of a CSS, and the report should include when and where the CSS was deployed, linked to the warrant issued (or report that police failed to obtain one), and broadly categorized the kind of crime under investigation.

Specific uses should also categorically be banned such as deployment anywhere near a protest or a place where an otherwise constitutionally protected activity is taking place, e.g., churches and health clinics.

Violations of these provisions must also provide meaningful incentives for compliance. Record-keeping violations should result in fines or funding reductions, and evidence should be suppressed where police fail to comply with warrant requirements. Whenever police collect information using a CSS, there should be limits on its retention, and where it has been abused—such as being deployed near a protest, police should be required to notify anyone affected by the collection. In the interim, judges need more education about the specific capabilities of CSS devices and how they could run afoul of the Constitution.

Whenever a CSS device is used without a warrant to detect a cellphone inside a home, suppression should be automatic under Kyllo v. United States, 533 U.S. 27 (2001). The Court held that “[w]here, as here, the Government uses a device that is not in general public use, to explore details of a private home that would previously have been unknowable without physical intrusion, the surveillance is a Fourth Amendment ‘search,’ and is presumptively unreasonable without a warrant.” CSS devices cannot be “in general public use” where their operation is prohibited by law. Thus, their warrantless use to locate cellphones within residences should fall under Kyllo.

Further, warrantless use should result in suppression where the CSS forces a cellphone to divulge its GPS coordinates using an e911 ping. Police departments have claimed they are obtaining location information from the cellular carrier’s network when obtaining a pen/trap order but then proceed to only use a CSS. This has been legitimized under the third-party doctrine, but a cellphone user is willingly sharing their location only with the cellular carrier, not the police. This is no different than “hacking” into a suspect’s computer, which would be an illegal search.

And if police were to utilize the eavesdropping or spoofing capabilities of these devices without prior authorization, they would be violating the wiretap law and possibly other laws, depending on who the police impersonated (another government official), whether that person was harmed by the impersonation (defamation), or whether the police gained some benefit from the impersonation (fraud).

Countersurveillance

Due to the lack of meaningful legislation in this area, individuals concerned with being tracked should be aware of ways to protect themselves.

First and foremost, a CSS cannot track the location of a phone that is in airplane mode, is encased in a Faraday cage (e.g., a foil chip bag that blocks radio signals), or while the user is on a call (as long as the call was initiated before the CSS was activated). Investigators also have a more difficult time tracking moving targets, so any intentional connections (taking the phone out of airplane mode should) be done while on the move. These methods are the only sure ways to prevent or deter anyone from tracking a person in the physical world using a CSS.

Limiting the amount of information leaked to a CSS can occur using a combination of strategies. First, use a disposable device (burner phone) that cannot be tracked back to you. As of the writing of this article, big box stores like Walmart and Target sell smartphones for as little as $30 for the phone, with unlimited data plans for between $25 and $65, depending on the carrier. These can be purchased with cash and should be activated and used away from any place associated with your daily life (i.e., not at your home or work). Whenever a burner phone is transported to a private location, it should be in airplane mode or powered off.

This strategy will still allow police or an attacker to count your phone and obtain its IMEI/IMSI, but this information is less useful if they cannot determine to whom the phone belongs.

Second, all data should be encrypted in transmission. A CSS convinces the legitimate tower and the phone to communicate without encryption, so it can obtain the content or metadata of any communication. A VPN can encrypt all communications performed by other important apps but does not usually protect calls or texts. Do not use regular calls or texts on any device you suspect might be surveilled. Instead, use an app like Signal. When choosing which VPN or communications app to use, choose ones whose source code can be inspected so that bad actors cannot surreptitiously compromise an app without it being publicized.

One way that a CSS functions is by convincing a 3G or 4G device to “downgrade” to the less secure 2G protocols. All smartphones running version 12 of Google’s Android operating system or later can disable 2G operation in the “Network” section of the Settings app. Android 12 was released near the end of 2021, and some manufacturers are still selling phones running Android 11. Though the EFF has publicly pressured Apple to change this, 2G mode cannot currently be disabled on any iPhone.

Forcing a 3G or 4G device to communicate over 2G protocols is the preferred method for a CSS to engage in a man-in-the-middle attack, but 5G networks are not vulnerable to this exploit, as they do not allow this type of service downgrade. However, most coverage in the U.S. (measured by land area) is handled by 5G Non-Standalone (“5G NSA”) networks, which are a kind of 4G in disguise as opposed to true 5G Standalone (“5G SA,” also referred to as “5G NR”).

“The full picture, the full protections of 5G security come over time and do require the standalone to gain full benefit,” said Jon France, head of industry security at the telecom standards body GSMA. “We’re seeing the initial deployments which are already bringing the core benefits of low latency, high data transfers through the non-standalone method. That still has a 4G core in it, it’s the brain of the network, and until we get to a 5G brain in standalone mode we won’t get all of the security benefits.”

T-Mobile is the furthest along in the U.S. in replacing 4G/5G NSA with 5G SA, followed by Verizon, and then AT&T. An app like “Signal Spy” can tell you what kind of network you’re connected to, but nothing can really hurry this process along.

To fill the gap, some researchers have attempted to develop methods of detecting when a CSS is in use nearby, but these are difficult to implement as they require specialized hardware and software. Some apps that claim to detect Stingrays merely track whether the nearby tower is sending silent pings. But these are part of normal network operation, so this method results in a lot of false positives.

The EFF developed project Crocodile Hunter—a reference to Steve “Crocodile Hunter” Irwin, who died after swimming with a Stingray fish—that is designed to track nearby towers and determine whether a suspect tower performs all proper security checks or is in motion. While all the software is publicly available, it requires compiling from source, a procedure most users will find daunting. It also requires a dedicated computer and radio equipment, so it cannot run on a smartphone. Sadly, the project is no longer in development as of December 2022. Yet, even this method was not foolproof as not all towers operated by national carriers are properly configured, and carriers will sometimes deploy legitimate cell sites on vehicles to temporarily boost coverage in an area.

Conclusion

In the 1990s, Congress failed to enact meaningful legislation to protect the cellular networks that would come to be used by millions of Americans, instead choosing to outlaw non-governmental use of cellular scanners. We cannot rely on Congress to pass meaningful laws protecting Americans against police use and abuse of cell site simulators. Individual states, which can be more responsive to voters on privacy issues, may enact some beneficial legislation if lawmakers are educated about how these devices function and run afoul of the Constitution.

Courts have tried to provide some protections in the absence of legislative guidance, but case law doesn’t adapt to new technology trends quickly enough—nor is this process truly effective while police obfuscate their use of CSS devices to courts.

Wireless carriers are slowly migrating towards secure 5G networks, but many devices will continue to be susceptible to surveillance and interception until this transition is complete. Further, there is no guarantee that other security loopholes won’t be discovered and used by similar devices to compromise 5G networks.

As long as people are willing to submit to this kind of surveillance, lawmakers will not be held accountable for their failures, and police will be free to abuse their tools.  

Sources: theintercept.com, eff.org, techdirt.com, globenewswire.com, envistaforensics.com, theregister.com, digitalcommons.lmu.edu, techcrunch.com, wired.com, wisconsinexaminer.com, timesofisrael.com, aclu.org, brennancenter.org, cloudwards.net, blog.tenthamendmentcenter.com, theguardian.com, openmedia.org, scholar.valpo.edu, annualreviews.org, fierecewireless.com, forensicresources.org, Your Secret Stingray’s No Secret Anymore, resources.infosecinstitute.com, theverge.com, theatlantic.com, github.com, npr.org, gizmodo.com, nytimes.com, nyclu.org, washingtonpost.com, Sting Rays The Most Common Surveillance Tool the Government Won’t Tell You About, buzzfeednews.com

Subscribe today

Already a subscriber? Login