A Major Step Forward on Stingrays, But Concerns Remain

This month, the Department of Justice announced a major policy change on IMSI catchers (commonly called “stingrays”), instituting a warrant requirement for their general use. This is a significant step forward, and the agency should be lauded for enhancing privacy rights by placing a key check on use of this invasive technology. However, the DOJ policy does contain some major flaws, and leaves much work to be done to give due protection to individuals’ location data.

Why New Rules on Stingrays Are a Major Victory for Privacy

Stingrays are a highly invasive technology. These devices “spoof” cell towers—effectively hacking into phones by hijacking the signal the phones connect to—to suck up data about phones, most notably their location. Local rules on stingray use vary, but many law enforcement offices—including the federal government—have not always sought a probable cause warrant before deploying them. Furthermore, stringray use has been deeply shrouded in secrecy. This is troubling because the precise location data that stingrays gather can be extremely sensitive, revealing information such as religious and political affiliations, medical conditions, and romantic preferences and relationships.

The new policy goes a long way towards setting a balanced system for this technology to properly protect private information. Given its sensitivity and new abilities for the government to store and search it en masse, electronic location data should only be obtained pursuant to a warrant, as the DOJ rules require in most circumstances.

Additionally, the policy responds to the indiscriminate manner in which stingrays collect location data—one of the greatest privacy concerns they raise. Stingrays operate in a dragnet manner; they cannot home in on an individual device, but rather vacuum up the data for all phones in an area. The DOJ policy requires that any court application for use of a stingray include a description of how law enforcement will delete data from anyone other than the target device, and an affirmation that such individuals’ data will not be used for investigative purposes. Ensuring that a stingray is truly targeted at a suspect—rather than used as an excuse to gather data from a large group, such as during a protest – is essential to their responsible use.

Significant Loopholes Still Remain

Unfortunately, the stingray policy still contains significant flaws, and loopholes that will prevent its protections from applying in many cases. A major problem exists for entities other than the Department of Justice. While the policy requires full application of its rules when DOJ officers use stingrays “in support of other Federal agencies and/or State and Local law enforcement agencies,” it is silent on applying these rules when federally owned stingrays are loaned out to state and local police—which they frequently are. This creates a perverse incentive for local law enforcement and other agencies to not request DOJ’s support using stingrays, but rather simply ask for a stingray to be loaned out, and then operated without a warrant requirement or other key privacy protections. If the Department of Justice is giving other government agencies this powerful and invasive technology, they should be held to the same standards as DOJ itself regarding that technology’s use.

Why Warrants for Stingrays Is Not Enough, Even Without Loopholes

Although the stingray policy is a significant improvement for privacy rights, it does raise additional questions regarding restrictions on location tracking.

Although DOJ will now (often) require a warrant prior to use of a stingray, there are still other ways it engages in location tracking. Law enforcement frequently tracks individuals’ locations by demanding records from cellular service providers that show which towers a customer’s phone has connected to, and the federal government continues to argue in court that this practice should not require a warrant. At the same time, the Supreme Court’s landmark ruling in U.S. v Jones creates a warrant requirement for attaching a GPS tracking device to an individual’s property. This creates a bizarre “donut hole of location privacy,” where DOJ policy would have attaching a location device to a specific individual or deploying a stingray to scoop up data for a full city block require a warrant, but demanding cell site data or a “tower dump” from a company does not. Privacy protections should be based on the level of intrusion towards those affected, not the technique or technology used. If the federal government agrees that warrants should be required to gather location data from a distance via stingrays, it should also accept this rule when obtaining the same information by compelling companies to produce records.

Finally, it’s important to consider whether—because of their unique harms—we should limit use of stingrays even when probable cause is present. Although the DOJ policy requires deletion of data, stingrays still cause significant “collateral damage” to privacy by sucking up the data not only of the target, but everyone else in the immediate area. Additionally, stingrays interfere with the cell signals of other phones in the area - which can be especially problematic during protests - and can be misused to monitor communications content. Obtaining cell site location data can often provide the same information absent these extra intrusions. In such situations, why would the government ever choose to—or more importantly, be permitted to—use stingrays? There are, of course, circumstances when a stingray can aid investigations in ways cell site data cannot: they can provide more precise location data, and can also be used for reverse-tracking, where the device is used in combination with a known location to acquire a suspect’s phone number (such as when trying to track a burner phone). But absent such unique needs, it seems unreasonable to allow a stingray to be used when necessary location data could be obtained with cell site data, without gathering information on everyone near a surveillance target. Beyond probable cause, use of stingrays should require an exhaustion rule—law enforcement should first have to demonstrate why less intrusive methods would be insufficient.

Limiting DOJ use of stingrays is a big step forward, but we have many more steps to take to escape the Golden Age of Surveillance and establish rules that balance our government’s ability to monitor citizens. Hopefully this positive development on stingrays will encourage consideration of other reforms, and further progress on surveillance policy in the future.

Update - October 22, 2015: This post originally questioned whether the DOJ policy contained an overbroad exigent circumstances exception for use in organized crime investigations. Upon evaluation we believe this exception only refers to the additional requirement to satisfy the pen register law if an emergency situation supersedes the warrant requirement.  T

Author:

Jake Laperruque is an Open Technology Institute fellow. He writes on government surveillance and security issues.