Nearly four years ago, the Electronic Privacy Information Center released FBI documents discussing a controversial surveillance technique. Both federal and local authorities often have access to cell phone surveillance hardware, dubbed Stingrays (Harris Corp. refers to them as StingRays), that can be used to intercept and spy on communications from smartphones and other devices equipped with 3G or LTE modems.
Over the last four years, court cases and document leaks have slowly pried back the cloak of secrecy that the FBI and the Harris Corporation, which manufactures many of the devices in question, have fought to keep in place. We now know that these devices are often used in cases that have nothing to do with terrorism or national security, and that they have been collectively deployed thousands of times across the country without a warrant. We know that in one case, the FBI asked local police to lie rather than admit to using Stingrays. Now, thanks to a cache of documents released by The Intercept, we have another vital piece of the puzzle: The operating manuals for several pieces of Stingray equipment.
These documents describe the function of a number of Harris products. While we tend to refer to these devices as “Stingrays,” Harris has its own codenames for specific products: KingFish, RayFish, Gemini, Arrowhead, and so on. Many of these components are modular and designed to work together. What we refer to as a “Stingray” is, I think, better understood as a technology platform rather than a single device. This is an important distinction, and it explains why different Stingray stories and investigations have ascribed a variety of capabilities to the devices. A Stingray isn’t just one thing — its abilities vary depending on how you configure it and what you use it for.
The various manuals describe how a Stingray can be configured to sweep an area for individuals (it euphemistically refers to them as “subscribers,”) and then track those signals over time. Stingrays can be outfitted with directional antennas to locate specific persons, and can also interface with mapping software to plot the location of a specific device.
These products can be configured in several modes. In Zone Registration, Gemini (one component of the Stingray platform) will register all mobiles with the transceiver. As the guide states, this may result in missing subscribers if there are more people nearby than the device can handle. Alternately, the device can page the MSID (Mobile Station ID). This is a number associated with both a specific phone and the phone’s service provider. This isn’t the same thing as a phone number, but each device has a unique MSID. As the section above notes, this is the desired method for tracking a particular device in a heavily populated area.
Stingrays aren’t limited to any particular network. One of the documents leaked is an extensive overview of a product designed to spy on iDEN networks. iDEN is essentially defunct in the United States — the once-ubiquitous Nextel handsets (which chirped when you pushed the button to talk) ran on iDEN, and there are a handful of products that still rely on it, but now the US mainly relies on CDMA, GSM, and LTE, all of which are mentioned above.
One of the problems with monitoring LTE, however, is that it’s much more secure than older network standards like 2G. That’s not a problem for an appropriately tricked-out Stingray — it’s easy to tell a connected device to drop to a 2G signal.
We’ve combined two images from one of the manuals to illustrate how the redirect works. In the left-hand image, the Stingray operator configures the redirect for a particular “subscriber.” Once this is done, the device can be forced into 2G mode. The end-user may see a notification on their screen that they’ve been forced to a lower operating mode, but they won’t know why.
Using Gemini, law enforcement can configure the device to watch for specific subscribers, authenticate them automatically once they are in range, and notify the surveillance crew that a target has connected.
Over the past decade, many individuals (and some corporations) have fought back against the relentless extension of the surveillance state. In most cases, they’ve lost. The handful of court cases that pushed back against mass surveillance have been largely overturned, and companies like Harris continue to insist that their equipment is being used to fight terrorism and only in accordance with local law.
Reality has told a very different story. Multiple police departments in multiple districts have been forced to admit that they’ve lied to judges about where information came from, misrepresented the nature of the Stingray when applying for warrants, or flatly ignored the legal requirement to get a warrant in the first place. The fact that the FBI collaborated with the Harris Corporation and advised prosecutors to drop cases rather than admit to using Stingrays is extremely troubling in its own right, as are the non-disclosure agreements the police have signed. In one case, the FBI seized documents that a judge had ordered released, claiming they belonged to the US Marshals service.
Much of this has been justified by arguing that the mere act of owning a mobile phone is permission to publicly search that device’s information. But this argument seems in conflict with how Stingrays practically work. While the particulars vary, we know that Stingrays are capable of intercepting voice and call data, as well as intercepting all of the phone numbers that an individual calls or receives a call from. A person who purchases a cell phone may be aware that their data will be transmitted to AT&T — but does a person who buys a cell phone automatically consent to have their signal hijacked by a third party? Does the act of buying a cell phone mean consenting to be forced to an older, slower wireless standard for the express purpose of being spied upon?
Stingrays have been justified as anti-terror tools, but there’s not one single case of a Stingray being used to stop a terror attack. That hasn’t stopped police departments across the country from deploying them in thousands of cases. The Harris Corporation and the FBI have gone to extreme lengths to hide the use of this technology precisely because it raises constitutional questions they’d rather not see contested. A few states have already introduced laws requiring police to get a warrant before using Stingrays or similar devices — hopefully these latest leaks will spur other states to take similar actions.
We strongly recommend reading the Intercept article above and checking out the ExtremeTech and other stories we’ve linked to for more information on this topic.