Posts

Thursday: Bad Girls

One thing before I go any further…look just above these words, below this post’s title and to the right of the date of publication. See the name ‘Rayne’? That’s me, that’s my byline. Please note there are multiple contributors here at emptywheel. The entire site is eponymously named for its owner, Marcy Wheeler, whose online name and byline is the same as this blog. Check the byline on our posts if you haven’t done so in the past. You’ll note we have different voices and opinions, different writing styles. I tend to be the most open about my dislike for what the Republican Party has become since 1978, when I last toyed with being Republican. Marcy and the rest of the crew tend to be more generous or less open in their vituperation. Take note of the byline when you read and comment, thanks.

Still indulging in female artist K-pop, choosing this video for a very specific reason…

TWO DAYS
That’s it, what’s left of today and all day tomorrow — that’s all the U.S. House will be in session for July. Outstanding job this week trashing the EPA with bullshit riders, GOP members. Way to fucking go with extending your run serving corporations ahead of the people.

Tick-tock.

BAD GIRL (UK edition)
After today’s wash list of badness, I can hardly wait to hear what comes of May’s visit on Friday to Scotland.

BAD GIRL (domestic edition)

PokéGone
The list of accidents resulting from distraction by Pokémon GO grows by leaps and bounds. These are among the worst so far. Just a matter of time before a fatality occurs.

Wheels

Keep an eye on this topic

Catch you tomorrow for the last in-session day in U.S. House.

Defining Stingray Emergencies … or Not

A couple of weeks ago, ACLU NoCal released more documents on the use of Stingray. While much of the attention focused on the admission that innocent people get sucked up in Stingray usage, I was at least as interested in the definition of an emergency during which a Stingray could be used with retroactive authorization:
[Image: Screen Shot 2015-11-08 at 9.27.59 AM]

I was interested both in the invocation of organized crime (which would implicate drug dealing), but also the suggestion the government would get a Stingray to pursue a hacker under the CFAA. Equally curiously, the definition here leaves out part of the definition of “protected computer” under CFAA, one used in interstate communication.

(2) the term “protected computer” means a computer—
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;

Does the existing definition of an emergency describe how DOJ has most often used Stingrays to pursue CFAA violations (which of course, as far as we know, have never been noticed to defendants)?

Now compare the definition Jason Chaffetz used in his Stingray Privacy Act, a worthwhile bill limiting the use of Stingrays, though this emergency section is the one I and others have most concerns about. Chaffetz doesn’t have anything that explicitly invokes the CFAA definition, and collapses the “threat to national security” and, potentially, the CFAA one into “conspiratorial activities threatening the national security interest.”

(A) such governmental entity reasonably determines an emergency exists that—

(i) involves—

(I) immediate danger of death or serious physical injury to any person;

(II) conspiratorial activities threatening the national security interest; or

(III) conspiratorial activities characteristic of organized crime;

Presumably, requiring conspiratorial activities threatening the national security interest might raise the bar — but would still permit — the use of Stingrays against low level terrorism wannabes. Likewise, while it would likely permit the use of Stingrays against hackers (who are generally treated as counterintelligence threats among NatSec investigators), it might require some conspiracy between hackers.

All that said, there’s a whole lot of flux in what even someone who is often decent on civil liberties like Chaffetz considers a national security threat.

And, of course, in the FISA context, the notion of what might be regarded as an immediate danger of physical injury continues to grow.

These definitions are both far too broad, and far too vague.

The IRS Has Stingrays … But We Knew Stingrays Have Been Used to Chase Tax Fraud

The Guardian reports that the IRS is among the federal agencies that have a Stingray.

The Internal Revenue Service is the latest in a growing list of US federal agencies known to have possessed the sophisticated cellphone dragnet equipment known as Stingray, according to documents obtained by the Guardian.

Invoices obtained following a request under the Freedom of Information Act show purchases made in 2009 and 2012 by the federal tax agency with Harris Corporation, one of a number of companies that manufacture the devices. Privacy advocates said the revelation “shows the wide proliferation of this very invasive surveillance technology”.

The 2009 IRS/Harris Corp invoice is mostly redacted under section B(4) of the Freedom of Information Act, which is intended to protect trade secrets and privileged information. However, an invoice from 2012, which is also partially redacted, reports that the agency spent $65,652 on upgrading a Stingray II to a HailStorm, a more powerful version of the same device, as well as $6,000 on training from Harris Corporation.

I think it is troubling the IRS has Stingrays.

But it should not be surprising.

After all, the single solitary person we know who was convicted using a Stingray, Daniel Rigmaiden, was busted for tax fraud in 2008. Here’s the WSJ’s description of how the government used a Stingray to spy on Rigmaiden without a warrant.

Federal investigators say they pursued Mr. Rigmaiden “through a virtual labyrinth of twists and turns.” Eventually, they say they linked Mr. Rigmaiden to use of a mobile-broadband card, a device that lets a computer connect to the Internet through a cellphone network.

Investigators obtained court orders to track the broadband card. Both orders remain sealed, but portions of them have been quoted by the defense and the prosecution.

These two documents are central to the clash in the Arizona courtroom. One authorizes a “pen register” and clearly isn’t a search warrant. The other document is more complex. The prosecution says it is a type of search warrant and that a finding of probable cause was made.

But the defense argues that it can’t be a proper search warrant, because among other things it allowed investigators to delete all the tracking data collected, rather than reporting back to the judge.

[snip]

In the Rigmaiden example, investigators used the stingray to narrow down the location of the broadband card. Then they went to the apartment complex’s office and learned that one resident had used a false ID and a fake tax return on the renter’s application, according to court documents.

Based on that evidence, they obtained a search warrant for the apartment. They found the broadband card connected to a computer.

Indeed, much of what we know about Stingrays comes from Rigmaiden’s years-long effort to demand details of how they used the Stingray to find him, and since he got released for time served, he has continued his efforts to uncover how they’ve been used.

What’s interesting about the Guardian report, then, is that the IRS itself owned a Stingray, which they were updating in 2009 and 2012, even as the government was being exposed for improperly using Stingrays without a warrant to prosecute tax fraud. Reports on Rigmaiden had suggested an FBI Stingray was used to catch him — and that may well be the case — but we now learn that they owned one before 2009 (so early enough to capture him with, presumably).

In Rigmaiden’s case, IRS was clearly partnering with FBI, so could have (and may have) used their Stingray. That would seem to be the case for all proper uses of the technology. So, among all the other things we should demand on Stingray use, one of them should be to limit their use to the FBI, which will increase the likelihood they’ll get properly noticed in any prosecution.

Stingrays and Public Safety Operations

In my piece on the loopholes in the new Stingray policy, I noted that public safety applications for Stingray use might fall under what the policy calls the “exceptional circumstances” that aren’t exigent but nevertheless don’t require a warrant.

I’m not sure whether the exigent/emergency use incorporates the public safety applications mentioned in the non-disclosure agreements localities sign with the FBI, or if that’s included in this oblique passage.

There may also be other circumstances in which, although exigent circumstances do not exist, the law does not require a search warrant and circumstances make obtaining a search warrant impracticable. In such cases, which we expect to be very limited, agents must first obtain approval from executive-level personnel at the agency’s headquarters and the relevant U.S. Attorney, and then from a Criminal Division DAAG. The Criminal Division shall keep track of the number of times the use of a cell-site simulator is approved under this subsection, as well as the circumstances underlying each such use.

In short, many, if not most, known uses are included in exceptions to the new policy.

We know there are public safety applications, because they are permitted even to localities by FBI’s Non-Disclosure Agreements.

[Image: Screen Shot 2015-09-07 at 4.52.54 PM]

I suspect these uses are for public events to both track the presence of known targets and to collect who was present in case of any terrorist event or other serious disruption. Indeed, for a lot of reasons — notably the odd testimony of FBI’s telecom forensics witness, the way FBI’s witnesses were bracketed off from investigators, and some oddness about when and how they found the brothers’ phones (and therefore the brothers) — I suspect someone was running Stingrays at the Boston Marathon. A Stingray (or many) deployed at public events to help protect them (assuming, of course, the terrorists that attack such an event aren’t narcs for the DEA, as people have speculated Tamerlan Tsarnaev was).

Newsweek asked DOJ whether that exceptional circumstances paragraph covered the use of Stingrays in public places included in a policy released by the FBI in December and they confirmed it is (here’s my post on the December release, which anticipates all the loopholes in the policy I IDed the other day).

In December 2014, the FBI, which falls under Justice Department’s new policy, explained to members of Congress the situations in which it does not need a warrant to deploy the technology. They include: “(1) cases that pose an imminent danger to public safety, (2) cases that involve a fugitive, or (3) cases in which the technology is used in public places or other locations at which the FBI deems there is no reasonable expectation of privacy.”

Newsweek reached out to the Justice Department to determine whether its new policy allows the FBI to continue using stingrays without warrants in public places. In short, it does, fitting within the policy’s “exceptional circumstances” category.

“If somebody is in a public park, that is a public space,” Patrick Rodenbush, a Justice Department spokesman, says as an example, adding the condition that “circumstances on the ground make obtaining a warrant impracticable,” though he did not elaborate on what “impracticable” entails. But the dragnet nature of stingray collection means cellphone data of a person sitting in a nearby house may be picked up as well. “That’s why we have the deletion policy that we do,” Rodenbush responds. “In some cases it’s everyday that [bystander information] is deleted, it depends what they are using it for.… In some cases it is a maximum of 30 days.”

He adds: “The circumstances under which this exception will be granted will be very limited. Agents operating under this exception are still required to obtain a court order pursuant to the Pen Register Statute, and comply with the policy’s requirements to obtain senior-level department approval.”

Equally important as admitting that DOJ will use this in public places (like big sporting events) is Rodenbush’s confirmation that DOJ will obtain only Pen Registers for these uses.

That means they’ll virtually never get noticed to defendants, because the government will claim the evidence did not get introduced in court (just as no evidence collected from a Stingray was introduced, if they were used, in Dzhokhar’s case; in Dzhokhar’s case there was always another GPS device that showed his location).

The more I review this new policy and the December one the more I’m convinced they change almost nothing except the notice to the judge and the minimization (both still important improvements), except insofar as they recreate ignorance of Stingray use precisely in cases like public safety operations.

 

Did FBI Use Katrina as an Excuse for DIY Location Collection?

[Image: fisa-prtt-bar-graph]

Last week, Muckrock’s Shawn Musgrave wrote a piece showing that, in the wake of Katrina and a slew of other 2005 hurricanes, in 2006 FBI’s Wireless Intercept and Tracking Team said they needed more equipment from Harris Corporation, the maker of Stingrays. They justified it because the hurricanes degraded the capabilities of something, which remains redacted. But as Musgrave notes, the storms took out a lot of the telecom infrastructure, which may be what the redacted passages describe.

“In the summer of 2005, the U.S. Gulf Coast bore the brunt of several hurricanes, including Hurricane Katrina which severely degraded the capabilities of the [redacted],” the memo reads in part. Subsequent, heavily redacted sentences suggest that the storm crippled the FBI’s capacity to conduct certain types of cell phone tracking operations via equipment on-hand at the time of landfall.

[snip]

Hurricane Katrina incapacitated wide swaths of telecommunications infrastructure along the Gulf Coast, including thousands of cell phone towers. Power outages also meant many people were unable to recharge their mobile devices. It’s thus unclear which Harris Corporation product the FBI’s cell phone tracking team identified as a critical solution.

In other words, it appears that almost a year after Katrina, the FBI used the 2005 damage to telecom infrastructure as justification for getting an urgent purchase of Harris equipment, possibly Stingrays, approved.

I find the timing curious. After all, Congress approved a slew of funding right after Katrina. And Congress was debating budgetary issues in October 2005. While there’s nothing that ties this request to a budget request, it just seems odd that FBI would have identified a need in September 2005, and then sat on that urgent request until the following July. Though that July request specifically mentioning Katrina seems to be the same request that got filed in March and was in process in April that did not mention Katrina in unredacted sections. That’s not as distant from the hurricanes that purportedly identified the need, but still an odd delay for something urgent.

There’s something else that was happening in 2005 and 2006, though, that may have been as central in creating a need for Stingrays as damage to telecom equipment caused by hurricanes.

On October 14, 2005, a magistrate judge in Texas refused a request to yoke a Pen Register order onto a subscriber record subpoena to obtain location data from a telecom. Then some other magistrates started joining in. This created two problems. First, how would FBI get that location information in criminal cases? But also, in December 2005, Congress moved towards limiting the use of Section 215 orders to things that may be obtained with a subpoena, a move that would become official with the renewal of the PATRIOT Act on March 9, 2006. So even while magistrates were hashing out how the FBI might obtain such information from telecoms in garden variety criminal cases (a debate that is currently before SCOTUS), FISC and the government appear to have been having the same debate behind closed doors. In February 2006, FISC required briefing on what appears to be a parallel use of PRTT combined with a subpoena — a FISA PRTT yoked to a Section 215 order. And while the exact timing isn’t clear, we know those combined orders ended in 2006.

In other words, hurricanes may have damaged telecom infrastructure leading FBI to rely more on Stingrays. But at the same time, the legal landscape for location requests was changing, perhaps even more dramatically on the FISA side than on the criminal side.

And we know — yesterday’s change in policy admitted to FISA uses for Stingrays, though we knew this already — that FBI does use Stingrays to obtain location data under FISA as well as under criminal cases.

Katrina may have created part of the need for FBI to do more Do It Yourself location tracking, bypassing the telecoms. But legal issues created a need too, and I’d be willing to bet that the big urgency to expand FBI’s DIY location tracking abilities in 2006 had quite a bit to do with the need to find another way of location tracking, preferably one with a lot fewer people reviewing the paperwork involved.

If I’m right, then it would suggest some interesting things about the fluctuations in PRTTs (I stole the table above from EPIC). That is, in 2006, there were significant drops in PRTTs, followed by a huge drop in 2008.

On the criminal side, FBI still gets PRTT orders when it uses a Stingray. I assume the same is true on the FISA side (though it would be a lot harder to enforce here, especially because no defendant would ever get notice). But we also know the government has been hiding bulk collection under single orders, so it wouldn’t take too many orders to incorporate a lot of people.

Did FBI stock up on Harris equipment because of the weather, or because of the law?

The Loopholes in DOJ’s New Stingray Policy

DOJ just announced a new policy on use of Stingrays which requires a warrant and minimization of incidentally-collected data. It’s big news and an important improvement off the status quo.

But there are a few loopholes.

Exigent and emergency uses

First, the policy reserves exigent uses. The exigent uses include most of DOJ agencies’ known uses of Stingrays now.

These include the need to protect human life or avert serious injury; the prevention of the imminent destruction of evidence; the hot pursuit of a fleeing felon; or the prevention of escape by a suspect or convicted fugitive from justice.

[snip]

In addition, in the subset of exigent situations where circumstances necessitate emergency pen register authority pursuant to 18 U.S.C. § 3125 (or the state equivalent), the emergency must be among those listed in Section 3125: immediate danger of death or serious bodily injury to any person; conspiratorial activities characteristic of organized crime; an immediate threat to a national security interest; or an ongoing attack on a protected computer (as defined in 18 U.S.C. § 1030) that constitutes a crime punishable by a term of imprisonment greater than one year.

We know the US Marshals are the most frequent admitted users of Stingrays — they’d be covered in prevention of escape by a fugitive. DEA seems to use them a lot (though I think more of that remains hidden). That’d include “conspiratorial activities characteristic of organized crime.” And it’s clear hackers are included here, which includes the first known use, to capture Daniel Rigmaiden.

And I’m not sure whether the exigent/emergency use incorporates the public safety applications mentioned in the non-disclosure agreements localities sign with the FBI, or if that’s included in this oblique passage.

There may also be other circumstances in which, although exigent circumstances do not exist, the law does not require a search warrant and circumstances make obtaining a search warrant impracticable. In such cases, which we expect to be very limited, agents must first obtain approval from executive-level personnel at the agency’s headquarters and the relevant U.S. Attorney, and then from a Criminal Division DAAG. The Criminal Division shall keep track of the number of times the use of a cell-site simulator is approved under this subsection, as well as the circumstances underlying each such use.

In short, many, if not most, known uses are included in exceptions to the new policy.

Notice to defendants

The many known uses of Stingrays where warrants would not be necessary — and where DOJ would therefore just be using a PRTT — are of particular importance given the way new disclosure requirements work. There are, to be sure, admirable new requirements to tell judges what the fuck they’re approving and what it means. But nothing explicitly says defendants will not get noticed. DOJ has said no past or current usage of Stingrays will get noticed to defendants. And all these non-warrant uses of Stingrays won’t be noticed either, probably. In other words, this returns things to the condition where defendants won’t know — because they would normally expect to see a warrant that wouldn’t exist in these non-warrant uses.

Sharing with localities

The policy doesn’t apply to localities, which increasingly have their own Stingrays they permit federal agencies to use. Curiously, the language applying this policy to federal cooperation with localities would suggest the federal rules only apply if the Feds are supporting localities, not if the reverse (FBI borrowing Buffalo’s Stingray, for example) is the case.

The Department often works closely with its State and Local law enforcement partners and provides technological assistance under a variety of circumstances. This policy applies to all instances in which Department components use cell-site simulators in support of other Federal agencies and/or State and Local law enforcement agencies.

Thus, it may leave a big out for the kind of cooperation we know to exist.

National security uses

Then, of course, the policy only applies in the criminal context, though DOJ claims it will adopt a policy “consistent” with this one on the FISC side.

This policy applies to the use of cell-site simulator technology inside the United States in furtherance of criminal investigations. When acting pursuant to the Foreign Intelligence Surveillance Act, Department of Justice components will make a probable-cause based showing and appropriate disclosures to the court in a manner that is consistent with the guidance set forth in this policy.

BREAKING! FBI has been using Stingrays in national security investigations! (Told ya!)

This language is itself slippery. FISC use of Stingrays probably won’t be consistent on the FISC side (even accounting for the many ways exigent uses could be claimed in national security situations), because we know that FISC already has different rules for PRTT on the FISC side, in that it permits collection of post cut through direct dialed numbers — things like extension numbers — so long as that gets minimized after the fact. The section on minimization here emphasizes the “law enforcement” application as well. So I would assume that not only will national security targets of Stingrays not get noticed on it, but they may use different minimization rules as well (especially given FBI’s 30 year retention for national security investigation data).

Other agencies’ use of Stingrays for content

DOJ suggests that DOJ never collects content using Stingrays by stating that its Stingrays always get set not to collect content.

Moreover, cell-site simulators used by the Department must be configured as pen registers, and may not be used to collect the contents of any communication, in accordance with 18 U.S.C. § 3127(3). This includes any data contained on the phone itself: the simulator does not remotely capture emails, texts, contact lists, images or any other data from the phone. In addition, Department cell-site simulators do not provide subscriber account information (for example, an account holder’s name, address, or telephone number).

But the rest of the policy makes it clear that department agents will work with other agencies on Stingray use. Some of those — such as JSOC — not only would have Stingrays that get content, but can even partner within the US with FBI. So DOJ hasn’t actually prohibited its agencies from getting content from a Stingray (domestically — it goes without saying they’re permitted to do so overseas), just that it won’t do so using its own Stingrays.

Funny definitional games

Finally, while not necessarily a loophole (or at least not one I completely understand yet), I’m interested in this definition.

In the context of this policy, the terms “collection” and “retention” are used to address only the unique technical process of identifying dialing, routing, addressing, or signaling information, as described by 18 U.S.C. § 3127(3), emitted by cellular devices. “Collection” means the process by which unique identifier signals are obtained; “retention” refers to the period during which the dialing, routing, addressing, or signaling information is utilized to locate or identify a target device, continuing until the point at which such information is deleted.

This definition (which only applies to this policy and therefore perhaps not to national security uses of Stingrays) employs an entirely different definition for collection and retention than other collection that relies on collection then software analysis. Under upstream collection, for example, the government calls this definition of “retention” something closer to “collection.” Don’t get me wrong — this is probably a better definition than that used in other contexts. But I find it funny that FBI employs such different uses of these words in very closely connected contexts.

So, in sum, this is a real victory, especially the bit about actually telling judges what they’re approving when they approve it.

But there are some pretty obvious loopholes here….


Update: ACLU also welcomes this while pointing to some of the limits of the policy.

Update: Here are some of my posts on the FISA uses of PRTT, including (we now know) Stingrays.

Why Do All the Stingray NDAs Date to 2011 to 2012?

The other day, the Baltimore Sun continued its great work on Stingrays with a report on the most recent court disclosure from the Baltimore Police Department, revealing that instead of the 4,300 uses of its Stingray that it testified to earlier this month, it had in fact used the Stingray 25,000 times, not counting the times it has used it in exigent situations.

While police said earlier this month that the agency had deployed a “Stingray” cell simulator device more than 4,300 times since 2007, Det. Michael Dressel testified Monday that the actual number of times used with a court order was north of 25,000 times. The lesser figure reflected the amount since the department changed the way it documents its use of the device.

[snip]

Dressel said there are a number of scenarios in which police can cite exigent circumstances and proceed without a court order or search warrant. He said he did not know the number of such instances.

The revelation, on its face, reveals two important points. That BPD, at least, doesn’t track all its uses of its Stingray. But also that at some point in time (the original count purported to date back to 2007), the department changed the way it counted Stingrays.

This post started as a reflection on the changing numbers Baltimore Police Department has given for its use of Stingrays. I learned after I posted that the Sun had retracted the 25,000 number.

That said, the now retracted article got me thinking about the date of all the Stingray NDAs.

The two complete non-disclosure agreements we’ve seen — from Erie (June 29, 2012) and Baltimore (July 13, 2011) — as well as some of the partial ones we’ve seen — Tacoma (December 19, 2012), Minneapolis (June 12, 2012), San Bernardino (December 7, 2012), Hillsborough, FL (around March 6, 2012) — all date to around the same 2011 to 2012 time period. But Stingray use goes back well before that, as the contracts released make clear. That’s all not long after the government started trying to protect its use of Stingray to find Daniel Rigmaiden (see the docket starting at document 465 and this contemporaneous coverage of it), which Stephanie Pell and Chris Soghoian point to as the first time use of a Stingray showed up in a criminal proceeding (see 29 ff).

That may not be the explanation — I can think of a number of other possibilities why, starting in 2011, the government changed how it approached Stingray secrecy — but it is a possibility. 2011 is also the year US v. Jones was briefed to SCOTUS, and also the year NSA ultimately gave up its efforts to get location as part of its phone dragnet. It at least appears possible that FBI started pushing out NDAs (or new NDAs) starting in 2011.

Is that what led to the change in how BPD counted these?

In any case, I’m increasingly wondering whether there’s a significant change that took place in 2011 with how the FBI administered Stingray use at the local level, which led, in that year and the next, to a whole new Nondisclosure regime.

 

Is There a Programmatic Stingray?

The NYT yesterday had a story on the secrecy surrounding Stingrays including these admissions from an FBI affidavit to explain the secrecy.

A fuller explanation of the F.B.I.’s position is provided in two publicly sworn affidavits about StingRay, including one filed in 2014 in Virginia. In the affidavit, a supervisory special agent, Bradley S. Morrison, said disclosure of the technology’s specifications would let criminals, including terrorists, “thwart the use of this technology.”

“Disclosure of even minor details” could harm law enforcement, he said, by letting “adversaries” put together the pieces of the technology like assembling a “jigsaw puzzle.” He said the F.B.I. had entered into the nondisclosure agreements with local authorities for those reasons. In addition, he said, the technology is related to homeland security and is therefore subject to federal control.

In a second affidavit, given in 2011, the same special agent acknowledged that the device could gather identifying information from phones of bystanders. Such data “from all wireless devices in the immediate area of the F.B.I. device that subscribe to a particular provider may be incidentally recorded, including those of innocent, nontarget devices.”

But, he added, that information is purged to ensure privacy rights.

In response, a bunch of smart people had an interesting conversation today about why the government is so secretive about them (start at this tweet).

My wildarseguess is that they’re hiding some kind of programmatic Stingray program. I think so for three reasons:

  • Any programmatic Stingray program would (have) been hidden by carve-outs in USA Freedom Act’s transparency provisions
  • At least one of the liberated non-disclosure agreements suggests ongoing obligations between localities and the FBI
  • FISC appears to have permitted more expansive versions of criminal PRTT programs

In past legislative debates the Intelligence Community revealed secret programs by defending them

I believe one of the best ways to see vague outlines of undisclosed domestic surveillance is to watch where the Intelligence Community is most intransigent on legislation.

When Michaels Mukasey and McConnell wrote a transparently bullshit response to a Russ Feingold effort to segregate incidentally collected US person data under FISA Amendments Act in early 2008, I guessed they were doing back door searches of that data. 4 and 5 years later (with the report on the reauthorization and Snowden disclosures, respectively), that was proven correct.

When the IC repeatedly and successfully defeated efforts to require some real connection between a target and the records collected using Section 215 in 2009 all while boasting they had used it in the Najibullah Zazi investigation, I guessed they were using Section 215 to collect bulky data. I even guessed that they had migrated Bush’s illegal wiretap program to Section 215 and PRTT (though a former prosecutor friend soon dissuaded me from pushing my PRTT analysis because, she pointed out, there was no way in hell PRTT could authorize a dragnet).

There were 3 parts of the USA Freedom Act which struck me as particularly notable in the same way. First, the government’s insistence on expanding the chaining process to include “connections” in addition to contacts; I strongly believe that indicates they ask cell companies to match up the various identities with a particular handset.

Then there were two kinds of programmatic collection that would not only not be shut down by the prohibition on bulk collection in the bill, but which were specifically excluded from individualized transparency reporting (in addition to back door searches and upstream domestic collection, but we already knew about both of those), because transparency in the bill only covered “communications.” The first is any kind of dragnet tied to a non-communication corporate name, such as a financial dragnet or hotel records. See this post for an explanation. USAF would not require individualized reporting on this collection at all. Particularly given that the bill would permit using corporate names as identifiers and would exclude that from transparency, I think reasonable people should assume that kind of bulky collection would continue unabated.

More interesting, though, the transparency provisions also appear to exempt tracking device collection from individualized reporting, because those aren’t considered “communications” (I believe it would also exempt cloud data but I don’t understand what this is yet). I don’t think the government could use “Harris Corporation” as an identifier (they wouldn’t need to anyway, because the FBI would be using the tool not collecting all of Harris’ data). But they could collect the tracking data on 310 million people and only need to report targets (which currently number in the hundreds, though there already is some gaming of the required US person target reporting).

Like a Stingray, which looks for one phone, but obtains the records of everyone in a cell area.

Which is why I love this quote from the NYT article:

Christopher Allen, an F.B.I. spokesman, said “location information is a vital component” of law enforcement. The agency, he said, “does not keep repositories of cell tower data for any purpose other than in connection with a specific investigation.”

The government currently collects phone records of some significant subset of 310 million Americans for the purposes of “specific investigations.” It’s just that they consider enterprise investigations to be “specific” and therefore every American to be “relevant.” The same may well apply to location data.

FBI’s non-disclosure agreement(s) suggests ongoing cooperation between local and federal law enforcement

We’ve already seen plenty of evidence that local law enforcement retain their ties and obligations to federal law enforcement, largely in the demands the Marshals Service puts on secrecy.

But as I lay out in this post, that seems to involve ongoing cooperation using the Stingray. An NDA liberated in MN specifically requires deconfliction of missions, indicating that multiple entities would use one Stingray at once.

That all seems to suggest a key part of this top-down hierarchical non-disclosure requirement involves that kind of mission-sharing.

Which is another way of saying that FBI probably relies on these local Stingrays.

FISC appears to permit more expansive PRTT programs than in criminal context

In this post and this one, I showed that the FISC-authorized use of PRTT relates to the criminal context but may not be bound by it. That’s significant, because we know where the government has obtained permission for Stingray use in the criminal context, they’ve often relied on PRTT.

In both the use of combined PRTT/215 orders to get location data and in the collection of Post-Cut Through Dialed Digits, FISC has reconsidered PRTT orders after magistrates challenged similar criminal uses. At least in the latter example, FISC permitted FBI to continue a more expansive collection even after it was prohibited in the criminal context, requiring only that FBI comply with Fourth Amendment protections using minimization (as I’ll show when I finally write up the remainder of the FISC opinions, this practice has early foundation in other FISC applications).

What becomes clear reviewing the public records (these reports say this explicitly) is that the 2002 DOJ directive against retaining PCTDD applies to the criminal context, not the FISA context. When judges started challenging FBI’s authority to retain PCTDD that might include content under criminal authorities, FBI fought for and won the authority to continue to treat PCTDD using minimization procedures, not deletion. And even the standard for retention of PCTDD that counts as content permits the affirmative investigative use of incidentally collected PCTDD that constitutes content in cases of “harm to the national security.”

Whateverthefuck that is.

Which is, I guess, how FBI still has 7 uses of PCTDD, including one new one since 2008.

In other words, the Stingray use we see glimpses of in the criminal and fugitive context may be far short of what FISC has permitted in the national security context, if it tracks other practice. And accused terrorists (or spies) would not get notice of any such PRTT use so long as it wasn’t entered into a criminal proceeding (there have been several instances where the government has seemed to suggest PRTT was used, but evidence from it was not entered into evidence).

All of this, of course, is speculative.

But there’s some reason the government is insisting on its expansive NDAs even while more and more people are discussing them. Hiding a more comprehensive program targeted at national security targets (terrorists and spies) might explain why the government is increasingly willing to forgo prosecutions of alleged criminals to keep what they’re doing with dragnets secret.

Update: Meanwhile, in NY, a judge has ordered the Erie County Sheriff to come clean on its Stingray use.

More Visibility on Stingrays

On New Year’s Eve, Chuck Grassley released details of ongoing discussions he and Patrick Leahy have had with the FBI about its use of Stingray (or IMSI catcher) technology, which the FBI and other agencies use to identify cell phone location. Also early last month, the Minneapolis Star-Tribune liberated copies of the documents Minnesota’s Bureau of Criminal Apprehension had to sign to get a Stingray (which are less redacted than an NDA released by the Tacoma Police Department to Muckrock in September). Together the documents provide new insight into how the FBI manages the use of Stingrays around the country.

In his release on Stingrays, Grassley revealed that FBI had recently changed its policy on Stingray use — though the “changed” policy probably affects very little Stingray use.

[W]e understand that the FBI’s new policy requires FBI agents to obtain a search warrant whenever a cell-site simulator is used as part of a FBI investigation or operation, unless one of several exceptions apply, including (among others): (1) cases that pose an imminent danger to public safety, (2) cases that involve a fugitive, or (3) cases in which the technology is used in public places or other locations at which the FBI deems there is no reasonable expectation of privacy.

We have concerns about the scope of the exceptions.  Specifically, we are concerned about whether the FBI and other law enforcement agencies have adequately considered the privacy interests of other individuals who are not the targets of the interception, but whose information is nevertheless being collected when these devices are being used.  We understand that the FBI believes that it can address these interests by maintaining that information for a short period of time and purging the information after it has been collected.  But there is a question as to whether this sufficiently safeguards privacy interests.

I say this probably doesn’t affect much Stingray use because we already know the US Marshals Service makes up a lot of the known Federal use of Stingrays (at least that use that obtains Pen Registers to use the Stingrays). They would presumably be hunting fugitives, which is one of the overly broad exceptions in FBI’s “new” policy. We discovered last year just how elastic the federal government’s interpretation of “imminent danger” can be. And the most common — and troubling — known use of Stingrays is in public spaces (like legal protests) to track participants.

Indeed, in the one known example where a Stingray was used to discover the identity of a suspect, Daniel Rigmaiden, the government got a warrant for its use, albeit one obtained without fully explaining how it works.

So it’s not clear that this “new” policy will change all that much. Moreover, Grassley is focused on federal use of the technology, and not the way federal use intersects with and controls local use.

Now couple that with this non-disclosure agreement (pages 10-15, h/t SanLeandroPrivacy) sent in June 2012. The NDA explains that,

Disclosing the existence of and the capabilities provided by such equipment/technology to the public would reveal sensitive technological capabilities possessed by the law enforcement community and may allow individuals who are the subject of investigation wherein this equipment/technology is used to employ countermeasures to avoid detection by law enforcement. This would not only potentially endanger the lives and physical safety of law enforcement officers and other individuals, but also adversely impact criminal and national security investigations.

If that’s such a big worry, then maybe it shouldn’t be so widely available in the first place? Also, I see how seamlessly the FBI moves from law enforcement to national security functions…

The NDA then goes on to tell the BCA the following (among other things):

  • BCA should only use it for “public safety operations or criminal investigations.”
  • BCA accepts liability for violations of Federal law, irrespective of the FBI approval, if any, of [redacted].
  • The BCA will [redacted] to ensure deconfliction of respective missions.

Then there’s a very long paragraph laying out something else the BCA “shall not” do.

So over the course of the NDA, we got from “law enforcement” purposes, to national security investigations, to “public safety operations.” The NDA clearly envisions FBI approval of some use of this technology, suggesting an ongoing relationship with this local agency. That is further established by FBI’s concern about “deconfliction of respective missions,” meaning FBI expects BCA to communicate about how it will use its Stingray with other agencies who might be using their Stingrays (or BCA’s Stingray?) in ways that might set off a turf war. Plus whatever that “shall not” paragraph says.

The point is, the FBI is not just demanding that BCA not tell anyone that it has a Stingray and how Stingrays are used (see this Chris Soghoian and Stephanie Pell paper for why that’s a futile fight anymore anyway). It is also demanding certain things about cooperation between agencies. And while that makes sense from a bureaucratic standpoint, it also may suggest there’s more reason to keep FBI involved in these local operations than just secrecy. After all, as more and more local police departments get Stingrays and sign these agreements with FBI, the FBI is assured there’s a network of Stingrays across the country that will be deployed if necessary. Given the inclusion of national security investigations in this NDA (which, after all, is all that FBI thought it needed to get NSA to collect all our phone records), it at least introduces the possibility of a more systematic FBI program for which the FBI relies on local Stingrays.

That’s just a latent concern of mine — we don’t yet have the proof of it (we’ll have to liberate far more NDAs to get it). But it does seem logical, given the role FBI is playing in this process, all in the guise of futile secrecy.

Why Are the US Marshals at the Center of All These Pen Registers?

The US Marshals Service shows up prominently in two Pen Register stories from yesterday.

First, as part of a great story from WSJ’s Jen Valentino-Devries mapping out how many federal criminal electronic records requests never get unsealed…

In eight years as a federal magistrate judge in Texas, Brian Owsley approved scores of government requests for electronic surveillance in connection with criminal investigations—then sealed them at the government’s request. The secrecy nagged at him.

So before he left the bench last year, the judge decided to unseal more than 100 of his own orders, along with the government’s legal justification for the surveillance. The investigations, he says, involved ordinary crimes such as bank robbery and drug trafficking, not “state secrets.” Most had long since ended.

A senior judge halted the effort with a one-paragraph order that offered no explanation for the decision and that itself was sealed.

She released this summary of all the Federal Pen Register/Trap and Trace requests in 2012. As she pointed out on Twitter, the greatest number of requests don’t come from FBI. They come from the USMS, which submitted almost half of all requests that year, with 9,132.

Then, the ACLU revealed that, just before an appointment to view Sarasota, Florida’s requests under the Pen Register authority to use Stingray IMSI catchers to identify cell locations, the US Marshals declared control over the records, claiming they had deputized the local cop who had made the requests.

Over the past several months, the ACLU has filed dozens of public records requests with Florida law enforcement agencies seeking information about their use of controversial cell phone tracking devices known as “stingrays.” (The devices are also known as “cell site simulators” or “IMSI catchers.”) Stingrays track phones by mimicking service providers’ cell towers and sending out powerful signals that trick nearby phones — including phones of countless bystanders — into sending their locations and identifying information.

The Florida agencies’ responses to our requests have varied widely, with some stonewalling and others releasing records. The most recent request went to the Sarasota Police Department, and the fallout from that request has raised red flag after red flag.

RED FLAG #1: The Sarasota Police initially told us that they had responsive records, including applications filed by and orders issued to a local detective under the state “trap and trace” statute that he had relied on for authorization to conduct stingray surveillance. That raised the first red flag, since trap and trace orders are typically used to gather limited information about the phone numbers of incoming calls, not to track cell phones inside private spaces or conduct dragnet surveillance. And, such orders require a very low legal standard. As one federal magistrate judge has held, police should be permitted to use stingrays only after obtaining a probable cause warrant, if at all.

RED FLAG #2: The Sarasota Police set up an appointment for us to inspect the applications and orders, as required by Florida law. But a few hours before that appointment, an assistant city attorney sent an email cancelling the meeting on the basis that the U.S. Marshals Service was claiming the records as their own and instructing the local cops not to release them. Their explanation: the Marshals Service had deputized the local officer, and therefore the records were actually the property of the federal government.

[snip]

RED FLAG #3: Realizing we weren’t going to get hold of the Sarasota Police Department’s copies of the applications and orders anytime soon, we asked the county court if we could obtain copies from its files. Incredibly, the court said it had no copies. The court doesn’t even have docket entries indicating that applications were filed or orders issued. Apparently, the local detective came to court with a single paper copy of the application and proposed order, and then walked out with the same papers once signed by a judge.

Court rules — and the First Amendment — require judges to retain copies of judicial records and to make them available to the public, but the court (and the detective) completely flouted those requirements here.

Valentino-Devries notes that a lot of the records being kept secret also involve cell location.

In 2011, magistrate judges in California complained that investigators were applying for pen registers without explicitly saying they wanted to use sophisticated cellphone-location trackers, called “stingrays,” which can be used to locate suspects. Stingrays gather phone-number information, along with other data transmitted by cellphones, by acting as fake cellphone towers. The 1986 surveillance law doesn’t contemplate such technology.

Mr. Owsley, the former Texas magistrate judge, says he had similar concerns about applications for “cell-tower dumps,” in which agents can obtain records of all phones within range of specified cell towers over time—including people who aren’t suspected of a crime.

While we don’t yet know how many of the 9,000 requests the Marshals made in 2012 were for location data, the coincidence is mighty interesting.

The Marshals do have cause to search for suspects’ location. They claim they arrest over 300 wanted fugitives a day. That’s where stingrays would be particularly useful, as they would help to identify the location of a known suspect.

So how often are the Marshals using stingrays to do their work? And to what degree do they do so hiding behind even more obscure local pen register laws?