Taking the sting out of the Stingray: the dangers of cell-site simulator use and the role of the Federal Communications Commission in protecting privacy & security.

Author: Norman, Jason

TABLE OF CONTENTS

I. INTRODUCTION
II. BACKGROUND
    A. What is an IMSI Catcher, and How is it Used?
    B. Advanced IMSI Catcher Capabilities
III. LEGAL LANDSCAPE OF STINGRAY USE
    A. Exponentially Expanding Use of Technology in Law Enforcement
    B. Judicial History of Cellular Communications Privacy
        1. United States v. Rigmaiden--An Early Stingray Criminal Case
        2. Judicial Reclassification of Stingrays as Mobile Tracking Devices That Are Subject to Fourth Amendment Scrutiny.
    C. Questionable Legality of Law Enforcement Practices
        1. U.S. Marshals Service Requests That State and Local Police Departments Deceive Judges.
        2. The FBI and the DOJ Go to Extraordinary Lengths to Protect the Secrets of the Stingray.
        3. Judges and Legislators Have Responded Zealously to the Covert Use of Stingray Devices for Ordinary Criminal Law Enforcement Functions.
        4. Riley v. California--the Supreme Court Unanimously Holds That the Search of a Cellphone by Law Enforcement Requires a Warrant.
    D. Department of Justice Releases Enhanced Federal Cell-Site Simulator Use Policy.
        1. Stingray Data Collection Policy
        2. Exigency Includes the Absence of Exigency
            a. A New Mix and Match Exigency Paradigm?
            b. Which Came First, the Conspiracy or the Exigency?
            c. Immediate Threat to National Security According to Whom?
            d. What is the Computer Fraud and Abuse Act Doing Here?
        3. The Impossibility Exception
IV. FCC REGULATIONS PROHIBIT CELLPHONE SIGNAL JAMMING BY STATE AND LOCAL LAW ENFORCEMENT AGENCIES.
V. THE FCC SHOULD REQUIRE WIRELESS CARRIERS TO FOLLOW THE ENCRYPTION STANDARDS ESTABLISHED BY THE COMMUNICATIONS SECURITY, RELIABILITY, AND INTEROPERABILITY COUNCIL.
    A. Why the FCC Should Enact a Rule Requiring All New Cellular Devices to Comply with the Encryption Standards Established by the CSRIC Prior to License Issuance.
    B. Title II of the Communications Act Grants the FCC the Authority to Regulate the Encryption Standards of Cellular Device Manufacturers and Service Providers.
VI. THE FCC SHOULD REQUIRE SIM CARD MANUFACTURERS TO ENABLE CONSUMER ACCESS TO EXISTING SECURITY OPTIONS THAT ARE CURRENTLY DISABLED.
VII. CONCLUSION

I. INTRODUCTION

"The decisions we make about communication security today will determine the kind of society we live in tomorrow."

--Whitfield Diffie, Cryptography Pioneer, May 11, 1993. (1)

Data-driven law enforcement has increased at an alarming rate in post-9/11 America. The revelations of widespread data collection programs run by the National Security Agency ("NSA"), in the wake of classified information leaked by Edward Snowden, have given rise to serious public concern that government officials are covertly eroding the privacy of law-abiding citizens in the name of national security. (2) The electronic surveillance culture that emerged in the wake of the 9/11 terrorist attacks has given credence to privacy invasion at all levels of law enforcement.

One pervasive surveillance tool is the Stingray. (3) The Stingray can intercept all cellular communications, voice and data, within its broadcast range. This interception can include conversations, locations, email, contacts, and any other private data that the phone has stored in its local memory, all without the user's knowledge or consent. (4) In a bygone era, the distribution and use of Stingrays were the sole province of government agencies, but the decrease in cost, combined with the increase in publicly available knowledge of the capabilities of the device, has put the United States in a dangerous situation. (5) Setting aside for a moment the abusive uses of the Stingray by law enforcement that have recently come to light, and looking solely at the privacy and national security implications of having an insecure cellular network, there is an urgent need for a comprehensive security solution. The most sensible and efficient solution is for the Federal Communications Commission ("FCC") to mandate that wireless carriers utilize stronger encryption protocols to secure their networks, and that they enable customer access to existing security features that have been disabled by the SIM card manufacturers at the request of the service providers.

This note will provide background on how Stingrays work, discuss the impact they have on privacy and security, explain why their use undermines our justice system, and review the statutory authority that the FCC has to regulate them. Finally, this note will argue that the FCC should enact rules that mandate stronger wireless encryption standards and allow consumers to have access to existing security features to protect themselves against insecure transmissions.


    1. What is an IMSI Catcher, and How is it Used?

      An International Mobile Subscriber Identity ("IMSI" (/imzi:/)) catcher, the most popular brand of which is the Stingray, emulates a cellphone tower in a way that is impossible for a cellphone to distinguish from an authentic tower. (6) This allows the Stingray to capture any data that a cellphone would normally send to, or request from, a valid tower. (7) This data can include the cellphone's location, numbers dialed, text messages sent, websites requested, and any other data normally transmitted via airwaves. The use of these devices has become widely known in recent years in light of several lawsuits filed by the American Civil Liberties Union ("ACLU") and other watchdog organizations. As a result, it was uncovered that the warrantless use of Stingray devices by the Federal Bureau of Investigation ("FBI") and other agencies has been ongoing for approximately twenty years. (8) If not for the increased use of Stingrays for investigating domestic criminal activity, their rampant use might remain unknown to the public.

      The FBI refuses to release the specific capabilities of the device, even going as far as requiring state and local agencies to sign a non-disclosure agreement ("NDA") before they are allowed to purchase a Stingray. (9) This begs the question: if the Stingray's capabilities are so sensitive, why are local law enforcement agencies allowed to use them for domestic criminal investigations, since the evidence that they garner will necessarily require disclosure to a defendant in a criminal trial?

      Until recently, public perception was that the capabilities of IMSI catchers were similar to devices known as pen registers, which connect to hard-wired telephone lines and record information such as the time, duration, source, and destination of incoming and outgoing phone calls to or from a specific number. (10) This is partly because the government has repeatedly obtained warrants authorizing the use of Stingrays under the dated Pen Register and Trap and Trace statutes, which implies that the technology serves the same purpose. (11)

      In 2012, at a technology security conference known as DefCon, Kristin Paget conducted a demonstration using a basic laptop computer and about $1,500 worth of antennas and broadcast equipment, which showed that Stingrays are capable of much more than a simple pen register. (12) Paget configured a laptop to run a freely available software program called OpenBTS, which is an open source version of a cellular base tower station. (13) Paget successfully tricked thirty cellphones into connecting to the fake tower, at which time the IMSI catcher disabled the encryption on the phones, collected text messages, intercepted actual phone calls, not just the numbers dialed, and captured the encrypted keys used to authenticate the phone to a valid tower. (14) A simple software technique will break the encryption keys, allowing the same laptop to connect to a valid cell tower to receive incoming call data as well. Once the tower verifies the IMSI and encryption key of the signal, the cellphone provider cannot distinguish the false signal from the real one, meaning that there is little to no risk that both phones will attempt to connect to a valid tower simultaneously, potentially triggering an alert. (15) This demonstration clearly showed that Stingrays have a much broader range of capabilities than law enforcement officials have led us to believe.

    2. Advanced IMSI Catcher Capabilities

      IMSI catcher capabilities include the ability to monitor content as well as location, and the user has no reasonable method of detection. Until 2010, it was thought that a cellphone connected to a Stingray for the purpose of data interception would show a connection to a 2G (second-generation) tower, and that the user would see that this had occurred because the 3G connection indicator would disappear. (16) This is no longer accurate. Modern cell-site simulators can trick a cellphone into reporting a 3G connection, which would normally use stronger encryption to secure its transmissions, while actually transmitting data in the less secure 2G format. (17) The mode of security that a cellular device uses is determined by the tower providing the uplink at the time, and so the Stingray downgrades the strength of encryption by sending a simple command to the device it seeks to access. (18) The type of network a cellphone connects to is important, because a 2G connection often sends data over the airwaves in "plain text," technically known as A5/0 format, which means that the data is not encrypted and can be read by a Stingray without needing to be decrypted first. The major issue with this is that the user has no way to disable 2G mode on his device, meaning that he cannot prevent insecure connections from being established.
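
The tower's choice of cipher is visible in the signalling itself, so a handset or monitoring tool that inspects it can warn when no encryption was selected. The following is an added example, not part of the original note: it decodes the GSM CIPHERING MODE COMMAND under the assumption that the message follows the 3GPP TS 44.018 layout, and the function names and sample frames are constructed for illustration.

```python
"""Decode the GSM RR CIPHERING MODE COMMAND and flag plaintext (A5/0) links.

Assumed layout (3GPP TS 44.018): octet 1 = protocol discriminator, octet 2 =
message type, octet 3 = Cipher Mode Setting (bits 1-4) + Cipher Response
(bits 5-8). The sample frames are constructed, not captured traffic.
"""
from dataclasses import dataclass

RR_PROTOCOL_DISCRIMINATOR = 0x06
CIPHERING_MODE_COMMAND = 0x35


@dataclass
class CipherDecision:
    algorithm: str          # "A5/0" means the air link is unencrypted
    imeisv_requested: bool  # CR bit: tower asks the phone for its IMEISV
    warn: bool              # what a ciphering indicator would show the user


def decode_ciphering_mode_command(frame: bytes) -> CipherDecision:
    if len(frame) < 3:
        raise ValueError("frame too short")
    if frame[0] & 0x0F != RR_PROTOCOL_DISCRIMINATOR:
        raise ValueError("not a radio resource (RR) message")
    if frame[1] != CIPHERING_MODE_COMMAND:
        raise ValueError("not a CIPHERING MODE COMMAND")
    octet = frame[2]
    start_ciphering = bool(octet & 0x01)   # bit 1 (SC)
    algo_id = (octet >> 1) & 0x07          # bits 2-4, valid only if SC = 1
    imeisv_requested = bool(octet & 0x10)  # bit 5 (CR)
    if not start_ciphering:
        return CipherDecision("A5/0", imeisv_requested, warn=True)
    if algo_id == 7:
        raise ValueError("reserved algorithm identifier")
    return CipherDecision(f"A5/{algo_id + 1}", imeisv_requested, warn=False)


def plaintext_frames(frames):
    """Return indexes of frames in which the tower selected no encryption."""
    return [i for i, f in enumerate(frames)
            if decode_ciphering_mode_command(f).warn]


SAMPLE_FRAMES = [bytes.fromhex(h) for h in ("063501", "063505", "063510")]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(frame.hex(), decode_ciphering_mode_command(frame))
```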

      Because the cell-site tells a cellphone what encryption format to use and the user cannot disable an insecure protocol, there is no method available to prevent the transmission of unencrypted data upon a cell tower's request. There is an existing function on the Subscriber Identity Module ("SIM") card which, when enabled, will display a warning when a cellphone connects to an unencrypted tower. However, "GSM providers consider such a warning [to be] confusing for the users...
