And how it might change what cops can do with our smartphones.
On a warm summer’s day in 2008, police spotted a man walking outside his
apartment in Santa Clara, California, one of the many bedroom communities
spread across Silicon Valley. Undercover FBI officers saw him outside the
building and began following him on foot, radioing to their colleagues nearby.
The man saw the agents, and so he began to walk quickly. They followed suit.
After months of tracking him via sting bank accounts and confidential
informants, the officers had their man. He had told the apartment complex’s
manager that he was Steven Travis Brawner, software engineer: a profile that
fit right in with many other tenants in the area. But at the time of his
arrest, officers didn’t know his real name: After watching his activities at a distance,
they called him simply the “Hacker.” Between 2005 and 2008, federal
investigators believed that the Hacker and two other men filed over 1,900 fake
tax returns online, yielding $4 million sent to over 170 bank accounts.
The Hacker was found out through the warrantless use of a secretive
surveillance technology known as a stingray, which snoops on cell phones.
Stingrays, or cell-site simulators, act as false cell phone towers that trick
phones into giving up their location. They have become yet another tool in many
agencies’ toolbox, and their use has expanded with little oversight—and no
public knowledge that they were even being used until the Hacker went on an
obsessive quest to find out just how law enforcement tracked him that summer
day. When he tugged on that thread, he found out something else: that police
might be tracking a lot more than we even know on our phones, often without the
warrants that are usually needed for comparable methods of invasive
surveillance.
The Hacker began breathing more heavily. He may have thought about
heading toward the nearby train station, which would take him out of town, or
perhaps towards the San Jose International Airport, just three miles away. The
Hacker couldn’t be sure if there were cops following him, or if he was just
being paranoid. But as soon as he saw the marked Santa Clara Police Department
cars, he knew the truth, and he started running.
But the Hacker didn’t get far. He was quickly surrounded, arrested and
searched. The police found the key to the Hacker’s apartment. Later, after
police obtained a warrant to search his apartment, they found there a folding
chair and a folding table that served as a desk. There was no other
furniture—his bed was a cot. Law enforcement also found his Verizon Wireless mobile
Internet AirCard, and false driver’s licenses with the names “Steven Travis
Brawner,” “Patrick Stout” and more. A 2010 FBI press release later stated that
the agency also “seized a laptop and multiple hard drives, $116,340 in cash,
over $208,000 in gold coins, approximately $10,000 in silver coins, false
identification documents, false identification manufacturing equipment, and
surveillance equipment.”
Investigators identified the Hacker, via his fingerprints, as Daniel
Rigmaiden, previously convicted of state-level misdemeanors. According to an
Internal Revenue Service special agent’s search warrant, Rigmaiden’s computer
also included “email regarding leaving the United States for the country of
Dominica . . . [and] documents regarding obtaining citizenship in other
countries; emails regarding paying off Dominican officials to get Dominican
birth certificates and passports; and a Belize residency guide.”
Rigmaiden’s case dates back several years. In 2007 and early 2008, the
IRS identified a bank account at Compass Bank in Phoenix that was receiving
fraudulent tax refunds under an LLC as being involved in the possible scheme.
Rigmaiden’s indictment was initially sealed, pending cooperation with a
federal investigation. But from the start, Rigmaiden declined to cooperate, and
moved to represent himself (after firing three attorneys), and the case was
subsequently unsealed in 2009.
“The question is what’s the law that governs its use?” Eric King, a
longtime London-based privacy activist, said when I asked him about the
stingray. “We know that the police have them and we know that the police use
them, not that they’ve ever admitted it, and have done so for 10 years. They
refuse to engage, they refuse to say that they bought them. We need a public
debate around this sort of stuff.”
That debate is very slowly starting to happen. And that is due, in large
part, to Rigmaiden’s unlikely exposure of the stingray.
***
Rigmaiden found out about fraudulent tax return schemes in the
mid-2000s. He quickly figured out that tax returns are largely voluntary. The
IRS simply doesn’t have enough agents and auditors to do a thorough check of
everyone. Most IRS personnel do the best they can, but a few slip through the
cracks. This meant that Rigmaiden could file a fake tax return for someone who
had died, and pocket the refund. He would file dozens at a time, sometimes
more, before one would come back with money. His first successful one netted
$9,000. “I was going to make a million and then I was going to stop,” he said.
(He told WNYC’s podcast Note to Self in 2015 that he was planning
on leaving the country after making the million dollars.)
In late 2007, Rigmaiden moved to Santa Clara. The city, then as now, is
home to students and lots of tech workers. He had a comfortable life in an
urban area, and lived near a train station and airport should he need to make a
quick getaway. But he knew that the longer he stayed in one place, the more
exposed to law enforcement he would be. Unbeknownst to the fraudster, federal
prosecutors in Arizona—one of the places where he had stashed his money—filed a
sealed indictment against Rigmaiden on July 23, 2008.
By the time he was arrested, Rigmaiden had made about $500,000. After
Rigmaiden was arrested in California, he was quickly transported to the
Florence Correctional Center, about 65 miles southeast of Phoenix. Despite
being incarcerated, Rigmaiden could not sit still. He knew that he had been
careful. He had used multiple fake identities, with fake documents, and paid in
cash. How could law enforcement have not only found him out, but found him in
his own apartment, where hardly anyone knew he lived?
Rigmaiden thought there might be something that the government wasn’t
telling him—there might be some secret surveillance tool afoot. He tried
pressing his federal public defenders to listen, but they wouldn’t. Within two
months, he’d fired one of his lawyers, and then another. In essence, he didn’t
feel that they were technically sophisticated enough to be able to help him get
the answers he needed. Eventually, the accused fraudster got permission to
represent himself (pro se), a legally risky move.
Once he was representing himself, he was allowed to use the law library
for five hours a day (up from the usual three hours a week). It became a full-time
job, immersing himself in legal procedures—but it was likely the most
productive way to spend his time behind bars. Fortunately, at the beginning, a
fellow inmate and disbarred attorney helped him out with some of the basics,
including general court procedure, how to draft a motion and correct legal
citation. By October 2009, Rigmaiden had received boxes and boxes (over 14,000
pages in total) of criminal discovery that would help him understand how the
government planned to prosecute its case. In the penultimate box, he saw the
word “stingray” in a set of notes.
As a prisoner, he wasn’t allowed Internet access, but sometimes a “case
manager,” a sort of guidance counselor, could be convinced to run online
searches for inmates who were pursuing legal research. Through this process,
Rigmaiden located a Harris Corporation brochure with the StingRay name. Bingo.
The device advertised various types of cellular interception.
Although Rigmaiden was pro se, he had a shadow counsel, or a
lawyer who was ready to step in if the pro se defendant wished
to take on formal counsel. That lawyer had a paralegal, a man named Dan
Colmerauer. Rigmaiden could call Colmerauer from a jailhouse pay phone and ask
him to run Google searches for him, and tell him the results by phone. Then
Colmerauer would print those webpages, and put them in the mail to Rigmaiden,
who in turn would have to make handwritten notes about which links to follow
and mail that back to Colmerauer. It’s how he found out everything he knew
about stingrays.
While StingRay is a trademark, stingray has since
become so ubiquitous in law enforcement and national security circles as to
also often act as the catch-all generic term—like Kleenex or Xerox. A stingray
acts as a fake cell tower and forces cell phones and other mobile devices using
a cell network (like Rigmaiden’s AirCard, which provided his laptop with
Internet access) to communicate with it rather than with a bona fide mobile
network. Stingrays are big boxes—roughly the size of a laser printer—like something
out of a 1950s-era switchboard, with all kinds of knobs and dials and readouts.
Stingrays can easily be hidden inside a police surveillance van or another
nearby location.
All of our cell phones rely on a network of towers and antennas that
relay our signal back to the network and then connect us to the person that
we’re communicating with. As we move across a city, mobile networks seamlessly
hand off our call from one tower to the next, usually providing an
uninterrupted call. But in order for the system to work, the mobile phone
provider needs to know where the phone actually is so that it can direct a
signal to it. It does so by sending a short message to the phone nearly
constantly—in industry terminology this is known as a ping. The message basically
is asking the phone: “Are you there?” And your phone responds: “Yes, I’m here.”
(Think of it as roughly the mobile phone version of the children’s swimming
pool game Marco Polo.) If your phone cannot receive a ping, it cannot receive
service. The bottom line is, if your phone can receive service, then the mobile
provider (and possibly the cops, too) know where you are.
Rigmaiden eventually pieced together the story of his capture. Police
found him by tracking his Internet Protocol (IP) address online first, and then
taking it to Verizon Wireless, the Internet service provider connected with the
account. Verizon provided records that showed that the AirCard associated with
the IP address was transmitting through certain cell towers in certain parts of
Santa Clara. Likely by using a stingray, the police found the exact block of
apartments where Rigmaiden lived.
This tracking technology is even more invasive than law enforcement
presenting a court order for location data to a mobile phone provider, because
rather than have the government provide a court order for a company to hand
over data, the stingray simply eliminates the middleman. The government, armed
with its own stingray, can simply pluck the phone’s location (and possibly the
contents of calls, text messages or any other unencrypted data being
transmitted at the time, depending on the configuration) directly out of the
air.
The Harris Corporation, a longstanding American military contractor,
won’t say exactly how stingrays work, or exactly who it’s selling to, but it’s
safe to say that it’s selling to lots of federal agencies and, by extension,
local law enforcement. The company’s 2017 annual financial report filed with
the Securities and Exchange Commission shows that in recent years Harris has
increased its sales of surveillance equipment and related tactical radio
systems. It works with not only the U.S. military and law enforcement, but also
Canada, Australia, Poland and Brazil, among other countries. The company has
profited over $1.8 billion from fiscal year 2013 through 2017.
A 2008 price list shows that its StingRays, KingFish and related devices
sell for tens to hundreds of thousands of dollars. But like everything else in
the tech world, they’re getting cheaper, smaller and better all the time.
As with many other enforcement tools, the federal government has used
grants to encourage local law enforcement to acquire stingrays in the name of
fighting terrorism. But, as the Rigmaiden case shows, over time, particularly
as these tools become cheaper and more commonplace, they’re used to bust
criminal suspects like him.
So far, judges and courts are not in universal agreement over whether locating
a person or device, as the stingray helps to do, should require a warrant.
Stingrays don’t necessarily mean that conversation will be picked up, so
wiretap laws, which require warrants, don’t apply. In most cases, police
officers would need at least a “pen register” court order, named for a kind of
technology that allows police to get call logs. The pen register court order
has lesser standards than a warrant: Rather than requiring that officers show
probable cause, a pen register court order requires only that law enforcement
show relevance to an ongoing investigation. But stingrays are more invasive
than pen registers, and as Rigmaiden’s case would show, law enforcement didn’t
have any kind of specified protocol about what it needs to do to use this new
technology.
As 2010 rolled around, Rigmaiden decided that he needed allies. He began
sending his case details and research file out to various privacy and civil
liberties organizations, including the American Civil Liberties Union (ACLU)
and the Electronic Frontier Foundation (EFF). There were likely two major red
flags that led to him being ignored—he was representing himself without the
benefit of counsel, and believed that the government had used some secret surveillance
tool against him. They likely thought he was totally nuts—despite the fact that
there was already some evidence that the police were using phones as tracking
devices. None of the organizations ever responded.
One of the people Rigmaiden sent his file to was Christopher Soghoian, a
bearded and ambitious privacy researcher. At the time, Soghoian was a computer
science doctoral student always looking for another way to push the envelope,
as well as discover how surveillance was actually being conducted in the real
world. Years earlier, as a first-year doctoral student at Indiana University,
Soghoian figured out by futzing around with Facebook which of his classmates
likely moonlighted at local strip clubs. In 2009 and 2010, Soghoian worked at
the Federal Trade Commission, and at one point used his government ID to get
into a security industry trade show and made a surreptitious recording of
Sprint executives bragging about how they’d handed over customers’ GPS
information to law enforcement eight million times in a single year. In short,
Soghoian was the perfect match for Rigmaiden.
On Monday April 11, 2011, while visiting the offices of the EFF in San
Francisco, Soghoian received an unsolicited e-mail from Colmerauer.
Dear Mr. Sohoian [sic],
Daniel Rigmaiden instructed me to e-mail you the attached Memorandum. This
is in regard to cell phone tracking and locating. He thinks it may be of
interest to you but you may have to read past the introduction before
understanding why. If you want the exhibits please e-mail Dan Colmerauer at screenwriter2@earthlink.net and
make said request. Dictated but not read.
Daniel Rigmaiden
Soghoian tried to get other lawyers that he knew interested, but they
saw the extensive pro se filings as a huge red flag. Lots of
people think they’re being surveilled by the government with secret technology,
but hardly anyone can prove it. Soghoian didn’t dismiss it out of hand. “My
reaction wasn’t, ‘what is this strange device,’” Soghoian told The Verge in
2016. “It was, ‘oh I read about this in graduate school.’ But I read about it
as a thing that was possible, not a thing that the police . . . were using.”
But the grad student was skeptical.
Still, Soghoian asked Colmerauer to send what he had. What Soghoian
received back was a 200-page “meticulously researched” document that had been
originally handwritten in a jailhouse library.
Soghoian understood how to get lawmakers’ attention—through the media
and advocacy organizations. He eventually sent it on to a friendly Wall
Street Journal reporter, Jennifer Valentino-DeVries, as she was
boarding a plane bound for Las Vegas, where she was going to attend the 2011
DEF CON, the annual hacker conference. On September 22, 2011,
Valentino-DeVries’ story hit the paper: “‘Stingray’ Phone Tracker Fuels Constitutional
Clash.” (It was her first front-page story for the Journal.)
This was also the first time that a major American media outlet had
reported on the issue, and likely how many lawmakers first heard about the
device that had already been in use for years. In short, Rigmaiden unveiled a
new chapter in the story of sophisticated surveillance to the public—citizens,
journalists, lawyers, judges—that law enforcement had already known for years,
mostly without telling anyone.
***
In February 2012, the Electronic Privacy Information Center (EPIC)
filed a FOIA request, which resulted in a lawsuit. Its efforts definitively
showed that government law enforcement agencies have not been completely
upfront about using stingrays when they asked federal magistrate judges for
permission to conduct electronic surveillance. In fact, search warrants have
generally not been used at all. Most police applications of this era seeking
judicial authorization for a stingray did not even mention the name of the
device, nor did they describe how it worked.
The Rigmaiden story in the Journal hadn’t only grabbed
the attention of journalists, but also the attention of lawyers. One lawyer,
Linda Lye of the ACLU of Northern California, took particular notice. Lye was
new to the ACLU, having largely focused on labor and civil rights issues in her
previous decade as an attorney. Quickly, Lye pushed the federal court in San
Francisco to unseal the court orders that had authorized the initial use of the
stingray against Rigmaiden, as it was unclear from the Arizona case (where the
prosecution against Rigmaiden was unfolding) what the order specifically
authorized the government to do.
“What on Earth was this technology?” she told me years later. “It seemed
that there would be all kinds of novel and troubling issues. What sort of court
authorization was being obtained? How widespread was it? It was also just a
very unlikely story.”
Initially what drew her in wasn’t the technology itself, but the fact
that the government was keeping “novel surveillance orders” a secret. In
October 2012, Lye and other ACLU and EFF attorneys decided that they would
formally jump into the case, not as Rigmaiden’s lawyer, but rather as amici, or
“friends of the court”—in this case, attorneys who were not party to a case but
could file a brief to articulate the broader social concerns it raised. They
wrote to the court, noting that this case would “likely result in the first
decision to address the constitutional implications” of stingrays.
In early May 2013, the judge ruled in the government’s favor on the
issue that Lye raised in court, finding that Rigmaiden lacked a “reasonable
expectation of privacy” while shrouded under multiple false identities—after
all, his AirCard, his apartment and postboxes that he paid for were all done
under fake names.
By late January 2014, Rigmaiden and federal prosecutors reached a plea
deal: He’d plead guilty and prosecutors would recommend that he be given a
sentence of time served. The agreement
was signed on April 9, 2014.
While the Rigmaiden case wound down, Soghoian (who had
joined the ACLU as its chief technologist) and his colleagues were just getting
started. The ACLU, along with other privacy groups, including EPIC and the EFF,
spearheaded efforts to speak publicly, file record requests, sue and campaign
for meaningful legislative reform.
Several months later, in April 2015, the New York Civil Liberties Union
(the New York State chapter of the ACLU) managed to do what no one else could:
successfully sue to obtain an unredacted copy of the NDA that the FBI had law
enforcement agencies sign when they acquired stingrays. In essence, the document explained
that due to the authorization granted by the Federal Communications Commission
to the Harris Corporation, any law
enforcement agency had to sign an NDA with the FBI. The
six-page letter essentially said that agencies that acquired stingrays could
not talk about them “in any manner including but not limited to: press
releases, in court documents, during judicial hearings, or during other public
forums or proceedings.”
In May 2015, the FBI issued a bizarre public statement saying that
despite the NDA’s language to the contrary, it “should not be construed to
prevent a law enforcement officer from disclosing to the court or a prosecutor
the fact that this technology was used in a particular case.”
Later that same month, Washington Governor Jay Inslee signed a bill that
passed both houses of the state legislature specifically requiring that law
enforcement seek a warrant before using a stingray. Rigmaiden worked on the
drafting of this bill with Jared Friend of the ACLU of Washington. (Before its
passage, Soghoian even testified in support of the bill.) Months later,
California followed suit, with its comprehensive California Electronic
Communications Privacy Act, which, among other things, also required a warrant
for stingray use.
But the most prominent change regarding stingrays came in September
2015, when the DOJ said it would require a warrant in most situations in which
a stingray is used. The policy, which took effect the day it was announced
(September 3, 2015), applied to numerous agencies, including the FBI; the
Bureau of Alcohol, Tobacco and Firearms; the Drug Enforcement Administration;
and the U.S. Marshals Service, among others.
The new state laws and federal policies came as a result of dogged
activism by the ACLU and other privacy groups, which all stemmed
from Rigmaiden’s case. After all, it was Rigmaiden who had initially reached out
to Soghoian and presented him with a 200-page memo on a technology that few
outside the government had known about. “It was the most well-researched memo
I’d ever seen on this technology,” Soghoian later told WNYC. “Written by a guy
rotting in jail.”
Now that lawyers know what to look for and how to challenge them, some
of those efforts have been successful. Notably, in March 2016 a state appellate
court in Maryland took local law enforcement to task, and ruled unequivocally:
“We determine that cell phone users have an objectively reasonable expectation
that their cell phones will not be used as real-time tracking devices through
the direct and active interference of law enforcement.” The three-judge panel
in the State of Maryland v. Andrews case also noted that such
a non-disclosure agreement is “inimical to the constitutional principles we
revere.”
In other words, judges now seem to be resoundingly echoing the 1967-era
Supreme Court language—“reasonable expectation of privacy”—of a landmark
privacy case known as Katz v. United States, finding that the use
of a stingray does require a warrant. But as of this writing, no cases
challenging the use of stingrays have reached the Supreme Court, so this legal
theory hasn’t been cemented just yet, as stingrays continue to be used in
everyday law enforcement.
What these judges have realized is that there is now a turning point
with respect to smartphones: We carry them with us and they hold all of our
secrets. No wonder the police find them valuable during an investigation. But
should the police need to get a warrant to find our phones? And what other
opportunities for high-tech, low-oversight surveillance might they offer in the
future?
***This article was excerpted from HABEAS DATA: PRIVACY VS. THE RISE OF
SURVEILLANCE TECH by Cyrus Farivar. Copyright © 2018 reprinted by permission of
the publisher, Melville House Publishing, LLC.