Proposed Santa Clara County cellphone tracker has high potential for abuse, say critics
By Eric Kurhi
A sheriff's proposal in Santa Clara County is placing new scrutiny on a surveillance technology already in use around the Bay Area -- a cellphone tracking system that may help in the war on crime but has the ability to infringe on innocent bystanders' privacy.
The technology in question -- which was quietly implemented in San Jose, Oakland and Fremont but will get a public hearing Tuesday when supervisors are asked to approve its purchase -- is a suitcase-sized device that mimics a cellphone tower to connect with all phones in a specific area. How large an area is one of many aspects that agencies have not made known, citing nondisclosure agreements regarding the technology. Sheriff's officials said it will be used purely to locate the subject of an investigation since it can find a phone through walls, even if the owner isn't making a call.
But privacy advocates argue that it can do far more than that -- for instance, scooping up details about the phone use of thousands of people at a demonstration -- and have called for greater public disclosure when law enforcement agencies seek to acquire the devices and strict limits on how they are used in the field.
Commonly known by its brand name "StingRay," the device is technically called an "International Mobile Subscriber Identity catcher." When cellphones within its range connect, it harvests the IMSI from all of them, which could include data from thousands of unsuspecting people. If the authorities have the IMSI of a subject -- which sheriff's officials said they wouldn't obtain without a search warrant -- they can focus on where the phone's signal is coming from and, after moving the device a few times, triangulate a location to within 10 feet.
Alan Butler, legal counsel for the Washington, D.C.-based Electronic Privacy Information Center, said researchers have successfully demonstrated it can be much more invasive.
"It could process calls, monitor what numbers are being called, reroute calls," Butler said. "There's a tech term called 'man-in-the-middle attack,' where if it's between me and the phone company tower, I would think I'm connected to AT&T but in reality in between is the phony tower."
Butler said it could also work to identify an unknown person of interest. The target's IMSI could be collected along with everyone else's in a given area, such as a street corner known as a hot spot for crime. Another sweep could be done when the person is at a new site and a comparison of codes found in both locations would reveal the repeated digits belonging to the subject.
"It's a unique ID that might as well be your Social Security number," Butler said. "It is tied to your device and your account, the thing that is always in your pocket. It's an identifier that can be used to track you wherever you go."
And Butler said it's not hard for authorities to find out who is behind that number.
"Typically subscriber information can be obtained by law enforcement without any court order whatsoever," he said.
That kind of function is of grave concern, said Nadia Kayyali of the San Francisco-based Electronic Frontier Foundation, which has been closely watching jurisdictions that have acquired StingRays, including Oakland, Fremont and San Francisco.
"Nationwide, there has been at least one agency that said it intended to use it to collect data on protesters," Kayyali said.
The ACLU has been pushing for local agencies to create a clear policy that would mandate a public vetting and evaluation of potentially invasive technology such as the cellphone interceptors and drones. Santa Clara County Supervisor Joe Simitian, who asked staff to look at such an ordinance in November, was concerned about the lack of opportunity for public input before the matter goes up for a vote Tuesday. Simitian said he would like to see the request -- which would be paid for by an approved $500,000 federal Homeland Security grant that expires in May -- put before a committee for discussion before returning to the board for a vote.
"Here we are at the point of approving it, and we don't have a draft policy and no real protections to prevent the misuse and abuse of technology," he said. "Without a complete understanding of what we are buying, how it will be used and what privacy measures will be in place, it's premature to say the least."
Kayyali said that while the StingRay in Oakland was quietly implemented, crowds raised a ruckus at City Council meetings last year when that city aimed to create a sort of one-stop shop for collected information called the Domain Awareness Center. The backlash resulted in a scaled-down vision for the surveillance hub and a privacy ordinance moving through committee that, if approved, would be among the "strongest in the country." It would set very specific rules regarding collected information, including that from the StingRay, defining who can access it and how it can be used.
While such proposals are encouraging, Kayyali said it's been "incredibly frustrating to see this keep happening again and again in the Bay Area. If there's a silver lining, it's that when people do hear about these things the concern is real."