To be a human in modern society is to generate data. The things we carry on our bodies — as deliberate as smartwatches or fitness trackers, and as seemingly innocuous as a flip phone — are all collecting and transmitting data.
Most of this is functional data, the bits needed for a machine to work and interact with the other machines that together create a communications network. Yet even that incidental data is meaningful, and personally identifiable. And, as reported by the Associated Press earlier this week, the same tools used by domestic law enforcement and intelligence agencies to collect that data have been used by other, nefarious actors to pick up on that same ambient data.
The devices in question are “StingRays,” small machines that mimic the functions of cellphone towers in order to scoop up the data sent out from nearby phones. Here’s how Ars Technica explained the technology in 2013: It’s a box-shaped portable device, sometimes described as an “IMSI catcher,” that gathers information from phones by sending out a signal that tricks them into connecting to it.
The StingRay can be covertly set up virtually anywhere — in the back of a vehicle, for instance — and can be used over a targeted radius to collect hundreds of unique phone identifying codes, such as the International Mobile Subscriber Number (IMSI) and the Electronic Serial Number (ESM). The authorities can then hone in on specific phones of interest to monitor the location of the user in real-time or use the spy tool to log a record of all phones in a targeted area at a particular time.
For years, StingRays have attracted particular attention from civil liberties organizations within the United States. Both the ACLU and the Electronic Frontiers Foundation, for example, have primers on how StingRays work and the privacy concerns involved. And what makes a StingRay useful for law enforcement is what makes it useful for foreign intelligence: the machines can discreetly record tremendous amounts of information about people in an area or about a specific person in an area, and can do it unobtrusively by just relying on how cellphones operate.
The agency acknowledges that it has “observed anomalous activity in the National Capital Region (NCR) that appears to be consistent with International Mobile Subscriber Identity (IMSI) catchers,” though it does not identify specific types of devices discovered. Why is that? Well, the letter concludes by noting that in order to specifically detect StingRays, DHS will need more funding for new technology.
This is a curious challenge, because (as Wyden asks) StingRays that work on LTE and 4th generation networks are openly advertised by the companies that produce the surveillance tools, but DHS again reiterates that it does not have the ability to detect these surveillance devices in the wild. (While the D.C. area is the only named region where these anomalous StingRays have been observed, the letter notes in carefully couched language that this illicit cellphone data collection is likely happening in other American cities, too).
This is an entirely foreseeable asymmetry.
From the moment the first StingRays were developed and deployed, it should have been obvious that the tool’s data collection abilities would be of interest to anyone looking to track specific individuals in government, be they members of Congress or the various staffers and intermediaries that make Washington run. Figuring out the details of those lives, the patterns of movement, the in-person meetings between two people of interest, maybe even scooped and recorded calls, could all make the work of a foreign intelligence service much easier.
That DHS cannot at present even reliably detect if such devices are in place, much less figure out a way to mitigate their power, speaks to a lack of imagination. From the moment the first StingRay was tested and marketed to law enforcement, it would have made sense for DHS’s Science and Technology Directorate to set about devising countermeasure and detection tools.