
ACLU sues Homeland Security over 'stingray' cell phone surveillance - mindgam3
https://techcrunch.com/2019/12/11/aclu-cbp-ice-stingray-surveillance/
======
mLuby
If we had a crowd-sourced database of cell towers (picture & coordinates)
wouldn't it then be straightforward to know (and report) when your phone
_wasn't_ connecting to a legitimate tower?

I for one want to make sure the _criminals_ aren't intercepting my signal with
home-made stingrays; the police have other lawful ways to get what they need.

~~~
bluGill
No, because the cell carriers have "tower in a box" kits that they make
available to various people. These are real towers, but they move often. If
you go to a large event (something like burning man, though I don't know if
they do for that specific event) there is a good chance the carrier has
scattered a few of these around the venue because the fixed location towers
(often miles away) would be overwhelmed and nobody would be able to use their
phones.

~~~
Fenrisulfr
Agreed - there are companies that specialize in ad-hoc towers to provide
service. Example: Mobilitie in Chicago. Very important piece of mobile data
infrastructure, but a rogue tower is still a real security risk.

------
abeppu
Some informed person can probably tell us: are there any technical
developments on the horizon which could plausibly make stingrays unviable?
From a lay perspective, it seems like cell tech hasn't been designed to meet
some criteria that ought to be achievable.

- Are there future cell technology standards being planned which would make
it harder for a 3rd party device to impersonate a cell tower? (e.g. the police
would actively need the cell network to help them sign something)

- Why can't we encrypt calls and texts in a way which doesn't let all this
stuff get read? Like (handwaving) either trust the network and encrypt with a
key they provide, or else some form of end-to-end encryption (where maybe
generating keys is part of what happens when you activate a sim card or
something)?

Like, sure the lawsuits are important, but why did we end up with a system
where these tools are possible?

~~~
PeterisP
The key factor is the compatibility with international roaming - customers,
manufacturers and operators really want the phone to "just work" when you step
out of a plane in a random place where the only cell tower in range is run by
an operator that was established after your phone was made. There can't be a
global list of 'trusted operators' for political reasons (long story), and in
order to make calls, your phone needs to work with that operator directly - it
can't do end-to-end to your home provider, your data streams won't get routed
halfway across the world and back for no good reason, they'll route only the
billing info and metadata as per the roaming agreements.

The other problem IIRC is virtual towers - when operator A gains improved
coverage by renting capacity on a tower of operator B, they want the phone to
seamlessly connect to that tower as if it's run by operator A (even if it's
not) without the phone being able to inform the customer that hey, you're now
connected to operator B - because it might raise confusion about roaming
charges, and also give bad PR about coverage which might suggest the customer
to switch to that competitor.

What could work is the combination of (a) your phone being able to
cryptographically verify if it's _really_ connected to your 'main' operator or
someone they explicitly authorized (isn't this something that 5g and even 4g
protocol supports?) and (b) requiring explicit confirmation if connecting to
someone that's not. Of course, (a) would mean that police Stingrays _would_ be
recognized as legitimate cell towers, they'd need cooperation from the cell
network, but that's IMHO not really a problem, just some paperwork whenever they
need to activate a new batch of intercepting devices.

~~~
tomlu
> The key factor is the compatibility with international roaming

You could have an encryption setting in the phone, and the handshake with the
network could have a bit telling you the setting isn't supported.

------
chishaku
Contribute to the ACLU here:

[https://action.aclu.org/give/now](https://action.aclu.org/give/now)

~~~
jammygit
Canadian equivalent: [https://ccla.org/give](https://ccla.org/give)

------
syshum
Hopefully, this puts to rest the idea that government can use "private
contracts" as an end-run around constitutional and legal restrictions on their
activity

They have been hiding behind the NDA as a reason they should not have to
follow federal disclosure laws, but never in the history of the law has a
private contract superseded the law itself.

They also hide behind these same NDAs when criminal defendants get to court
and want to challenge the use of the tech on 4th amendment grounds

Hopefully the ACLU can put an end to that, the government should not be able to
contract with any organization that prevents them from disclosing their
activity to the public. Seems law enforcement has lost sight of who they
answer to, which should be the people of this nation

~~~
arminiusreturns
The third party doctrine loophole is huge and not likely to be impacted very
much by this, unfortunately.

Here's a relevant talk from the National Constitution Center, if you want to
hear some of the nuance:
[https://www.youtube.com/watch?v=hW32k7x7zE0](https://www.youtube.com/watch?v=hW32k7x7zE0)

~~~
syshum
Third party doctrine has little to do with this case, I agree it is a problem,
but that is not what I was talking about in my post

The Third Party doctrine allows the Government to end run the 4th amendment if
you disclosed info to a 3rd party.

In this instance, the government is claiming they do not have to talk about
the technology at all, even to the point of proving it actually does what they
claim.

In criminal trials they treat it as a black box that is magical.. this should
not be allowed evidence collected by it directly or as a result of its use
should be barred unless the defence has access to the technology for
independent review

The government claims they do not have to disclose anything because they
signed a contract with the manufacturer saying they would not disclose
anything about the tech.

~~~
arminiusreturns
True, but I was talking about the actual issue primarily being that Stingrays
are mostly micro targeted, often with warrants due to costs, etc, while the
vast majority of cell providers have warrantless, sometimes even subpoena-less
web portals for LEAs to conduct spying operations on the public, or how the
vast majority of the cell tower companies (separate from the major providers)
themselves have the most useful information and do the same types of things.

While stingrays are an issue, the vast majority of spying on cell phone users
(read: vast majority of US pop) comes from those other mechanisms which do
employ the third party doctrine loopholes. I should have been more specific,
but you are right about Stingray.

~~~
syshum
Well some of that falls on Congress not the 4th amendment

We need to redefine data ownership in this country, not just to curb police
abuse, but to curb the abuse of corporations as well

That extends well beyond the 3rd party doctrine

------
calibas
Stingray use requires a warrant and every case should be dismissed where one
was used without a warrant. I'm sure that's the main reason they want to hide
the use of stingrays, they know they're doing something wrong.

Police having the ability to spy on everyone with little to no oversight is
nightmarish authoritarianism, it's completely against the spirit of American
democracy, not to mention in violation of The Constitution.

~~~
chaps
As part of some volunteer work I'm doing with Lucy Parsons Labs, I submitted a
FOIA request to every single state's largest city, asking for search warrant
records that would likely exist on complaints for search warrants, the
warrants themselves, or from any audit. About 100 requests in total.

After two months, only two cities have sent me their search warrant records.
All other states have given me rejections saying:

1. The records are on paper and never transcribed.

2. The records are digital, but there's no way to query from a frontend.

3. The records are digital and queryable, but the agency considers the use of
queries "creating reports", where tons of states have case law backing this
up.

4. Nothing, because they haven't responded yet.

So far I've received three enormous fee estimations of ~500k, ~400k and ~150k.
Obviously not affordable.

Chicago is one of the few cities that sent records (though, it took a _year_).
They've sent three separately sized files for the same timeframe - 11k
rows, 9k rows, and 20k rows. The data is messy, and there is some very
important info missing from their records. Can't speak too much about it yet,
since I'm still confirming the reasons. It's been blindingly frustrating
trying to get a consistent message about whether the data is even accurate.

All this goes to show that police agencies don't make records on search
warrants even remotely easily available to the public, and we have no way of
gauging whether our constitutional rights are being upheld throughout the US.
It's honestly very sad.

If you want to support this work and our other projects, please consider a
donation to Lucy Parsons Labs:
[https://lucyparsonslabs.com/support/](https://lucyparsonslabs.com/support/)

~~~
hanniabu
Ahhh, good ol' government inefficiencies and obfuscation. I have no faith in
there ever being efficient systems in place because it'll just make it harder
to hide shady behavior.

~~~
qrbLPHiKpiux
That’s how it’s been developed, continues, and planned. If it wasn’t, it
wouldn’t be like this.

------
RandomGuyDTB
Stingrays have been known to be used by law enforcement for a decade now. It's
about bloody time more information than just "they are used" is opened to the
public.

~~~
8bitsrule
Seems they were in use for about 15 years -before- cellphones became a thing.
(See '2009 Utah case' here:
[https://www.wired.com/2014/03/stingray/](https://www.wired.com/2014/03/stingray/)
)

------
caconym_
Presumably Homeland Security and its child agencies are targeting everybody
within 100 miles of a border (~65% of the population) with any and every form
of surveillance they can think of, because why not? It's very legal, and very
cool.

~~~
r00fus
> It's very legal, and very cool.

With who? I'd really like to know who is copacetic with this kind of
surveillance state.

~~~
whatshisface
Cool as in "tacticool," like driving military surplus IED-hardened vehicles
around for small town policing.

~~~
opportune
Or staging a shootout over property theft in an area full of civilians

~~~
caconym_
or taking a guy to the hospital in chains so that doctors can spend the night
inspecting the inside of his rectum and colon with increasingly invasive
procedures because you think he might be hiding drugs in there

------
zw123456
Generally if the RSRP or RSSI increases significantly that is a dead giveaway
you are on a stingray. You don't really need an app to see that (google how to
see it for your phone type). Of course, it is always possible that your
carrier just turned up a new site closer to you but that is not something that
happens often and you can usually notice it.

Some comments about mm-wave 5G, keep in mind that mm-wave != 5G. But on
mm-wave stingray becomes more difficult due to the high directionality of short
wavelengths. But at lower bands, there is no advantage of 5G over 4G in terms
of resilience over stingray types of attacks (which are basically an L1
middleman attack, similar to age-old wifi types of spoofs).

~~~
_salmon
Watching signal strengths is all well and good, but you need historical data
to compare to. This is a viable option for a few sites (maybe near where you
live), but not an option when you're on the go.
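
An added example, not part of any comment in this thread: a sketch of the baseline comparison discussed above, where a serving-cell reading is judged against stored history for the same place, a known stationary cell is not flagged, and a place with no history gets no verdict. The cell IDs, location names, RSRP readings and the 15 dB threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

JUMP_DB = 15      # assumed: RSRP rise (dB) over the reference that counts as significant
MIN_SAMPLES = 3   # assumed: readings needed at a location before judging it

def build_baseline(history):
    """Group past (location, cell_id, rsrp_dbm) readings by location and cell."""
    baseline = defaultdict(lambda: defaultdict(list))
    for location, cell_id, rsrp in history:
        baseline[location][cell_id].append(rsrp)
    return baseline

def assess(baseline, location, cell_id, rsrp):
    """Classify one serving-cell reading against the history for that location."""
    cells = baseline.get(location, {})
    samples = [r for readings in cells.values() for r in readings]
    if len(samples) < MIN_SAMPLES:
        return "no-baseline"          # nothing to compare against (on the go)
    known = cell_id in cells
    # Known cell: compare with its own history. New cell: compare with the location.
    reference = median(cells[cell_id]) if known else median(samples)
    jumped = rsrp - reference >= JUMP_DB
    if not known and jumped:
        return "suspicious"           # never-seen cell that is also much stronger
    if not known or jumped:
        return "review"               # may be a new site or a temporary tower
    return "ok"

# Constructed history; cell 2001 is a long-standing femtocell on one street.
HISTORY = [
    ("home", 1001, -104), ("home", 1001, -106), ("home", 1001, -103),
    ("home", 1002, -112),
    ("street", 1001, -110), ("street", 1001, -108),
    ("street", 2001, -68), ("street", 2001, -70),
]

# Constructed new readings: (location, cell_id, rsrp_dbm).
OBSERVATIONS = [
    ("home", 1001, -105),     # usual cell, usual strength
    ("home", 9999, -62),      # unknown cell, far stronger than anything seen here
    ("street", 2001, -69),    # the femtocell: strong, but already in the baseline
    ("home", 1003, -109),     # unknown cell at ordinary strength
    ("airport", 5005, -60),   # no history for this place
    ("home", 1001, -85),      # known cell, sudden rise
]

def run(history=HISTORY, observations=OBSERVATIONS):
    baseline = build_baseline(history)
    return [assess(baseline, *obs) for obs in observations]

if __name__ == "__main__":
    for obs, verdict in zip(OBSERVATIONS, run()):
        print(obs, "->", verdict)
```

A "review" result is not an accusation: a newly commissioned site or a temporary event tower produces the same reading.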

------
jokoon
Knowing Bellard managed to build a 3G cell tower just by using a cheap
antenna, I guess it means anybody can build a stingray, although connecting to
the cellphone network might not be a trivial thing to do. No idea how
companies secure their networks, and I wonder if there are security standards
about it.

~~~
ColanR
Where might I find more information about this?

~~~
jokoon
[https://bellard.org/lte/](https://bellard.org/lte/)

Actually it's a 4G antenna. It's not a stingray, but to me, it's a big step
towards it if you're a black hat and can find a way to access the cellphone
network.

I have optimism and want to believe most big telcos have good security
practices and make it extremely difficult or impossible to connect to their
network. Although one might be able to do some social engineering and do it,
since the cellphone network requires a lot of antennas and manpower to install
and maintain them.

For example, imagine you set up a fake company that installs those antennas.
How can the telco make sure the antenna is not being moved around (monitoring
GPS of the connected smartphones, maybe checking the residency of users to see
if something is statistically fishy)? So in short, I tend to think it's not
very hard to penetrate cellphone networks, unless the telco spends enough
money to secure it and triple check their contractors.

------
rolph
after reading through the comments I found this on hackaday, it's from 2018;
seems germane to the current topics in thread:

[https://hackaday.com/tag/stingray/](https://hackaday.com/tag/stingray/)

the first paragraph is an intro speech of sorts then the real content begins.
There is an interesting article linked in that part so I want to bring it to
the fore.

[https://www.eff.org/deeplinks/2018/04/dhs-confirms-presence-...](https://www.eff.org/deeplinks/2018/04/dhs-confirms-presence-cell-site-simulators-us-capitol)

it seems that a number of factions may have been using "stingray" devices and
their contemporary equivalents for some time.

------
ga-vu
Source: [https://www.aclu.org/news/privacy-technology/ice-and-cbp-are...](https://www.aclu.org/news/privacy-technology/ice-and-cbp-are-secretly-tracking-us-using-stingrays-were-suing/)

For more insight and details.

------
greyhair
I have a femtocell in my home, because my small neighborhood sits in a dead
zone. Not a repeater, a full femtocell.

To the casual security conscious user, that is probably going to look like a
'stingray', since you will be walking down the street with a gradually
dropping RSSI, when all at once, boom, you walk into a five bar signal and
life is good.

It covers about a 300 ft radius with the most blessedly beautiful signal you
can imagine. Maxes out at 100Mb/S, since that is all the backhaul it gets from
the ISP where it is connected. (Not that I am complaining about 100/100 in the
house.)

But it isn't a Stingray. It is a fully secure registered femtocell base
station.

Given that it hasn't moved in five years, it may well be on someone's map of
established cell towers.

~~~
thatcat
Can you use this device to enumerate imei of passers-by?

~~~
greyhair
No. It is a closed secure box with ssl backhaul to the provider.

I was involved in the chip architecture for the silicon that is used in the
box as well as the software engineer involved in the secure boot path for the
cellular modems. It is one large chip with all the modems and application
processors in one chunk of silicon. No unencrypted data, air link or Ethernet
back haul, ever leaves the die.

From that, I am familiar with the physical design that the manufacturer
implemented. (We did a lot of support work to get the manufacturer up and
running)

They even go so far as to have a physical 'self destruct' button within the
box. If you try to physically open it, it will never boot again.

The service provider states in the documentation (when you get the box) that
if you tamper with the device such that the self-defeat gets activated, you
have to pay full retail for the now dead box (they provided the femtocell for
free if you live in a dead zone).

I laughed when I opened the retail box and that was the first thing in the
document stack. Basically a large font "you have been warned"

------
ljm
Watch Mr Robot and see this in action

------
tylerjwilk00
This made me wonder,

Do spoofed callers appear on a capture device as the spoofed number?

If so, you could in theory use law to target anyone by calling their number
using a spoofed number that is included on a surveillance order. Just keep
calling the numbers you want to monitor and the net keeps getting bigger.

Please tell me this is not the case?

~~~
_jal
Caller ID information is sent to the receiver by the switch.

If your switch is under your control (say, you're using Asterisk), you can
send whatever you want, as demonstrated nearly constantly by all those spam
calls.

------
kick
Is it just me, or has the ACLU been on a roll lately? I'm really enjoying its
current direction. It might have just been that the most controversial
headlines were getting the most airtime, but it seemed to be going off the
tracks for a while.

~~~
sachdevap
When was the ACLU going off the tracks exactly?

~~~
blotter_paper
I love the work that the ACLU does, but they've always been picking and
choosing which rights to actively support. See the opinion of the 2nd
amendment on their own website:
[https://www.aclu.org/other/second-amendment](https://www.aclu.org/other/second-amendment)

I personally don't hold the constitution as a sacred document, though I do
find that it aligns with my ideals more than the actual policies of modern
America. I could respect an organization being opposed to an amendment and
deciding not to defend it for that reason, but it's always been weird to me
that they have to hide behind a legal rationale rather than just admitting
their political opposition to individual gun rights.

I still love the ACLU, and in the past I've given them time (passing out
flyers, IANAL) and money despite these reservations. I'm really not trying to
hate on them, but I would consider them "off the tracks" in this regard.

~~~
ceejayoz
Are you concerned that organizations like the NRA are doing an insufficient
job defending the 2nd Amendment to the point where the ACLU desperately needs
to step in?

~~~
blotter_paper
The NRA is more an arm of the arms industry than it is an organization
actually interested in the rights of individual gun owners; for example,
they're in favor of making 3D printed guns illegal. This is good for the
industry, but would infringe on the currently recognised rights of
individuals. I think the Second Amendment Foundation would be a better example
of an organization that actually supports the 2nd. I do think our 2nd
amendment rights are slipping away (in the beginning we could own and sell
unregulated cannons), but I'm not presuming to tell the ACLU how to spend
their time and resources. As noted above, I _would_ appreciate a recognition
that their decision to not defend the 2nd is actually political rather than
legal in nature, which I believe is pretty obvious.

~~~
ceejayoz
> As noted above, I would appreciate a recognition that their decision to not
> defend the 2nd is actually political rather than legal in nature, which I
> believe is pretty obvious.

You're leaving out the third option, _practical_.

There are already well funded, effective organizations defending your
interpretation of the Second Amendment. It makes little sense for the ACLU to
divert resources to that endeavour as a result, even if they agreed with your
political view on the individual vs. collective right to bear arms.

~~~
blotter_paper
That would be fine, too! Knowing that the ACLU doesn't support the 2nd, I can
choose to support organizations that do in proportion to how much I care about
that amendment as opposed to the others. I'm totally cool with that. But
practicality is not their stated reason for not defending the 2nd, and if it
were their actual reason then I'm not sure what reason they would have to use
a legal rationale instead. If their actual reason is politics, it's pretty
obvious why they wouldn't want to admit that; it would alienate some people,
and make them appear more partisan.

------
no_opinions
Why not focus policies around using the surveillance tools?

The tools should be as powerful as possible. To keep people safe, shouldn't
infrastructure be powerful enough to tap anything instantly with proper
authorization, even backward in time? Why not?

Then we're focused on making rules better. Isn't that the best thing to do in
a system of laws and standards?

Imagine if you could change any aspect of the system to make it more
proportional, fair, ethical, whatever. Why not think about asking the right
questions, weighing the pros and cons, and tailoring a way to improve it with
minimum side effects?

Also, sometimes the regulations are so strict, it's dangerous.

For instance, here's an example where the rules around stingrays being so
strict led a guy to get away with murder (in eyes of the judge):

> Circuit Judge Yolanda Tanner said in court Monday that while she is
> suppressing the evidence “with great reluctance,” Copes is “likely guilty.”
> [https://arstechnica.com/tech-policy/2016/04/citing-unconstit...](https://arstechnica.com/tech-policy/2016/04/citing-unconstitutional-search-via-stingray-judge-suppresses-murder-evidence/)

I wonder what it would have been like had that case been in Florida. Which has
sweet inevitable evidence law.

~~~
abvdasker
> The tools should be as powerful as possible.

I think a lot of people would disagree with this premise. The argument against
it is basically that abuse of powerful surveillance technologies is inevitable
precisely because the technology is so powerful. In reality, law enforcement
is only incentivized to catch criminals, not necessarily to protect people's
privacy or personal freedoms, so LE will abuse these capabilities 100% of the
time they have access to them.

A more subtle argument is that bureaucratic oversight of LE is almost always
impotent to rein them in and has every reason not to do so due to a lack of
accountability. A "fair, ethical" system is fundamentally incompatible with
one in which law enforcement has sweeping surveillance capabilities and the
lack of oversight which always results from any sufficiently
large/slow/complex legal system.

~~~
no_opinions
> The argument against it is basically that abuse of powerful surveillance
> technologies is inevitable precisely because the technology is so powerful.

What would be some examples of an abuse?

What would be some examples of a powerful surveillance technology?

For instance, what "surveillance technology" isn't already an internal
diagnostic tool for day-to-day system administration for a telecom/service
provider?

Only difference is who picks the target and them having oversight (likely
having to provide a predicate/rationale). Why is this so bad?

If there's a lack of oversight, what rules and systems would you suggest to
prevent abuse, as you define it?

~~~
jimktrains2
I think that part of the issue is that blanket surveillance is as easier than
surveilling a single person used to be.

Also, it is possible to build systems where the admins can access the data or
metadata. End-to-end encryption, for example, prevents the admin from seeing the
contents of messages. Systems like Tor also prevent any one person from
knowing who everyone is and what they're saying. Mutual authentication can also help
establish that mitm attacks aren't happening, but that's a slightly different
problem than when there is access to the back end of the system being used.

