Since May, as  protesters around the country have marched against police brutality and in support of the Black Lives Affair move, activists have spotted a recurring presence in the skies: mysterious planes and helicopters hovering overhead, apparently conducting surveillance on protesters. A press release from the Justice Department at the stop of May revealed that the Drug Enforcement Agency and U.Due south. Marshals Service were asked by the Justice Department to provide unspecified support to police enforcement during protests. A few days later, a memo obtained by BuzzFeed News offered a niggling more insight on the matter; information technology revealed that shortly later on protests began in diverse cities, the DEA had sought special authorisation from the Justice Department to covertly spy on Black Lives Affair protesters on behalf of law enforcement.

Although the printing release and memo didn't say what form the support and surveillance would take, it's likely that the two agencies were being asked to assist police for a particular reason. Both the DEA and the Marshals possess airplanes outfitted with so-called stingrays or dirtboxes: powerful technologies capable of tracking mobile phones or, depending on how they're configured, collecting information and communications from mobile phones in bulk.

Stingrays have been used on the ground and in the air by law enforcement for years merely are highly controversial because they don't simply collect data from targeted phones; they collect information from any phone in the vicinity of a device. That data tin can be used to identify people — protesters, for instance — and runway their movements during and subsequently demonstrations, too equally to identify others who associate with them. They also tin can inject spying software onto specific phones or directly the browser of a phone to a website where malware can be loaded onto it, though information technology's not clear if any U.S. constabulary enforcement agencies have used them for this purpose.

Although law enforcement has been using the technologies since the 1990s, the general public learned nigh them just in the last decade, and much about their capabilities remains unknown considering law enforcement agencies and the companies that brand the devices have gone to great lengths to go on details hugger-mugger. Stingrays are routinely used to target suspects in drug and other criminal investigations, only activists also believe the devices were used during protests against the Dakota Access pipeline , and against Black Lives Matter protesters over the final three months. The Justice Department requires federal agents to obtain a probable cause warrant to use the technology in criminal cases, but at that place is a cleave-out for national security . Given that President Donald Trump has referred to protesters every bit " terrorists ," and that paramilitary-style officers from the Department of Homeland Security have been deployed to the streets of Portland, Oregon , it'south conceivable that surveillance conducted at recent demonstrations has been deemed a national security matter — raising the possibility that the government may have used stingray technology to collect data on protesters without warrants.

To meliorate sympathize the kind of surveillance that may be directed at protesters, here'south a breakdown of what we know and nonetheless don't know about stingrays, and why their use is so controversial.

What is a stingray?

Stingray is the generic name for an electronic surveillance tool that simulates a prison cell phone belfry in order to force mobile phones and other devices to connect to it instead of to a legitimate cell tower. In doing so, the phone or other device reveals data almost itself and its user to the operator of the stingray. Other common names for the tool are "prison cell-site simulator" and "IMSI catcher."

Why is it called a stingray?

The proper noun stingray comes from the make name of a specific commercial model of IMSI catcher made by the Florida-based Harris Corporation. That company'due south StingRay is a briefcase-sized device that tin be operated from a vehicle while plugged into the cigarette lighter. Harris also makes products like the Harpoon, a signal booster that makes the StingRay more than powerful, and the KingFish, a smaller mitt-held device that operates like a stingray and tin can be used by a law enforcement agent while walking around outside a vehicle. About a dozen other companies brand variants of the stingray with unlike capabilities. The surveillance equipment is pricey and frequently sold as a package. For example, in documents obtained by Motherboard in 2016, Harris offered a KingFish bundle that cost $157,300  and a StingRay package that cost $148,000, non including training and maintenance. Documents obtained this year by the American Civil Liberties Matrimony indicate that Harris has upgraded the StingRay to a newer device information technology calls a Crossbow , though not a lot of data is known near how it works. Separately, a classified catalog of surveillance tools leaked to The Intercept in 2015 describes other similar devices.

FILE - This undated file photo provided by the U.S. Patent and Trademark Office shows the StingRay II, a cellular site simulator used for surveillance purposes manufactured by Harris Corporation, of Melbourne, Fla. Police departments across the country use military-developed technology that can track down suspects by using the signals emitted by their cellphones. Civil liberties groups are increasingly raising objections to the suitcase-sized devices known as StingRays that can sweep up cellphone data from an entire neighborhood. (U.S. Patent and Trademark Office via AP, File)

StingRay 2, a cellular site simulator used for surveillance purposes manufactured past Harris Corporation, of Melbourne, Fla.

Photo: U.S. Patent and Trademark Office via AP

How does the stingray work?

Phones periodically and automatically broadcast their presence to the cell belfry that is nearest to them, then that the telephone carrier'due south network tin provide them with service in that location. They do this even when the phone is not being used to make or receive a call. When a telephone communicates with a jail cell tower, it reveals the unique ID or IMSI number (International Mobile Subscriber Identity) associated with the SIM card in the phone. The IMSI number identifies that phone and its owner as a paying customer of a prison cell carrier, and that number can be matched past the carrier to the owner's name, address, and phone number.

A stingray masquerades as a cell tower in lodge to become phones to ping it instead of legitimate jail cell towers, and in doing then, reveal the phones' IMSI numbers. In the past, it did this by emitting a signal that was stronger than the betoken generated past legitimate cell towers effectually information technology. The switch to 4G networks was supposed to address this in part by adding an authentication footstep so that mobile phones could tell if a cell tower is legitimate. But a security researcher named Roger Piqueras Jover found that the authentication on 4G doesn't occur  until after the phone has already revealed its IMSI number, which means that stingrays can still take hold of this information before the phone determines it's non communicating with an authentic cell tower and switches to ane that is authenticated. That vulnerability notwithstanding exists in the 5G protocol , says Jover. Though the 5G protocol offers a feature that encrypts the IMSI when information technology's disclosed during pre-hallmark communication, police enforcement would simply be able to ask phone carriers to decrypt it for them. And a group of researchers from Purdue University and the University of Iowa also institute a fashion to guess an IMSI number without needing to get a carrier to decrypt it.

Because a stingray is not really a tower on the carrier'due south network, calls and messages to and from a phone can't go through while the telephone is communicating with the stingray. And so after the stingray captures the device's IMSI number and location, the stingray "releases" the phone so that it can connect to a real cell belfry. Information technology can do this past broadcasting a bulletin to that telephone that effectively tells the phone to find a different belfry.

What can law enforcement do with the IMSI number?

Law enforcement tin apply a stingray either to place all of the phones in the vicinity of the stingray or a specific phone, even when the phones are non in employ. Law enforcement tin can then, with a subpoena, enquire a phone carrier to provide the customer name and address associated with that number or numbers. They tin can also obtain a historical log of all of the cell towers a phone has pinged in the recent past to rail where it has been, or they can obtain the cell towers it's pinging in real fourth dimension to identify the user's current location. By communicable multiple IMSI numbers in the vicinity of a stingray, police enforcement can also potentially uncover associations between people past seeing which phones ping the same prison cell towers around the aforementioned time.

If constabulary enforcement already knows the IMSI number of a specific telephone and person they are trying to locate, they tin program that IMSI number into the stingray and it will tell them if that phone is nearby. Law enforcement can also dwelling house in on the location of a specific phone and its user by moving the stingray effectually a geographical area and measuring the telephone'southward signal forcefulness as it connects to the stingray. The Harris StingRay tin can be operated from a patrol vehicle equally it drives effectually a neighborhood to narrow a doubtable'due south location to a specific cluster of homes or a building, at which point constabulary enforcement can switch to the hand-held KingFish, which offers even more precision. For example, once police enforcement has narrowed the location of a phone and suspect to an office or flat complex using the StingRay, they can walk through the circuitous and hallways using the KingFish to find the specific function or flat where a mobile phone and its user are located.

Does the device just track mobile phones?

No. In 2008, authorities used a StingRay and a KingFish to locate a suspect who was using an air bill of fare: an internet-connectivity device that plugs into a calculator and allows the user to get online through a wireless cellular network. The doubtable, Daniel Rigmaiden , was an identity thief who was operating from an flat in San Jose, California. Rigmaiden had used a stolen credit card number and a simulated name and address to register his cyberspace account with Verizon. With Verizon's help, the FBI was able to place him. They determined the general neighborhood in San Jose where Rigmaiden was using the air card so they could position their stingray in the area and motion it effectually until they institute the apartment building from which his betoken was coming. They so walked around the apartment circuitous with a hand-held KingFish or like device to pinpoint the precise apartment Rigmaiden was using.

What is a dirtbox?

A dirtbox is the common name for specific models of an IMSI catcher that are made by a Boeing subsidiary, Maryland-based Digital Receiver Engineering science — hence the proper name "DRT box." They are reportedly used past the DEA and Marshals Service from airplanes to intercept data from mobile phones. A 2014 Wall Street Journal article revealed that the Marshals Service began using dirtboxes in Cessna airplanes in 2007. An airborne dirtbox has the ability to collect data on many more phones than a basis-based stingray; it can also move more hands and quickly over wide areas. According to the 2006 catalog of surveillance technologies leaked in 2015, models of dirtboxes described in that document can exist configured to track up to 10,000 targeted IMSI numbers or phones.

Do stingrays and dirtboxes have other capabilities?

Stingrays and dirtboxes can exist configured for utilize in either active or passive mode. In agile mode, these technologies broadcast to devices and communicate with them. Passive mode involves grabbing any information and communication is occurring in real time beyond cellular networks without requiring the phone to communicate directly with the interception device. The data captured tin can include the IMSI number too every bit text messages, email, and voice calls.

If that data or communication is encrypted, and so it would be useless to anyone intercepting it if they don't likewise take a way to  decrypt it. Phones that are using 4G apply strong encryption. Merely stingrays can force phones to downgrade to 2G, a less secure protocol, and tell the phone to use either no encryption or use a weak encryption that can be croaky. They can do this because even though most people employ 4G these days, at that place are some areas of the world where 2G networks are even so common, and therefore all phones have to have the ability to communicate on those networks.

The versions of stingrays used by the war machine can intercept the contents of mobile communications — text messages, email, and voice calls — and decrypt some types of this mobile communication. The war machine also uses a jamming or denial-of-service feature that prevents adversaries from detonating bombs with a mobile phone.

In addition to collecting the IMSI number of a device and intercepting communications, war machine-grade IMSI catchers can also spoof text messages to a phone, according to David Burgess, a telecommunications engineer who used to work with U.S. defense contractors supporting overseas armed services operations. Burgess says that if the armed forces knows the telephone number and IMSI number of a target, information technology can employ an IMSI catcher to send messages to other phones as if they are coming from the target'southward phone. They can also utilize the IMSI catcher for a and then-called man in the eye attack so that calls from one target pass through the IMSI catcher to the target phone. In this manner, they can record the call in real time and potentially listen to the conversation if it is unencrypted, or if they are able to decrypt information technology. The military systems tin too send a silent SMS message to a telephone to change its settings and so that the telephone will send text letters through a server the armed services controls instead of the mobile carrier'south server.

Can the devices be used to infect phones with malware?

Versions of the devices used by the military and intelligence agencies tin potentially inject malware into targeted phones, depending on how secure the phone is. They can do this in two means: They can either redirect the telephone'southward browser to a malicious web site where malware tin be downloaded to the telephone if the browser has a software vulnerability the attackers tin can exploit; or they tin can inject malware from the stingray directly into the baseband of the phone if the baseband software has a vulnerability. Malware injected into the baseband of a phone is harder to detect. Such malware can be used to turn the phone into a listening device to spy on conversations. Recently, Amnesty International reported on the cases of two Moroccan activists whose phones may have been targeted through such network injection attacks to install spyware fabricated by an Israeli company.

U.S. law enforcement apply of stingrays domestically is more curtailed, given that they, dissimilar the war machine, need to obtain warrants or court orders to utilise the devices in federal investigations. Simply in that location is trivial transparency or oversight around how the devices are used by federal agents and local police, so there is even so a lot that is unknown: for example, whether they've ever been used to record the contents of mobile phone communications or to install malware on phones.

News stories suggest that some models of stingrays used by the Marshals Service can extract text messages, contacts, and photos from phones, though they don't say how the devices do this. Documents obtained by the ACLU in 2015 also indicate such devices practise have the ability to record the numbers of incoming and outgoing calls and the date, fourth dimension, and duration of the calls, as well as to intercept the content of vocalization and text communications. But the Justice Section has long asserted publicly that the stingrays it uses domestically practise non intercept the content of communications . The Justice Department has stated that the devices "may be capable of intercepting the contents of communications and, therefore, such devices must be configured to disable the interception function, unless interceptions have been authorized past a Title III [wiretapping] order."

Equally for jamming communications domestically, Dakota Access pipeline protesters at Standing Rock, Northward Dakota, in 2016 described planes and helicopters flight overhead that they believed were using technology to jam mobile phones. Protesters described having problems such as phones crashing, livestreams beingness interrupted, and problems uploading videos and other posts to social media.

singray-theintercept-2-26

Why are stingrays and dirtboxes and then controversial?

The devices don't merely option upwardly data about targeted phones. Law enforcement may exist tracking a specific telephone of a known suspect, but any telephone in the vicinity of the stingray that is using the aforementioned cellular network as the targeted telephone or device volition connect to the stingray. Documents in a 2011 criminal case in Canada showed that devices used by the Royal Canadian Mounted Constabulary had a range of a third of a mile, and in but 3 minutes of apply, one device had intercepted 136 unlike phones .

Constabulary enforcement tin can likewise utilise a stingray in a less targeted way to sweep upwards data well-nigh all nearby phones. During the time a phone is connecting to or communicating with a stingray, service is disrupted for those phones until the stingray releases them. The connectedness should last only as long as information technology takes for the phone to reveal its IMSI number to the stingray, but information technology's non clear what kind of testing and oversight the Justice Section has done to ensure that the devices release phones. Stingrays are supposed to permit 911 calls to pass through to a legitimate prison cell tower to avoid disrupting emergency services, but other emergency calls a user may try to make while their telephone is continued to a stingray will not go through until the stingray releases their phone. It's also not articulate how constructive the devices are at letting 911 calls go through. The FBI and DHS have indicated that they haven't commissioned studies to measure this, but a written report conducted by federal police force in Canada found that the 911 bypass didn't ever work.

Depending on how many phones are in the vicinity of a stingray, hundreds could connect to the device and potentially take service disrupted.

How long has police force enforcement been using stingrays?

The engineering science is believed to have originated in the military, though it'due south not clear when it was first used in combat zones or domestically in the U.South. The earliest public mention of a stingray-like device existence used by U.S. law enforcement occurred in 1994, when the FBI used a crude, jury-rigged version of the tool to track former hacker Kevin Mitnick; authorities referred to that device as a Triggerfish. In a instance in Utah in 2009, an FBI agent revealed in a court document that cell-site simulators had been in use by police enforcement for more than a decade. He also said they weren't only used by the FBI but too by the Marshals Service, the Secret Service, and other agencies. Contempo documents obtained by the ACLU also indicate that between 2017 and 2019, the Department of Homeland Security's Homeland Security Investigations unit has used stingrays at least 466 times in investigations. BuzzFeed News had previously obtained records showing that from 2013 to 2017, HSI had used the technology 1,885 times .

Aside from the potential for widespread surveillance, are there other problems with the technology?

The other controversy with stingrays involves secrecy and lack of transparency around their utilise. Law enforcement agencies and the companies that make the devices take prevented the public from obtaining data about their capabilities and from learning how often the technology is deployed in investigations. Agencies sign nondisclosure agreements with the companies, which they apply as a shield whenever journalists or others file public records requests to obtain data about the technology. Law enforcement agencies merits criminals could arts and crafts anti-surveillance methods to undermine the technology if they knew how it worked. The companies themselves cite trade secrets and proprietary information to forbid the public from obtaining sales literature and manuals near the technology.

For years, police enforcement used the devices without obtaining a courtroom order or warrant. Fifty-fifty when they did seek blessing from a courtroom, they often described the technology in misleading terms to get in seem less invasive. They would often refer to stingrays in court documents equally a "pen register device," passive devices that sit down on a network and tape the numbers dialed from a certain phone number. They withheld the fact that the devices strength phones to connect to them, that they force other phones that aren't the target device to connect to them, and that they can perform more functions than simply grabbing an IMSI number. Most significantly, they withheld the fact that the device emits signals that tin rails a user and their phone inside a individual residence. After the FBI used a stingray to track Rigmaiden (the identity thief in San Jose) in his flat, Rigmaiden'due south lawyers got the Justice Department to acknowledge it qualified as a Fourth Amendment search that would require a warrant.

Law enforcement agents take not only deceived judges, even so; they've too misled defence attorneys seeking information about how agents tracked their clients. In some court documents, law enforcement officials have indicated that they obtained location information about the defendant from a " confidential source ," when in truth they used a stingray to track them.

To address this charade, the Justice Department in 2015 implemented a new policy requiring all federal agents engaged in criminal investigations to obtain a probable crusade search warrant earlier using a stingray. It also requires agents and prosecutors to tell judges when the warrant they are seeking is for a stingray; and it requires them to limit the use of the stingray's capabilities to tracking the location of a phone and logging the phone numbers for calls received and fabricated by the phone. They cannot collect the contents of communication, such as text messages and emails. And agents are required to purge the data they collect from non-targeted phones within 24 hours or 30 days, depending on the circumstances.

The problem, still, is that Justice Section policy is not police force. And although the policy includes state and local law enforcement agencies when they are working on a case with federal agents and desire to use the devices, it does not embrace those agencies when they are working on cases alone . To accost this loophole, lawmakers would need to pass a federal constabulary banning the use of stingrays without a warrant, but efforts to do so take so far been unsuccessful.

One bigger issue with the Justice Department policy is that, as noted to a higher place, information technology only applies to criminal investigations, not national security ones, and information technology also includes a carve-out for "exigent circumstances" that are not clearly defined. Federal agents are not required to seek a warrant to utilize the engineering in cases involving such circumstances. Whether the government has used the engineering against Black Lives Thing protesters without a warrant is likely something that will remain a secret for some fourth dimension.