Fake base stations have been used by the federal government for years but now have been adopted by local law enforcement agencies, and privacy advocates are not happy about it.
Local law enforcement in the San Francisco Bay Area have started deploying the fake cell sites, more accurately called "IMSI (International Mobile Subscriber Identity) catchers," in a vast area that stretches from San Jose to Sacramento, according to Sacramento News10. The TV station said USA Today has "confirmed that at least 25 other local police agencies across the country are using StingRays or similar devices."
StingRay is one of several brands of fake base station sold by Harris. Similar equipment from Digital Receiver Technology has been approved by the FCC for use in the United States.
When one of these types of devices is deployed correctly, every smartphone or portable computer served by a particular cellular network in a given area will recognize the stingray as just another cell site on that network, automatically connecting to it. The fake cell site can then gather information about those devices and the locations of their users.
Devices used by U.S. law enforcement are said to be configured so they cannot be used for eavesdropping. However, similar IMSI catchers that are sold around the world are regularly used for that purpose.
For example, Israeli vendor Ability advertises that its IBIS-II can "scan, analyze, intercept, monitor, record and track GSM mobiles, regardless if they are encrypted by A5.1 or A5.2 encryption" and notes that the device "is a stand-alone solution for off the air interrogation/interception/monitoring/deception of tactical GSM communication, in a seamless way, without any cooperation with the network provider."
By their nature, an IMSI catcher impacts every cellular user on a particular network in a given area. "From a privacy perspective, this is worrying because it collects information about the devices and whereabouts of innocent third parties, not just the target of an investigation," wrote Linda Lye, a staff attorney with the ACLU of Northern California, in a blog post.
One intriguing point that is not noted by the ACLU or media reports regarding the use of StingRays for tracking and surveillance is the impact their use might have on mobile network operators.
For example, if handsets in a given area are automatically connecting to a fake base station, that would likely mean they are not sending or receiving calls or data via the mobile network they are supposed to be operating on. That, in turn, might cause users to perceive that their mobile operator's network has a coverage gap or is delivering poor service in that area for some other reason.
The Northern California deployments have been aided by financial grants from the federal government. "Terrorism is used as the primary justification for purchasing StingRay technology in every grant application obtained by Sacramento News10," the station said. However, arrest records gathered from Oakland and Los Angeles have revealed that StingRays are being used for routine police work.
"Their actual use by local law enforcement reflects the all too common phenomenon of mission creep: Although the justification for acquiring these devices is "fighting terrorism," agencies seem to be using them for ordinary criminal law enforcement," Lye wrote.
"Once again, we see the proliferation of powerful new surveillance tools, but without any rules to constrain their use. The acquisition of these devices is shrouded in secrecy and driven by federal grant money, which undermines local democratic oversight," she added.
Lye noted that The Wall Street Journal in 2011 first reported on the use of such devices by the federal government.
FreedomPop unveils 'Privacy Phone' to focus on security for voice, texting
NSA review panel recommends changes to telephone metadata program
Report: NSA review task force calls for restricting phone records program
Apple, Google, Microsoft among tech giants calling for surveillance reform
NSA tracking location data on hundreds of millions of cell phones, according to Snowden leak
The Internet of Things could soon be regulated