AACJ Winter Seminar January 8-9, 2015 Stingray Talk by Daniel - - PowerPoint PPT Presentation

1

AACJ Winter Seminar January 8-9, 2015 Stingray Talk by Daniel Rigmaiden

Email: ddrigmaiden@freedomdujour.com | Twitter: @ddrigmaiden

• I. Background [Who am I and why does my
• pinion matter?]
• A. I was indicted in 2008 by the federal

government for filing fraudulent tax returns.

• B. To bring me to justice, the FBI used a

vehicle-portable StingRay and man-portable KingFish (both generically, "the Stingray") to locate my Verizon Wireless aircard.

2

• C. While in custody, I represented myself and

developed strategies to expose the FBI's use of the Stingray and challenge the court

• rder purportedly relied upon for its use.
• D. From August of 2008 to August of 2013, I

lived and breathed Stingray technology and Fourth Amendment law applied to use of the Stingray.

• E. I was highly motivated to figure out “all

things Stingray.”

3

• F. “Although Defendant is representing

himself... The Court has not seen better work product from criminal defense attorneys.” United States v. Rigmaiden, 844 F.Supp.2d 982, 992 (D.Ariz, 2012).

4

• F. “Although Defendant is representing

himself... The Court has not seen better work product from criminal defense attorneys.” United States v. Rigmaiden, 844 F.Supp.2d 982, 992 (D.Ariz, 2012). 1. I have never been to law school.

5

• F. “Although Defendant is representing

himself... The Court has not seen better work product from criminal defense attorneys.” United States v. Rigmaiden, 844 F.Supp.2d 982, 992 (D.Ariz, 2012). 1. I have never been to law school. 2. I am not a lawyer.

6

• F. “Although Defendant is representing

himself... The Court has not seen better work product from criminal defense attorneys.” United States v. Rigmaiden, 844 F.Supp.2d 982, 992 (D.Ariz, 2012). 1. I have never been to law school. 2. I am not a lawyer. 3. This presentation is not legal advice.

7

• F. “Although Defendant is representing

himself... The Court has not seen better work product from criminal defense attorneys.” United States v. Rigmaiden, 844 F.Supp.2d 982, 992 (D.Ariz, 2012). 1. I have never been to law school. 2. I am not a lawyer. 3. This presentation is not legal advice. 4. Take everything with a grain of salt.

Photo Credit: MTSOfan

8

What Have You Done Since Representing Yourself?

• Interned at the American Civil Liberties Union of

Northern California under Linda Lye, Senior Staff Attorney.

• Paralegal work for Philip Seplow, Attorney at

Law, in Phoenix, AZ.

• Assist both television and print journalists in their

news stories on cell phone tracking technology.

• Write articles about surveillance, etc. at:

www.FreedomDuJour.com

9

• II. Brief overview of how cell phones operate.
• A. Cell phones are sophisticated radio

communications devices.

Photo Credit: Marko Vallius (remix: Daniel Rigmaiden)

10

• B. Cell phones receive service via radio waves

sent to/from base stations (colloquially “cell tower antennas” or “cell sites”) used by Verizon, AT&T, T-Mobile, etc.

Photo Credit: ajmexico Photo Credit: Daniel Spiess $249.99 Verizon Femtocell “The Network Extender works like a miniature cell phone tower in your home providing enhanced coverage for up to a 5,000 square foot area.”

11

• C. An active cell tower transmits signals to

inform all cellular devices within range:

• 1. that it is providing cellular service under

a specific communication protocol (e.g., GSM, CDMA, UMTS, LTE, etc.);

• 2. which wireless carrier (e.g., Verizon,

AT&T, T-Mobile, etc.) is providing service via the cell tower; and

• 3. a whole lot of other information relating

to the cell tower and network (e.g., LAC, MCC, CID, Neighbor Cells, etc.).

12

• D. A cell phone scans the airwaves to:
• 1. locate cell towers providing service under

a compatible communication protocol (e.g., GSM, CDMA, UMTS, LTE, etc.);

• 2. locate cell towers “belonging” to the

wireless carrier that services the cell phone (e.g., Verizon, AT&T, T-Mobile);

• 3. locate the compatible cell tower providing

the strongest signal.

• E. A cell phone will establish a connection (e.g.,

“register”) with the compatible cell tower providing the strongest signal.

13

• F. During the connection process, the cell

tower will require the cell phone to provide its identifying data in the form of serial numbers (e.g., IMSI, ESN, and MEID).

• 1. The cell phone's identifying data is used

by the wireless carrier to link the subscriber account to the cell phone, and determine whether the phone is authorized to access service.

• G. Important: Cell towers are capable of

instructing cell phones to transmit at a specific power (i.e., signal strength).

14

• H. Once a cell phone is connected to a cell

tower, it will continue to scan the airwaves to find other compatible cell towers providing stronger signals. I. A cell phone will disconnect from its current cell tower and connect to a different compatible cell tower if it is providing a stronger signal.

To challenge the Stingray, I(A)-(I) is all you need to know about how cell phones operate.

15

III.Stingray / Cell Site Simulator / Cell Site Emulator / IMSI-Catcher / Over-the-Air device / Duplication of Facilities.

• A. Operated by law enforcement typically

without the knowledge or direct involvement

• f legitimate wireless carriers.
• B. What does the equipment do?
• 1. Performs the same functionality of a cell

tower.

16

• 2. Broadcasts a cellular network wholly
• perated by law enforcement (i.e., does

not communicate on the air interface with Verizon, AT&T, T-Mobile, etc.).

• 3. Spoofs identifying data used by a

legitimate wireless carriers (i.e., pretends to be Verizon, AT&T, T-Mobile, etc.).

• 4. Broadcasts a “strong” signal which

forces all compatible cellular devices within range to connect (aka “register”) to the equipment (limited to signal coverage area).

17

III(B)(4) REFERENCE:

Chen, Xi; Zhou, Kan; and Song, Yubo. Fake BTS Attacks of GSM System

• n Software Radio Platform. Journal of Networks, VOL. 7, NO. 2, p. 275-

281 (Feb. 2012).

18

• 5. Conducts surveillance on the connected

cellular devices including:

• a. device/user Identification;
• b. location tracking;
• c. denial of service (both deliberate and

incidental); and

• d. interception of communications (not

covered in this presentation).

Specific Stingray functionality will be further explained in parallel with legal arguments.

19

• C. Who manufactures the equipment used by

U.S. law enforcement?

• 1. Harris Corporation.
• 2. Digital Receiver Technology, Inc.
• 3. KeyW Corporation.
• 4. Possibly others?

20

• D. What does the equipment consist of?
• 1. Covert Base Transceiver Stations.

Harris WPG StingRay II Harris WPG KingFish Harris WPG Triggerfish Harris WPG StingRay DRT, Inc. 1183C

21

• 2. Direction finding antennas.

Harris AmberJack Vehicle Mounted Direction Finding Antenna DRT, Inc. DF520 Direction Finding Antenna DRT, Inc. DF280B Direction Finding Antenna System

22

• 3. Laptop and handheld controllers.

Laptop computer Photo Credit: Wilson Hui (remix: Daniel Rigmaiden) Handheld computer

23

• 4. Geolocation / interception software.

DRT, Inc. Geolocation Software

24

• 5. Other equipment to tie everything

together: additional antennas, amplifiers, cables, power supplies, etc.

25

+ = +

In basic terms...

26

• E. How does law enforcement deploy the

equipment?

• 1. Road vehicle mounted.
• 2. Aerial vehicle mounted.
• 3. Carried on foot.

27

IV.Determining whether a Stingray was used to identify and locate a defendant.

• A. Read Linda Lye's STINGRAYS: The Most

Common Surveillance Tool the Government Won't Tell You About (tutorial for criminal defense attorneys explaining how to assess whether a Stingray was used).

28

• B. Additional tips on how to determine if a

Stingray was used.

• 1. Use a “fine toothed comb” to go through

all pen register / trap and trace orders, stored data orders (e.g., Stored Communications Act), and “tracking device” orders and warrants for Stingray synonyms:

• a. over-the-air device;
• b. tracking device (if for targeting a cell

phone); and

• c. cell site simulator / emulator.

29

• 2. Use a “fine toothed comb” to go through

all pen register / trap and trace orders, stored data orders (e.g., Stored Communications Act), and “tracking device” orders and warrants for these descriptions of Stingray functions:

• a. duplication of facilities;
• b. interruption of service;
• c. initiate a signal on “the service

provider's network”; and

• d. forced registration.

30

31

• 3. Look for a directive in the order requiring

the service provider to force the target cell phone to operate under outdated 2G communications protocols such as GSM, “CDMA”, and iDEN.

• a. Having the service provider force the

cell phone to operate under older protocols allows for the following: i.

• lder 2G Stingray equipment can

be used on cell phones that

• rdinarily default to 3G or 4G

protocols;

32

ii. less experienced law enforcement personnel can

• perate the equipment; and
• iii. an overall less complex

surveillance operation.

33

EXAMPLE:

United States. v. Robert Harrison, 14-CR-00170-CCB, Doc. 29-1, p. 13 (D.Md., Oct. 10, 2014) (order relied upon to operate a Stingray).

34

• 4. Stingray orders are generally deceptive

and convoluted.

• a. Most directives are aimed at service

providers, not law enforcement.

• b. But there may be a directive

authorizing law enforcement personnel to “attach,” “install,” and/or “use” the “pen / trap device.”

• c. Contains veiled descriptions, if any,
• f the Stingray technology sought to

be employed.

35

IMPORTANT:

Just because an executed order fits all or even some of the criteria of a “Stingray order,” it does not necessarily mean that a Stingray was used during the course of the

• rder's execution.

36

IMPORTANT:

Just because an executed order does not fit all or even some of the criteria of a “Stingray order,” it does not necessarily mean that a Stingray was not used during the course of the order's execution.

37

• V. Fourth Amendment arguments.
• A. Conducting surveillance on a cellular device

using a Stingray triggers Fourth Amendment protections: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated...” U.S. Const., amend. IV.

• 1. What is searched and what is seized via

a Stingray?

38

• a. A Stingray searches the cell phone

in order to seize its identifying serial numbers (e.g., IMSI, ESN, and MEID), which is data digitally stored

• n the cell phone itself.

39

HELPFUL CASES:

Serial numbers stored on a phone are protected under the Fourth Amendment. See Arizona v. Hicks, 480 U.S. 321, 325 (1987) (“It matters not that the search uncovered nothing of any great personal value to respondent—serial numbers...”). It also matters not that law enforcement could have obtained (or did obtain) the cell phone's serial numbers from the service

• provider. See Riley v. California, No. 13-132, p. 24 (U.S. Sup.

Ct., Jun. 25, 2014) (Rejecting government argument that law enforcement should “always be able to search a phone’s call log” considering that same information is otherwise obtainable from the wireless carrier as a third-party record.).

40

• b. A Stingray searches the cell phone

in order to seize the cell phone's transmitted radio signals. i. The signals are transmitted in response to the Stingray sending location finding “interrogation signals” to the cell phone. ii. The signals are not being transmitted to wireless carrier cell towers.

• iii. The signals would not have been

generated/transmitted had it not been for the Stingray.

41

HELPFUL CASES:

?

42

• c. A Stingray uses penetrating radio

waves to search private areas (e.g., home residences) in order to seize information, i.e., that the cell phone is located within a specific private area.

43

44

HELPFUL CASES:

Information on the location of an object can be an “item” to be seized under the Fourth Amendment. See United States v. Karo, 468 U.S. 705, 719 (1984) (“[B]y maintaining the beeper the agents verified that the ether was actually located in the [] house... This information was obtained without a warrant and would therefore be inadmissible at trial against those with privacy interests in the house[.]” (emphasis added)). Kyllo v. United States, 533 U.S. 27, 40 (2001) (“Where, as here, the Government uses a device that is not in general public use, to explore details of the home that would previously have been unknowable without physical intrusion, the surveillance is a 'search' and is presumptively unreasonable without a warrant.”).

45

• d. A Stingray conducts a Soldal-style

seizure of the cell phone (i.e., a seizure not resulting from a search) because it meaningfully interferes with the user's possessory interest in the phone.

46

HELPFUL CASES:

In Soldal, the Supreme Court rejected the argument that the Fourth Amendment “protect[s] only against seizures that are the outcome of a search.” Soldal v. Cook County, 506 U.S. 56, 68 (1992). Interfering with one's possessory interest in property (e.g., a cell phone) is a Fourth Amendment seizure of the property. See United States v. McIver, 186 F.3d 1119, 1127 (9th Cir. 1999) (“A seizure of property occurs when there is some meaningful interference with an individual's possessory interests in that property.”)

47

How does a Stingray meaningfully interfere with a user's possessory interest in the cell phone?

48

i. If law enforcement is (1) only locating or identifying* a cell phone using a Stingray, and (2) no Title III wiretap order was obtained, the cell phone will not be able to place or receive calls while the surveillance is taking place (i.e., a denial-of- service attack / disruption of service).

* If only identifying a cell phone using a Stingray, the disruption of service may be so brief that it may not be considered “meaningful interference” with the user's possessory interests in the cell phone.

49

50

IMPORTANT:

Despite the position held by the FBI, a Stingray is not a pen/trap device—it is far more. But we can agree that if a Stingray accesses the communications content of a cell phone, it is a Title III intercept device.

51

• ii. Upon law enforcement instruction, if

the wireless service provider used

• ver-the-air provisioning to

reprogram the cell phone to be compatible with only 2G cellular communications standards, the user's calls will be susceptible to interception by hackers and the quality of cellular service will be diminished.

52

EXAMPLE:

United States v. Robert Harrison, 14-CR-00170-CCB, Doc. 29, p. 13 (D.Md., Oct. 10, 2014) (order relied upon to operate a Stingray).

53

54

• iii. If law enforcement is locating a cell

phone using a Stingray, it is forcing the phone to transmit at full power and draining the phone's battery faster than normal.

55

EXAMPLE:

Florida v. James L. Thomas, No. 2008-CF-3350A, Suppression Hearing Transcript RE: Stingray [testimony of Investigator Christopher Corbitt], p. 17 (2nd Cir. Ct., Leon County, FL, Aug. 23, 2010).

56

HELPFUL CASES – supporting all three seizure arguments:

Apply the reverse of United States v. Garcia, 474 F.3d 994, 996 (7th Cir. 2007) (attaching GPS device to car was not a seizure

• f the car because “[t]he device did not affect the car's driving

qualities...”). For the Stingray, preventing the cell phone from making calls, forcing it to operate at less secure 2G protocols, and draining the battery affects the quality of the phone's functions. Apply the reverse of United States v. Garcia, 474 F.3d 994, 996 (7th Cir. 2007) (attaching GPS device to car was not a seizure

• f the car because device “did not draw power from the car's

engine or battery...”). For the Stingray, power from the cell phone's battery is needed.

57

• B. Whether labeled as an “order” or a

“warrant,” a document relied upon to

• perate a Stingray must comply with the

Fourth Amendment.

• 1. What wording must the Stingray
• rder/warrant contain to comply with the

Fourth Amendment?

58

• a. The order/warrant must “particularly

describ[e] the place to be searched, and the persons or things to be seized.” U.S. Const., amend. IV. i. Searched: (1) the cell phone's data storage devices, and (2) unknown private areas.* ii. Seized: (1) the cell phone, (2) serial numbers identifying the cell phone, (3) radio signals generated by the cell phone, and (4) the location of the cell phone.

* Because “location” is one item sought through the search, street addresses of the private areas to be searched are not known and need not be specified. See United States v. Karo, 468 U.S. 705, 718 (1984).

59

• b. The order/warrant must contain a

court finding that the application affidavit establishes probable cause to believe that the items to be seized are: (1) evidence of crime, fruits of crime, or used in crime; and (2) concealed at / on / within the places to be searched.

60

EXAMPLE (fails to comply with 4th Amendment):

United States v. Robert Harrison, 14-CR-00170-CCB, Doc. 29-1, p. 11 (D.Md., Oct. 10, 2014) (order relied upon to operate a Stingray).

61

HELPFUL CASES:

“[I]t is certainly clear that probable cause to believe that a person's location is relevant to a criminal investigation cannot possibly meet the constitutional standard the government purports to invoke, that it is more likely than not that what is be seized is evidence, contraband, fruits of a crime or designed to be used to commit a crime.” In the Matter of The Application

• f the United States Of America For An Order Authorizing the

Release of Prospective Cell Site Information, 407 F.Supp.2d 132, 133 (D.D.C. 2005) (emphasis added).

62

• c. The order/warrant must authorize /

command law enforcement (not the cell phone service provider) to conduct the searches and seizures. i. Otherwise, law enforcement's use of a Stingray is outside the scope of the order.

63

VI.Dealing with cases the government uses to respond to the above Fourth Amendment arguments.

• A. In terms of particularity applied to "mobile

tracking devices," the government need

• nly "describe the object into which the

beeper is to be placed, the circumstances that led agents to wish to install the beeper, and the length of time for which beeper surveillance is requested." United States v. Karo, 468 U.S. 705, 718 (1984).

1. But use of a Stingray results in additional Fourth Amendment activity, not just locating and tracking.

64

• B. In terms of the “broader location / tracking
• peration,” there is “[n]othing in the

language of the Constitution or in th[e] [Supreme] Court's decisions interpreting that language suggests that... search warrants [] must include a specification of the precise manner in which they are to be executed.” United States v. Dalia, 441 U.S. 238, 257 (1979).

• 1. Dalia addressed the constitutionality of

law enforcement entering a premises to install an audio bug while the Title III wiretap order (18 U.S.C. §§ 2510-2522) failed to authorize the entry.

65

2. The Dalia court found the unauthorized entry to not be a “separate search,” but

• nly because “[t]he legislative history of

Title III underscores Congress' understanding that courts would authorize electronic surveillance in situations where covert entry of private premises was necessary.” Id. at 251. “It is understandable, therefore, that by the time Title III was discussed on the floor of Congress, those Members who referred to covert entries indicated their understanding that such entries would necessarily be a part of the bugging authorized under Title III.” Id. at 251-52.

66

• 3. In comparison, there is no legislative

history that would allow applying Dalia to the various searches and seizures carried out by a Stingray. In fact, the government's strenuous efforts to conceal the technology from both judges and the public further underscores the inapplicability of Dalia.

67

Questions?

Email: ddrigmaiden@freedomdujour.com | Twitter: @ddrigmaiden