Spying on Your Cell Phone Just Got a Little Harder

Judges and legislators around the country are making it a little harder for law enforcement to spy on you through cell phone.  All the recent activity revolves around a device called StingRay (and its main competitor, Triggerfish) which acts as a cell tower site simulator.  That means that when a StingRay is activated, all cell phones within the target area ping off the device instead of going through the normal cellular service provider towers (i.e., Verizon, Sprint, etc.).

At its most basic level, this lets the cops see all of the text and call data going through the targeted telephones (but not the content…meaning, they can see the numbers being called but can’t listen to what is being said).  Used with a little more planning and a little old-style physical surveillance, a StingRay allows the cops to figure out the number of the cell phone a person is using.  They just follow that person around and activate the StingRay at various locations.  Once they see the same cell number active at each of those locations…presto, they have your phone number.  And now they can get a wiretap, serve a search warrant on your cell provider for your text messages, start tracking your GPS location, and more.

In fact, recently discovered documents also suggest that it may also be possible to “flash the firmware of a cell phone” using a StingRay so that the actual conversations on the phone can be intercepted.

Discussion about these devices has only entered the public domain recently.  I remember when federal agents did not even want to tell federal prosecutors when they used a StingRay, fearing it might be disclosed in discovery once a criminal case was filed.  (And it sounds like that kind of subterfuge is still going on in Canada.)

But now that people are talking about it, the StingRay’s intrusive nature is being recognized.  In September 2015, the US DOJ announced that henceforth the devices would not be used without a warrant.

The next month, California’s Electronic Communications Privacy Act was signed into law, also requiring a warrant.

Last month, a federal judge ruled that using a StringRay without a warrant violates the Fourth Amendment.  And more recently, Illinois recently enacted legislation requiring state law enforcement to get a court order before using a StingRay.

In perhaps the most interesting development, yesterday a number of public interest groups filed a complaint with the FCC against the Baltimore City Police Department, arguing that the BPD is – when using StingRays – violating FCC rules by “operat[ing] a cellular transceiver on licensed spectrum reserved for operation of cellular networks” without a license (and allegedly doing so in a racially discriminatory manner).  Instead of arguing the privacy angle, the complaint takes a different tact, alleging that these devices interfere with regular cell service and illegally access the licensed cell networks.  It would be quite a coup if the petitioners succeed in their goal of obtaining “an enforcement advisory advising law enforcement agencies around the country that they must abide by the laws that protect wireless spectrum and emergency services from harmful interference.”  Expect some sort of work-around for law enforcement instead.

So what does all this mean for you?  Well, on the one hand it is just another reminder of how the digital age leaves us all open to invasions of privacy (and not only by law enforcement…do you really think the cops are the only ones with these devices?).  On the other, we can take heart that judges, legislators, and public interest groups are recognizing the risks and pushing for greater protections of our constitutional rights.  But if you really want to be anonymous, take the battery out of your phone.  (Turning it off might not even be enough).