1
Your Secret StingRay’s No Secret Anymore: The Vanishing Government
Monopoly over Cell Phone Surveillance and its Impact ...
2
Although the threat demonstrated by Shimomura was clear, Congress and the
Federal Communications Commission (FCC) took n...
3
In 1997, four years after the FCC enacted Congressionally mandated regulations
banning the sale of scanning equipment ca...
4
decades, US federal, state and local law enforcement agencies have employed
sophisticated cellular surveillance equipmen...
5
scanners,22 the American public is poised, quite unknowingly, at the threshold of a
new era of communications intercepti...
6
more ominously, can be purchased over the Internet from one of many non-US
based surveillance technology vendors or even...
7
to tap a traditional wireline telephone call must physically access the network
infrastructure transporting that call—su...
8
the growing ease of access to cellular surveillance technology, makes the universe of
private parties that can intercept...
9
software or purpose-built hardware.37 Moreover, although the competing “CDMA”
cellular networks (operated by Verizon and...
10
precision,42 to intercept outgoing calls and text messages,43 as well as to block
service, either to all devices in the...
11
phones and the w eless c e s’ base stations. Active surveillance devices, on the
other hand, exploit the lack of authen...
12
A. AN APPROXIMATE HISTORY OF CELLULAR PHONE INTERCEPTION
TECHNOLOGY55
Rohde & Schwarz, a German manufacturer of radio e...
13
simulators, which wireless carrier technicians operated to test cellular phones.63
Later, cellular equipment manufactur...
14
enforcement market, although several other companies also sell similar technology
to US military and intelligence agenc...
15
one hundred years, the telephone companies have provided such assistance.75 While
carrier performed or enabled surveill...
16
by a particular surveillance target by deploying an IMSI catcher to collect data about
ne by p nes t lt ple l c t ns, s...
17
installed devices that permit access to registered phones, such as those used by
guards and other staff, while blocking...
18
same logic, of course, applies to foreign governments conducting espionage in the
United States.90
III. “KNOWN KNOWNS”—...
19
Fourth Amendment constraints); (2) the frequency or regularity with which such
technology is used by federal, state and...
20
t e g ve n ent’s ppl c t n w t t p ej d ce, explaining that a Pen/Trap court
de w s n t eq ed bec se t e Pen/T p st t t...
21
congressional oversight.107 If the court were to authorize the government’s use of a
digital analyzer to identify the p...
22
digital analyzer, even if it advised prosecutors to seek court authorization in an
abundance of caution or as a matter ...
23
need for a warrant or other judicial process requirement for law enforcement use of
digital analyzers and cell cite sim...
24
seek Pen/Trap court process when using a digital analyzer/cell cite simulator as a
Pen/Trap device.123
The 1997 DOJ Gui...
25
nf t n sed by c n c t n syste t p cess c n c t ns.” Indeed,
DOJ nst cted p sec t s t t t e new pen eg ste def n t n “ p...
26
These expanded Pen/Trap definitions had implications for law enforcement direct
collection of mobile device serial numb...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Your Secret StingRay’s No Secret Anymore: The Vanishing Government  Monopoly over Cell Phone Surveillance and its Impact o...
Upcoming SlideShare
Loading in …5
×

Your Secret StingRay’s No Secret Anymore: The Vanishing Government Monopoly over Cell Phone Surveillance and its Impact on National Security and Consumer Privacy -Ssrn id2437678

4,027
-1

Published on

Your Secret StingRay’s No Secret Anymore: The Vanishing Government
Monopoly over Cell Phone Surveillance and its Impact on National
Security and Consumer Privacy

Published in: Technology, Business
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
4,027
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
36
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Your Secret StingRay’s No Secret Anymore: The Vanishing Government Monopoly over Cell Phone Surveillance and its Impact on National Security and Consumer Privacy -Ssrn id2437678

  1. 1. 1 Your Secret StingRay’s No Secret Anymore: The Vanishing Government Monopoly over Cell Phone Surveillance and its Impact on National Security and Consumer Privacy Stephanie K. Pell1 & Christopher Soghoian2 “. . . [T]hou wilt not trust the air with secrets.” — Shakespeare, Titus Andronicus.3 I. INTRODUCTION During a 1993 Congressional oversight hearing on the integrity of telephone networks,4 security researcher Tsutomu used a “software hack” to turn an analog cellular phone into a scanner that enabled all present in the hearing room to hear the live conversations of nearby cellular phone users.5 Shimomura had been granted congressional immunity to perform this demonstration under the watchful gaze of a nearby FBI agent.6 The event was a practical demonstration of what Subcommittee Chairman Ed M key c lled “t e s n ste s de of cybe sp ce.”7 The demonstration illustrated a significant security vulnerability impacting then- widely used analog cellular phone networks: calls were not encrypted as they were transmitted over the air and could, therefore, be intercepted with readily available equipment, such as an off-the-shelf radio scanner or a modified cellular phone.  The authors wish to thank Matt Blaze, Ian Brown, Alan Butler, Susan Freiwald, Allan Friedman, Jean- Pierre Hubaux, Eric King, Susan Landau, Linda Lye, Aaron K. Martin, Valtteri Niemi, Karsten Nohl, Brian Owsley, Christopher Parsons, Christopher Prince, John Scott-Railton, Greg Rose, Seth Schoen, Jennifer Valentino-DeVries, David Wagner, Nicholas Weaver, several individuals who have asked to remain anonymous, and the attendees of our session at the 2013 Privacy Law Scholars Conference. 1 Principal, SKP Strategies, LLC; Non- es dent Fell w t t nf d L w c l’s Cente f Inte net nd Society; former Counsel to the House Judiciary Committee; former Senior Counsel to the Deputy Attorney General, U.S. Department of Justice; former Counsel to the Assistant Attorney General, National Security Division, U.S. Department of Justice; and former Assistant U.S. Attorney, Southern District of Florida. 2 Principal Technologist, Speech, Privacy & Technology Project, American Civil Liberties Union and Visiting Fellow, Information Society Project, Yale Law School. The opinions expressed in this article e t s t ’s l ne, nd d n t eflect t e ff c l p s t n f s e pl ye . 3 William Shakespeare, Titus Andronicus, act IV, scene II, l. 1862. 4 Telecommunications Network Security: Hearing Before the Subcomm. On Telecommunications and Finance of the H Comm. On Energy and Commerce, 103rd Cong. (April 29 & June 9, 1993) [hereinafter Telecommunications Network Security Hearing]. 5 Id. at 8-9. 6 See Immunity Needed; Markey Panel Sees Dark Side of Electronic Frontier, Communications Daily, April 30, 1993, https://w2.eff.org/Privacy/Newin/Cypherpunks/930430.communications.daily 7 See Telecommunications Network Security Hearing, supra note **, Opening Statement of Chairman Markey at 4.
  2. 2. 2 Although the threat demonstrated by Shimomura was clear, Congress and the Federal Communications Commission (FCC) took no steps to mandate improvements in the security of analog cellular calls.8 Such a technical fix would have required wireless carriers to upgrade their networks to support more secure telephone technology, likely at significant cost.9 Instead, Congress outlawed the sale of new radio scanners capable of intercepting cellular signals and forced scanner manufactures to add features to their products to prevent them from being tuned to frequencies used by analog cell phones.10 This action by Congress, however, did nothing to prevent the potential use of millions of existing interception-capable radio scanners already in the homes and offices of Americans to intercept telephone calls.11 8 See Telecommunications Network Security Hearing, supra note **, Statement of Chairman Markey t 12 (“L st ye we p ssed leg sl t n t b n sc nne s, b t we cle ly d d n t b n cell l p nes. However, cellular phones can be reprogrammed as a scanner with a relatively rudimentary kn wledge f t e tec n l gy. Tens f t s nds f pe ple kn w w t d t.”). In s b ss n t the FCC, the cellular industry association opposed proposals for the FCC to focus on the cellular interception vulnerabilities, rather than the availability of radio scanners capable of intercepting cellular phone calls. See Cellular Telecommunications Industry Association (CTIA) Reply Comments on Amending of Parts 2 and 15 to Prohibit Marketing of Radio Scanners Capable of Intercepting Cellular Telephone Conversations at 4 (March 8, 1993), http://apps.fcc.gov/ecfs/document/view;jsessionid=fTGkSn3c0CsJjGhv2ts5DQQktvyhfXkHpW2JPnr 9pPhxQ9sC88Cp!-1864380355!1357496456?id=1120040001 [hereinafter CTIA Reply Comments] at 4 (“R t e t n p p s ng t st engt en t e C ss n's p p sed les, weve , t ese p t es would have the Commission weaken or abandon its proposals and place the burden solely on cellular carriers or manufacturers to protect the pr v cy f cell l telep ne c lls… With the enactment of ect n 403( ), t e t e f s c n g ent s p st.”) 9 See Craig Timberg and Ashkan Soltani, By cracking cellphone code, NSA has capacity for decoding private conversations, Washington Post, December 13, 2013, available at http://www.washingtonpost.com/business/technology/2013/12/13/e119b598-612f-11e3-bf45- 61f69f54fc5f_st y. t l (“Upg d ng n ent e netw k t bette enc ypt n p v des s bst nt lly more privacy for users . . . But upgrading entire networks is an expensive, time-consuming nde t k ng.”). See also Babbage infra note ** (currently fn 256). Such network upgrades would also have neutralized analog interception devices then in use by US government agencies. 10 See FCC Report and Order, Amendment of Parts 2 and 15 to Prohibit Marketing of Radio Scanners Capable of Intercepting Cellular Telephone Conversations, adopted April 19, 1993, available at http://apps.fcc.gov/ecfs/document/view;jsessionid=CyspSn3R1KqpKlzyc9pwb5GyypnrQ4nnGMqFq tNpQyFYbhWZ2r1c!1357496456!-1864380355?id=1145780001, made in response to Sec. 403 of the Telephone Disclosure and Dispute Resolution Act, Pub. L. 102-556 (1992); codified at § 47 U.S.C. 302a(d) (requiring that within 180 days of enactment, the FCC shall prescribe and make effective regulations denying equipment authorization). However, as the FCC made clear in its report, this p b t n d es n t pply t c p n es t t “ ket[] [ n l g cell l nte cept n] tec n l gy t l w enf ce ent genc es.” See FCC Report and Order, at 7. Such a law enforcement exemption had been requested by the Harris Corporation, and supported by the cellular industry association. See CTIA Reply Comments, supra n te ** t 8 (“CTIA s pp ts t e H s C p t n's eq est t t t e Commission modify its proposed rules to clarify that scanning receivers that receive cellular t ns ss ns … y c nt n e t be n f ct ed f s le t [l w enf ce ent]”). 11 See CTIA Reply Comments, supra n te ** t 3 (“A n be f c ente s g e that the Commission's proposed rules are flawed because they will not effectively safeguard the privacy of cellular calls. These commenters point out that millions of scanning receivers capable of tuning cellular frequencies are already in use, and that such receivers will remain available for sale for n t e ye .”) See also Summary of Testimony Of Thomas E. Wheeler, Cellular Telecommunications
  3. 3. 3 In 1997, four years after the FCC enacted Congressionally mandated regulations banning the sale of scanning equipment capable of intercepting cellular signals,12 a couple from Florida recorded a conference call between several senior Republican politicians, including then Speaker of the House Newt Gingrich, which they were able to intercept because one of t e c ll’s p t c p nts w s using a cellular phone.13 Although the couple did not intend to impact US communications policy when they turned on their radio scanner, their act was high-profile proof t t C ng ess’s response to the analog interception threat was not successful.14 What ultimately fixed the analog phone interception problem was not further congressional action but rather, t e w eless nd st y’s migration away from easily intercepted analog phone technology to digital cellular phones—a decision motivated in part by the increase in cellular phone cloning fraud.15 Digital phone conversations were, at the time, far less likely to be intercepted because the necessary equipment was prohibitively expensive and thus available to fewer potential snoops.16 Governments with significant financial resources, however, have owned and used cellular phone surveillance equipment for quite some time. Indeed, for nearly two Industry Association, February 5, 1997 at 1, House Commerce Committee, Subcommittee on Telecommunications, Trade and Consumer Protection. 1997 WL 49420 [hereinafter Summary of Wheeler testimony], (“[T]rying to ban a specific type of eavesdropping gear after it has already bec e w dely v l ble s d ff c lt.”). 12 See FCC Report and Order, supra note 10. 13 The participants of the call—who included Republican Majority Leader Dick Armey, Republican Whip Tom Delay, New York Congressman Bill Paxon John Boehner—were discussing an investigation by the Congressional Ethics Committee of Gingrich. The Florida couple gave the recording to the ranking Democratic member of the Ethics Committee (and thus the leader of the Gingrich investigation). See The Gingrich Cellular Phone Call, PBS NewsHour, January 14, 1997, http://www.pbs.org/newshour/bb/politics/jan-june97/cellular_01-14.html. 14 This was not the only opportunity in 1997 for Congress to observe that cellular communications were still not secure. See Committee Report, for H.R. 2396 the Wireless Privacy Enhancement Act of 1998, http://www.gpo.gov/fdsys/pkg/CRPT-105hrpt425/pdf/CRPT-105hrpt425.pdf at 5 (“T e Subcommittee on Telecommunications, Trade, and Consumer Protection held a hearing on cellular p v cy n Feb y 5, 1997…. P t t e w tnesses’ test ny, tec n l g c l de nst t n w s conducted to highlight the ease w t w c sc nn ng eq p ent c n be ‘‘ e d ly lte ed’’ t nte cept cell l c n c t ns.”). 15 Cell p ne cl n ng s p cess by w c ne p ne’s n q e cc nt n be c ld be c pt ed and programmed into another phone for purposes of billing one p ne’s c lls t n t e p ne. See generally Jeri Clausing, Congress Moving Quickly to Try to Curb Cell Phone Abuses, New York Times, March 2, 1998, available at http://www.nytimes.com/1998/03/02/business/congress-moving- quickly-to-try-to-curb-cell-phone-abuses.html. 16 See David Wagner, Bruce Schneier and John Kelsey, Cryptanalysis of the Cellular Message Encryption Algorithm, Advances in Cryptology - CRYPTO'97, available at http://www.schneier.com/paper-c e .pdf (“[T] e l test d g t l cellp nes c ently offer some weak protection against casual eavesdroppers because digital technology is so new that inexpensive d g t l sc nne s ve n t yet bec e w dely v l ble.”). See also Committee Report, for H.R. 2396 supra n te 13 t 3 (“While digital cellular and PCS are not immune from eavesdropping, they are currently more secure than analog cellular because the equipment for intercepting digital calls is vastly more expensive and complex than existing, off-the-shelf scanners that intercept analog communications (e.g., $200 vs. $10,000–$30,000).”).
  4. 4. 4 decades, US federal, state and local law enforcement agencies have employed sophisticated cellular surveillance equipment that exploits vulnerabilities in cellular networks. Once only accessible to a few global powers at six-figure prices, similar technology is now available to any government—including those with a history of spying in the United States—and to any other interested buyer from surveillance companies around the world, often for as little as a few thousand dollars per device.17 Moreover, hobbyists can now build less advanced but functional interception equipment for as little as $100.18 The normal course of economics and innovation has destroyed the monopoly a select group of global powers once enjoyed over digital cellular surveillance technology, rendering surreptitious access to cellular communications as universally available as it once was in the analog world: surveillance has, once again, become democratized, this time with a much more expansive set of capabilities. During Congressional testimony in 1997, current Federal Communications Commission (FCC) Chairman Tom Wheeler, then the president of the cellular industry association (CTIA), warned the Committee of this outcome: “Unless Congress takes a forward-looking approach, history will likely repeat itself as digital scanners and decoders, though expensive now, drop in price in the future.”19 Mr. Wheeler’s prescient warning has come true. Although the technology has changed, we are rapidly approaching a future of widespread interception that feels much like the past, but with a much larger range of public and private actors with more diverse motives for snooping. Whoever employs this technology can obtain direct, unmediated access to information about and from a cellular phone without any aid from a wireless provider.20 In some cases, this technology can even intercept the contents of cellular phone calls, text messages and other communications data transmitted to and from the phone.21 In this Article, we will argue that policy makers did not learn the right lessons from the analog cellular interception vulnerabilities of the 90s: that is, the communications of Americans will only be secured through the use of privacy enhancing technologies like encryption, not with regulations prohibiting the use or sale of interception technology. Nearly two decades after Congress passed legislation intending to protect analog phones from interception by radio 17 See infra Part V. 18 See infra Part V. 19 See Summary of Wheeler Testimony, supra note ** at 2. 20 See John Kelly, Cellphone data spying: It's not just the NSA, USA Today, December 8, 2013, available at http://www.usatoday.com/story/news/nation/2013/12/08/cellphone-data-spying-nsa- p l ce/3902809/ (“T e t ng y c n g b s e d t f cellp nes n e l t e nd w t t g ng t g t e w eless se v ce p v de s nv lved.”) See also Ability, IBIS II - In-Between Interception System - 2nd Generation, http://www.interceptors.com/intercept-solutions/Active-GSM- Inte cept . t l (“T e IBI –II is a stand-alone solution for off the air interrogation / interception / monitoring / deception of tactical GSM communication, in a seamless way, without any cooperation with the network provider.”) (e p s s dded). 21 See infra Part **.
  5. 5. 5 scanners,22 the American public is poised, quite unknowingly, at the threshold of a new era of communications interception that will be unprecedented in its pervasiveness and variety. Foreign governments, criminals, the tabloid press and curious individuals with innumerable private motives can now leverage longstanding security vulnerabilities in our domestic cellular communications networks that were previously only exploitable by a few global powers. In spite of the security threat posed by foreign government and criminal use of cellular interception technology, US government agencies continue to treat practically everything about it as a closely guarded “source and method,”23 shrouding the technical capabilities, limitations and even the name of the equipment they use from public disclosure. The source and method argument is invoked to protect law enforcement genc es’ wn se f cell l nte cept n tec n l gy by preventing criminal suspects from learning how to evade surveillance.24 This secrecy is not only of questionable efficacy for that purpose, however, but it comes at a high collateral cost in that it keeps the American public in the dark about cellular network vulnerabilities and thus generally unaware of the need to secure their private communications. Indeed, at a time when cyber security threats are a top congressional priority, there has been no public discussion by policy makers about the exploitable vulnerabilities latent in our cellular networks and no corresponding policy debate about how to protect private communications from those threats. If the US and its close allies had a monopoly over this technology, policy makers could argue that certain national security interests furthered by the use of the technology—and thus the need to maintain the secrecy of all related information— trump the need to inform the American public about the vulnerability of cellular communications. This Article, however, dispels the myth that this technology is, in fact, secret at all. Indeed, it has been the subject of front page stories in leading newspapers,25 has been featured in Hollywood movies,26 television dramas27 and 22 See § 403 of the Telephone Disclosure and Dispute Resolution Act, Pub. L. 102-556 (1992); codified at § 47 U.S.C. 302a(d). 23 See infra Part IV. 24 See infra Part **. 25 See Jennifer Valentino-DeVries, 'Stingray' Phone Tracker Fuels Constitutional Clash, WALL ST. J., Sept. 22, 2011, http://online.wsj.com/article/SB10001424053111904194604576583112723197574.html. See also Ellen Nakashima, Little-known surveillance tool raises concerns by judges, privacy activists, The Washington Post, March 27, 2013, http://www.washingtonpost.com/world/national-security/little- known-surveillance-tool-raises-concerns-by-judges-privacy-activists/2013/03/27/8b60e906-9712- 11e2-97cd-3d8c1afe4f0f_story.html. 26 See Zero Dark Thirty (movie), at 83:00 27 See The Wire: Middle Ground, e s n 3, Ep s de 11 t XXX (HBO telev s n b dc st) (“Re e be those analog units we used to use to pull cell numbers out of the air? The C. F. something-something Ye , Cell F eq ency Ident f c t n Dev ce.” “T e t gge f s , ye .” “T t ne, t c ld fl g n be .” “R g t, b t t e ld n l g c nes? We sed t ve t f ll w t e g y und stay close while he sed t e p ne.” “New d g t ls b ng, we j st p ll t e n be g t ff t e cell t we s.”)
  6. 6. 6 more ominously, can be purchased over the Internet from one of many non-US based surveillance technology vendors or even built at home by hobbyists. We therefore argue that the risks to the American public arising from the US g ve n ent’s continued suppression of public discussion of vulnerabilities in our cellular communications networks that can be exploited to perform unmediated interception outweigh the now-illusory benefits of attempting to keep details of the surveillance technology secret. Congress should address these network vulnerabilities and the direct interception techniques they enable, as well as the necessity for responsive privacy enhancing technologies like strong encryption,28 as part of the larger cyber security debate, to which they are all inextricably linked. To date, however, this policy debate is not occurring, which is not beneficial either to privacy or cellular network security. Part II of this Article begins by naming this “secret” interception technology and describing its capabilities. Part III will then go on to address the limited Department of Justice (DOJ) guidance and case law pertaining to this technology. Part IV will discuss what appears to be a concerted effort by the US government to prevent the public disclosure of information about this technology. Part V will reveal, however, that the existence of the technology is both publicly known and acknowledged by governments in other countries. Part VI will describe how foreign governments and criminals can and do use cellular surveillance equipment to exploit the vulnerabilities in phone networks, putting the privacy and security of Americans’ communications at risk. Part VII will argue that the public is paying a high price for t e U g ve n ent’s pe pet t n f fictional secrecy surrounding cell phone interception technology. Specifically, such fictional claims of secrecy prevent policy makers from publicly addressing the threats to the security of cellular communications. Part VIII will argue that cellular network vulnerabilities should be addressed publicly in the larger cyber security policy process Congress is currently undertaking. Finally, Part IX will examine possible technical avenues through which solutions could come. II. AN INTRODUCTION TO CELL PHONE INTERCEPTION TECHNOLOGY Because cellular telephones send signals through the air, cellular communications are inherently vulnerable to interception by many more parties than communications carried over a copper wire or fiber optic cable into a home or business.29 This increased exposure to interception exists because anyone wishing 28 See L be ty nd ec ty n C ng ng W ld: Rep t nd Rec end t ns f t e P es dent’s Review Group on Intelligence and Communications Technologies 22 (2013), http://www.lawfareblog.com/wp-content/uploads/2013/12/Final-Report-RG.pdf (advising the US g ve n ent t “s pp [t] eff ts t enc ge t e g e te se f enc ypt n tec n l gy f d t n transit, at rest, in the cloud, and in storage.”). 29 See Craig Timberg and Ashkan Soltani, By cracking cellphone code, NSA has capacity for decoding private conversations, Washington Post, December 13, 2013, available at http://www.washingtonpost.com/business/technology/2013/12/13/e119b598-612f-11e3-bf45- 61f69f54fc5f_st y. t l (“Cellp ne c nve s t ns l ng ve been c e s e t nte cept t n
  7. 7. 7 to tap a traditional wireline telephone call must physically access the network infrastructure transporting that call—such as by attaching interception equipment to the telephone w es ts de t e e f t e t get t t e telep ne c p ny’s central office.30 In contrast, intercepting a cellular telephone call only requires sufficient geographic proximity to the handset of one of the callers and the right kind of wireless interception equipment. Moreover, the distance from which cellular calls are vulnerable to interception can be increased with bigger antennas and high- powered radio equipment.31 Cellular telephone calls can, of course, be intercepted by government agencies with the assistance of the wireless carriers via government mandated interception capabilities these companies have built into their networks.32 In fact, the vast majority of surveillance performed by law enforcement agencies in the United States is, almost certainly, carrier-assisted surveillance.33 But cellular phone transmissions can also be captured without the assistance, or even the knowledge, of the carriers. The unmediated nature of this kind of interception, combined with ones conducted on traditional telephones because the signals are broadcast through the air, making f e sy c llect n.”) 30 See id. Carrier assisted wiretaps once required that the interception take place near the target, such as at a call switching center. Today, telephone carriers have modern interception equipment that permits intercepts to be remotely initiated and controlled by a single dedicated surveillance team within the companies. See, for example, Utimaco Lawful Interception of Telecommunication Services (sales brochure), available at http://lims.utimaco.com/fileadmin/assets/brochures_datasheets_whitepapers/UTIMACO_LIMS_DA TASHEET_EN.pdf, (Utimac ’s L wf l Inte cept n M n ge ent yste “ s p ven s l t n f network operators and service providers to automate the administrative and operative tasks related to lawful interception. The system is based on a central management platform for the surveillance of communication services and implements electronic interfaces to various authorized law enforcement genc es nd t e n t ng… Key fe t es [ ncl de] Cent l d n st t n f nte cepts nd t get ss gn ents.”). See also Elaman government solutions, product brochure, https://www.wikileaks.org/spyfiles/files/0/188_201106-ISS-ELAMAN3.pdf t p ge 6 (“Lawful Interception provides access to calls and call-related information (telephone numbers, date, time, etc.) within telecommunications networks and delivers this data to a strategic Monitoring Center (MC)... Such an MC gives access to an entire country's telecommunications network from one central place, but it needs t e s pp t f pe t s...”). 31 As with cellular interception, WiFi signals can also be intercepted from a greater distance with the right equipment. See US National Security Agency, NIGHTSTAND - Wireless Exploitation/ Injection Tool, January 7, 2008, http://leaksource.files.wordpress.com/2013/12/nsa-ant- nightstand.jpg?w=604&h=781 ("Use of external amplifiers and antennas in both experimental and operational scenarios have resulted in successful NIGHTSTAND [WiFi] attacks from as far away as eight miles under ideal environmental conditions.") See also Xeni Jardin, DefCon WiFi shootout champions crowned: 125 miles, Boing Boing, July 31, 2005, http://boingboing.net/2005/07/31/defcon-wifi-shootout.html (describing a successful, record- setting 125 mile WiFi transmission by a team using 12 foot and 10 foot diameter satellite dishes). 32 See generally The Communications Assistance for Law Enforcement Act (CALEA), Pub. L. No. 103- 414, 108 Stat. 4279, codified at 47 U.S.C. §§ 1001-1010. 33 See Eric Lichtblau, Wireless Firms Are Flooded by Requests to Aid Surveillance, New York Times, July 8, 2012, available at http://www.nytimes.com/2012/07/09/us/cell-carriers-see-uptick-in- requests-to-aid-surveillance.html (describing the 1.3 million requests the wireless carriers received in 2011 from law enforcement agencies).
  8. 8. 8 the growing ease of access to cellular surveillance technology, makes the universe of private parties that can intercept a cellular call inestimably larger, and the range of their motives correspondingly broader, than the pool of potential law enforcement and national security actors who have both the legal capacity and technical capability to initiate a traditional wiretap of a wireline phone. The technologies that enable the direct interception of cellular phone calls without the assistance of a wireless carrier generally fall into two categories: passive and active.34 The former merely intercepts the signals sent between nearby phones and t e w eless p v de s’ network, while the latter transmits data to, and directly interacts with, the cellular phones under surveillance. Passive interception technology functions in two stages. First, the signals transmitted between a cellular phone and the wireless carrier’s netw k are intercepted as they are transmitted over the air. This process does not disrupt the signals in transit. Second, once intercepted, if the communications are encrypted, they must be must be decrypted for analysis.35 Not all communications are encrypted in transmission but, if they are, the ease of decryption varies based on the strength of the encryption algorithm chosen by the wireless carrier.36 As described in greater detail in Part V of this Article, t e j “G M” netw k pe t s n t e US, such as AT&T and T-Mobile, still use extremely weak encryption algorithms for t e lde “2G” netw ks w c can be easily deciphered with widely available 34 See Karsten Nohl and Chris Paget, GSM — SRSLY ?, 26th Chaos Communication Congress (26C3), December 27, 2009, page 11, http://events.ccc.de/congress/2009/Fahrplan/attachments/1519_26C3.Karsten.Nohl.GSM.pdf. 35 Encrypted cellular communications must be decrypted before they can be listened to, at least when encryption is used. In some countries, like India, encryption between phones and the network base stations is disabled. In India, this is a result of legislation prohibiting the use of encryption, likely intended to make interception by the government easier. See Pranesh Prakash, How Surveillance Works in India, New York Times India Ink blog, July 10, 2013, available at http://india.blogs.nytimes.com/2013/07/10/how-surveillance-works-in- nd / (“p v de s n Ind have been known use A5/0, t t s, n enc ypt n”). ee also Nehaluddin Ahmad, Restrictions on cryptography in India – a case study of encryption and privacy, Computer Law & Security Review, Volume 25, issue 2, pp173- 180, 2009. In the United States, there is no law requiring the carriers to use encryption to protect calls. The choice is left entirely up to the wireless carriers, who do use encryption in some cases, but not always. See supra Part V. 36 A number of encryption algorithms are supported by modern cellular telephone systems, but the spec f c lg t sed t enc ypt c n c t ns between telep ne nd t e c e s’ netw k s c sen by t e w eless c e . In t e Un ted t tes, t e A5/1 lg t nd A5/0 (t e “NULL” encryption option) are still used by the major GSM carriers, AT&T and T-Mobile for their 2G networks. See supra Part V. The major CDMA carriers, Sprint and Verizon, use different encryption algorithms for their 2G and 3G networks. The Long Term Evolution (LTE) 4G cellular standard, which is the next generation technology adopted by all US carriers, includes support for encryption algorithms that are much stronger. However, as with prior generations of cellular technology, w eless c e s c n st ll c se t n t se ny enc ypt n (t e “NULL” pt n) w th LTE. See http://business.verizonwireless.com/content/dam/b2b/resources/LTE_FutureMobileTech_WP.pdf (“T e 128-b t AE lg t s t e p efe ed pt n n t e Ve z n W eless 4G LTE netw k… AE s preferred because it has undergone more public scrutiny t n t e enc ypt n pt ns.”).
  9. 9. 9 software or purpose-built hardware.37 Moreover, although the competing “CDMA” cellular networks (operated by Verizon and Sprint) use different, incompatible cellular technology and encryption algorithms, surveillance companies offers products capable of intercepting and tracking CDMA phones too.38 Active interception, performed with a device known as an IMSI catcher or cell site simulator, works by impersonating a wireless base station—the carrier owned equipment installed at a cell tower to which cellular phones connect—and tricking t e t get’s phone into connecting to it.39 For some surveillance capabilities, such as intercepting communications content, the IMSI catcher can also impersonate the c e ’s network infrastructure, such that calls and text messages are transmitted through the IMSI catcher, once again without disrupting the communication and thus remaining imperceptible to the target.40 Depending on the particular features of the surveillance device and how they are configured by the operator, IMSI catchers can be used to identify nearby phones,41 to locate them with extraordinary 37 See supra Part V for a discussion of the software tools and commercial products now available to crack cellular encryption algorithms. 38 These include the Harris Corporation, and Elaman. See Lin Vinson, Major Account Manager, Wireless Products Group, Harris Corporation, letter to Raul Perez, City of Miami Police Department, August 25, 2008, http://egov.ci.miami.fl.us/Legistarweb/Attachments/48003.pdf t p ge 2 (“The Harris StingRay and KingFish systems are compatible with the CDMA standard...”). See Harris StingRay product sheet, http://files.cloudprivacy.net/Harris_Stingray_product_sheet.pdf at 1 (Desc b ng ne ve s n f t e H s t ngR y s “Transportable CDMA Interrogation, Tracking and Location, and Signal Collection Inf t n C llect n yste ”). See also Elaman government solutions, product brochure, https://www.wikileaks.org/spyfiles/files/0/188_201106-ISS- ELAMAN3.pdf t p ge 14 (“For operational field usage, off-air GSM monitoring systems are very powerful and essential....Systems for ... CDMA e [ ls ] v l ble.”). See http://en.intercept.ws/catalog/2197.html and http://www.ewa- gsi.com/Fact%20Sheets/Arrow%20CDMA%20Fact%20Sheet.pdf. 39 See Daehyun Strobel. IMSI Catcher, Seminar Work, Ruhr-Universitat Bochum, 2007, ttp://www.e sec. b.de/ ed /c ypt / tt c ents/f les/2011/04/ s _c tc e .pdf t 17 (“An IMSI Catcher exploits [the lack of authentication in GSM] weakness and masquerades to a Mobile [P ne] s B se t t n.”) 40 Ability Limited (Hong Kong), In-Between Interception System, Product Description, at page 4, ttp://www.t pl nkp c.c /pdf/IBI _B c e.PDF (“It s t e M n-In-The-Middle (MitM) attack n G M c n c t n w c s f lly ple ented n t e IBI ….D ng t e eg st t n nd authentication process compact BTS requests mobile phones to implement encryption A5/2 which they do. Real-time A5/2 decipher decrypts the information exchange and calculates Kc (ciphering Key). F t s ent IBI c n f lly t te t get’s p ne nd t lks w t GSM network on its behalf. So the target communicates with compact BTS which poses to be a real GSM network. The real GSM network talks to clone of the target phone. Computer collects information from the compact BTS and the clone. Such a scheme makes possible interception of incoming and outgoing calls.”) (e p s s added). 41 Cellxion, UGX Series 330, Transportable Dual GSM/ Triple UMTS Firewall and Analysis Tool, page 7 http:// s3.documentcloud.org/documents/810703/202-cellxion-product-list-ugx-optima- platf .pdf (“C p e ens ve dent f c t n f IM I, IMEI, nd TM nf t n ... s lt ne s g speed cq s t n f ndsets ( p t 1500 pe n te), c ss p t f ve netw ks.”). See also Septier IM I C tc e , ttp://www.sept e .c /146. t l (“ ept e IMSI Catcher allows its user to extract the IM I nd IMEI f G M M pe t ng n ts c ve ge e ”)
  10. 10. 10 precision,42 to intercept outgoing calls and text messages,43 as well as to block service, either to all devices in the area, or to particular devices.44 Cellular interception technology, by its very nature, tends to be invasive and overbroad in its collection of data.45 Active interception devices send signals, often indiscriminately, through the walls of homes,46 vehicles, purses and pockets in order to probe and identify the phones located inside.47 Both active and passive devices also pick up the signals of other phones used by innocent third parties, particularly when government agencies using them do not know the exact location of their target and thus must drive through cities and neighborhoods while deploying cellular interception equipment in order to locate her. Both passive and active telephone surveillance technologies exploit security flaws in cellular telephones. Passive devices exploit the weak or, in some cases, lack of any encryption used to protect calls, text messages and data transmitted between 42 See Anchorage Police Department, Memorandum, Sole Source Proprietary Purchase Request Harris KingFish Dual Mode System, June 24, 2009, http://files.cloudprivacy.net/anchorage-pd-harris- memo.pdf ("The system allows law enforcement agencies ... the ability to ... Identify location of an ct ve cell l dev ce t w t n 25 feet f ct l l c t n nyw e e n t e Un ted t tes”) See also Harris AmberJack product sheet, http://egov.ci.miami.fl.us/Legistarweb/Attachments/34769.pdf at 2 (“A be J ck s p sed y d ect n-finding (DF) antenna system capable of tracking and locating mobile phone users. The DF antenna array is designed to operate with Harris' Loggerhead nd t ngR y p d cts.”) See also “G M Cell l M n t ng yste s” b c e by PKI Elect n c Intell gence G bH t 12 (dev ce c n “l c t[e]... t get b le p ne w t n n cc cy f 2 [ete s]”), v l ble t http://www.docstoc.com/docs/99662489/GSM-CELLULAR-MONITORING-SYSTEMS---PKI- Electronic-#. 43 See Ability (infra fn 36)(noting the ability to intercept “ nc ng nd tg ng c lls”); See also Verint Sales Brouchure, 2013, http://s3.documentcloud.org/documents/885760/1278-verint- product-list-engage-gi2-engage-pi2.pdf t 15 (“Listen to, read, edit and reroute incoming and outgoing calls and text messages”). 44 See CellX n, UGX Opt Pl tf , nf (fn 37) t p ge 2 (“Gl b l Den l f e v ce: D s ble ll handsets except operationally friendly”) See also See Anchorage Police Department, Memorandum, Sole Source Proprietary Purchase Request Harris KingFish Dual Mode System, June 24, 2009, http://files.cloudprivacy.net/anchorage-pd-harris-memo.pdf ("The system allows law enforcement agencies ... the ability to ... Interrupt service to active cellular connection ... Prevent connection to dent f ed cell l dev ce”) 45 In some cases, this may be a selling point. See Verint Sales Brouchure, 2013, http://s3.documentcloud.org/documents/885760/1278-verint-product-list-engage-gi2-engage- pi2.pdf t 7 (“c llect ss G M t ff c ve w de e ”). 46 T e dev ces send s gn ls l ke t se e tted by c e ’s wn b se st t ns. T se s gn ls, f c se, “penet te w lls” (necess ly, t p v de c nnect v ty indoors). What You Need to Know About Your Network, AT&T, http://www.att.com/gen/press-room?pid=14003; see also E.H. Walker, Penetration of Radio Signals Into Buildings in the Cellular Radio Environment, 62 THE BELL SYSTEMS TECHNICAL JOURNAL 2719 (1983), available at http://www.alcatel- lucent.com/bstj/vol62-1983/articles/bstj62-9-2719.pdf. 47 See John Kelly, Cellphone data spying: It's not just the NSA, USA Today, December 8, 2013, available at http://www.usatoday.com/story/news/nation/2013/12/08/cellphone-data-spying-nsa- p l ce/3902809/ (“Typ c lly sed t nt s ngle p ne's l c t n, t e syste nte cepts d t f ll p nes w t n le, f t e , depend ng n te n nd ntenn s.”)
  11. 11. 11 phones and the w eless c e s’ base stations. Active surveillance devices, on the other hand, exploit the lack of authentication of the base station by cellular phones.48 As a result, phones have no way to differentiate between a legitimate base st t n wned pe ted by t e t get’s w eless c e nd g e device impersonating a carrier’s base station.49 Passive wireless surveillance devices do not transmit any signals.50 These devices are thus far more covert in operation—indeed effectively invisible51—but they can only detect signals of nearby phones when those phones are actually transmitting data.52 Active surveillance devices have the disadvantage of being relatively less covert because they produce tell-tale signals that are detectable using sophisticated, counter-surveillance equipment,53 but they possess a corresponding advantage in that they can rapidly identify and locate all nearby phones that are turned on, even if they are not transmitting any data.54 48 See Strobel infra n te ** t 17 (“An IM I C tc e expl ts [the one sided authentication] weakness [ n G M] nd sq e des t M b le t t n s B se t t n”). 49 More recent cellular phone systems, including so-called 3G and 4G networks, now include the capability for phones to authenticate the network base stations. See generally Muxiang Zhang; Yuguang Fang, Security analysis and enhancements of 3GPP authentication and key agreement protocol, Wireless Communications, IEEE Transactions on, vol.4, no.2, pp.734,742, March 2005, available at http://islab.iecs.fcu.edu.tw/GroupMeeting/PowerPoint/20050506_1.pdf. However, even the latest smartphones are backward compatible with older, vulnerable phone network technologies, which allows the phone to function if it is taken to a rural location or foreign country where the only service offered is 2G. As a result, modern phones remain vulnerable to active surveillance via a protocol rollback attack in which the nearby 3G and 4G network signals are first jammed. See Matthew Green, On cellular encryption, A Few Thoughts on Cryptographic Engineering, May 13, 2013, http://blog.cryptographyengineering.com/2013/05/a-few-thoughts-on-cellular- enc ypt n. t l (“T e b ggest s ce f c nce n f 3G/LTE s t t y y n t be s ng t. M st phones are programmed to gracefully 'fail over' to GSM when a 3G/4G connection seems unavailable. Active attackers exploit this feature to implement a rollback attack — jamming 3G/4G connections, and thus re- ct v t ng ll f t e G M tt cks.”). 50 See Ability, GTReS – GSM Traffic Recording System, http://www.interceptors.com/intercept- solutions/Passive-GSM-Inte cept . t l (“GTRe s lt -band fully passive GSM interception system designed to record the entire traffic occurring between Base Transmitting Stations (BTS) and Mobile Stations (MS) located w t n t e syste ’s pe t n l nge. T s e ns l te lly tens even nd eds f s lt ne s c lls…. GTRe d es n t ve ny t ns tt ng p ts… GTRe ’ pe t n s c pletely ndetect ble.”) 51 See Verint Sales Brouchure, 2013, http://s3.documentcloud.org/documents/885760/1278-verint- product-list-engage-gi2-engage-pi2.pdf t 7 (“Operate undetected leaving no electromagnetic signature”). 52 Any phone that is connected to a cellular network will regularly transmit data to nearby base stations, even if it is not making calls, sending text messages or using the Internet. Locating a phone that is not currently transmitting data with a passive interception device may, however, require w t ng s e t e nt l t e dev ce “c ecks n” w t t e cell l netw k r otherwise engages in a communication with a nearby base station. 53 T ese dev ces e kn wn s “IM I c tc e c tc e s”. See CatcherCatcher, Security Research Labs, https://opensource.srlabs.de/projects/mobile-network-assessment-tools/wiki/CatcherCatcher, (“T e C tc e C tc e t l detects b le netw k eg l t es nt ng t f ke b se st t n ct v ty…F IM I c tc e s t c eve t e g ls t ey w ll need t s w be v d ffe ent f n l b se st t ns”). 54 See Cellxion, supra note 38.
  12. 12. 12 A. AN APPROXIMATE HISTORY OF CELLULAR PHONE INTERCEPTION TECHNOLOGY55 Rohde & Schwarz, a German manufacturer of radio equipment, is generally believed to have created the first purpose-built active device capable of performing surveillance on cellular telephones.56 Their first model, introduced in 1996, identified nearby wireless telephones by forcing them to transmit their serial number, or International Mobile Subscriber Identity (IMSI).57 Within a year, the company had introduced a more sophisticated product that could also intercept outgoing phone calls.58 US government agencies have used both active and passive forms of cellular telephone surveillance technology since at least the early 1990s, if not earlier.59 Military and intelligence agencies were early adopters of this technology, with law enforcement agencies quickly following their lead.60 Passive devices, often referred to as digital analyzers, were used by law enforcement agencies as early as 1991.61 Active surveillance devices were also used by federal law enforcement agencies as early as 1995.62 Initially, US agencies used devices that were “general use” cell site 55 As telephone interception technology is also used by intelligence agencies and the military, it is impossible to tell a totally accurate history of the development of wireless telephone interception technology. As with many surveillance technologies, the military and intelligence community are the first to use them, and after time, they trickle down to law enforcement. Neither the manufacturers of this equipment nor their many intelligence and military clients advertise their use. This portion of our article is an attempt to paint an approximate picture, but it is quite likely that there are many aspects to this story that are missing, due to the fact that they remain classified. 56 The earliest public document describing IMSI catchers and the Rohde & Schwarz products is an article in 1997 by Dirk Fox, a German security consultant. See Dirk Fox, IMSI-Catcher, Datenschutz und Datensicherheit, 21:539–539, 1997, available at http://www.secorvo.de/publikationen/imsi- catcher-fox-1997.pdf (in German). Five years later, Fox published an updated, more in-depth article about the same technology. See Der IMSI-Catcher, Datenschutz und Datensicherheit, 26:212–215, 2002, http://www.secorvo.de/publikationen/imsicatcher-fox-2002.pdf (also in German). 57 See Strobel infra note ** at 17. See also, MMI Research Ltd v Cellxion Ltd & Ors [2009] EWHC 418 (Pat) (11 March 2009), http://www.bailii.org/ew/cases/EWHC/Patents/2009/418.html (describing a presentation of the Rohde & Schwarz GA-090 IMSI Catcher device to three German wireless carriers in December 1996.) 58 See Strobel infra note ** at 17. 59 As US law enforcement and intelligence agencies do not advertise their intelligence gathering sources and methods, there is no way to accurately determine when US government agencies first started to use active or passive wireless phone surveillance technology. 60 See John Kelly, Cellphone data spying: It's not just the NSA, USA Today, December 8, 2013, available at http://www.usatoday.com/story/news/nation/2013/12/08/cellphone-data-spying-nsa- p l ce/3902809/ (“In t lly devel ped f l t y nd spy genc es, t e t ng ys e n g ded sec et by l w enf ce ent nd t e n f ct e , H s C p. f Melb ne, Fl .”) 61 See Glen L. Roberts, Who's On The Line? Cellular Phone Interception at its Best, Full Disclosure, issue 24, 1991, archived at http://blockyourid.com/~gbpprorg/2600/harris.txt (describing the marketing by the Harris Corporation of TriggerFish passive surveillance devices to law enforcement agencies at the National Technical Investigators Association conference in 1991). 62 See Tsutomu Shimomura, Catching Kevin, Wired, Issue 4.02, February 1996, available at http://www.wired.com/wired/archive/4.02/catching_pr.html
  13. 13. 13 simulators, which wireless carrier technicians operated to test cellular phones.63 Later, cellular equipment manufacturers created and sold cell site simulators specifically designed for government surveillance. Infamous computer hacker Kevin Mitnick was located in 1995 by FBI agents using a combination of an active cell-site simulator and a passive TriggerFish, the brand name of a digital analyzer manufactured by the Harris Corporation.64 The active cell s te s l t w s ble t p ge M tn ck’s p ne without causing an audible ring,65 after which the passive TriggerFish was used to locate the phone.66 By 2003,67 Harris had introduced its more sophisticated StingRay product, which performed active surveillance of digital cellular telephones.68 The company now manufactures an extensive range of cellular telephone surveillance products,69 which can be mounted in vehicles, on airplanes and drones, or carried by a person.70 Harris sells its products to local, state and federal law enforcement agencies,71 intelligence agencies, and the military.72 The company dominates the US law 63 Id. 64 Id. 65 Id. This capability is commonly efe ed t s “s lent M ”. See generally Fabien Soyez, Getting the Message? Police Track Phones with Silent SMS, Owni, January 27, 2012, available at http://owni.eu/2012/01/27/silent-sms-germany-france-surveillance-deveryware. 66 Shimomura, supra note **. 67 US Trademark office registration of StingRay, 8/21/2001, registration # 2762468, describing a “ lt -channel, software-defined, two-way electronic surveillance radios for authorized law enforcement and government agencies for interrogating, locating, tracking and gathering information f cell l telep nes.” F st Use In C e ce: 20030302. 68 See Harris StingRay product sheet, http://files.cloudprivacy.net/Harris_Stingray_product_sheet.pdf t 1 (“ t ngR y s H s' l test ffe ng n l ng l ne of advanced wireless surveillance products. StingRay is a multichannel software defined radio that performs network base station surveys, Dialed Number and registration collection, mobile interrogation, and target tracking and location with Harris' AmberJack Direction-F nd ng Antenn .”). 69 See generally Ryan Gallagher, Meet the machines that steal your phone’s data, Ars Technica, September 25, 2013, http://arstechnica.com/tech-policy/2013/09/meet-the-machines-that-steal- your-phones-data/. 70 See Jennifer Valentino-DeVries, Judge Questions Tools That Grab Cellphone Data on Innocent People, The Wall Street Journal, October 22, 2012, http://blogs.wsj.com/digits/2012/10/22/judge- questions-tools-that-grab-cellphone-data-on-innocent-pe ple/ (“ t ng y eq p ent can be carried by nd nted n ve cles even d nes.”) See also Freedom of Information Act response from US Immigrations and Customs Enforcement to Christopher Soghoian, September 19, 2012, at 44, available at https://www.documentcloud.org/documents/479397- st ng yf . t l#d c ent/p44/ 14 (desc b ng t e p c se f “ t ng y II A b ne T n ng” sess n nd n “A b ne Fl g t K t”) 71 See John Kelly, Cellphone data spying: It's not just the NSA, USA Today, December 8, 2013, available at http://www.usatoday.com/story/news/nation/2013/12/08/cellphone-data-spying-nsa- p l ce/3902809/ (“At le st 25 p l ce dep t ents wn t ng y, s tc se-size device that costs as c s $400,000 nd cts s f ke cell t we ….In s e st tes, t e dev ces e available to any local police department via state surveillance units. The federal government funds most of the purchases, via anti-te g nts.”) 72 See US Marine Corps, Intelligence Training Enhancement Program, Course Program for SET017, https://www.mcis.usmc.mil/ITEP/Lists/ITEP%20Course%20Catalogue/DispForm.aspx?ID=31
  14. 14. 14 enforcement market, although several other companies also sell similar technology to US military and intelligence agencies.73 B. USES OF DIRECT INTERCEPTION TECHNOLOGY Law enforcement agencies perform most interception with the assistance of telecommunications and Internet companies using carrier-owned equipment or technology that enables surveillance—typically with the aid of dedicated electronic surveillance and compliance teams employed by these companies.74 For more than ( ncl des “H s C p t n: G ss e , L ng p, Bl ckF n, Bl ckF n II, H wksB ll, p D g, FishFinder, KingFish, StingRay, StingRay II, GSM Interrogator, CDMA Interrogator, iDEN Interrogator, UMTS Interrogator, FishHawk, Porpoise, FireFish, Tarpon, AmberJack, Harpoon, Moray, LanternEye, R yF s , t neC b”). See also NOTICE OF INTENT TO AWARD A SOLE SOURCE CONTRACT-HARRIS: KINGFISH DUAL MODE SYSTEM, U.S. Army Intelligence and Security Command, January 12, 2009, available at https://www.fbo.gov/index?s=opportunity&mode=form&id=fd03ebae781f3a3fdb7633699bc1e351 &tab=core&_cview=1. See also Interrogation, Tracking, Location and Signal Information Collection System Devices with Software and Training, United States Marine Corp, September 12, 2006, available at https://www.fbo.gov/index?s=opportunity&mode=form&id=6a5efbcce2b7bdf2f37448ad68d48e7e &tab=core&_cview=0, Harris Corp Blackfin Equipment, Space and Naval Warfare Systems Command, May 24, 2010, available at https://www.fbo.gov/index?s=opportunity&mode=form&tab=core&id=f34fc14f76e8744bfe75d41e 6d0242db. See also, U.S. Special Operations Command (Naval Special Warfare Group 1), Fishhawk Software, September 22, 2011, https://www.fbo.gov/index?s=opportunity&mode=form&tab=core&id=3176fb4a66f92793ac34e76 70205e2c5 ((“ t ngR y II - Special Equipment- Over-The-Air special signal software that is c p t ble w t t e H s t ngR y II yste .”) 73 Other manufacturers of cellular surveillance technology used by the US military and intelligence agencies include Boeing, Cellxion, and Martone Radio Technology. See Audrey L. Allison and Bruce A. Olcott, Comments of the Boeing Company, Technical Approaches to Preventing Contraband Cell Phone Use in Prisons, Docket No. 100504212-0212-01, Before the United States Department of Commerce, National Telecommunications and Information Administration, June 11, 2012, available at http://www.ntia.doc.gov/files/ntia/comments/100504212-0212- 01/attachments/Boeing%20and%20DRT%20Comments%20on%20NTIA%20Contraband%20Cell% 20P ne%20NOI%206%2011%2010.pdf, (“DRT n f ct es l ne f w eless l c t n nd management technologies that emulate a base station to detect and locate wireless handsets of interest in a limited geographic are .”). See also Darrell J. Patterson, Phoenix Global Support, Application for New or Modified Radio Station Under Part 5 of FCC Rules – Experimental Radio Service, Federal Communications Commission, March 21, 2011, available at https://apps.fcc.gov/oetcf/els/reports/442_Print.cfm?mode=current&application_seq=47486&licen se_seq=48001 (requesting a license to use transmitting devices made by Martone Radio Technology, Harris and Cellxion). Phoenix Global Support, the company that requested FCC that license, is located less than 15 miles from Fort Bragg, in Fayetteville, NC, the headquarters of the Joint Special Ope t ns C nd (J OC). T e c p ny’s webs te st tes t t t ffe s “c plete cl sses nd curriculum for Signals Intelligence (SIGINT) and Electronic Warfare (E/W) spanning the spectrum of w eless c n c t ns.” See Phoenix Global Support, www.pgsup.com. 74 See William B. Petersen, General Counsel, Verizon Wireless, Letter to Edward J. Markey, Congressman, May 22, 2012, available at http://web.archive.org/web/20121217111531/http://markey.house.gov/sites/markey.house.gov/f iles/documents/Verizon%20Wireless%20Response%20to%20Rep.%20Markey.pdf , Page 3 (“Ve z n W eless s ded c ted te f pp x tely seventy t t w ks . . . t esp nd t l wf l
  15. 15. 15 one hundred years, the telephone companies have provided such assistance.75 While carrier performed or enabled surveillance is generally the easiest, most efficient and covert way to intercept communications, it is not the only way.76 In spite of the user-friendly, often inexpensive, surveillance capabilities provided to the government by the wireless carriers,77 there are certain situations where governments may need or prefer to engage in direct, unmediated surveillance of telephones themselves using an active or passive device. These include: (1) Identifying unknown phones currently used by a known target. In situations where a surveillance target is believed to frequently switch phones (for example, by using so-called “b ne ” d sp s ble p nes),78 investigators may wish to learn the serial number of the phone currently in use, which is necessary in order to initiate a carrier-assisted wiretap79 or Pen Register/ Trap and Trace device (hereinafter Pen/Trap).80 Law enforcement can determine the specific phone used de nds f c st e nf t n.”). See also Timothy P. McKone, Executive Vice President, Federal Relations, AT&T, Letter to Edward J. Markey, Congressman, May 29, 2012, available at http://web.archive.org/web/20121228183409/http://markey.house.gov/sites/markey.house.gov/f les/d c ents/AT%26T%20Resp nse%20t %20Rep.%20M key.pdf, p ge 2 (“AT&T e pl ys more than 100 full time workers . . . for the purpose of meeting law enforcement demands.) 75 By 1895, the police in New York had the ability to wiretap any telephone in the city. See Wes Oliver, Wiretapping and the Apex of Police Discretion, Widener Law School Legal Studies Research Paper No. 10-14, April 22, 2010, available at ttp://p pe s.ss n.c /s l3/p pe s.cf ? bst ct_ d=1594282 (“In t e e ly ye s f p lice wiretapping, a police officer would simply go to the telephone company and request that the phone c p ny ss st t e w t w et p… F [ n ff ce n l we M n tt n], e be s f t e s x-man wiretap squad could listen-in on any telephone call in the C ty f New Y k”). 76 In fact, since the earliest days of the telephone, the police have directly performed wiretaps too. See Meyer Berger, Tapping the Wires, New Yorker, June 18, 1938, at 41, available at http://www.spybusters.com/History_1938_Tapping_W es. t l (“In t se d ys p l ce w e-tappers j st w lked nt t e Telep ne C p ny’s ff ces, sked f t e l c t n f t e w es t ey we e interested in, and got the information without fuss. Lines were usually tapped right in the cellar of the house or t n ts de w ll b x”). 77 See Christopher Soghoian, ACLU docs reveal real-time cell phone location spying is easy and cheap, Slight Paranoia blog, April 3, 2012, available at http://paranoia.dubfire.net/2012/04/aclu-docs- reveal-real-time-cell-phone.html (quoting Paul Taylor, Electronic Surveillance Manager, Sprint Nextel, st t ng: “[O web b sed GP t ck ng t l] s j st e lly c g t n f e w t l w enf ce ent. T ey ls l ve t t t s ext e ely nexpens ve t pe te nd e sy”). 78 See The Wire: Amsterdam, t 00:42:23 (HBO telev s n b dc st Oct. 10, 2004) (“T ey ke couple of calls with a burner, throw it away. Go on to the next phone, do the same. There's more of t se t ngs l y ng nd t e st eets f West B lt e t n e pty v ls.” “Well, how the fuck you s pp sed t get w e p n t t?” “Ye , well, f st t w s p yp ne nd p ge s. T en t w s cell phones and face-to-face meets. Now this. The motherfuckers do learn. Every time we come at them, t ey le n nd dj st.”). 79 See 18 U.S.C. §§ 2511–2520 (2012) (authorizing the interception of wire, oral or electronic communications—including communications content—by law enforcement to investigate crimes enumerated in the statute upon satisfying various elements set out in the statute). 80 See 18 U.S.C. §§ 3121–3127 (2012) (authorizing law enforcement to install and use a pen register dev ce t “ ec [d] dec d[e] . . . [n n-content] dialing, routing, addressing, or signaling information . . . transmitted by an instrument or facility for which a wire or electronic communication is t ns tted [ ] p v ded ” nd t nst ll nd se t p nd t ce dev ce t “c pt [e] t e nc ng
  16. 16. 16 by a particular surveillance target by deploying an IMSI catcher to collect data about ne by p nes t lt ple l c t ns, s c s t e t get’s e nd pl ce f b s ness, ultimately narrowing the search to only those phones that were present in all of the monitored locations.81 (2) Locating devices that cannot be found by the wireless carriers. Federal E- 911 regulations require that the carriers be able accurately to determine the location of cellular phones.82 As this technical obligation was mandated in the context of E-911,83 it only applies to devices capable of making a telephone call to 911. As such, there is no affirmative obligation that wireless carriers be able to accurately locate data-only devices, such as tablet computers and mobile data-cards. In cases where the government wishes to locate data-only devices that cannot be accurately located by the wireless carrier,84 they are likely to turn to active cellular interception. (3) Selectively blocking devices or dialed numbers. There are situations and environments where public safety officials may use a cell site simulator to selectively block the use of particular phones.85 Some prisons, for example, have electronic or other impulses which identify the originating number or other dialing, routing, addressing, and signaling information reasonably likely to identify the source of a wire or electronic communication, provided, however, that such information shall not include the contents of any c n c t n”). 81 See United States v. Arguijo et al (Criminal Complaint), February 13, 2012, at 8, n.1 available at ttp://www.j st ce.g v/ s / ln/p /c c g /2013/p 0222_01d.pdf (“L w enf ce ent ff ce s f l w t C p ’s ppe nce, v ng p ev sly v ewed p t g p s f nd bse ved him during prior surveillance, used a digital analyzer device on three occasions in three different locations where Chaparro was observed to determine the IMSI associated with any cellular telephone being carried by Chaparro. Using the digital analyzer device, in conjunction with surveillance of C p , l w enf ce ent dete ned t t t e telep ne … w s n t e s e v c n ty n t e t ee sep te l c t ns w e e C p w s bse ved.”) 82 See 47 CFR 20.18(h). 83 Although the requirement that wireless carriers have the capability to locate handsets was mandated for purposes of locating cell phone subscribers making emergency calls (a situation in which the caller would presumably wish for her location to be known to the authorities), once the wireless carriers implemented this technical capability, law enforcement appropriated the resource to enable the tracking of targets through geo-location data, all without the knowledge of handset owners. 84 The FCC gave wireless carriers the choice of using handset-based or network-based technology to comply with the E-911 mandate. The handset-based solution involves the installation in telephone handsets of GPS chips that can be remotely queried. In contrast, the network-based solution requires the installation of specialized technology at the ca e s’ b se st t ns, w c c n t en l c te ny dev ce c nnected t t e c e ’s netw k, ncl d ng d t -cards and tablet computers. As such, carriers such as AT&T and T-Mobile, which have deployed network-based E-911 technology, are able to locate data-devices, while Verizon and Sprint, which deployed handset-based E-911 technology, cannot. See generally FCC Third report and Order, CC Docket No. 94-102, October 6, 1999, available at http://transition.fcc.gov/Bureaus/Wireless/Orders/1999/fcc99245.pdf. 85 See Anchorage Police Department, Memorandum, Sole Source Proprietary Purchase Request Harris KingFish Dual Mode System, June 24, 2009, http://files.cloudprivacy.net/anchorage-pd-harris- e .pdf (“T e K ngF s D l-Mode System ... is a Harris Government Communications System Division proprietary designed cellular phone surveillance and tracking system.... This system allows
  17. 17. 17 installed devices that permit access to registered phones, such as those used by guards and other staff, while blocking all unregistered phones, such as those smuggled in to the facility, from making or receiving calls.86 Law enforcement agencies may also, during high-security events like a hostage situation or a bomb threat, seek to redirect outgoing numbers dialed by particular phones or block incoming calls to all nearby phones. (4) Foreign intelligence and military operations. Although US government agencies can compel surveillance assistance from US wireless carriers, this power does not extend to telephone companies in foreign countries. Moreover, even if some level of assistance is available from foreign governments, US agencies may wish to keep their foreign surveillance activities covert, such as when the surveillance is aimed at that foreign government and its political leaders.87 As a result, when conducting surveillance abroad—and in some cases, even domestically88—direct surveillance technology may be the most effective surveillance (or even the only) tool available to US intelligence agencies and military units for intercepting certain communications or tracking particular phones.89 The law enforcement agencies ... to ...Interrupt service to active cellular connection. Prevent connection to identified cellular device ('No Service').”). 86 See National Telecommunications and Information Administration, US Department of Commerce, Report on Contraband Cell Phones In Prisons, Possible Wireless Technology Solutions, December 2010, pages 19-25, http://www.ntia.doc.gov/files/ntia/publications/contrabandcellphonereport_december2010.pdf (desc b ng “ n ged ccess” et ds f p event ng c nt b nd cell p nes f be ng sed n prisons). 87 See How NSA Spied on Merkel Cell Phone from Berlin Embassy, Der Spiegel, October 27, 2013, http://www.spiegel.de/international/germany/cover-story-how-nsa-spied-on-merkel-cell-phone- from-berlin-embassy-a-930205. t l (“F t e f f t e e b ssy, spec l n t f t e CIA nd NSA can apparently monitor a large part of cellphone communication in the government quarter. And there is evidence that agents based at Pariser Platz recently targeted the cellphone that [German C ncell Angel ] Me kel ses t e st.”). See also Duncan Campbell, Cahal Milmo, Kim Sengupta, Nigel Morris, and Tony Patterson, Revealed: Britain's 'secret listening post in the heart of Berlin,' The Independent, November 5, 2013, http://www.independent.co.uk/news/uk/home-news/revealed- britains-secret-listening-post-in-the-heart-of-berlin-8921548.html. 88 When performing surveillance on sophisticated targets with counter-intelligence expertise, such as foreign embassies and foreign intelligence services operating from foreign embassies in the US, US intelligence agents are likely to use passive cellular interception technology, because it is far more difficult to detect. See Matthew M. Aid, Spy Copters, Lasers, and Break-In Teams, Foreign Policy, November 19, 2013, http://www.foreignpolicy.com/articles/2013/11/19/spy_copters_lasers_and_break_in_teams_fbi_sp ies_on_diplomats (“The FBI not only endeavors to steal or covertly compromise foreign government, military, and commercial computer, telecommunications, and encryption systems being used in the United States, but the FBI and NSA work closely to intercept the communications of all diplomatic missions and international organizations located on American soil…The FBI also uses a wide range of vehicles and airborne surveillance assets to monitor the movements and activities of foreign diplomats and intelligence operatives in Washington and New York. Some of the vans, aircraft, and helicopters used by the FBI for this purpose are equipped with equipment capable of intercepting cell- phone calls and other electronic forms of communication.”) (e p s s dded). 89 See Jeremy Scahill and Glenn Greenw ld, T e N A’s ec et R le n t e U. . Ass ss n t n P g , The Intercept, February 10, 2014, https://firstlook.org/theintercept/article/2014/02/10/the-nsas-
  18. 18. 18 same logic, of course, applies to foreign governments conducting espionage in the United States.90 III. “KNOWN KNOWNS”—CASE LAW AND DOJ GUIDANCE US law enforcement agencies have used cellular interception technology for more than two decades91 and spent tens of millions of dollars acquiring these devices at federal, state and local levels.92 Notwithstanding this history, there is scant case law addressing its use in investigations. Indeed, when compared with traditional, carrier-assisted cellular phone tracking,93 there is limited case law and publically available internal agency guidance describing: (1) statutory authorities that may permit or preclude law enforcement use and how the Department of Justice (DOJ) interprets such authorities to permit or limit law enforcement use (to include any secret- le/ (“[T] e N A d esn’t j st l c te t e cell p nes f te s spects by nte cept ng communications from cell phone towers and Internet service providers. The agency also equips d nes nd t e c ft w t dev ces kn wn s ‘v t l b se-t we t nsce ve s’ – creating, in effect, a fake cell phone tower that can force a targeted person’s dev ce t l ck nt t e N A’s ece ve without their knowledge. That, in turn, allows the military to track the cell phone to within 30 feet of its actual location, feeding the real-time data to teams of drone operators who conduct missile strikes or facilitate night raids. The NSA geolocation system used by JSOC is known by the code name GILGAMESH. Under the program, a specially constructed device is attached to the drone. As the drone circles, the device locates the SIM card or handset that the military bel eves s sed by t e t get.”) 90 See infra Part VI, discussing surveillance by foreign governments in the United States. 91 See supra **, discussing the fact that law enforcement has used passive devices since at least 1991, active devices since at least 1995. 92 See Carl Prine, FBI closely guards details of spy gear technology, Pittsburgh Tribune-Review, February 16, 2014, http://triblive.com/news/allegheny/5548583-74/fbi-technology-projects (“P bl c ec ds kept by t e fede l dep t ents eve led … Harris alone secured 68 FBI contracts worth at least $23.7 million. Purchases included Harris devices such as the StingRay, Amberjack, K ngf s nd G ss e t cke s, pl s sp e p ts nd cl ss nst ct n.”) See also Freedom of Information Act response from US Immigrations and Customs Enforcement to Christopher Soghoian, September 19, 2012, at page 13, available at https://www.documentcloud.org/documents/479397- st ng yf . t l#d c ent (“ICE s nvested $5,000,000.00 t w ds t e nvest ent f eq p ent nd t n ng n H s C p t n e v ces.”) See also Marisa Kendall and John Kelly, Cell tower dumps not used locally, The News-Press, December 8, 2013, available at http://www.news- press.com/article/20131208/CRIME/312080049/Cell-tower-dumps-not-used-l c lly (“[T e Fl d Department of Law Enforcement] has spent more than $3 million buying a fleet of Stingrays, records s w”). See also John Kelly, Cellphone data spying: It's not just the NSA, USA Today, December 8, 2013, available at http://www.usatoday.com/story/news/nation/2013/12/08/cellphone-data- spying-nsa-p l ce/3902809/ (“T e fede l g ve n ent f nds st f t e [ t ngR y] p c ses, v anti-te g nts.”) 93 For a discussion of the statutory authorities used by law enforcement to acquire cellular phone location data along with an analysis of multiple court opinions addressing law enforcement access to location data, see generally Stephanie K. Pell & Christopher Soghoian, Can You See Me Now?: Toward Reasonable Standards for Law Enforcement Access to Location Data That Congress Could Enact, 27 Berkeley Tech. L.J. 117 (2012). For information about the frequency or regularity with which federal, state and local law enforcement make requests for location data from carriers, see generally collections of files posted at http://www.markey.senate.gov/documents/2013-10- 03_ATT_re_Carrier.pdf and http://www.markey.senate.gov/documents/2013-12- 09_VZ_CarrierResponse.pdf (describing carrier disclosure of real-time and historical location data to law enforcement agencies).
  19. 19. 19 Fourth Amendment constraints); (2) the frequency or regularity with which such technology is used by federal, state and local law enforcement; (3) the types of investigations or actual factual scenarios where law enforcement agencies have used the technology; and (4) any related prosecution-based and policy-driven considerations for the retention of data collected by an IMSI catcher. This Part will present and analyze the limited case law and publicly available DOJ guidance in an attempt to describe the policies and rules governing federal law enforcement genc es’ use of this technology. A. THE 1995 DIGITAL ANALYZER MAGISTRATE OPINION94 Despite their use since at least 1991,95 it was not until 1995 that a federal magistrate judge in California published the first decision analyzing a government application to use a digital analyzer.96 In this matter, the government wanted court authorization to use a passive surveillance device t “ n lyze s gn ls e tt ng f any cellular phone used by any one of five named subjects of a criminal nvest g t n.”97 The agents likely needed to use this technology because they did not know the particular phone numbers of the phones that the targets were using, and thus could not seek surveillance assistance from the t gets’ wireless carriers.98 It also appears that agents wanted to determine with whom the targets were communicating, information they could obtain in real-time by intercepting signals as calls took place.99 Following what was likely the DOJ policy at the time,100 the government sought a pen register order authorizing the surveillance. Magistrate Judge Edwards denied 94 Our analysis of this magistrate opinion draws from our previous article, Stephanie K. Pell & Christopher Soghoian, A Lot More Than A Pen Register, and Less than A Wiretap: What the StingRay Teaches Us About How Congress Should Approach the Reform of Law Enforcement Surveillance Authorities, 16 Yale J.L. & Tech 134, 157-160 (2013). 95 See Glen L. Roberts, Who's On The Line, supra **. 96 In the Matter of the Application of the United Sates of America for an Order Authorizing the Use of A cellular Telephone Digital Analyzer, 885 F.Supp. 197 (1995). The government submitted an ex parte application for an order permitting agents of the Orange County Regional Narcotics Suppression Program ("RNSP") to use a digital analyzer. Id. at 198-99. 97 Id. at 199. 98 The opinion notes that agents could not identify the particular cellular telephones they wished to n lyze. R t e , “ ppl c nt seeks t n lyze s gn ls e tt ng f ny cell l p ne sed by ny ne of five named subjects of a criminal investigation.” Id. 99 Id. Information about who targets are communicating with is often relevant to identifying the scope of the alleged criminal activity, to include the identity of additional criminal targets that may not be known to law enforcement. It would not, however, be necessary for the agents to continue to use a digital analyzer to determine the phone numbers the target phone was calling and was called by once the target phone was identified through its unique identifying number. Rather, agents could subpoena historical telephone toll records from the relevant cell phone provider(s) or obtain a Pen/T p de t c llect “ e l t e” ec ds f t e p v de (s) eflect ng t s nf t n. Indeed, once target phones are appropriately identified through their unique numbers, more traditional forms of carrier-assisted surveillance can proceed. 100 See discussion supra Part III B.
  20. 20. 20 t e g ve n ent’s ppl c t n w t t p ej d ce, explaining that a Pen/Trap court de w s n t eq ed bec se t e Pen/T p st t te l ts ts ppl c t n “t dev ce ‘w c ec ds dec des elect n c t e p lses w c dentify the numbers dialed or otherwise transmitted on the telephone line to which such device is attached . . . .’”101 Judge Edwards noted that, because the digital analyzer was not intended to be nor could be physically attached to the cellular phone, the Pen/Trap statute was not applicable to its use.102 Judge Edwards also found, pursuant to the third party doctrine as articulated in Smith v. Maryland,103 t t t e g ve n ent’s se f d g t l n lyze sed n Fourth Amendment concerns.104 The Court noted that “[n] be s d led by telephone are not the subject of a reasonable expectation of privacy . . . [and] no l g c l d st nct n s seen between telep ne n be s c lled nd p ty’s wn telephone number (or [device serial] number), all of which are regularly voluntarily exp sed nd kn wn t t e s.”105 Although Judge Edwards ruled that the Pen/Trap statute did not regulate the passive surveillance technology the government sought to use—that is, it neither authorized nor prohibited its use—the judge expressed serious reservations about its use by law enforcement.106 Specifically, the judge expressed concern about both the privacy of innocent third parties in range of the device and a lack of adequate 101 See In the Matter of the Application of the United States of America for an Order Authorizing the Use of A cellular Telephone Digital Analyzer, 885 F.Supp. at 200. 102 Id. T e C t f t e expl ned ts e s n ng: “T e st t t y def n t n f ‘t p nd t ce dev ce’ does not include the limitation in the definition of a pen register described above, limiting the devices to those that are attached to a telephone line. See 18 U.S.C. § 3127(4). Nonetheless, it appears from the construction of related sections of the statutes governing trap and trace devices that they include only devices that are attached to a telephone line. Specifically, 18 U.S.C. § 3123(b) requires that an de f se f b t pen eg ste s nd t p nd t ce dev ces ncl de ‘t e n be nd, f kn wn, physical location of the telephone line to which the pen register or trap and trace device is to be tt c ed....’ T s limitation on the proscription against pen registers and trap and trace devices to p b t nly dev ces t t e ‘ tt c ed’ t telep ne l ne c nn t be ss ed t be n dve tent. In other statutes relating to interceptions of telephone communications, Congress encompassed, generally, any types of interceptions of wire, oral, or electronic communications—regardless of w et e t e nte cept ng dev ce w s ‘ tt c ed’ t telep ne l ne. ee, e.g., 18 U. .C. § 2511. T t Congress did not impose equally comprehensive restrictions on lesser interceptions that do not raise 4th Amendment issues, such as those made with pen registers and trap and trace devices, is neither s p s ng n nc ns stent.” In ny event, t st be e e be ed t t t e p b t n g nst the use of pen registers and trap and trace devices without court order is found in a criminal statute. See 18 U.S.C. § 3121(d). Under well-settled principles, the statute should be strictly construed, and any ambiguity in its scope must be construed na wly.” Id. 103 Smith v. Maryland, 442 U.S. 735 (1979). 104 In the Matter of the Application of the United States of America for an Order Authorizing the Use of A cellular Telephone Digital Analyzer, 885 F.Supp. at 199. 105 Id. 106 Id. at 201.
  21. 21. 21 congressional oversight.107 If the court were to authorize the government’s use of a digital analyzer to identify the particular phones used by known targets, the judge acknowledged that such an order would essentially permit agents to intercept signals emitted from all phones in the t get’s area.108 Thus, in addition to the unique serial numbers identifying the targets’ phones, the digital analyzer would also identify the serial numbers of phones used by innocent third-parties.109 Judge Edw ds ec gn zed t t “depend ng p n t e effect ve nge f t e d g t l n lyze , telephone numbers and calls made by others than the subjects of the investigation c ld be n dve tently nte cepted.”110 The court also expressed concern that an order, if granted, would permit the government to collect data about large numbers of phones without any record keeping or reporting requirements, thus preventing effective congressional oversight of the surveillance tool. The c t c nt sted t s “l ck f ec d p d ct n” w t t e st t t y ep t ng eq e ents n t e Pen/T p st t te, such s “t e se f c t de s t t dent f ed p t c l telep nes nd t e nvest g t ve gency” nd “pe d c ep ts t C ng ess st t ng t e n be s f s c de s.”111 Noting these differences and others,112 the court found that the g ve n ent’s ppl c t n “w ld n t ns e s ff c ent cc nt b l ty.”113 Although clearly troubled by the surveillance capabilities of this technology, the court could not restrain its use by law enforcement.114 M e ve , t e c t’s determination that neither the Fourth Amendment nor the Pen/Trap statute authorized, restricted or otherwise regulated law enforcement use of the technology l kely e nf ced DOJ’s v ew that it did not need court authorization for use of a 107 Id. 108 Id. 109 Id. 110 Id. The court also noted that although the agents were not seeking to intercept communications content, the digital analyzer they used could be programmed for that purpose. Id. at 199. See also DOJ Electronic Surveillance Bulletin, September 1997 at 14 (“Alt g [ d g t l n lyze ] dev ce s also capable of intercepting both the numbers dialed from the cellular phones and the voice (wire) communications to and from cellular telephones, the digital analyzer is programmed so it will not intercept cellular conversations or dialed numbers when it is used for the limited purpose of seizing E Ns nd/ t e cell l telep ne’s n be .”). See also Electronic Surveillance Unit, Electronic Surveillance Manual: Procedures and Case Law Forms, U. . Dep’t f J st ce 40 (2005) at 40, http://www.justice.gov/criminal/foia/docs/elec-sur-manual.pdf. ( e e fte “2005 Elect n c ve ll nce M n l)(“D g t l n lyze s/cell s te s l t s/t gge f s nd s l dev ces y be capable of intercepting the contents of communications and, therefore, such devices must be configured to disable the interception function, unless interceptions have been authorized by a Title III de .”). 111 Id. at 201-02 citing 18 U.S.C. §§ 3123(b), 3126. 112 See In the Matter of the Application of the United States of America for an Order Authorizing the Use of A cellular Telephone Digital Analyzer, 885 F.Supp. at 201-202. 113 Id. at 201. 114 T e c t den ed t e g ve n ent’s ppl c t n bec se t f nd t t t e Pen/T p st t te w s n t applicable to a digital analyzer. The court noted that the government was seeking the application nly “ n n b nd nce f c t n.” Id. at 200.
  22. 22. 22 digital analyzer, even if it advised prosecutors to seek court authorization in an abundance of caution or as a matter of policy.115 This position was later articulated in an internal DOJ document in 1997. B. THE 1997 DOJ GUIDANCE A document published by DOJ in 1997, initially distributed nationally to prosecutors116 nd l te p bl s ed n DOJ’s webs te, is the earliest publically available DOJ document that describes the capabilities of passive and active wireless phone surveillance technology.117 The document ( e e fte “1997 DOJ Guidance”) also discusses, again for the first time, the legal policies governing t e tec n l gy’s use by federal law enforcement agents.118 In this document, DOJ took the position that, as long as (1) law enforcement agents were not intercepting communications content and (2) the acquisition of the non- c ntent d t d d n t nv lve t e ss st nce f c e s, “ t d es n t ppe t t t e e are constitutional or statutory constraints on the warrantless use of [an active or p ss ve s ve ll nce] dev ce.”119 In other words, DOJ appears to have recognized no 115 T e C t’s e s n ng ppe s t ll st te ts c nce n t t f t g nted s c n de —even “ n n b nd nce f c t n” —pursuant to a statute whose definitional elements did not conform to the surveillance technique at issue, it risked giving: (1) a potentially incorrect interpretation of a statute; or worse (2) judicial approval of a surveillance technique that Congress appeared neither explicitly t t ze n p b t nde t e st t t y t ty p esented n t e g ve n ent’s ppl c t n without the corresponding accountability mechanisms that Congress mandated in the statute cited in t e g ve n ent’s ppl c t n. 116 See Executive Office for United States Attorneys, Electronic Investigative Techniques, USA BULLETIN, Sept. 1997, http://www.justice.gov/usao/eousa/foia_reading_room/usab4505.pdf [hereinafter 1997 DOJ Guidance] (USA Bulletins are published by the Executive Office of United States Attorneys (EOUSA) nd d st b ted t Un ted t tes Att ney’s Off ces c ss t e c nt y. T ey c ve nge f t p cs and issues (like law enforcement surveillance methods) of interest to federal prosecutors, to include new case law, law enforcement tools and practices, statutory authorities and internal DOJ guidance.). 117 Id. at 13-14 (describing the types of information that digital analyzers and cell site simulators acquire). 118 Id. at 13-15. 119 pec f c lly, DOJ e s ned t t “T tle III’s p v s ns (18 U. .C. §§ 2510-2522) would not apply to the use of a digital analyzer or a CSS when they are used to capture call processing information (MIN, ESN, cell site location, status of call, etc.) because they do not intercept the contents of any wire, oral, or electronic communication as the term ‘contents’ is defined by Title III. Currently, Section 2510(8) st tes, ‘c ntents, w en sed w t espect t ny w e, l, elect n c c n c t n, ncl des ny information concerning the substance, purport, or meaning of that information.’ ESNs/MINs and other automatic call processing information that are technologically necessary for the service provider to process cellular calls are not the types of transmissions Congress included within Section 2510(8)’s def n t n f ‘contents’ when it was amended in 1986. [See S. Rep.No. 541, 99th Cong., 2d Sess. 13 (1986)].” M e ve , DOJ sse ts “t e e s n ‘electronic communication’ [as defined by 18 U.S.C. § 2510(12)] nless t e MIN E N s “t nsmitted in whole or in part by a wire, radio, electromagnetic, photo elect n c, p t pt c l syste t t ffects nte st te f e gn c e ce.” A t ns ss n normally contemplates a sender and a receiver. The ECPA legislative history regarding the definition
  23. 23. 23 need for a warrant or other judicial process requirement for law enforcement use of digital analyzers and cell cite simulators when they are only employed to intercept non-content data (including location data and real time numbers, called and received) without the assistance of carriers, whether in relation to specific targets or innocent third-parties. Although concluding that law enforcement use of these direct, unmediated interception devices did not require any legal process, the 1997 DOJ Guidance, as a matter of policy, advises that “t t e extent [cell s te s l t s] nd d g t l analyzers are used as pen registers or trap and trace devices, they should only be sed p s nt t c t de ss ed p s nt t t ese st t tes.”120 When law enforcement wants to determine in real time the calls made and received by a particular phone, the government can obtain a court order compelling a service provider to install a pen register or trap and trace device.121 This disclosure of information involving carrier assistance is regulated by statute, whereas the digital analyzer and cell site simulator technology enables government agents to obtain the same information directly from cell phones without any statutory process requirement. Perhaps in an effort to reconcile this disparity in regulation, arguably as early as 1995122 but certainly by 1997, DOJ advised prosecutors and agents to f w e c n c t n w ns g nst n p pe ec n c l e d ng f t e p se “ n w le n p t. . . by t e d f w e. . .” nd st tes t t t e p se “ s ntended t efe t w e t t c es t e communication to a significant extent from the point of origin to the point of reception, even in the same building. It does not refer to wire that is found inside the terminal equipment at either end of t e c n c t n.” [ . Rep. 99-541, 12.] Thus, it does not appear that MINs and ESNs ‘forced’ from the cellular telephone by the CSS or obtained by a digital analyzer are ‘electronic communications’ w t n t e c nte pl t n f 18 U. .C. § 2510(12).” DOJ further excludes collection of cell cite information from with a digital analyzer or cell site s l t f t ed C n c t ns Act ( CA) st t t y eq e ents: “If cell s te nf t n s treated as a subscriber record or other information rather than a contemporaneous electronic communication covered by Title III, then 18 U.S.C. § 2703 (regarding stored electronic communications) might apply. It should be noted, however, that Section 2703 controls disclosures by service providers to Government entities and does not prohibit the Government from obtaining such information on its own without involving the service provider. Additionally, because CSSs and digital analyzers do not access communications in electronic storage in a facility with electronic c n c t n se v ce, ect n 2703 d es n t pply.” Id. at 14. 120 Id. at 14 (noting that the g d nce t seek Pen/T p de s “Dep t ent p l cy.”) Id. 121 See 18 U.S.C. §§ 3121–3127 (2012) (authorizing law enforcement to install and use a pen register dev ce t “ ec [d] dec d[e] . . . [n n-content] dialing, routing, addressing, or signaling information . . . transmitted by an instrument or facility for which a wire or electronic communication is t ns tted [ ] p v ded ” nd t nst ll nd se t p nd t ce dev ce t “c pt [e] t e nc ng electronic or other impulses which identify the originating number or other dialing, routing, addressing, and signaling information reasonably likely to identify the source of a wire or electronic communication, provided, however, that such information shall not include the contents of any communicati n”). 122 DOJ s g t Pen/T p de f J dge Edw ds “ n n b nd nce f c t n.” See supra note **.
  24. 24. 24 seek Pen/Trap court process when using a digital analyzer/cell cite simulator as a Pen/Trap device.123 The 1997 DOJ Guidance also recognized that digital analyzers and similar technologies could capture cell site location data (to include cell cite data for target phones as well as innocent third party phones).124 While the capability to acquire location data directly may not have raised significant Constitutional or policy- el ted “ ed fl gs” t DOJ n 1994125 or 1997, determining and fixing the proper legal standard(s) for authorizing law enforcement access to location data has become the subject of considerable debate in both the courts and Congress.126 C. 2001 USA PATRIOT ACT AMENDMENTS TO PEN/TRAP STATUTE AND GUIDANCE IN THE 2005 ELECTRONIC SURVEILLANCE MANUAL While the PATRIOT Act is generally not thought of as privacy-enhancing legislation, it did bring law enforcement use of passive and active cellular surveillance technology under some limited degree of judicial supervision and congressional oversight through specific definitional changes to the Pen/Trap statute. Whereas the pre-2001 pen eg ste def n t n nly ppl ed t “n mbers dialed or t e w se t ns tted,” t e PATRIOT Act dded t e te “s gn l ng nf t n.”127 T e 2005 ed t n f DOJ’s Elect n c ve ll nce M n l expl ns t t “‘[s] gn l ng nf t n’ s b de te t t enc p sses t e k nds f n n-content 123 The 1997 DOJ Guidance does not, however, give any similar guidance with respect to direct (non- carrier assisted) collection of cell phone location data. In other words it does not advise agents and prosecutors to obtain the same legal process used to compel location data from carriers. 124 1997 DOJ Guidance, supra note ** t 14. (D g t l n lyze s nd cell s te s l t s “c n c pt e t e cell site codes identifying the cell location and geographical sub-sector from which the cellular telep ne s t ns tt ng; t e c ll’s nc ng tg ng st t s; t e cell l telep ne s t ns tt ng; t e c ll’s nc ng tg ng st t s; t e telep ne n be s d led (pen register order required); and the date, time, and duration of the call. This cell site data is transmitted continuously from a cellular telephone (not by the user) as a necessary part of call direction and p cess ng.”). Id. 125 In 1994, the Office of Enf ce ent Ope t ns (OEO) p ned t t “ nvest g t s d d n t need t obtain any legal process in order to use cell phone tracking devices so long as they did not capture the numbers dialed or other information "traditionally" collected using a pen/trap dev ce.” 2005 Electronic Surveillance Manual, supra n te ** t 45. B ck n 1994, OEO c ncl ded t t t e “’s gn l ng nf t n’ t t c lly t ns tted between cell p ne nd t e p v de 's t we d es n t implicate either the Fourth Amendment or the wiretap statute because it does not constitute the ‘c ntents’ f c n c t n.” Id. M e ve , t e 1994 n lys s e s ned “t t t e pen/t p st t te d d n t pply t t e c llect n f s c nf t n bec se f t e n w def n t ns f ‘pen eg ste ’ nd ‘t p nd t ce dev ce.’” Id. T e ef e, “’s nce ne t e t e c nst t t n n ny st t te eg l ted t e se, s c dev ces d d n t eq e ny leg l t z t n t pe te.’” Id. 126 See generally Pell & Soghoian, supra note 94(Describing the current congressional debates over proper legal standard(s) and analyzing various magistrate opinions requiring different legal standards for law enforcement access to location data.). 127 See 18 U. .C. § 3127(3) def n ng pen eg ste s “ dev ce p cess w c ecords or decodes dialing, routing, addressing, and signaling information transmitted by an instrument or facility from w c w e elect n c c n c t n s t ns tted.”
  25. 25. 25 nf t n sed by c n c t n syste t p cess c n c t ns.” Indeed, DOJ nst cted p sec t s t t t e new pen eg ste def n t n “ ppe s t encompass all of the non-c ntent between cell p ne nd p v de ’s t we .”128 128 l ly, t e def n t n f “t p nd t ce” dev ce, w c g n lly ncl ded nly “t e g n t ng n be f n nst ent dev ce” exp nded t ncl de “t e g n t ng n be t e d l ng, routing addressing, and signaling information reasonably likely to identify the source of a wire or elect n c c n c t ns.” See 18 U.S.C. § 3127(4). Like the expanded definition of pen register, DOJ nst cts t t t e new t p nd t ce def n t n n w “ ppe s t ncl de s c nf t n s t e transmission of a MIN [or other type of unique identifying number], which identifies the source of a c n c t ns.” 2005 Elect n c ve ll nce M n l, supra note ** at 46. DOJ’s c ncl s n t t Pen/T p n w enc p sses ll n n-content data between a cell phone and a cell t we w s b sed, n p t, n ts n lys s f t e elev nt b t “sc nt” leg sl t ve st y w c s ggested t t t e new def n t ns we e ntended t pply t “ ll c n c t ns ed , nste d f f c s ng n t d t n l telep ne c lls.” Id. Ex n ng, f ex ple, H se l ng ge efe enc ng “ packet requesting a telnet session—a piece of information passing between machines in order to est bl s c n c t n sess n f t e n se ,” DOJ s ggests t t t e te “p v des cl se analogy to the information passing between a cell phone and a tower in the initial stages of a cell p ne c ll.” Id. at 47. Moreover, in contrast to earlier Pen/Trap definitions that referenced the attachment of a Pen/Trap device to a phone line, the House Report recognized that Pen/Trap devices “c ld c llect nf t n e tely.” Id. at 46. It s ld be n ted, weve , t t DOJ d ew d st nct n between st nd ds t z ng “ ff ” collection of cell phone location data via digital analyzers and IMSI catchers and the collection of these data through compelled disclosures from carriers. Indeed, in 1994, the Communications Ass st nce f L w Enf ce ent Act (CALEA) nst cted t t “ ny nf t n t t y d scl se t e p ys c l l c t n f [ telep ne se v ce] s bsc be ” y not be cq ed “s lely p s nt t t e authority for pen registe s nd t p nd t ce dev ces.”( ee 47 U. .C. § 1002( )(2) (2010)). DOJ p ned t t, “[b]y ts ve y te s, t s p b t n ppl es nly t nf t n c llected by p v de and not to information collected directly by law enforcement authorities. Thus, CALEA does not bar the use of pen/trap orders to authorize the use of cell phone tracking devices used to locate targeted cell p nes.” 2005 Elect n c ve ll nce M n l, supra note ** at 47. As applied to compelled disclosures of prospective location information from carriers, the CALEA dictate meant that DOJ had to find another authority to pair with or replace Pen/Trap authority.128 Since at least 2005, DOJ has been advising prosecutors to obtain both a Pen/Trap order and an 18 U.S.C. § 2703 (d) order (D Order). (See Pell & Soghoian, supra note 94 at 135-37). Moreover, some g st te j dges ve eq ed “p b ble c se” se c w nts bef e ss es de s t z ng law enforcement to compel a provider to track a cell phone in real time. Id. at 137-39. As referenced earlier, the appropriate standard(s) for law enforcement compelled disclosures of historical and prospective location data remains an unresolved issue for the courts and Congress. See supra **. For purposes of this discussion, however, t s s ff c ent t n te t t b t D O de nd “p b ble c se” w nt st nd d s e st ngent t an Pen/Trap. To obtain a Pen/Trap order, the g ve n ent need e ely “ce t fy” t t t e nf t n s g t “ s elev nt nd te l t n ng ng cri n l nvest g t n.” See 18 U. .C. § 3122(b)(2) (2012). c “ce t f c t n” d es n t eq e ny fact finding by a magistrate judge. See Pell & Soghoian, supra note 95 at 155-56. In contrast, to obtain a D Order, the government must assert and a judge m st f nd “spec f c nd t c l ble f cts” t t t e l c t n nf t n s g t “ s elev nt nd te l t n ng ng nvest g t n.” See 18 U.S.C. § 2703(d). The requirement for a search warrant is even more stringent, as the government must show and a magistrate must find that there is probable cause to believe that the location information w ld be “ev dence f c e.” See Fed. R. Crim. P 41(c)(1). Notwithstanding that compelling location data from a carrier would require a more stringent standard than that found in the Pen/Trap st t te, DOJ’s 2005 G d nce t k b t t e leg l nd p l cy p s t n t t Pen/T p de w s
  26. 26. 26 These expanded Pen/Trap definitions had implications for law enforcement direct collection of mobile device serial numbers, the real-time monitoring of numbers called and received, as well as acquiring location information. Specifically, post- PATRIOT Act, DOJ took the position that all forms of non-content data collected directly required prosecutors to obtain a Pen/Trap court order.129 D. 2012 CELL SITE SIMULATOR (“STINGRAY”) MAGISTRATE OPINION130 With the passage of the PATRIOT Act in 2001, DOJ took the position that a Pen/Trap order was necessary to authorize law enforcement use of direct surveillance technology, like a StingRay, to intercept non-content data. It would take more than a decade, however, for a federal magistrate judge to publish an opinion evaluating an application for law enforcement use of a direct, active interception device.131 In 2012, a federal magistrate judge from Texas issued an order denying an application submitted by agents from the Drug Enforcement Agency for the use of a StingRay.132 The government s g t Pen/T p de “t detect d s gn ls emitted from wireless cellular telephones in the vicinity of the [Subject] that identify t e telep nes.”133 Agents submitted their application pursuant to 18 U.S.C. §§ 3122 (a)(1), 3127(5) (the Pen/Trap statute) and 2703(c)(1) (a provision of the Stored Communications Act)134 and the government informed Magistrate Judge Owsley sufficient for direct collection of cell phone location data by law enforcement. 2005 Electronic Surveillance Manual, supra note ** t 47. (“CALEA [t e C n c t ns Ass st nce f L w Enforcement Act] does not bar the use of pen/trap orders to authorize the use of cell phone tracking dev ces sed t l c te t geted cell p nes.”). Id. 129 2005 Electronic Surveillance Manual, supra note ** at 45-47. 130 Our analysis of this magistrate opinion draws from our previous article, Stephanie K. Pell & Christopher Soghoian, A Lot More Than A Pen Register, and Less than A Wiretap: What the StingRay Teaches Us About How Congress Should Approach the Reform of Law Enforcement Surveillance Authorities, 16 Yale J.L. & Tech 134, 160-163 (2013). 131 One likely reason for this time gap is the default sealing of all pen register applications and orders with no corresponding requirement that they be unsealed o ts de f t e p sec t n’s d sc ve y obligations to indicted criminal defendants as part of the criminal discovery process. See generally, Stephen Wm. Smith, Gagged, Sealed and Delivered: Reforming ECPA’s Secret Docket, 6 H v. L. & P l’y Rev. 313 (2012). (“T g p tent x f ndef n te se l ng, n nd scl s e ( .e. g gg ng), nd delayed-notice provisions, ECPA [Electronic Surveillance Privacy Act] surveillance orders all but v n s nt leg l v d.” Id. at 314. The Pen/Tap statute is Title III of ECPA. See Pub. L. No. 99- 508, tit. III, 100 Stat. 1848, 1868–1873 (codified as amended at 18 U.S.C. §§ 3121–3127 (2010)). 132 In the Matter of The Application of the United States of America for An Order Authorizing the Installation and Use of a Pen Register and Trap and Trace Device, 890 F. Supp. 2d 747, 748 (S.D. Tex. 2012). A target had switched from using a phone known to agents to an unknown phone. Id. The gent le d ng t e nvest g t n nd c ted t t t e “eq p ent des gned t c pt e t e cell p ne numbe s w s kn wn s ‘[ ]t ng[R] y.’” Id. 133 Id. 134 It s n t cle f t e 2012 g st te p n n w t p p se t s c t t n t ECPA’s t ed Communications Act served in terms of providing additional authority of unmediated, direct collection of non-content data in this investigation. The 2005 Guidance indicated that only a

×