Thursday, December 3, 2015

IRS Use of Cell-Site Simulators (Also called Stingray) to Retrieve Information About and From Cell Phones (12/3/15)

The IRS's use of so-called cell-site simulators has been in the news recently.  I thought it might be helpful to introduce readers to the topic.  First, I will provide some information on the scope of the technology as I understand it and then the legal issues from its use by law enforcement, including the IRS.  I am by no means an expert in the technology and have no unique insight into how the IRS or other law enforcement agencies are using the technology.  I am essentially repeating what I read in the news and tax media.

Nature of the Technology

The American Civil Liberties Union (commonly referred to as "ACLU") has this very brief description, here, of the technology:
Stingrays, also known as "cell site simulators" or "IMSI catchers," are invasive cell phone surveillance devices that mimic cell phone towers and send out signals to trick cell phones in the area into transmitting their locations and identifying information. When used to track a suspect's cell phone, they also gather information about the phones of countless bystanders who happen to be nearby.
Wikipedia has this discussion, here, of the Harris Corporation version, called Stingray, which seems to be the most popular version used by law enforcement and the version used by the IRS.  Wikipedia further says that the word "Stingray has also become a generic name to describe these kinds of devices." Wikipedia's general description is (footnotes omitted):
The StingRay is an IMSI-catcher (International Mobile Subscriber Identity), a controversial cellular phone surveillance device, manufactured by Harris Corporation. Initially developed for the military and intelligence community, the StingRay and similar Harris devices are in widespread use by local and state law enforcement agencies across the United States and possibly covertly in the United Kingdom.
* * * * 
The StingRay is an IMSI-catcher with both passive (digital analyzer) and active (cell site simulator) capabilities. When operating in active mode, the device mimics a wireless carrier cell tower in order to force all nearby mobile phones and other cellular data devices to connect to it. 
The features of the technology that are apparently of most concern are what Wikipedia calls the "Active Mode Operations" and "Capabilities." 
Active mode operations 
1. Extracting stored data such as International Mobile Subscriber Identity ("IMSI") numbers and Electronic Serial Number ("ESN")
2. Writing cellular protocol metadata to internal storage
3. Forcing an increase in signal transmission power
4. Forcing an abundance of radio signals to be transmitted
5. Interception of communications content
6. Tracking and locating the cellular device user
7. Conducting a denial of service attack
8. Encryption key extraction
9. Radio jamming for either general denial of service purposes or to aid in active mode protocol rollback attacks
* * * * 
Active (cell site simulator) capabilities 
In active mode, the StingRay will force each compatible cellular device in a given area to disconnect from its service provider cell site (e.g., operated by Verizon, AT&T, etc.) and establish a new connection with the StingRay. In most cases, this is accomplished by having the StingRay broadcast a pilot signal that is either stronger than, or made to appear stronger than, the pilot signals being broadcast by legitimate cell sites operating in the area. A common function of all cellular communications protocols is to have the cellular device connect to the cell site offering the strongest signal. StingRays exploit this function as a means to force temporary connections with cellular devices within a limited area. 
Extracting data from internal storage 
During the process of forcing connections from all compatible cellular devices in a given area, the StingRay operator needs to determine which device is a desired surveillance target. This is accomplished by downloading the IMSI, ESN, or other identifying data from each of the devices connected to the StingRay. In this context, the IMSI or equivalent identifier is not obtained from the cellular service provider or from any other third-party. The StingRay downloads this data directly from the device using radio waves. 
In some cases, the IMSI or equivalent identifier of a target device is known to the StingRay operator beforehand. When this is the case, the operator will download the IMSI or equivalent identifier from each device as it connects to the StingRay. When the downloaded IMSI matches the known IMSI of the desired target, the dragnet will end and the operator will proceed to conduct specific surveillance operations on just the target device. 
In other cases, the IMSI or equivalent identifier of a target is not known to the StingRay operator and the goal of the surveillance operation is to identify one or more cellular devices being used in a known area. For example, if visual surveillance is being conducted on a group of protestors, a StingRay can be used to download the IMSI or equivalent identifier from each phone within the protest area. After identifying the phones, locating and tracking operations can be conducted, and service providers can be forced to turn over account information identifying the phone users.
* * * *
Interception of communications content
By way of software upgrades, the StingRay and similar Harris products can be used to intercept GSM communications content transmitted over-the-air between a target cellular device and a legitimate service provider cell site. The StingRay does this by way of the following man-in-the-middle attack: (1) simulate a cell site and force a connection from the target device, (2) download the target device's IMSI and other identifying information, (3) conduct "GSM Active Key Extraction" to obtain the target device's stored encryption key, (4) use the downloaded identifying information to simulate the target device over-the-air, (5) while simulating the target device, establish a connection with a legitimate cell site authorized to provide service to the target device, (6) use the encryption key to authenticate the StingRay to the service provider as being the target device, and (7) forward signals between the target device and the legitimate cell site while decrypting and recording communications content. 
The "GSM Active Key Extraction" performed by the StingRay in step three merits additional explanation. A GSM phone encrypts all communications content using an encryption key stored on its SIM card with a copy stored at the service provider. While simulating the target device during the above explained man-in-the-middle attack, the service provider cell site will ask the StingRay (which it believes to be the target device) to initiate encryption using the key stored on the target device. Therefore, the StingRay needs a method to obtain the target device's stored encryption key else the man-in-the-middle attack will fail. 
GSM primarily encrypts communications content using the A5/1 call encryption cypher. In 2008 it was reported that a GSM phone's encryption key can be obtained using $1,000 worth of computer hardware and 30 minutes of cryptanalysis performed on signals encrypted using A5/1. However, GSM also supports an export weakened variant of A5/1 called A5/2. This weaker encryption cypher can be cracked in real-time. While A5/1 and A5/2 use different cypher strengths, they each utilize the same underlying encryption key stored on the SIM card. Therefore, the StingRay performs "GSM Active Key Extraction" during step three of the man-in-the-middle attack as follows: (1) instruct target device to use the weaker A5/2 encryption cypher, (2) collect A5/2 encrypted signals from target device, and (3) perform cryptanalysis of the A5/2 signals to quickly recover the underlying stored encryption key. Once the encryption key is obtained, the StingRay uses it to comply with the encryption request made to it by the service provider during the man-in-the-middle attack.
The following is a very good article with information about Stingray.  Larry Greenemeier, What Is the Big Secret Surrounding Stingray Surveillance? (Scientific American 6/25/15), here.
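As an added illustration (not from the post or from Wikipedia, the DOJ or Harris), the following Python sketches how a handset-side detector could score the traces the excerpt describes: a previously unseen cell that is abruptly stronger than the carrier's cells, a cipher downgrade to A5/2, and a request for the permanent IMSI. The cell identifiers, signal levels, weights and traces are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample data and thresholds; nothing here comes from a real deployment.


@dataclass
class CellObs:
    t: int                 # seconds since start of capture
    cell_id: str           # "MCC-MNC-LAC-CID" as the baseband reports it
    rssi_dbm: int          # received signal strength of the serving cell
    cipher: str            # "A5/1" or "A5/3" (normal) vs "A5/2" or "A5/0" (weak/none)
    imsi_requested: bool   # serving cell asked for the IMSI rather than the temporary TMSI


# Cells the carrier is known to operate near this site (constructed whitelist).
KNOWN_CELLS: Set[str] = {"310-260-4711-1001", "310-260-4711-1002", "310-260-4711-1003"}

STRONG_CIPHERS = {"A5/1", "A5/3"}
JUMP_DB = 20          # a new serving cell this much stronger than the last is suspicious
ALERT_THRESHOLD = 4   # total weight at or above which an alert is raised


def score_observations(obs: List[CellObs], known: Set[str] = KNOWN_CELLS) -> Dict[str, object]:
    """Weigh the indicators a cell-site simulator leaves in a serving-cell trace."""
    score = 0
    reasons: List[str] = []
    seen_unknown: Set[str] = set()
    prev = None
    for o in obs:
        # 1. Serving cell is not one the carrier operates here (counted once per cell).
        if o.cell_id not in known and o.cell_id not in seen_unknown:
            seen_unknown.add(o.cell_id)
            score += 2
            reasons.append(f"t={o.t}: unknown serving cell {o.cell_id}")
        if prev is not None:
            # 2. Reselection to a cell that is suddenly much stronger (the "stronger pilot" trick).
            if o.cell_id != prev.cell_id and o.rssi_dbm - prev.rssi_dbm >= JUMP_DB:
                score += 2
                reasons.append(f"t={o.t}: {o.cell_id} is {o.rssi_dbm - prev.rssi_dbm} dB "
                               f"stronger than {prev.cell_id}")
            # 3. Cipher downgraded from a strong cipher to A5/2 or to no cipher at all.
            if prev.cipher in STRONG_CIPHERS and o.cipher not in STRONG_CIPHERS:
                score += 3
                reasons.append(f"t={o.t}: cipher downgraded {prev.cipher} -> {o.cipher}")
        # 4. Network asked for the permanent IMSI instead of the TMSI.
        if o.imsi_requested:
            score += 2
            reasons.append(f"t={o.t}: IMSI requested by {o.cell_id}")
        prev = o
    verdict = "suspected cell-site simulator" if score >= ALERT_THRESHOLD else "normal"
    return {"score": score, "reasons": reasons, "verdict": verdict}


# Constructed traces: an ordinary handover, and a forced attachment to a rogue cell.
BENIGN = [
    CellObs(0, "310-260-4711-1001", -85, "A5/1", False),
    CellObs(30, "310-260-4711-1002", -80, "A5/1", False),
    CellObs(60, "310-260-4711-1002", -82, "A5/1", False),
]
SUSPICIOUS = [
    CellObs(0, "310-260-4711-1001", -85, "A5/1", False),
    CellObs(5, "310-260-4711-9999", -55, "A5/1", True),
    CellObs(6, "310-260-4711-9999", -55, "A5/2", False),
]

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        result = score_observations(trace)
        print(name, result["verdict"], result["score"], *result["reasons"], sep="\n  ")
```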

Federal Agencies Using the Technology

The technology is used by numerous federal agencies, including:  FBI, IRS, the Armed Services, and the NSA.  The technology is used also by many state agencies.

Constitutional Issues

The question is what Constitutional protections need to be observed in the use of the technology by law enforcement.  The basic protection is the Fourth Amendment's guarantee against unreasonable searches and seizures by the Government, a protection applying to both State and Federal Governments.  The text of the Fourth Amendment is short:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
The Fourth Amendment obviously does not speak to a person's right to privacy with respect to their cell phone's location and internal data.  But the Fourth Amendment does not address many features of life after its adoption -- e.g., cars.  Generally speaking, through the process of constitutional interpretation and application in specific cases, the Fourth Amendment is applied to many of those features of modern life.

The issue is whether the Fourth Amendment applies to the type of investigation and electronic intrusion into cell phones allowed by the cell-site simulator.  I won't try to deal with the complex constitutional and interpretive issues in any detail.  Suffice it to say, law enforcement recognizes that Fourth Amendment concerns are raised by its use.

DOJ Policy of 9/3/15

Most particularly, in response to public concerns about the use of the technology, on 9/3/15, the DOJ announced its revised policy for use.  See press release titled Justice Department Announces Enhanced Policy for Use of Cell-Site Simulators, here.  The following are the key excerpts:
To enhance privacy protections, the new policy establishes a set of required practices with respect to the treatment of information collected through the use of cell-site simulators.  This includes data handling requirements and an agency-level implementation of an auditing program to ensure that data is deleted consistent with this policy.  For example, when the equipment is used to locate a known cellular device, all data must be deleted as soon as that device is located, and no less than once daily.
Additionally, the policy makes clear that cell-site simulators may not be used to collect the contents of any communication in the course of criminal investigations.  This means data contained on the phone itself, such as emails, texts, contact lists and images, may not be collected using this technology. 
While the department has, in the past, obtained appropriate legal authorizations to use cell-site simulators, law enforcement agents must now obtain a search warrant supported by probable cause before using a cell-site simulator.  There are limited exceptions in the policy for exigent circumstances or exceptional circumstances where the law does not require a search warrant and circumstances make obtaining a search warrant impracticable.  Department components will be required to track and report the number of times the technology is deployed under these exceptions.
The link to the actual policy is here.  The policy has a good statement as to the background and history of the technology, its use and its constitutional implications.  Key excerpts are:
Basic Uses 
Law enforcement agents can use cell-site simulators to help locate cellular devices whose unique identifiers are already known to law enforcement, or to determine the unique identifiers of an unknown device by collecting limited signaling information from devices in the simulator user's vicinity. This technology is one tool among many traditional law enforcement techniques, and is deployed only in the fraction of cases in which the capability is best suited to achieve specific public safety objectives.
How They Function 
Cell-site simulators, as governed by this policy, function by transmitting as a cell tower. In response to the signals emitted by the simulator, cellular devices in the proximity of the device identify the simulator as the most attractive cell tower in the area and thus transmit signals to the simulator that identify the device in the same way that they would with a networked tower. A cell-site simulator receives and uses an industry standard unique identifying number assigned by a device manufacturer or cellular network provider. When used to locate a known cellular device, a cell-site simulator initially receives the unique identifying number from multiple devices in the vicinity of the simulator. Once the cell-site simulator identifies the specific cellular device for which it is looking, it will obtain the signaling information relating only to that particular phone. When used to identify an unknown device, the cell-site simulator obtains signaling information from non-target devices in the target's vicinity for the limited purpose of distinguishing the target device. 
What They Do and Do Not Obtain 
By transmitting as a cell tower, cell-site simulators acquire the identifying information from cellular devices. This identifying information is limited, however. Cell-site simulators provide only the relative signal strength and general direction of a subject cellular telephone; they do not function as a GPS locator, as they do not obtain or download any location information from the device or its applications. Moreover, cell-site simulators used by the Department must be configured as pen registers, and may not be used to collect the contents of any communication, in accordance with 18 U.S.C. § 3127(3). This includes any data contained on the phone itself: the simulator does not remotely capture emails, texts, contact lists, images or any other data from the phone. In addition, Department cell-site simulators do not provide subscriber account information (for example, an account holder's name, address, or telephone number). 
I am not sure whether the latter description (not accessing cell phone location via GPS and not accessing cell phone content) reflects limitations of the technology or limitations that DOJ puts on its use of the technology.

The DOJ policy is:
LEGAL PROCESS AND COURT ORDERS 
The use of cell-site simulators is permitted only as authorized by law and policy. While the Department has, in the past, appropriately obtained authorization to use a cell-site simulator by seeking an order pursuant to the Pen Register Statute, as a matter of policy, law enforcement agencies must now obtain a search warrant supported by probable cause and issued pursuant to Rule 41 of the Federal Rules of Criminal Procedure (or the applicable state equivalent), except as provided below. 
As a practical matter, because prosecutors will need to seek authority pursuant to Rule 41 and the Pen Register Statute, prosecutors should, depending on the rules in their jurisdiction, either (1) obtain a warrant that contains all information required to be included in a pen register order pursuant to 18 U.S.C. § 3123 (or the state equivalent), or (2) seek a warrant and a pen register order concurrently. The search warrant affidavit also must reflect the information noted in the immediately following section of this policy ("Applications for Use of Cell-Site Simulators"). 
There are two circumstances in which this policy does not require a warrant prior to the use of a cell-site simulator. 
1. Exigent Circumstances under the Fourth Amendment  
Exigent circumstances can vitiate a Fourth Amendment warrant requirement, but cell-site simulators still require court approval in order to be lawfully deployed. An exigency that excuses the need to obtain a warrant may arise when the needs of law enforcement are so compelling that they render a warrantless search objectively reasonable. When an officer has the requisite probable cause, a variety of types of exigent circumstances may justify dispensing with a warrant. These include the need to protect human life or avert serious injury; the prevention of the imminent destruction of evidence; the hot pursuit of a fleeing felon; or the prevention of escape by a suspect or convicted fugitive from justice.
In this circumstance, the use of a cell-site simulator still must comply with the Pen Register Statute, 18 U.S.C. § 3121, et seq., which ordinarily requires judicial authorization before use of the cell-site simulator, based on the government's certification that the information sought is relevant to an ongoing criminal investigation. In addition, in the subset of exigent situations where circumstances necessitate emergency pen register authority pursuant to 18 U.S.C. § 3125 (or the state equivalent), the emergency must be among those listed in Section 3125: immediate danger of death or serious bodily injury to any person; conspiratorial activities characteristic of organized crime; an immediate threat to a national security interest; or an ongoing attack on a protected computer (as defined in 18 U.S.C. § 1030) that constitutes a crime punishable by a term of imprisonment greater than one year. In addition, the operator must obtain the requisite internal approval to use a pen register before using a cell-site simulator. In order to comply with the terms of this policy and with 18 U.S.C. § 3125, the operator must contact the duty AUSA in the local U.S. Attorney's Office, who will then call the DOJ Command Center to reach a supervisory attorney in the Electronic Surveillance Unit (ESU) of the Office of Enforcement Operations.  Assuming the parameters of the statute are met, the ESU attorney will contact a DAAG in the Criminal Division and provide a short briefing. If the DAAG approves, the ESU attorney will relay the verbal authorization to the AUSA, who must also apply for a court order within 48 hours as required by 18 U.S.C. § 3125. Under the provisions of the Pen Register Statute, use under emergency pen-trap authority must end when the information sought is obtained, an application for an order is denied, or 48 hours has passed, whichever comes first.
2. Exceptional Circumstances Where the Law Does Not Require a Warrant  
There may also be other circumstances in which, although exigent circumstances do not exist, the law does not require a search warrant and circumstances make obtaining a search warrant impracticable. In such cases, which we expect to be very limited, agents must first obtain approval from executive-level personnel at the agency's headquarters and the relevant U.S. Attorney, and then from a Criminal Division DAAG. The Criminal Division shall keep track of the number of times the use of a cell-site simulator is approved under this subsection, as well as the circumstances underlying each such use.
In this circumstance, the use of a cell-site simulator still must comply with the Pen Register Statute, 18 U.S.C. § 3121, et seq., which ordinarily requires judicial authorization before use of the cell-site simulator, based on the government's certification that the information sought is relevant to an ongoing criminal investigation. In addition, if circumstances necessitate emergency pen register authority, compliance with the provisions outlined in 18 U.S.C. § 3125 is required (see provisions in section 1 directly above).
IRS Use of Cell-Site Simulators

Now, we get to the IRS's use of the technology, which was the subject of testimony by IRS Commissioner Koskinen before Congress and then letters from Koskinen to Congress clarifying his remarks.  Without getting into how the IRS used its simulator in the past, Koskinen advised Senator Wyden by letter dated 11/25/15 that the IRS has a moratorium on use and will issue its internal guidance on November 30, substantially mirroring the DOJ rules noted above.

I will have a posting later on the new IRS guidance when it becomes public.

Other materials:

There are references in the DOJ policy about pen registers and the Pen Register Statute.  I thought the following from Wikipedia here might be helpful:
A pen register, or dialed number recorder (DNR), is an electronic device that records all numbers called from a particular telephone line. The term has come to include any device or program that performs similar functions to an original pen register, including programs monitoring Internet communications. 
The United States statutes governing pen registers are codified under 18 U.S.C., Chapter 206.
The cell-site simulator obviously can function as a pen register device and, since there are statutes dealing with the use of those devices and the requirements, those statutes would apply to this use.

Addendum 12/3/15 9:00pm:

The issues are much the same, in a slightly different context, for accessing emails stored on internet or email service providers' web storage.  The issue is ultimately whether, in order to access email content, the investigating agency is required to obtain an SCA warrant, which requires a showing of probable cause under FRCrP 41.  Some of the information other than content may be obtained under a lesser showing for a "§ 2703(d) Court Order" when the Government provides "specific and articulable facts showing that there are reasonable grounds to believe" that the records sought "are relevant and material to an ongoing criminal investigation."  All of it relates to reasonable expectations of privacy -- a Fourth Amendment concern -- and the protections required or needed to protect a reasonable zone of privacy.  The blogs in that context are (presented in reverse chronological order to show the development over time):

  • The Stored Communications Act and Emails: An Overview (Federal Tax Crimes Blog 4/25/15), here.
  • Guest Blog on Stored Communications Act Reach to Cloud Storage Outside the U.S. (Federal Tax Crimes Blog 4/25/15), here.
  • IRS to Require Search Warrants for All Emails from ISPs (Federal Tax Crimes Blog 5/15/13), here.
  • Are Emails Stored on the ISP's Computer Subject to Fourth Amendment Protections? (Federal Tax Crimes Blog 7/28/12), here.
