This article is more than 1 year old

Secret Service, ICE break the law over and over with fake cell tower spying

Investigations 'at risk' from sloppy surveillance uncovered by audit probe

The US Secret Service and Immigration and Customs Enforcement (ICE) agencies have failed to follow the law and official policy regarding the use of cell-site simulators, according to a government audit.

Cell-site simulators (CSS), also known as Stingrays or IMSI Catchers, are devices that serve as decoy cell towers. They're used by law enforcement, intelligence services, and others to intercept metadata or communications, and triangulate a phone's location. Essentially, your handset connects to the nearby tower, think it belongs to a telco, but in fact, it's a temporary mast set up by the Feds to snoop on devices within range.

For years, these devices have elicited criticism from civil rights groups and legislators who argue that they violate Fourth Amendment protection against unreasonable search and seizure. The government insists it will only use this type of kit in line with existing rules and restrictions, but it appears that is not the case.

The Department of Homeland Security (DHS) Office of the Inspector General (OIG) looked at CSS deployment by the Secret Service and ICE and found, "Secret Service and ICE HSI [Homeland Security Investigations] did not always adhere to Federal statute and CSS policies when using CSS during investigations involving exigent circumstances."

The OIG audit report [PDF] also found that "ICE HSI did not adhere to Department privacy policies and the applicable Federal privacy statute when using CSS."

The audit was originally undertaken to look at how the agencies adhered to policies on cell-phone surveillance and commercial location-sharing databases, but DHS OIG now is dealing with those two separately. The phone surveillance report offers six recommendations to help the agencies comply with their legal and policy obligations. But annoyingly it redacts statistical data about the number of investigations utilizing CSS devices in 2020 and 2021.

Government investigators are supposed to get a court order at the least to use a pen register (devices that record incoming and outgoing phone numbers when calls are made), except under exigent circumstances - the so-called ticking time bomb scenario. But as the OIG report notes, the two organizations often failed to do that.

"The fact that government agencies are using these devices without the utmost consideration for the privacy and rights of individuals around them is alarming but not surprising," said EFF Policy Analyst Matthew Guariglia in a blog post on Thursday. "The federal government, and in particular agencies like HSI and ICE, have a dubious and troubling relationship with overbroad collection of private data on individuals."

Guariglia argues the OIG should release the statistical data so that the public can better understand how often CSS devices play a role in investigations.

We make the rules, we break the rules

In October 2015 Alejandro Mayorkas, then Deputy Secretary of DHS and currently Secretary of DHS, issued a policy memorandum [PDF] stating that the department "must use cell-site simulators in a manner that is consistent with the requirements and protections of the Constitution, including the Fourth Amendment, and applicable statutory authorities, including the Pen Register Statute."

By 2017, the Secret Service and ICE had each formulated policies incorporating the DHS directive.

The Department of Justice says [PDF] that while it has in the past "obtained authorization to use a cell-site simulator by seeking an order pursuant to the Pen Register Statute" – which does not require a probable cause warrant – "as a matter of policy, law enforcement agencies must now obtain a search warrant supported by probable cause and issued pursuant to Rule 41 of the Federal Rules of Criminal Procedure (or the applicable state equivalent)."

But there are various exceptions when a warrant is not required and CSS deployment is governed by the rules for pen registers. Exceptions include: "the need to protect human life or avert serious injury; the prevention of the imminent destruction of evidence; the hot pursuit of a fleeing felon; or the prevention of escape by a suspect or convicted fugitive from justice." And there's also an exception when the law doesn't require a warrant and obtaining one would be impractical.

Given this legal inconsistency, it's not always obvious whether CSS deployment was done lawfully. In a 2017 decision in Prince Jones v. US, an appeals court found "the government violated the Fourth Amendment when it deployed the cell-site simulator against [plaintiff Prince Jones] without first obtaining a warrant based on probable cause." And the following year, the US Supreme Court ruled 5-4 in US v. Carpenter that the warrantless search and seizure of cell-site data violated the Fourth Amendment.

Legislators recently have tried to make CSS usage clearer. In 2021, US Senator Ron Wyden (D-OR) and a bipartisan group of other lawmakers introduced a bill, the Cell-Site Simulator Warrant Act, requiring the government to obtain a warrant to deploy a CSS device.

"Current federal, state, and local policies regulating Stingrays are confusing and inconsistent, opening the door to abuse and unconstrained, invasive surveillance by law enforcement," the Project on Government Oversight (POGO) said in support of the bill.

The bill never made it out of committee.

Freddy Martinez, a senior researcher with POGO, told The Register in a phone interview that since the Carpenter decision, most jurisdictions have some sort of warrant requirement. But the report, he said, indicates that there's still a lot of confusion about differences between historical cell-site data, real-time cell-site data, and emergency access, and so on.

"This report really does speak to the problems of unclear statutes," he said. "It would be easy if Congress just passed a law that said you have to get a warrant to use this equipment."

Martinez also observed that the report points out the problem with federal authorities relying on local partners to do the necessary paperwork. "They're not doing the paperwork that they need to be doing and they're putting cases at risk," he said. ®

More about

TIP US OFF

Send us news


Other stories you might like