FBI agents wanted to search Michael Cohen’s hotel room, but didn’t know which room he was in. So, they used a controversial device that captured his cellphone’s location.
The revelation — included in a trove of search warrant documents released Tuesday in the case of President Trump’s former personal lawyer — sheds some light on how police are using the suitcase-sized devices, which mimic cellphone towers and can scoop up data from any phone that bounces off them.
Federal law enforcement has long used the devices — known as “cell site simulators,” StingRays, or by various other brand names -- to pinpoint suspects’ locations. And, before a 2015 policy shift, they may have also used them to gather other information such as text messages and emails.
Foreign adversaries may also be using StingRays in Washington to spy on Americans.
The Cohen case presents a relatively uncontroversial use of the tools, but it also highlights the concerns many privacy advocates have about them — that they’re far more intrusive than other options and more prone to scoop up information about innocent bystanders.
“It’s like taking a baseball bat to a mosquito,” Faiza Patel, co-director of the Liberty and National Security Program at New York University Law School’s Brennan Center for Justice, told me.
The U.S. Marshals Service, for example, used the devices to track 6,000 cellphones, according to a USA Today report. In some cases, the service even took them on airplanes and scooped up information from tens of thousands of people on the ground below to locate a few criminal suspects, the Wall Street Journal reported.
Under the new ground rules, federal law enforcement officers are required to get a warrant before using the devices — with a few exceptions — and to use them only to access location information, not phone content such as emails and texts. Officers must also delete any unnecessary information they gather from bystanders within a matter of days.
But that hasn’t quelled advocates’ concerns, Patel said.
One major problem is that federal law enforcement is allowed to skip getting a warrant in certain “exigent circumstances.” But the policy doesn’t outline what those circumstances might be — and there’s very little public information showing police aren’t abusing the loophole, she said.
In the Cohen case, the FBI did get a warrant to use the simulators — they used a particular brand called TriggerFish, But most of their justification for using it is redacted in the documents produced Tuesday.
That doesn’t give the public much information about whether the simulators were really necessary or if the FBI could have used a less invasive technique to learn which hotel room Cohen was in.
Different versions of the simulators have different ranges, but it’s likely the device the FBI used captured information from most or all of the cellphones in the Manhattan hotel where Cohen and his family were staying while their apartment was being renovated, Patel told me.
An FBI spokeswoman declined to comment on the warrant or the broader Cohen case.
When warrant requests for StingRays do become public, they frequently suggest police and judges aren’t taking seriously enough how invasive the technology can be and how it can affect bystanders’ privacy, Stephanie Lacambra, a criminal defense staff attorney with the Electronic Frontier Foundation, told me.
Another concern is that the federal policy doesn’t apply to state and local law enforcement agencies, many of which are still using StingRays with few restrictions and little or no oversight, according to studies by the American Civil Liberties Union.
That can cause major problems, especially in places where police and judges granting their warrants don’t have a good sense of all the privacy issues the devices create, Lacambra said.
“Some jurisdictional offices aren’t as familiar with the technology and will sometimes hand these warrants out without really understanding what they’re doing,” she said. “Digital tools are different, and they need to be treated differently.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: European Union leaders plan to sound an alarm this week about possible Russian efforts to interfere in E.U. elections in May, Reuters’s Alissa de Carbonnel, Alastair Macdonald and Jean-Baptiste Vey reported.
Officials plan to “urge governments to share information on threats via a new warning system” and to “call for online platforms, such as Facebook and Google, to do more to remove misleading or illegal content,” according to a draft statement obtained by Reuters that’s scheduled to be released at an E.U. Leaders Summit this week in Brussels.
“Many of our nations, including France, have already been targeted by campaigns, attacks or manipulation,” an Elysee official told Reuters. “We have to increase our efforts at the European level.”
PATCHED: Democratic leaders on the House Energy and Commerce Committee want to know how much more the Federal Trade Commission could do to protect data security and consumer privacy if it got a major funding boost.
In a letter Wednesday, Committee Chairman Frank Pallone Jr. (D-N.J.) and Jan Schakowsky (D-Ill), chair of the committee’s consumer protection panel, float three possibilities — if the commission got a $50 million, $75 million or $100 million funding boost — and ask how it would ramp up its efforts under each scenario.
The letter also asks how the commission would go about hiring a staff of technologists if Congress directed it to and what the commission would do if it had the power to create new privacy and security regulations. Right now, the FTC has the power only to enforce rules and to hold companies accountable for breaking them.
PWNED: Israeli Prime Minister Benjamin Netanyahu, who’s in a tight race for reelection, blamed Iran for hacking his challenger Benny Gantz’s cellphone — without citing evidence — and warned that could leave Gantz open to blackmail, Reuters’s Dan Williams reported.
“[Netanyahu’s] comments, in a brief speech broadcast online from his official residence, brought a new level of vitriol to the election race,” according to the report.
Gantz, who leads Israel’s centrist Blue and White party, has confirmed Israeli intelligence told him his phone was hacked, but neither Gantz nor the intelligence agency has revealed who did the hacking. Iran has denied culpability, Reuters reported.
“What do the Iranians know about you that you are hiding from us? And … how would you, as prime minister, face up to Iran, our number one enemy, when Iran has sensitive information about you?” Netanyahu asked, according to Reuters.
Cybersecurity news from the public sector:
Cybersecurity news from the private sector:
Cybersecurity news from abroad: