StingRays mimic cellphone towers and grab location information from any nearby device. That makes them extremely useful for locating criminals when police know the phone they’re carrying. But they also capture identifying information from the cellphones of everyone else in their range, which can cover a whole apartment building or multiple city blocks. Critics say that is a huge invasion of privacy.
The suitcase-sized cell site simulators are so effective, in fact, that the FBI uses them in a range of high-profile cases -- including to track President Trump's personal lawyer Michael Cohen in a campaign finance investigation -- and foreign adversaries may also be using them in Washington to spy on Americans.
And as they become far more common, civil liberties groups worry the government is striking the wrong balance between privacy and security. “This is the equivalent of kicking down every door in a neighborhood in order to find a particular suspect,” Nathan Freed Wessler, an ACLU staff attorney, told me. “The most invasive techniques need to be reserved for the most serious investigations, and there’s a real concern that it’s being used for relatively low-level crimes.”
This is especially concerning since it's unclear if the people they’re tracking have committed serious offenses or if they've just crossed the border illegally — as news reports suggest is often the case.
“People are willing to use this very intrusive technology when law enforcement is targeting the most serious crimes, but there’s inevitable mission creep,” Faiza Patel, co-director of the Liberty and National Security Program at New York University Law School’s Brennan Center for Justice, told me. “They’re inevitably used for more routine violations, and the next thing you know you’re using them to track shoplifters.”
The fact the tools are being used to track people who’ve entered the country illegally could be a troubling sign their use will become more widespread. “Government abuses of power often affect the most vulnerable members of society first and immigrant communities are particularly vulnerable,” Wessler told me. “So we, as a society, have to be particularly attentive to how the government comports itself in those areas.”
ICE and CBP have been especially tight-lipped, refusing to reveal any information about how they’re using at least 92 StingRays they’ve purchased for $13 million in recent years, according to a congressional oversight report.
Government rules on StingRays have generally lagged behind how agencies are using them. Before Justice and Homeland Security Department policies were enacted in 2015, agencies sometimes used the tools without warrants and may have used them to swipe content from phones, such as text messages and voice mails, rather than just technical information about the phone’s location.
The U.S. Marshals Service, for example, reportedly used the devices to track 6,000 cellphones and, in some cases, even took them on airplanes and scooped up information from tens of thousands of people on the ground below to locate a few criminal suspects.
The ACLU initially filed Freedom of Information Act requests to find out how the agencies were using StingRays but hasn’t received answers more than two years later. The lawsuit, filed in a federal court in Manhattan, would force them to answer that FOIA request. Representatives for ICE and CBP both declined to comment on the case.
“This is about what kind of society we want to live in,” Wessler told me. “Is it a society where people are allowed to walk around in public without the constant threat of a government agency downloading their identifying information? Or do we drift toward a police state where the government has that information all the time?”
PINGED, PATCHED, PWNED
PINGED: The president must share the Pentagon's classified offensive hacking guidelines with some congressional committees under a provision in a massive defense policy bill that House and Senate negotiators finalized yesterday. It's expected to become law. That's a win for lawmakers who battled the White House to release the classified memo for almost 15 months before forcing the administration’s hand with legislation.
The $738 billion bill, which has already passed the House, also creates a Space Force, as my colleagues Paul Sonne and Karoun Demirjian report. Other cybersecurity provisions include a $10 million fund, championed by Sen. Angus King (I-Maine), to establish a cybersecurity strategy to protect the nation's electric grid, and a requirement for the Department of Homeland Security to produce an unclassified report on 2016 cyberattacks against U.S. election infrastructure.
PATCHED: Sen. Ron Wyden (D-Ore.) wants answers from anti-virus company Avast about why it's selling its users' data to marketers, his office told Joseph Cox at Motherboard. Wyden's questions come after the nonprofit browser operator Mozilla removed Avast's browser extensions for harvesting and selling user data.
“Americans expect cybersecurity and privacy software to protect their data, not sell it to marketers. I'm looking into this troubling report about Avast and its failure to protect consumers' data,” Wyden wrote in a tweet.
Avast's CEO Ondrej Vlcek defended the practice, telling Forbes that it strips information that could identify users.
“We had a brief conversation with an aide in Senator Wyden’s office yesterday to understand and listen to their feedback. We are confident in our data processing practices and are happy to delve deeper into the conversation,” an Avast representative told Motherboard.
PWNED: Hackers are selling software that breaks into Amazon's Ring security cameras for as little as $6 on Web forums, Joseph Cox and Samantha Cole at Motherboard report. Reporters discovered the black market tools on several online forums after local news reports about hackers accessing Ring cameras and speaking to the owners' children or shouting slurs through the devices. (Amazon CEO Jeff Bezos owns The Washington Post).
Motherboard found several posts on different crime forums where hackers discussed creating tools for breaking into Ring accounts. One tool, called CamCheck, churns through lists of usernames and passwords on a Ring interface until it finds a match that grants it access to a camera, Joseph and Samantha report.
The hack was not the result of a “breach or compromise of Ring's security,” Ring told Motherboard, but the company didn’t explain further. The company also encourages users to use extra security features when logging into accounts.
— The Homeland Security Department is hosting the final round of the first President’s Cup Cybersecurity Competition today. You can live-stream the event through most of the day here.