Spyware

Last Thursday, the Department of Justice announced the immediate implementation of what it called an “enhanced policy” regarding the use of “cell-site simulators,” also known as “Stingrays.”

The enhanced policy essentially confirms that federal agents under DoJ jurisdiction – including those from the FBI, Drug Enforcement Administration, U.S. Marshals Service, Bureau of Alcohol, Tobacco and Firearms, and others, must get warrants before using Stingray technology to collect information about people.

However, this policy only covers organizations under direct DoJ jurisdiction, which does not include agents of the Department of Homeland Security, nor state- or local-level police.

The Fourth Amendment to the Constitution, which was ratified in December 1791 along with the rest of the Bill of Rights, sets limits on the government's behavior by guaranteeing “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures,” unless the government obtains a warrant based on probable cause to suspect that the person being searched is actually guilty of a crime.

New technology argument

And ever since 1791, whenever new technology has been introduced, various members of the government have tried arguing that the constitutional restrictions on their behavior shouldn't apply to this new technology, too. Such debates have become especially contentious ever since cell phones, the Internet, computers and related items made it technologically possible for governments to spy on their populations more thoroughly than ever before.

What exactly is a cell-site simulator, and why is its use so controversial? As the name suggests, cell-site simulators are devices that simulate cell phone towers in a way that forces cell phones in the area to broadcast information which can be used to locate and identify them. And of course, if you know the location and movement of a given cell phone, you probably know the same information about the cell phone's owner.

In February, the American Civil Liberties Union released records it had obtained via Freedom of Information requests from police agencies across the state of Florida, detailing widespread law enforcement use of Stingray surveillance. This surveillance was kept secret not only from ordinary American citizens, but from judges and the court system, too.

That secrecy was allegedly justified in the name of “national security” even though, as the ACLU noted at the time, a detailed list of over 250 investigations from just one city's police department showed that not a single case was actually related to national security. Since 2008, Florida alone spent more than $3 million on Stingrays and related equipment, according to the ACLU.

Not the locals

But the Department of Justice's new policy doesn't apply to local police departments. Indeed, right now it's impossible to say for certain how many Stingray towers there are, or how many government departments (at all levels) use them. The ACLU has produced a map illustrating “Stingray tracking devices: who's got them?” However, as the ACLU said in an explanation of the maps' limitations:

The ACLU has identified 54 agencies in 21 states and the District of Columbia that own stingrays, but because many agencies continue to shroud their purchase and use of stingrays in secrecy, this map dramatically underrepresents the actual use of stingrays by law enforcement agencies nationwide.

Stingrays, also known as "cell site simulators" or "IMSI catchers," are invasive cell phone surveillance devices that mimic cell phone towers and send out signals to trick cell phones in the area into transmitting their locations and identifying information. When used to track a suspect's cell phone, they also gather information about the phones of countless bystanders who happen to be nearby.

Which is why Linda Lye, an attorney with the ACLU of Northern California, told Ars Technica that the DoJ policy mandating federal agents get warrants before using Stingray is “a welcome and overdue first step, but it is just a first step. It doesn’t cover non-DOJ entities and it doesn’t cover the locals.”

October 5, 2006
It's back to Square One for California privacy advocates hoping to restrict the use of "spychip" technology in the state, after Gov. Arnold Schwarzenegger vetoed a bill passed by the General Assembly.

Schwarzenegger said the measure might contradict forthcoming federal guidance for technology used in government identification, specifically relating to the REAL ID act, which mandates national standards for verifying the identity of driver's license applicants.

The so-called spychip technology -- technical known as radio frequency identification (RFID) (RFID) -- is a leading contender for use in nationally-readable ID cards.

"I am concerned that the bill's provisions are overbroad and may unduly burden the numerous beneficial new applications of contactless technology," Schwarzenegger said in his veto statement.

The bill, sponsored by state Senator Joseph Simitian (D-Palo Alto), would have implemented multiple safeguards into any machines capable of reading RFID-tagged cards, provided information on the locations of RFID tag machine readers throughout the state, and ensured consumers had control of how their information was transmitted.

With RFID technology, any product -- or person, for that matter -- can be tracked and catalogued. It's the potential to track humans that has alarmed many privacy advocates.

Organizations such as the American Civil Liberties Union (ACLU) hoped that passage of the California law would trigger other states to pursue similar measures. Privacy advocates such as Liz McIntyre criticized Schwarzenegger's veto as an example of "his admiration for paternalistic power."

"He's in the cat bird seat now, but his perspective might change if he becomes the tracked rather than the person doing the tracking, "McIntyre told ConsumerAffairs.com.

"It's a shame he had the opportunity to protect what's left of California citizens' privacy, but chose instead to terminate the bill."

McIntyre and partner Katherine Albrecht have led the charge for more public awareness of the usage of RFID tags, or "spychips," in public life.

Their book of the same name details many examples of government and business pushing the use of RFID tagging for everything from jeans to medical patients.

McIntyre and Albrecht also head CASPIAN (Consumers Against Supermarket Privacy Invasion And Numbering), which opposes the usage of "loyalty cards" and collecting information on shoppers' buying habits.

The duo had previously brought attention to Levi Strauss and Co.'s attempts to test RFID tracking chips imbedded in men's jeans at stores in Mexico. Levi Strauss refused to disclose the location of the tests, possibly fearing a consumer backlash and boycott.

In spite of the criticism, government agencies and businesses are pushing ahead with various RFID initiatives. Leading RFID technology designer VeriChip has been petitioning the Pentagon to "tag" all military personnel with chips containing their personal health information.

Hackers and security analysts have repeatedly demonstrated that RFID chips can be "read" and copied easily, enabling thieves to make off with any information stored therein, but to no avail.

If RFID tags make it into the new REAL ID driver's licenses, that will be one more item on the list for a program with estimated costs running in the hundreds of millions.

Critics of the plan say that the initiative is one step closer to a national ID card, as well as a potential gold mine for identity thieves who will take advantage of the massive project to harvest information from unsuspecting Americans.