By Joseph Marks
The StingRay II, a cellular site simulator used for surveillance purposes. (U.S. Patent and Trademark Office/AP)
Immigration and border agents may be scooping up cellphone information from thousands of innocent U.S. citizens in their effort to track a few people who’ve crossed the border illegally — using invasive surveillance tools that were originally developed to protect military operations.
That’s the big concern raised in a lawsuit the American Civil Liberties Union filed yesterday against U.S. Immigration and Customs Enforcement and Customs and Border Protection, demanding to know how widely the agencies are using the tools called StingRays and who they’re targeting.
StingRays mimic cellphone towers and grab location information from any nearby device. That makes them extremely useful for locating criminals when police know the phone they’re carrying. But they also capture identifying information from the mobile cellphones of everyone else in their range, which can cover a whole apartment building or multiple city blocks, which critics say is a huge invasion of privacy.
The suitcase-sized cell site simulators are so effective, in fact, that the FBI uses them in a range of high profile cases -- including to track President Trump's personal lawyer Michael Cohen in a campaign finance investigation -- and foreign adversaries may also be using them in Washington to spy on Americans.
And as they become far more common, civil liberties groups worry the government is striking the wrong balance between privacy and security. “This is the equivalent of kicking down every door in a neighborhood in order to find a particular suspect,” Nathan Freed Wessler, an ACLU staff attorney, told me. “The most invasive techniques need to be reserved for the most serious investigations, and there’s a real concern that it’s being used for relatively low-level crimes.”
This is especially concerning since it's unclear if the people they’re tracking have committed serious offenses or if they've just crossed the border illegally — as news reports suggest is often the case.
“People are willing to use this very intrusive technology when law enforcement is targeting the most serious crimes, but there’s inevitable mission creep,” Faiza Patel, co-director of the Liberty and National Security Program at New York University Law School’s Brennan Center for Justice, told me. “They’re inevitably used for more routine violations, and the next thing you know you’re using them to track shoplifters.”
The fact the tools are being used to track people who’ve entered the country illegally could be a troubling sign their use will become more widespread. “Government abuses of power often affect the most vulnerable members of society first and immigrant communities are particularly vulnerable,” Wessler told me. “So we, as a society, have to be particularly attentive to how the government comports itself in those areas.”
ICE and CBP have been especially tight-lipped, refusing to reveal any information about how they’re using at least 92 StingRays they’ve purchased for $13 million in recent years, according to a congressional oversight report.
Government rules on StingRays have generally lagged how agencies are using them. Before Justice and Homeland Security Department policies were enacted in 2015, agencies sometimes used the tools without warrants and may have used them to swipe content from phones, such as text messages and voice mails, rather than just technical information about the phone’s location.
The U.S. Marshals Service, for example, reportedly used the devices to track 6,000 cellphones and, in some cases, even took them on airplanes and scooped up information from tens of thousands of people on the ground below to locate a few criminal suspects.
The ACLU initially filed Freedom of Information Act requests to find out how the agencies were using StingRays but hasn’t received answers more than two years later. The lawsuit, filed in a federal court in Manhattan, would force them to answer that FOIA request. Representative for ICE and CBP both declined to comment on the case.
“This is about what kind of society we want to live in,” Wessler told me. “Is it a society where people are allowed to walk around in public without the constant threat of a government agency downloading their identifying information? Or do we drift toward a police state where the government has that information all the time?”
PINGED, PATCHED, PWNED
President Trump. (Alex Edelman/Bloomberg News)
The $738 billion bill, which has already passed the House, also creates a Space Force, as my colleagues Paul Sonne and Karoun Demirjian report. Other cybersecurity provisions include a $10 million fund to establish a cybersecurity strategy to protect the nation's electric grid championed by Sen. Angus King (I-Maine) and a requirement for the Department of Homeland Security to produce an unclassified report on 2016 cyberattacks against U.S. election infrastructure.
Sen. Ron Wyden (D-Ore.). (Patrick Semansky/AP)
“Americans expect cybersecurity and privacy software to protect their data, not sell it to marketers. I'm looking into this troubling report about Avast and its failure to protect consumers' data.” Wyden wrote in a tweet.
Americans expect cybersecurity and privacy software to protect their data, not sell it to marketers. I’m looking into this troubling report about Avast and its failure to protect consumers’ data. https://t.co/c4tDxvMXvU— Ron Wyden (@RonWyden) December 10, 2019
“We had a brief conversation with an aide in Senator Wyden’s office yesterday to understand and listen to their feedback. We are confident in our data processing practices and are happy to delve deeper into the conversation,” an Avast representative told Motherboard.
A Ring doorbell. (Jessica Hill/AP)
Motherboard found several posts on different crime forums where hackers discussed creating tools for breaking into Ring accounts. One tool, called CamCheck, churns through lists of usernames and passwords on a Ring interface until it finds a match that grants it access to a camera, Joseph and Samantha report.
The hack was not the result of a “breach or compromise of Ring's security," Ring told Motherboard but didn’t explain further. The company also encourages users to use extra security features when logging into accounts.
PUBLIC KEY— The Homeland Security Department is hosting the final round of the first President’s Cup Cybersecurity Competition today. You can live-stream the event through most of the day here.
— More cybersecurity news from the public sector: