EPIC - EPIC v. FBI - Stingray / Cell Site Simulator

EPIC v. FBI - Stingray / Cell Site Simulator

Legal Documents|
FOIA Documents |
News

Top News

New York City Passes New Surveillance Transparency Law: Yesterday the New York City Council passed the Public Oversight of Surveillance Technology (POST) Act, a law that enables public oversight of surveillance technologies used by the New York Police Department. The POST Act will require the police to publish documents explaining their use of surveillance technologies, accept public comments about them, and provide a final surveillance impact and use policy to the public. EPIC has worked for years to focus public attention on the privacy impact of emerging surveillance technologies, and has pursued open government cases against the FBI and other law enforcement agencies to release information about cell site simulators and other surveillance technologies. EPIC has recently launched a project to track and review algorithms used in the criminal justice system. (Jun. 19, 2020)
EPIC Urges House Appropriations to Examine FBI Response to Russian Cyber Attacks: EPIC has asked the House Appropriations Committee to explore the FBI's failure to respond to cyberattacks. According to documents obtained by EPIC, the FBI is to notify victims of cyberattacks "even when it may interfere with another investigation or (intelligence) operation." But an AP investigation found that the FBI failed to notify hundreds of officials whose email was hacked during the 2016 election. Earlier this week, the Inspector General also found that the DOJ guidelines "do not consider the needs of victims of cybercrime." EPIC obtained the FBI's Victim Notification Procedures through a Freedom of Information Act lawsuit, EPIC v. FBI. (Apr. 5, 2019)
Report: FBI Victim Notification Procedures ‘Unreliable’ and ‘Incomplete’: The FBI’s system for notifying victims of cyberattacks is “unreliable” and “incomplete,” according to a report by the Inspector General for the Department of Justice. The IG report found that “not all victims were informed of their rights as required by” DOJ guidelines, which are “outdated since they do not consider the needs of victims of cybercrime.” In 2017, EPIC obtained through EPIC v. FBI, a FOIA lawsuit, the FBI Victim Notification Procedures that should have applied to Russian cyberattacks during the 2016 Presidential election. The FBI Notification Procedures made clear that notification should occur “even when it may interfere with another investigation or (intelligence) operation.” The records obtained by EPIC led to Associated Press investigation ("FBI gave heads-up to fraction of Russian hackers’ US targets”), which found that the FBI did not follow the Procedures and failed to notify U.S. officials that their email accounts were compromised. The EPIC Democracy and Cybersecurity Project has pursued multiple FOIA cases concerning Russian interference with the 2016 election, including EPIC v. DOJ (the Mueller Report), EPIC v. ODNI (Russian hacking), EPIC v. IRS I release of Trump's tax returns), EPIC v. IRS II (release of Trump business tax records), and EPIC v. DHS (election cybersecurity). (Apr. 1, 2019)
Intelligence Chiefs: New Threats to Democratic Institutions: In a hearing last week, the chiefs of the U.S. intelligence agencies told Senators that foreign adversaries will "increasingly use cyber capabilities" to "seek political, economic, and military advantage." The intelligence leaders further stated that foreign powers are "already looking to the 2020 election" in order to advance their interests, and that those powers will "almost certainly" target online operations to weaken democratic institutions. After the 2016 election, EPIC launched a project on Democracy and Cybersecurity to safeguard democratic institutions. EPIC filed a series of Freedom of Information Act lawsuits to determine the extent of Russian interference: EPIC v. FBI (cyberattack victim notification), EPIC v. ODNI (Russian hacking), EPIC v. IRS I (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity). EPIC has said, "The public has a right to know the details when a foreign government attempts to influence the outcome of a U.S. presidential election. And the public has a right to know what steps have been taken to prevent future attacks." (Feb. 4, 2019)
Senate Reports Detail Russian Russian Interference in 2016 Election: In a pair of reports released this week, the Senate Intelligence Committee provided fresh details on the extent of Russian interference in the 2016 election. Committee Chairman Richard Burr explained: "This newly released data demonstrates how aggressively Russia sought to divide Americans by race, religion and ideology, and how the IRA actively worked to erode trust in our democratic institutions. Most troublingly, it shows that these activities have not stopped." Shortly after the 2016 presidential election, EPIC filed a series of Freedom of Information Act lawsuits to determine the extent of Russian interference: EPIC v. FBI, EPIC v. ODNI, EPIC v. IRS I, and EPIC v. DHS. As EPIC President Marc Rotenberg explained in an op-ed in March 2017: "The public has a right to know the details when a foreign government attempts to influence the outcome of a U.S. presidential election. And the public has a right to know what steps have been taken to prevent future attacks." (Dec. 18, 2018)
Special Counsel: Russian Intelligence Stole Data on 500,000 Voters: Russian intelligence officers hacked the website of a political organization in 2016 and stole personal data on more than 500,000 voters, according to a new indictment from the Special Counsel's Office. The stolen data included "names, addresses, partial social security numbers, dates of birth and driver's license numbers." In January 2017, EPIC sued the FBI for information about the agency's failure to respond to foreign cyber attacks on the DNC and the RNC. EPIC eventually obtained the victim notification procedures that would have applied during the 2016 Presidential election, but which the FBI failed to follow. Almost 18 months have passed since the filing of EPIC v. FBI and the first criminal indictments. (Jul. 13, 2018)
Congress Asks Google, Apple About Smartphone Data Collection: Members of the House Energy and Commerce Committee have sent letters to Apple CEO Tim Cook and Alphabet CEO Larry Page seeking information about the data collection capabilities of smartphones. Prompted by recent privacy scandals, the representatives asked Google and Apple whether their devices track users' location even when location services are disabled or record users' private conversations without a "trigger" word. The issue of smartphones and privacy has generated widespread attention following the Supreme Court's landmark ruling in Carpenter v. U.S. that the Fourth Amendment protects location records generated by mobile phones. EPIC recently advised Congress to strengthen privacy protections for mobile location data in response to the Supreme Court's ruling. (Jul. 10, 2018)
After Carpenter Decision, EPIC Calls on Congress to Update Federal Wiretap Law: In advance of a hearing on “Bolstering Data Privacy and Mobile Security” EPIC has told the House Science Committee that Congress should apply a heightened “super warrant” standard to "StingRays,” a technique for tracking cell phones users. After an EPIC FOIA lawsuit revealed that the FBI was using stingrays without a warrant, the Bureau changed its practices. EPIC filed amicus briefs in U.S. v. Jones and Carpenter v. U.S., two recent Supreme Court cases, arguing that a warrant is required to obtain location information. In a landmark ruling last week, the Supreme Court held that the Fourth Amendment protects location records generated by mobile phones. As a consequence, EPIC said, Congress should update federal privacy law. (Jun. 27, 2018)
D.C. Circuit Sets Date for Argument in EPIC v. IRS, FOIA Case for Trump's Tax Returns: The D.C. Circuit has scheduled oral argument in EPIC v. IRS, EPIC's Freedom of Information Act case to obtain public release of President Trump's tax returns. The Court will hear the case on Thursday, September 13, 2018. EPIC has argued that the IRS has the authority to disclose the President's returns to correct numerous misstatements of fact concerning his financial ties to Russia. For example, President Trump tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim "plainly contradicted by his own attorneys, family members, and business partners." As EPIC told the Court, "there has never been a more compelling FOIA request presented to the IRS." A broad majority of the American public favor the release of the President's tax returns. EPIC v. IRS is one of several FOIA cases EPIC is pursuing concerning Russian interference in the 2016 Presidential election, including EPIC v. FBI (response to Russian cyber attack) and EPIC v. DHS (election cybersecurity). (Jun. 19, 2018)
EPIC Urges Senate Judiciary to Examine FBI Response to Russian Cyber Attacks: EPIC has sent a statement to the Senate Judiciary Committee ahead of Monday's hearing "Examining the Inspector General’s First Report on Justice Department and FBI Actions in Advance of the 2016 Presidential Election." EPIC urged the Committee to explore the FBI's ability to respond to future cyberattacks. According to documents obtained by EPIC, the FBI is to notify victims of cyberattacks "even when it may interfere with another investigation or (intelligence) operation." But an AP investigation found that the FBI failed to notify hundreds of officials whose email was hacked during the 2016 election. EPIC obtained the FBI's Victim Notification Procedures through a Freedom of Information Act lawsuit, EPIC v. FBI. Last month, a federal court ruled that the agency may withhold records still sought by EPIC but said that lawmakers should pursue threats to democratic institutions described in the EPIC lawsuit. (Jun. 15, 2018)

Background

A StingRay is a device that can triangulate the source of a cellular signal by acting "like a fake cell phone tower" and measuring the signal strength of an identified device from several locations. With StingRays and other similar "cell site simulator" technologies, Government investigators and private individuals can locate, interfere with, and even intercept communications from cell phones and other wireless devices. The Federal Bureau of Investigation ("FBI") has used such cell site simulator technology to track and locate phones and users since at least 1995. Recently, federal investigators used a similar device to track down a suspect in an electronic tax fraud ring. This case, United States v. Rigmaiden, No 08-814, 2012 WL 1038817 (D. Ariz. Mar. 28, 2012), has brought the use of this cell phone surveillance technology under public scrutiny, as the Government attempts to shield the methods from discovery. See Order, id. As the Government's own documents make clear, the use of cell site simulator technology implicates not only the privacy of the targets in federal investigations, it also affects other innocent users in the vicinity of the technology.

On July 23, 2008 Daniel David Rigmaiden was indicted on various counts of conspiracy, wire fraud, and identity theft by U.S. Attorneys in Phoenix, Arizona. United States v. Rigmaiden, No. 08-814-PHX-DGC, 2010 WL 3463723 (D. Ariz. Aug. 27, 2010). Since his indictment, Defendant Rigmaiden has submitted various discovery motions seeking information about the investigatory techniques used to locate him. See Rigmaiden, 2010 WL 1039917. The Government opposed Defendant Rigmaiden's request for disclosure of techical specifications and other details about the technology. The Government relied on the testimony of an FBI Supervisor, who described the device as a pen register/trap and trace device. Aff. Supervisory Special Agent Bradley S. Morrison at 1, United States v. Rigmaiden, No. 08-cr-00814 (D. Ariz. Oct. 27, 2011). However, Agenty Morrison also made clear that all data is deleted after an operation because the devices may tend to pick up information “from all wireless devices in the immediate area of the FBI device that subscribe to a particular provider … including those of innocent, non-target devices.” Id. at 3.

In an attempt to avoid disclosure of documents related to this technology, the Government was willing to concede that the "actions it took during the air card locating mission were sufficiently intrusive to constitute a search under the Fourth Amendment if Defendant has a reasonable expectation of privacy." Rigmaiden, 2010 WL 1039917. However, the Government is not willing to concede that Defendant did have a reasonable expectation of privacy in the location of his laptop aircard (in his apartment). Id. As a result of the Government's unwillingness to disclose documents related to this invasive cell site simulator technology that impacts the privacy of innocent communications, EPIC filed a Freedom of Information Act ("FOIA") request in February 2012.

EPIC's Freedom of Information Act Request and Subsequent Lawsuit

In February 2012, EPIC submitted a FOIA request to FBI for:

All documents concerning technical specifications of the StingRay device or other cell site simulator technologies;
All documents concerning procedural requirements or guidelines for the use of StingRay device or other cell site simulator technologies (e.g. configuration, data retention, data deletion);
All contracts and statements of work that relate to StingRay device or other cell site simulator technologies;
All memoranda regarding the legal basis for the use of StingRay device or other cell site simulator technologies; and
All Privacy Impact Assessments or Reports concerning the use or capabilities of StingRay device or other cell site simulator technologies.

The FBI sent a letter confirming the receipt of EPIC's FOIA request on February 21, 2012. THe FBI Records Management Division assigned a FOIPA Request No: 1182490-000.