A Cell Site Simulator Follow-Up & an FBI FOIA

I recently wrote and published a piece on the use of cell site simulators for the ABA Journal, and during that process I FOIA’ed the FBI. This post includes the results of that FOIA and further discussion around the FBI’s new guidelines.

For the TLDR crowd: there are these tools (AKA: StingRays, IMSI Catchers, HailStorm, or cell site simulators) that law enforcement use primarily without probable cause warrants. The tool forces cellphones in its proximity to give up their location. This approach is being challenged in state and federal court, including Maryland, which recently decided that you did need probable cause warrants to use these devices. The trend from the courts seems to be towards requiring probable cause, which is a good thing.

That being said, while interviewing a spokesperson at the FBI for this piece I asked for a copy of the pre-2015 guidelines. I could hear his smirk through the phone as he told me that he wouldn’t share it but I could FOIA it. So, I did.

Below is the document that they released pertaining to any pre-2015 FBI guidelines on the use of cell site simulators. The original document was 20 pages; they sent seven. (In the original post, the PDF was embedded, but since I can’t do that on Medium this is the link to the FOIA’ed doc.)

The biggest change between the two sets of guidelines regards the court order the FBI recommends to legally deploy the tool. Pre-2015, the guidelines recommended a pen register order (or a pen reg order plus a warrant depending on the jurisdiction). A pen register order does not require law enforcement to show probable cause. The new guidelines do recommend a warrant, which would require probable cause. In case you’re wondering, requiring probable cause is an extra layer of due process that law enforcement needs to go through to carry out the search. It’s a procedural check on police search and seizure.

While this is an improvement, it’s important to remember that they are just guidelines. They do not rise to the level of regulation, let alone law or precedent. The FBI have skated past these guidelines to deploy StingRays before. The older guidelines state that the order/warrant needs to describe the “technique to be deployed”, which would inform the court what tool is being used.

The recent Andrews decision in Maryland illustrates how courts are being habitually kept in the dark by law enforcement with regard to the use and deployment of these tools. Granted, this is a state case, and not one led by the FBI; however, there’s evidence of the FBI’s shortcomings as well.

Last, these new guidelines do nothing with regard to the FBI’s needless yet fervent non-disclosure agreements with local law enforcement. The FBI makes every agency, no matter the level of government, sign an NDA saying they won’t mention, discuss, or acknowledge the use of the tool. The spokesperson at the FBI I spoke with said that the NDAs were to protect the proprietary nature of the tool, which is developed by Florida-based Harris Corp, and not the use of the tool by law enforcement. You can read the NDAs for yourself in the previous link, but my interpretation is that the NDAs go much further than protecting Harris Corp’s IP. And cases like Andrews illustrate that local law enforcement agree that the NDA goes beyond protecting the nature of the tool.

The long and short of it is that even with improved guidelines, the NDAs and lack of controlling law in the vast majority of U.S. jurisdictions leave the situation basically the same.


Originally published at www.justicecodes.org on July 6, 2016.