The Serious Threat of Cell-Site Simulators
by Michael Dean Thompson
Within the past several decades, police have acquired a new tool so secretive that prosecutors were told to either plea out cases or suppress evidence rather than permit the public to know about it. Much to the chagrin of the courts, that secrecy extended even to them. “It is time for Stingray to come out of the shadows so that its use can be subject to the same kind of scrutiny as other mechanisms.” Chief Judge Wood wrote those words in her 2016 dissent in United States v. Patrick, 842 F.3d 540 (7th Cir. 2016) (Wood, J., dissenting), when the issue of cell-site simulators came before the Seventh Circuit. Nevertheless, little more is known about them seven years later, and various court references to their capabilities seem to conflict with each other. Fortunately, thanks to critical courts, the work of groups like the Electronic Frontier Foundation (“EFF”) and the American Civil Liberties Union (“ACLU”), and the emergence of competitors to the maker of Stingray who advertise their products’ capabilities, more information is being revealed about them.
The super-secret system in question is at least conceptually tied to a humble device. Years ago, corporations realized their massive buildings wreaked havoc on cell phone reception. The solution was to place boxes called femtocells (and their ilk) throughout their buildings. These boxes, which attach to the corporate network, act as tiny (hence femto-, which is smaller than nano-) cell towers. All local cellular traffic then passes through the corporate network and out to the cellular provider. The presence of so much cellular data (emails, SMS (text) messages, recordable voice conversations, etc.) made these boxes, or devices that shared their capabilities, extraordinarily attractive to police surveillance teams. The result was the IMSI Catcher, or cell-site simulator (“CSS”).
Stingray is only one of the CSS products produced by Harris, the apparent market leader, whose line also includes, but may not be limited to, Hailstorm, Arrowhead, AmberJack, and KingFish. Boeing, through its Digital Receiver Technology division, also produces its own CSS products, often called dirt boxes. The secrecy over CSS devices is instigated by the FBI and enforced by the Federal Communications Commission (“FCC”). Companies like Harris require that law enforcement agencies sign a nondisclosure agreement (“NDA”). The NDAs vary in their language, but they insist that agencies immediately notify the FBI if they receive a request, motion, or court order that seeks or orders disclosure of the technology, so that the FBI can block disclosure of the devices, their operation, or their use.
NDAs have slowly been coming to light. As recently as last year, an NDA for the city of San Francisco was disclosed to the public. To keep the devices secret, police departments in Florida have gone so far as to refer to CSSs as “confidential informants” in an effort to conceal their use of CSS devices and avoid court sanction. One state judge in Florida even allowed U.S. Marshals to seize the records from a local police department and transfer them out of state in order to shield them. As for Harris, it proudly displays on its website its myriad products for police and the military, but past searches of that site for “IMSI Catcher” and “Stingray” turned up nothing.
The apparent plethora of products, together with intentional misdirection and deception by law enforcement, all wrapped in secrecy enforced by the FBI and FCC, has created significant confusion as to what exactly CSSs can do. So, even when police do not intentionally obfuscate, officers from different agencies could report wildly different capabilities simply because they are using different products.
All of this assumes that law enforcement, in its due diligence, reports its use of CSS technologies. A recent report by the Department of Homeland Security (“DHS”) Office of the Inspector General (“OIG”) has shown even that assumption to be misguided. As it turns out, Immigration and Customs Enforcement (“ICE”) and the Secret Service have both failed to obtain the required authorization to use the tools, in violation of the law and DHS standards. Likewise, the Texas Observer revealed that the Texas National Guard had been using airborne CSSs over the state.
Cell-site simulators work because cell phones are little more than handheld radio transmitters. Each cell phone possesses a unique series of digits known as an International Mobile Subscriber Identity (“IMSI”) that it uses to announce itself even when not in use. While the cellular device is on, and not in airplane mode, it will broadcast its IMSI inside communication attempts, such as pings. Any nearby cell tower can respond to such a ping, establishing their relative signal strengths as well as other connection-specific data and possibly even a rough location, expressed as longitude and latitude plus a degree of uncertainty (a distance in meters). The cell phone in turn develops an affinity for the tower with the strongest signal, at least until the pings return some other, stronger signal (as would happen fairly often if the cellular device were traveling down the freeway). Cell-site simulators, then, work much like a cell tower and its smaller siblings such as the femtocell: they act as if they were themselves a cell tower, but without the connection to the cellular network (though in the age of broadband wireless communications, there is no real technical reason that should still be true).
There are two primary modes for a CSS. The first is passive and is often called an IMSI Catcher. In the passive mode, the CSS transmits no signals and is completely undetectable. Instead, it captures and records the emissions from consumer cellular devices. Exactly which of those emissions are overheard and/or recorded may depend on the product in use, that product’s configuration, and police willingness to limit themselves to the bounds of the law. As we have seen from the Florida, ICE, and Secret Service examples, the latter expectation is rather idealistic. Because cellular communications are transmitted over the air, it is entirely possible for such devices to intercept the contents of phone calls, emails, and more while leaving the device in question oblivious to their presence.
In the active mode, a CSS representing itself as a cell tower tricks target devices into connecting to it by producing a stronger signal than the real tower. The target devices transmit their identifiers to the CSS and develop an affinity for it. In United States v. Temple, 2017 U.S. Dist. LEXIS 218638 (E.D. Mo. 2017), relying on the testimony of a special agent, the court found that when a CSS “locks-on” to a target device, that device “is not able to place or receive calls because the Cell-Site Simulator interrupts normal service.” Once the affinity is established, the CSS, usually in conjunction with a second handheld CSS device, can be used as a locator using signal strength and at least some sense of direction. Though law enforcement disputes this in some court filings, the capability to locate cell phones is highlighted in Andrews v. Maryland, 2020 Md. App. LEXIS 1086 (2020), and other cases, where police used a Hailstorm CSS to track the defendant’s phone to the defendant’s pocket and the couch on which he was sitting (or so they claimed when they found a gun hidden in the couch).
Some court filings separate the modes into “canvassing” and “locating,” as in In re Warrant Application for Use of A Canvassing Cell-Site Simulator, 2023 U.S. Dist. LEXIS 77393 (N.D. Ill. 2023) (“Warrant”), dividing them into distinct conceptual frameworks. In Warrant, police claimed they were unable to locate their target devices when using a canvassing cell-site simulator (“CCSS”). Instead, the CCSS is used as an analog for a broad geofence in which the IMSIs of all nearby devices are drawn into the device. Bear in mind that the IMSI is far from the quasi-anonymous device ID that Google and others use to track mobile devices. Rather, armed with an IMSI, the police need only a subpoena to access the business records of the associated phone number, including the name and address of the account holder (though not necessarily of the phone’s user).
In the geofencing case United States v. Chatrie, 590 F. Supp. 3d 901 (E.D. Va. 2022), police were looking back in time at a bank robbery. They drew a circle 300 meters wide, covering about 17 acres, and asked Google to identify every phone it could in the area. Google found 19 devices in the first step and returned them with their quasi-anonymous device IDs. It was not until the third step of the single warrant that the police were able to acquire identifying information on a single device. Yet the court found that to be a Fourth Amendment violation and required a warrant for each of the three steps in Google’s law enforcement cell phone data retrieval process. In contrast, a CCSS can potentially identify devices over a mile away from it in a single step. In Warrant, the court pointed out that in a city like Chicago, with a CCSS configured to identify phones within a quarter mile (400 meters) of the device, more than 2,000 devices would be vulnerable and fully identified. In an effort to mitigate the effects of such a broad intrusion and appease the courts, the police argued that all IMSIs captured by the CCSS that did not belong to the target devices would be deleted once the warrant terminated.
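The mechanism described above (every phone attaches to whichever cell it hears loudest, and an active CSS wins by out-broadcasting the real towers) can be modelled to see how many bystander phones a canvassing CSS sweeps in. The following is a constructed illustration added here, not code from the article or any CSS vendor; its tower positions, transmit powers and free-space propagation model are assumptions, and real handsets apply far more elaborate cell-selection rules.

```python
"""Toy model of an active CSS drawing in nearby phones (constructed example)."""
import math

# Real towers: (name, x_m, y_m, tx_dBm). Constructed values.
TOWERS = [("tower-A", -800.0, 0.0, 46.0), ("tower-B", 900.0, 300.0, 46.0)]

# Constructed handset positions (metres) scattered around a CSS at (0, 0).
PHONES = [(0.0, 0.0), (100.0, -100.0), (-300.0, 150.0),
          (350.0, 100.0), (200.0, 200.0), (-790.0, 10.0)]


def received_dbm(tx_dbm, dist_m, freq_mhz=1900.0):
    """Received power under free-space path loss; distance clamped to 1 m."""
    d_km = max(dist_m, 1.0) / 1000.0
    fspl_db = 20 * math.log10(d_km) + 20 * math.log10(freq_mhz) + 32.44
    return tx_dbm - fspl_db


def strongest_cell(phone_xy, cells):
    """Name of the cell the handset hears loudest: the 'affinity' for the
    strongest signal that an active CSS exploits."""
    px, py = phone_xy
    return max(cells, key=lambda c: received_dbm(
        c[3], math.hypot(px - c[1], py - c[2])))[0]


def canvass(phones, css_xy, css_tx_dbm, towers=TOWERS):
    """Indices of phones that would attach to a CSS at css_xy.
    Each of them exposes its IMSI to the operator and, per the testimony
    quoted in Temple, loses normal service while attached, target or not."""
    css = ("CSS", css_xy[0], css_xy[1], css_tx_dbm)
    return {i for i, p in enumerate(phones)
            if strongest_cell(p, towers + [css]) == "CSS"}


def capture_fraction(css_xy, css_tx_dbm, towers=TOWERS, half_width=1000.0, step=50.0):
    """Share of a square grid of hypothetical handsets (half_width metres to
    each side of the CSS) that the CSS captures: a rough 'geofence' size."""
    n = int(2 * half_width / step) + 1
    grid = [(css_xy[0] - half_width + i * step, css_xy[1] - half_width + j * step)
            for i in range(n) for j in range(n)]
    return len(canvass(grid, css_xy, css_tx_dbm, towers)) / len(grid)


if __name__ == "__main__":
    for tx in (20.0, 40.0, 60.0):
        print(f"CSS at {tx} dBm: phones caught {sorted(canvass(PHONES, (0.0, 0.0), tx))}, "
              f"grid capture fraction {capture_fraction((0.0, 0.0), tx):.2f}")
```

Raising the CSS transmit power (or parking it closer to the crowd than the nearest real tower) widens the captured set, which is the scale problem the Warrant court was worried about.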
As described above, a CCSS sounds like a CSS in passive mode: it need only “listen” for the pings that all phones periodically broadcast over the air. However, that is not how Warrant describes it. Instead, it is described as actively emitting signals: “When law enforcement uses a CSS, it may interrupt cellular service of cellular devices in the CSS’s immediate vicinity.”
It is that understanding of the cell-site simulator that the court brought into its discussion of the CCSS. Although the government testified that it cannot “provide this Court with a precise answer regarding (a) the size of the area containing phones that would connect to the CSS, or (b) the number of subscribers in that area,” the court describes the CCSS as active, saying, “Because a CCSS works by attempting to emit a more attractive signal than a cell tower, it is likely that a CCSS’ range would be at least similar or perhaps even greater, covering large swaths of urban neighborhoods in densely populated cities.” Nevertheless, the magistrate described the capabilities of CSS technologies as “fuzzy” and attributed that to the breadth of products and their requisite NDAs.
While a CCSS compares well to a geofence, it also shares a significant number of features with a tower dump such as the one in Carpenter v. United States, 138 S. Ct. 2206 (2018). A tower dump can be broadly defined as a download of all IMSIs that have connected to specific towers. In other words, a tower provides an analog to location because cell phones connecting to it must be within a mile or so of the tower; any phone responding to that tower must have been within that roughly three-square-mile area. A tower dump differs from a CSS in that it is a records request and can be tightly controlled, whereas a CSS is a live exercise in which controls are difficult to implement. Carpenter itself differed from a full tower dump in that the police specifically requested the list of towers to which the defendant’s phone had connected, and the Court found that acquiring that cell-site location information (“CSLI”) was a search requiring a warrant. Carpenter.
Locating cell-site simulators are active CSS devices that entice cell phone connections by emitting stronger signals. When a phone develops an affinity for a CSS, it can be enticed to exchange data. That induced chattiness, the cell phone’s signal strength, and the added possibility of GPS-like longitude and latitude coordinates embedded within a ping allow investigators to zero in on the suspect phone. However, the locating CSS must know the phone’s IMSI to lock onto it (and without it, whom are the cops locating?). Likewise, phones in the vicinity of the locating CSS, as well as the suspect phone, may lose phone service because the CSS is (presumably) unconnected to any cellular network. This leads some investigators to intermittently turn the CSS on and off so that suspects are not aware of its presence. However, if a phone is actively engaged in a call when the CSS pulses on, the suspect phone may not try to connect to the CSS, which disincentivizes the investigator from pulsing the device.
Until Carpenter, and often still with regard to cell-site simulators, such attempts had been treated as a pen register and subject only to a subpoena. In fact, in a recent case, United States v. Reeves, 2023 U.S. Dist. LEXIS 51693 (E.D. Mo. 2023), the special agent testified that the Department of Justice requires only that a CSS be treated as a pen register, a device (or software) that logs a given phone’s metadata, such as the numbers dialed. The Pen Register and Trap and Trace statute, 18 U.S.C. §§ 3121-3127, includes signaling information, routing information, and the like within that metadata. The lower bar of a pen register subpoena was first set in 1986, before cell phones became ubiquitous. Since then, some court decisions have found the CSS too burdensome on the privacy rights of those innocently ensnared by it, though the decisions are inconsistent. A bill that would have banned the use of cell-site simulators except by warrant, the Cell-Site Simulator Warrant Act of 2021, 117 S. 2122, has been pending since June of 2021. Meanwhile, we wait for the courts and Congress to act to strengthen controls.
Sources: eff.org; oig.dhs.gov; “A Hailstorm of Uncertainty: The Constitutional Quandary of Cell-Site Simulators,” 85 U. Cin. L. Rev. 665; “If the Tree Falls: Bulk Surveillance, the Exclusionary Rule, and the Firewall Loophole,” 13 Ohio St. J. Crim. L. 211
Writer’s note: One of the more confounding aspects of evidentiary law for this writer is the Firewall Loophole, in which “police can use [the loophole], even intentionally, to engage in illegal searches and seizures with immunity from suppression and most likely, without detection.” Ohio St. J. Crim. For example, a “knock and announce” violation that led to the discovery of additional evidence was sufficiently “attenuated” from the discovery that the additional evidence remained admissible in Hudson v. Michigan, 647 U.S. 586 (2006). A police officer using a cell-site simulator, then, could use it to listen to a conversation on the phone being tracked without first obtaining a warrant. Even if the police officer cited “exigent circumstances,” such as a belief that the suspect was conspiring to imminently flee a warrant for arrest, and that was found to be in violation of the suspect’s rights, a confession based upon the officer’s knowledge derived from the call might still be admissible because the arrest was not the result of the evidence. For this reason, Congress should also mandate that cell-site simulators must not be able to both extract content and operate as a canvassing or locating CSS. The features must be exclusive, and each must require a warrant. Content-extracting CSSs should only be used by highly trained personnel under very specific conditions.