The FBI Really Doesn’t Want the Public to Know About This Surveillance Device
by Michael Dean Thompson
The American Civil Liberties Union (“ACLU”) successfully sued for access to FBI information regarding cell-site simulators (“CSS”). For years, the FBI has used nondisclosure agreements (“NDA”) to hide its use of CSSs from the public and the courts. Now, thanks to the Freedom of Information Act (“FOIA”) suit, the content and logic of the NDAs are available to the public.
The FBI believes that Americans should not be aware of what a CSS can do. Having labeled the devices as both Law Enforcement Sensitive and a “regulated defense article on the United States Munitions List (USML),” they have wanted to lock down what is known about the devices under a theory that each small piece helps criminals and terrorists to build a bigger picture and evade the technology. Even “innocuous information about cell site simulators may provide adversaries … with critical information about the capabilities, limitations, and circumstances of their use, and would allow those adversaries to accumulate information and draw conclusions about the use and technical capabilities of the technology,” the FBI claims in one of the procured NDAs.
The theory has multiple problems, causing it to fall apart rapidly upon contemplation. The first problem ironically dates all the way back to Thomas Hobbes’ Leviathan in 1651. Hobbes thought that the only way to secure a civil society was through complete submission to the sovereign. But submission requires a transparent leviathan. A government’s actions and decisions must be rational and apparent. If no one understands why the sovereign chooses to prosecute a citizen, or not, the action can be seen as capricious and cruel. If a government hides the technology and methodologies by which it discovers crime, it gives way to magical and conspiratorial thinking.
There is an analog in software—both in encryption and the debate over open or closed source software (i.e., software developed in the open by a community or behind the closed doors of a business). Corporations and governments have long argued for security by obscurity. They believe that technologies developed in secret are inherently more secure. Sometime before the millennium, Americans had access to the Defense Encryption Standard (“DES”). It was fairly weak, but if it were run over a file three times—called Triple DES—the result would be a bit stronger (though, through an odd quirk, running it only twice actually weakened the encryption). Triple DES is how DVDs were encrypted (and quickly cracked). Back then, exporting Windows NT with “strong” encryption violated the law because the government wanted to protect its encryption secrets.
However, it actually had the opposite effect. Not only were copies exported anyway, but it prevented an open dialog and testing of the solutions. The creators of RSA encryption helped to break the borders and open a global discussion of encryption. Eventually, the meager Advanced Encryption Standard (“AES”) in common use today was adopted from Rijndael, an open-sourced contest winner, and far exceeds Triple DES. Likewise, open-source software has allowed ideas in development of operating systems and applications to proliferate. The quality of the project varies with the amount of support it receives, but it is clear Linux and OpenAI have benefitted from the wisdom of the crowd. Linux is not less secure because of the jigsaw’s millions of detailed pieces splayed out before the world but more so.
The government, in hiding the capabilities of the cell-site simulators, is still trying to argue for security through obscurity. They have classified it as a munition, precluding export, but there can be no doubt that the technology has already escaped our borders. Some of the leading makers of CSS technology are housed in foreign countries, from Canada to Israel and beyond.
In addition, open-source kits available on the internet allow DIY types to build their own CSSs in the U.S. for as little as $1,000. Even without the open-source kits, hiding CSS devices from state actors is senseless because the technology and concepts are available to any engineer capable of reading the cellular telephony standards. Similarly, international terrorists and major criminal organizations have already moved on from open cellular communications.
Following the government’s logic, that only leaves the “common” criminal. Yet, that is where the leviathan benefits most from transparency and visibility. Open knowledge that cellphones are intrinsically insecure raises the cost of entry. If the common criminal is adaptable enough to be aware of the options, they are likely already using them. Otherwise, the well-reasoned belief that Johnny Law is all-seeing may actually deter all but the most determined and passionate crimes.
By adopting the logic of the jigsaw theory, the government has bought into the apparent caprices. They outline a list of conditions in the NDA for the use of the CSS technology. The third condition states that if all other possible solutions for preventing the technology’s capabilities from falling into the hands of the court fail, they will “at the request of the FBI, seek dismissal of the case in lieu of using or providing, or allowing others to use or provide, any information concerning” the cell-site simulator/pen register equipment/technology in criminal litigation.
The state or local agency cannot so much as let on to a defendant or counsel that a CSS device was used. In Florida, cops have labeled cell-site simulators as confidential informants to get around judicial notification. If a particular defense team becomes too nosy, the agency is required to drop the case. This effectively defines caprice when a defendant has no idea where the cops derived their evidence or why the case was dropped. Likewise, it does not seem to serve the interests of justice as an ideal since the actual guilt or innocence of the defendant has no bearing on the outcome.
There are a few things the government is willing to say about cell-site simulators. The eighth condition states the agency may disclose that it possesses a CSS device, that the device is capable of identifying and locating cellular devices, it may cause disruption in the operations of cellular devices in the area, and that it has been used to determine general information about the cellular devices. In the few cases that have worked their way through the courts, the agents have maintained those limits admirably. In fact, reading that condition clarifies why the agents often gave contradictory testimony. The contradictions might simply originate from the agents’ accidental deviations from the script when they were tempted to give more truthful replies.
Secrecy also spawns misuse. Use a powerful tool in secret long enough while employing only its most basic functions, and the more powerful functions will begin to call out. We have been notified of parallels to the issue when the Department of Homeland Security’s inspector general found that Secret Service and Immigration and Customs Enforcement (“ICE”) Homeland Security Investigations (“HSI”) had repeatedly failed to apply for a warrant. One county judge apparently misunderstood the prevailing laws and policies, allowing a series of unwarranted deployments because he “believed it to be unnecessary.” If the government is unwilling to share with the courts just how powerful the devices are and instead demands that we trust they are not violating the law, the Secret Service and HSI are undermining their argument. It does not seem there would be a clear mechanism for reporting illegal usage of the devices in manners the government is unwilling to admit exist.
Illegal use of cell-site simulators has become apparent elsewhere and illustrates more of what can be done. As it turns out, criminals have begun using CSSs themselves. In 2016, a Florida man stalked his ex-girlfriend. The man used the device to listen to her calls and track her location. A woman in California tracked her husband’s location and read his text messages. With the devices, criminals are capable of serious fraud, including identity theft. Cell-site simulators can deliver spam and insert zero-click malware that allows the CSS user to steal every morsel of data stored in the phone.
If the cops wanted to search your photo albums in your home and thumb through your personal letters, they would need a search warrant describing what they are looking to find. Yet, if they could do so from a distance with a tool that allows them to make perfect copies in secret, can we really be certain the lack of a warrant would stop them? Cops also now have CSS devices that can be worn in clothing, allowing them to walk through crowds slurping up information from every cellular device in the area, giving them broad access to everyone’s data—including the phones of innocent children.
Cell-site simulators are only a secret in our courts. That should not be. Laura Moraff, a legal expert at the ACLU, told Wired, “We deserve to know when the government is using invasive surveillance technologies that sweep up information about suspects and bystanders alike.” She went on to add, “The FBI needs to stop forcing law enforcement agencies to hide these practices.”
Sources: wired.com, techcrunch.com, documentcloud.org