DoJ defines new rules for spying with the Stingray technology

The US Justice Department issued guidelines for StingRay Surveillance devices, new rules define aim to ensure privacy protection and transparency.

Do you know what is a StingRay? If you want further details give a look to a post I wrote for the Infosec Institute on the StingRay Technology:

“StingRay is an IMSI-catcher (International Mobile Subscriber Identity) designed and commercialized by the Harris Corporation. The cellular-surveillance system costs as much as $400,000 in the basic configuration, and its price varies with add-ons ordered by the agency.

The IMSI-catcher is a surveillance solution used by military and intelligence agencies for telephone eavesdropping. It allows for intercepting mobile phone traffic and tracking movements of mobile phone users. Essentially, an IMSI catcher operates as a bogus mobile cell tower that sits between the target mobile phone and the service provider’s real towers. The IMSI catcher runs a Man In the Middle (MITM) attack that could not be detected by the users without using specific products that secure communication on mobile devices.

The use of the IMSI-catcher is raising a heated debate in the United States because devices like StingRay and other similar cellphone tracking solutions are being widely adopted by law enforcement agencies across the country.” I wrote in a blog post

The Stingray devices are used by law enforcement to track criminals, in the majority of cases without obtaining court orders.

But things are changing, the Federal law agencies will have to be more transparent about the use of Stingray devices for their investigations. The US Department of Justice has issued a new policy this week on the use of Stingray to spy on the cell phone of suspects, track and record their locations, and in some cases even intercept Internet traffic and phone calls or serve a spyware on mobile phones.

The new policy requires law enforcement and intelligence agencies to obtain a court authorization or warrant to use the StingRay technology in their operations to ensure the respectful of individual’s privacy.

“This new policy ensures our protocols for this technology are consistent, well-managed and respectful of individuals’ privacy and civil liberties,” explained the Deputy Attorney General Sally Quillian Yates in an official statement.

Another novelty introduced by the policy is the duty for the Feds to completely destroy the data acquired by the Stingray during the investigations.

“To enhance privacy protections, the new policy establishes a set of required practices with respect to the treatment of information collected through the use of cell-site simulators.  This includes data handling requirements and an agency-level implementation of an auditing program to ensure that data is deleted consistent with this policy.  For example, when the equipment is used to locate a known cellular device, all data must be deleted as soon as that device is located, and no less than once daily.”

Moreover, the agencies will have to present an annual report on the use of the StingRay Technology.

“While the department has, in the past, obtained appropriate legal authorizations to use cell-site simulators, law enforcement agents must now obtain a search warrant supported by probable cause before using a cell-site simulator.  There are limited exceptions in the policy for exigent circumstances or exceptional circumstances where the law does not require a search warrant and circumstances make obtaining a search warrant impracticable. “

The new policy is a great step forward in the defense of the citizen privacy and transparency as explained by the Staff Attorney at the American Civil Liberties Union, Nate Freed Wessler.

“The new policy is a step forward in the “right direction” as well as “a win for privacy and transparency.”” said Wessler.

Wessler highlighted that the policy still has a gray parts when dealing with local and regional authorities.