leaked photo of IMSI catchers owned by Florida police |
IMSI Catchers in Raleigh
A few days ago I was bored and looking through FOIA requests (because that's what kids do for fun these days) to Raleigh agencies, when I found a request to Raleigh PD for information on their purchase and use of IMSI catchers. IMSI catchers are essentially fake cell phone towers that trick phones within a certain radius to use the catcher instead of a real tower. The IMSI catcher can then determine the IMSI (unique id number) of the phone, determine the phone's location, and can even decrypt SMS messages and other data sent from the phone.
As it turns out, in 2009 Raleigh PD purchased a KingFish IMSI catcher from Harris Corporation for $122,364.00 including training. Raleigh PD purchased an IMSI catcher system in 2016 for $490,302.75 from KeyW and spent another $42,700.00 on training, to bring the grand total to $655,366.75 spent on IMSI devices [1]. Why would Raleigh PD pay over half a million dollars for this technology? While the KeyW product's capabilities are unknown, the KingFish is a handheld IMSI which can both track location and intercept communications, though it doesn't appear Raleigh PD has bought the software package to enable communications interception yet [2, 1]. Even without the interceptor package the KingFish could be brought to protests to log the phones of every protester present and identify the most consistent/active protesters. It also could be used to establish the identity of people present at a protest where something illegal allegedly occurred.
The use of IMSI catchers by police and other law enforcement is something that's not well studied due to secrecy of corporations and law enforcement. It appears the Department of Homeland Security often funds local police departments' purchases of the device [3]. Like indefinite detention and fusion centers, the IMSI catcher programs were initially claimed for terrorism, but now they've been used for various other investigations. Police departments are hiding behind a non-disclosure agreement with Harris Corporation to avoid obtaining warrants for IMSI catcher use, and to avoid providing most information about their use to the public. They claim the terms of the non-disclosure agreement supersede the legal requirement to obtain a warrant [4]. Some court decisions have approved the use of StingRays without a warrant [5]. The devices are also likely violating privacy rights regardless, as they can't target a specific phone, and instead collect data on all phones in the area.
As of November 2018, the ACLU has identified 75 state and local police departments in 27 states and 14 federal agencies that use IMSI catchers [6]. These numbers are likely far below the actual use, as many police departments have ignored or declined FOIA requests. In North Carolina, the State Bureau of Investigation, Raleigh PD, Durham PD, Charlotte PD I & II, Wilmington PD, and New Hanover Sheriff's Department all have IMSI catchers [6].
For a time Harris Corporation had cornered the market in IMSI catchers in the US, forming a complete monopoly as they were the only company approved by the FCC. However, it appears KeyW has been selling IMSI catchers to US law enforcement since at least 2016, as the Raleigh PD FOIA response showed what we can only presume is an IMSI catcher [1]. In 2016 a new CEO, army captain William Weber, took over KeyW. Weber had previously worked with a number of companies with military contracts, and it appears he was able to get KeyW connected, as in the same year they were named an official provider for national cyber-security education and training [7, 8]. The use of private companies in the production of high-tech police state equipment is increasingly common. The legal challenges this poses for those fighting for transparency is still undetermined.
What Can We Do?
Being aware of the security measures the state is likely using against activists is immensely important. Unfortunately cell phones are often important at protests- to coordinate security, to communicate with jail support, to video police misconduct, etc... There are other options though- use secure messaging app 'Signal' for communications- even if an IMSI catcher intercepts the data and breaks the network encryption, it's encrypted separately. To find out if your local PD has IMSI catchers you can search for FOIA requests here, just fill in your local police department under 'agency' on the right. If you find out they do, raise awareness, force the media to cover it. If there's no requests, file one yourself- MuckRock charges to file requests, but you can copy their format or ask your local ACLU to help. Certain apps for android phones can detect IMSI catchers, including SnoopSnitch, Cell Spy Catcher, and GSM Spy Finder. These apps are worth a try, but IMSI catchers may be able to evade detection on them, so if there are not IMSI catchers detected that may be a false negative [9].
Sources:
- MuckRock: "Contracts and Policies Regarding IMSI Catchers (Raleigh Police Department)" [archive]
- "Harris Corporation Catalog 2008"
- ACLU: "Documents Reveal Unregulated Use of Stingrays in California" [archive]
- Manahan, Torin: Built to Lie: "Investigating Technologies of Deception, Surveillance, and Control", The Information Society (2016) [archive]
- Farivar, Cyrus: "Appeals Court: It Doesn't Matter How Wanted Man Was Found, Even if Via StingRay", Ars Technica (2016) [archive]
- ACLU: "Stingray Tracking Devices: Who's Got Them?" [archive]
- Linkedin: "Bill Weber"
- GlobeNewsWire: "KeyW's Parrot Labs Named an Official Provider in National Cyber Education and Training Catalog" [archive]
- Cox, Joseph: "Stingray Detection Apps Might Not Be All That Good, Research Suggests", Motherboard (2017) [archive]
No comments:
Post a Comment