Stingray (IMSI Catcher)

Audio readout of this entry.

Overview

The IMSI catcher is the principal post-1995 mobile-device-locating technology in operational use by US law-enforcement and intelligence agencies. The technology's operational characteristic — the ability to compel cellular-device registration within a defined geographic area without the cooperation of the cellular-service-provider infrastructure — has produced the operational pattern of geographically bounded mass collection of cellular-device-identifier information. The documented operational deployment pattern is geographically targeted (typically a city block or specific building), temporally bounded (typically for an operational period of hours to days), and produces the collection of identifiers from substantially every cellular device within range during the operational period.

The documented institutional pattern of US law-enforcement IMSI-catcher deployment across the post-2007 period has been the subject of sustained academic, civil-liberties, and policy commentary. The principal contested issues have been the Fourth Amendment status of warrantless IMSI-catcher deployment, the Stingray-related non-disclosure framework, and the operational scope of the US-domestic deployment pattern.

Origins and vendor evolution

The IMSI-catcher concept emerged in the institutional context of the post-1995 expansion of cellular-mobile-network deployment in the United States and Europe. The technical foundation — the design pattern of cellular networks in which mobile devices register against the strongest available base-station signal and trust the base station's institutional position — was documented in the cellular-network technical-standards literature across the 1985–95 period and was recognised as an institutional vulnerability across the same period.

The first documented commercial IMSI-catcher product was the Rohde & Schwarz GA 091 IMSI Catcher, introduced in 1996 as a German-vendor product for the German law-enforcement market. The Harris Corporation Stingray product line entered the US market in approximately 2000, built on the institutional commercial-cellular-network engineering expertise that Harris had developed across the 1990s as a cellular-network supplier. The documented Harris Corporation product evolution has included Stingray (the original 2000-vintage product line); StingRay II (expanded operational capability across 2008–10); Hailstorm (the mid-2010s product line, with operational capability against 4G/LTE networks); and successive subsequent evolutions.

The institutional alternative-vendor product set has expanded across the post-2010 period. The documented vendor product lines include Digital Receiver Technology (DRT) Boxes (the DEA-and-DoD product set, deployed on US Marshals Service surveillance aircraft); Septier Communications IMSI Catcher products (the Israeli-vendor product line); KeyW Corporation cellular-interception products (a contracting vehicle for substantial portions of the US-government IMSI-catcher institutional deployment); and adjacent vendors.

The 2019 merger of equals between L3 Technologies and Harris Corporation — completed 29 June 2019 and forming L3Harris Technologies — produced the institutional reorganisation of the principal US IMSI-catcher product line. The post-2019 product evolution has continued the Stingray-Hailstorm pattern with successive operational-capability expansion against 5G networks.

Active-mode IMSI / IMEI capture

The baseline operational mode of IMSI-catcher products is active-mode IMSI/IMEI capture. The deployment involves the IMSI catcher being deployed at a target geographic location and configured to present a sufficiently strong cellular-network signal to compel registration by mobile devices within range. Each registered device transmits its IMSI (the subscriber identifier — the unique identifier associated with the SIM card and traceable to the subscriber's institutional account) and IMEI (the equipment identifier — the unique identifier associated with the cellular device hardware). The IMSI catcher records both identifiers; subsequent institutional reconciliation against cellular-service-provider records identifies the registered subscribers.

Forced downgrade and content interception

Higher-capability IMSI-catcher products additionally provide the operational capability to compel registered devices to operate in less-encrypted cellular-network protocols (typically the forced downgrade from 4G/LTE encrypted protocols to 2G GSM protocols, which use older and less cryptographically secure encryption). The operational consequence of forced downgrade is that the IMSI catcher can additionally intercept voice-call content and SMS-message content of the registered devices.

Targeted blocking and denial-of-service

The IMSI-catcher operational capability includes the blocking of cellular service to specific target devices — the capability to prevent a specific identified device from establishing a cellular connection within the IMSI-catcher's operational range. The institutional rationale for this capability is the law-enforcement scenario of preventing a specific target's communication during an arrest operation.

Geographic-precision tracking

The IMSI-catcher operational capability includes geographic-precision tracking of a specific target device within the operational range — by comparing signal-strength readings from the target device across multiple operational positions to triangulate the target's geographic location. The documented operational precision is approximately 10 metres at typical urban operational ranges.

Deployment platforms

The documented operational deployment platforms for IMSI-catcher products across the post-2010 period have included three principal categories. Vehicle-mounted deployment is the documented unmarked-vehicle deployment pattern. Aerial deployment is the documented US Marshals Service "Dirtbox" deployment of Digital Receiver Technology (DRT) Boxes on Cessna and adjacent fixed-wing aircraft, documented in the November 2014 Wall Street Journal disclosure. Pedestrian-portable deployment is the documented "backpack" deployment configuration. Operational range varies by platform — vehicle-mounted ranges are typically a few hundred metres; aerial-platform ranges are typically several kilometres.²

Documented deployments

Confirmed Federal Bureau of Investigation deployment. The documented FBI deployment pattern has included the operational use of Stingray products across substantially every FBI field office. The FBI's documented institutional non-disclosure agreement framework — the practice of requiring state-and-local law-enforcement agencies to whom Stingray products were institutionally distributed to non-disclose the use of the products in court proceedings — has been the subject of subsequent civil-liberties commentary and litigation.

Confirmed US Marshals Service aerial deployment ("Dirtbox"). The November 2014 Wall Street Journal disclosure of the US Marshals Service operational programme — the deployment of DRT Boxes on Cessna fixed-wing surveillance aircraft, operating from at least five US airports and conducting aerial-IMSI-collection operations across substantially every major US metropolitan area — produced the public-record reconstruction of the institutional operational scale.

Confirmed Drug Enforcement Administration and adjacent federal-agency deployment. The documented DEA, IRS-CI, US Customs and Border Protection, and US Immigration and Customs Enforcement institutional IMSI-catcher deployment across the post-2010 period has expanded the institutional operational scope of the underlying technology beyond the FBI baseline.

Confirmed State and local law-enforcement deployment (approximately seventy documented agencies). The American Civil Liberties Union's institutional inventory of state-and-local US law-enforcement IMSI-catcher deployment — conducted through state-level public-records litigation across the 2014-present period — has documented deployment by approximately seventy state-and-local US law-enforcement agencies. The operational deployment pattern across the documented cohort has included drug-trafficking-investigation deployment, fugitive-apprehension deployment, and adjacent operational categories.¹

The 2015 DOJ policy

The September 2015 US Department of Justice institutional policy on IMSI-catcher operational deployment required that all federal-agency IMSI-catcher deployments be conducted under search-warrant authority — the institutional reform that responded to the prior pattern of warrantless deployment. The institutional exception within the DOJ policy is for defined exigent-circumstances operational deployments.⁴

Carpenter v. United States

The June 2018 US Supreme Court decision in Carpenter v. United States, 138 S. Ct. 2206 (2018), held that the collection of historical cell-site-location-information from cellular-service-provider records constitutes a Fourth Amendment search requiring search-warrant authority. The decision has been invoked by analogy in subsequent IMSI-catcher litigation; however, Carpenter itself addressed historical cell-site-location information obtained from cellular carriers rather than active IMSI-catcher deployment, and no Supreme Court holding has directly applied Carpenter to cell-site simulators.³

Subsequent state-level reform

The documented subsequent state-level legislative reform across the post-2015 period has produced state-level statutory frameworks for IMSI-catcher operational deployment in approximately twenty US states. The pattern across the state frameworks has included search-warrant requirements, institutional reporting requirements, and adjacent oversight mechanisms.

Sources and further reading

1. American Civil Liberties Union, Stingray Tracking Devices: Who's Got Them?, ongoing institutional inventory, ACLU.
2. Devlin Barrett, Americans' Cellphones Targeted in Secret U.S. Spy Program, The Wall Street Journal, 13 November 2014 — the principal disclosure of the US Marshals Service "Dirtbox" aerial-deployment programme.
3. Carpenter v. United States, 585 U.S. ___, 138 S. Ct. 2206 (2018) — the principal Supreme Court Fourth Amendment cell-site-information decision.
4. US Department of Justice, Department of Justice Policy Guidance: Use of Cell-Site Simulator Technology, 3 September 2015.
5. Stephanie K. Pell and Christopher Soghoian, Your Secret Stingray's No Secret Anymore: The Vanishing Government Monopoly Over Cell Phone Surveillance and Its Impact on National Security and Consumer Privacy, 28 Harvard Journal of Law and Technology 1 (2014) — the principal academic-legal treatment of IMSI-catcher institutional deployment.
6. Citizen Lab, IMSI Catchers and Mobile Security, ongoing research collection.
7. Electronic Frontier Foundation Cell-Site Simulator Tracker, ongoing institutional inventory available at eff.org/issues/cell-site-simulators.
8. Brian L. Owsley, Triggerfish, Stingrays, and Fourth Amendment Fishing Expeditions, 66 Hastings Law Journal 183 (2014) — the principal academic-legal treatment from a former federal magistrate judge's perspective.
9. House Oversight and Government Reform Committee, Law Enforcement Use of Cell-Site Simulator Technologies: Privacy Concerns and Recommendations, 19 December 2016 — the principal Congressional-oversight institutional review.
10. Susan Landau, Listening In: Cybersecurity in an Insecure Age, Yale University Press, 2017 — the principal academic-policy treatment of the broader cellular-network-interception institutional landscape.