Stingray (IMSI Catcher)

Overview

The IMSI catcher is the principal post-1995 mobile-device-locating technology in operational use by US law-enforcement and intelligence agencies. The technology's substantive operational characteristic — the ability to compel cellular-device registration within a defined geographic area without the substantive cooperation of the cellular-service-provider institutional infrastructure — has substantively produced the operational pattern of geographically-bounded mass-collection of cellular-device-identifier information. The substantively documented operational deployment pattern is geographically targeted (typically a city block or specific building), temporally bounded (typically for an operational period of hours to days), and produces the substantive collection of identifiers from substantially every cellular device within range during the operational period.

The substantively documented institutional pattern of US law-enforcement IMSI-catcher deployment across the post-2007 period has been the subject of sustained subsequent academic, civil-liberties, and policy commentary. The substantive principal contested institutional issues have been: the substantive Fourth Amendment status of warrantless IMSI-catcher deployment, the substantive Stingray-related non-disclosure framework, and the substantive operational scope of the US-domestic deployment pattern.

Origins / Development

The IMSI-catcher concept emerged in the institutional context of the post-1995 expansion of cellular-mobile-network deployment in the United States and Europe. The substantive technical foundation — the substantive design pattern of cellular networks in which mobile devices register against the strongest available base-station signal and substantively trust the base station's institutional position — was substantively documented in the cellular-network technical-standards literature across the 1985–95 period and was substantively recognised as an institutional vulnerability across the same period.

The first substantively documented commercial-IMSI-catcher product was the Rohde & Schwarz GA 091 IMSI Catcher, introduced in 1996 as a German-vendor product for the substantively documented German law-enforcement institutional market. The Harris Corporation Stingray product line entered the US market in approximately 2000, substantively built on the institutional commercial-cellular-network engineering expertise that Harris had developed across the 1990s as a cellular-network supplier. The substantively documented Harris Corporation product evolution has included: Stingray (the original 2000-vintage product line); StingRay II (substantially expanded operational capability across the 2008–10 period); Hailstorm (the substantially expanded mid-2010s product line, with substantial operational capability against 4G/LTE networks); and successive subsequent product evolutions.

The institutional alternative-vendor product set has across the post-2010 period substantially expanded. The substantively documented vendor product lines include Digital Receiver Technology (DRT) Boxes (the substantive DEA-and-DoD product set, substantially deployed on US Marshals Service surveillance aircraft); Septier Communications IMSI Catcher products (the substantively documented Israeli-vendor product line); KeyW Corporation cellular-interception products (substantively documented as a contracting vehicle for substantial portions of the US-government IMSI-catcher institutional deployment); and substantial subsequent additions.

The institutional Harris Corporation acquisition by L3Harris Technologies in 2019 substantially produced the institutional reorganisation of the principal US IMSI-catcher product line. The substantively documented post-2019 product evolution has substantially continued the Stingray-Hailstorm pattern with successive operational-capability expansion against 5G networks.

Operational characteristics

The substantively documented operational characteristics of IMSI-catcher products across the post-2010 published institutional record substantially comprise the following operational pattern.

Active-mode IMSI / IMEI capture

The substantive baseline operational mode of IMSI-catcher products is the active-mode IMSI/IMEI capture. The operational deployment substantively involves the IMSI catcher being deployed at a target geographic location and configured to present a sufficiently strong cellular-network signal to compel registration by mobile devices within range. Each registered device substantively transmits its IMSI (the substantive subscriber identifier — the unique identifier associated with the SIM card and substantively traceable to the subscriber's institutional account) and IMEI (the substantive equipment identifier — the unique identifier associated with the cellular device hardware). The IMSI catcher substantively records both identifiers; subsequent institutional reconciliation against cellular-service-provider records substantively identifies the registered subscribers.

Forced-downgrade and content-interception modes

Higher-capability IMSI-catcher products substantively additionally provide the operational capability to compel registered devices to operate in substantively less-encrypted cellular-network protocols (typically the substantive forced downgrade from 4G/LTE encrypted protocols to 2G GSM protocols, which use substantively older and substantively less-cryptographically-secure encryption). The substantive operational consequence of forced downgrade is that the IMSI catcher can substantively additionally intercept voice-call content and SMS-message content of the registered devices.

Targeted-blocking and denial-of-service modes

The IMSI-catcher operational capability substantively additionally includes the substantive blocking of cellular service to specific target devices — the operational capability to substantively prevent a specific identified device from establishing a cellular connection within the IMSI-catcher's operational range. The institutional rationale for this operational capability is substantively the institutional law-enforcement scenario of preventing a specific target's communication during an arrest operation.

Geographic-precision tracking

The IMSI-catcher operational capability substantively additionally includes the substantive geographic precision tracking of a specific target device within the operational range — through the institutional mechanism of comparing signal-strength readings from the target device across multiple operational positions to triangulate the target device's geographic location. The substantively documented operational precision is approximately 10 metres at typical urban operational ranges.

Vehicle-mounted and aerial deployment platforms

The substantively documented operational deployment platforms for IMSI-catcher products across the post-2010 period have included: vehicle-mounted deployment (the substantively documented unmarked-vehicle deployment pattern); aerial deployment (the substantively documented US Marshals Service "dirtbox" deployment on Cessna and adjacent fixed-wing aircraft, substantively documented in the November 2014 Wall Street Journal disclosure); and pedestrian-portable deployment (the substantively documented "backpack" deployment configuration). The substantive operational deployment range varies by platform — vehicle-mounted operational ranges are typically a few hundred metres; aerial-platform operational ranges are typically several kilometres.

Documented deployments

The documented deployments of IMSI-catcher products in the United States across the post-2010 published institutional record substantially comprise:

Confirmed Federal Bureau of Investigation deployment. The substantively documented FBI institutional deployment pattern has substantially included the operational use of Stingray products across substantially every FBI field office. The substantively documented institutional non-disclosure agreement framework — the FBI's substantively-documented practice of requiring state-and-local law-enforcement agencies to whom Stingray products were institutionally distributed to substantively non-disclose the use of the products in court proceedings — has been the subject of substantial subsequent civil-liberties commentary and litigation.

Confirmed US Marshals Service aerial deployment ("Dirtbox"). The November 2014 Wall Street Journal disclosure of the substantively documented US Marshals Service operational programme — the deployment of Digital Receiver Technology (DRT) Boxes on Cessna fixed-wing surveillance aircraft, operating from at least five US airports and substantively conducting aerial-IMSI-collection operations across substantially every major US metropolitan area — produced the substantial public-record reconstruction of the institutional operational scale.

Confirmed Drug Enforcement Administration and adjacent federal-agency deployment. The substantively documented DEA, IRS-CI, US Customs and Border Protection, and US Immigration and Customs Enforcement institutional IMSI-catcher deployment across the post-2010 period has substantially expanded the institutional operational scope of the underlying technology beyond the FBI institutional baseline.

Confirmed State and local law-enforcement deployment (substantially seventy documented agencies). The American Civil Liberties Union's substantively documented institutional inventory of state-and-local US law-enforcement IMSI-catcher deployment — substantially conducted through state-level public-records litigation across the 2014–present period — has substantially documented the institutional deployment by approximately seventy state-and-local US law-enforcement agencies. The substantive operational deployment pattern across the documented institutional cohort has substantially included drug-trafficking-investigation deployment, fugitive-apprehension deployment, and substantial subsequent operational categories.

Legal / Oversight framework

The legal framework within which IMSI-catcher operational deployment has occurred in the United States across the post-2010 period has been the subject of substantial subsequent litigation and institutional-reform debate. The substantively settled current institutional position is substantially shaped by the following developments.

The 2015 DOJ policy

The September 2015 US Department of Justice institutional policy on IMSI-catcher operational deployment substantively required that all federal-agency IMSI-catcher operational deployments be conducted substantially under the substantive search-warrant authority — the substantive institutional reform that substantively responded to the prior institutional pattern of warrantless operational deployment. The substantive institutional exception within the DOJ policy is for substantially-defined exigent-circumstances operational deployments.

The 2018 Carpenter v. United States decision

The June 2018 US Supreme Court decision in Carpenter v. United States, 138 S. Ct. 2206 (2018), substantively held that the substantive collection of historical cell-site-location-information from cellular-service-provider records substantively constitutes a Fourth Amendment search requiring search-warrant authority. The substantive institutional implication for IMSI-catcher operational deployment has been the substantive expansion of the Fourth Amendment search-warrant requirement to substantive IMSI-catcher operational categories that the prior institutional doctrine had substantially excluded.

Subsequent state-level reform

The substantively documented subsequent state-level legislative reform across the post-2015 period has substantially produced state-level statutory frameworks for IMSI-catcher operational deployment in approximately twenty US states. The institutional pattern across the state-level frameworks has substantially included search-warrant requirements, institutional-reporting requirements, and adjacent institutional-oversight mechanisms.

Sources & Further Reading

1. American Civil Liberties Union, Stingray Tracking Devices: Who's Got Them?, ongoing institutional inventory, ACLU.
2. Devlin Barrett, Americans' Cellphones Targeted in Secret U.S. Spy Program, The Wall Street Journal, 13 November 2014 — the principal disclosure of the US Marshals Service "Dirtbox" aerial-deployment programme.
3. Carpenter v. United States, 585 U.S. ___, 138 S. Ct. 2206 (2018) — the principal subsequent Supreme Court Fourth Amendment cell-site-information decision.
4. US Department of Justice, Department of Justice Policy Guidance: Use of Cell-Site Simulator Technology, 3 September 2015.
5. Stephanie K. Pell and Christopher Soghoian, Your Secret Stingray's No Secret Anymore: The Vanishing Government Monopoly Over Cell Phone Surveillance and Its Impact on National Security and Consumer Privacy, 28 Harvard Journal of Law and Technology 1 (2014) — the principal academic-legal treatment of IMSI-catcher institutional deployment.
6. Citizen Lab, IMSI Catchers and Mobile Security, ongoing research collection.
7. Electronic Frontier Foundation Cell-Site Simulator Tracker, ongoing institutional inventory available at eff.org/issues/cell-site-simulators.
8. Brian L. Owsley, Triggerfish, Stingrays, and Fourth Amendment Fishing Expeditions, 66 Hastings Law Journal 183 (2014) — the principal academic-legal treatment from a former federal magistrate judge's perspective.
9. House Oversight and Government Reform Committee, Law Enforcement Use of Cell-Site Simulator Technologies: Privacy Concerns and Recommendations, 19 December 2016 — the principal Congressional-oversight institutional review.
10. Susan Landau, Listening In: Cybersecurity in an Insecure Age, Yale University Press, 2017 — the principal academic-policy treatment of the broader cellular-network-interception institutional landscape.