The U.S. Department of Justice (DOJ) announced a new policy, effective immediately, which describes when and how...
cell-site simulator technology can be used by federal law enforcement to track mobile phones.
The cell-site simulator devices, also known as Stingrays, force connections with mobile devices within range in order to collect data and track devices. The DOJ claims such devices "are deployed only in the fraction of cases in which the capability is best suited to achieve specific public safety objectives."
The new "Enhanced Policy for Use of Cell-Site Simulators" will require that law enforcement obtain a warrant in order to track mobile phones. There are also new requirements for handling the data collected by the devices, including an auditing program to ensure data is deleted properly. The new policy also states that communication data, including emails, texts, contact lists and images, cannot be collected by the Stingray devices.
According to the DOJ, the aim of the new policy to track mobile phones is to enhance transparency and accountability, improve training and supervision, establish a higher and more consistent legal standard, as well as increase privacy protections in relation to law enforcement's use of this critical technology.
"With the issuance of this policy, the Department of Justice reaffirms its commitment to hold itself to the highest standards, as it performs its critical work to protect public safety," said Deputy Attorney General Sally Quillian Yates in a press release. "Cell-site simulator technology has been instrumental in aiding law enforcement in a broad array of investigations, including kidnappings, fugitive investigations and complicated narcotics cases. This new policy ensures our protocols for this technology are consistent, well-managed and respectful of individuals' privacy and civil liberties."
Rebecca Herold, CEO of Privacy Professor, praised the aims of the new policy and said the rules surrounding data handling, accountability, training and the need for warrants were "long overdue." But Herold also said the effective scope of the policy is too narrow.
"One huge gap is that [the rules] do not apply to all those using such devices; they only apply to DOJ agencies and activities, leaving a large number of others with free rein to basically do whatever they want with such surveillance tools," Herold said. "And, unfortunately, we know the track record for law agencies being transparent with how they use surveillance tools is dismal."
The rules as enforced will cover agencies under the DOJ, including the U.S. Drug Enforcement Administration, Bureau of Alcohol, Tobacco, Firearms and Explosives, FBI, Interpol Washington and the U.S. Marshals Service, but does not extend to the CIA, National Security Agency or any local law enforcement.
Herold noted that the descriptions of "exceptional circumstances" that would supersede the new rules are too vague. The rules do not include policies for recording why the use of tracking devices was deemed necessary or the potential harmful effects of their use -- only provisions for recording how many times such devices were used.
Herold also said the rules surrounding the audits could be greatly expanded.
"Audits should occur to validate that the use of the technology was appropriate, that they were used in accordance to the rules and that data was removed completely," Herold said. "The audits should also ensure that only the allowed data was collected. Just because the rules restrict what can be collected, we cannot ensure that these administrative requirements were followed if those using the technologies decide to collect more; accountability must be upheld."
Herold admitted that there are situations where Stingray technologies are critical tools in catching criminals and terrorists, but said any rules applied to law enforcement practices need to be comprehensive.
"Ultimately, when technologies are deployed to assist in locating criminals and terrorists, the associated privacy risks to others in the vicinity are going to be significant," Herold said. "And those risks must be mitigated with not only comprehensive rules for all types of law enforcement using the technologies, but with technical controls, as well as establishing accountability and associated penalties and sanctions for misuse of the technologies, and for not following the rules."