News + Insights from the Legal Team at Zalkind Duncan & Bernstein

DOJ Takes Necessary, But Not Yet Sufficient, Steps to Safeguard People from Warrantless Use of Cell-Site Simulator Technology

Last month, The U.S. Department of Justice announced that it was implementing a new policy to govern the use of cell-site simulator technology, known also as “stingrays,” by federal law enforcement. The policy, available here, is intended to better protect suspects in criminal investigations and bystanders from intrusive, warrantless searches of data collected from their cellular phones.

A stingray is a small device—easily transportable in a car or even on someone’s person—that operates as a portable cell tower. Its signal reaches cell phones and other electronic devices in the area, which in turn transmit information through the stingray instead of through a proper cellular tower. The stingray can obtain information from all devices in the area, even those that are not in use. The problem is that the stingray is not owned or operated by a phone company. It’s owned and operated by the government, and law enforcement will collect and retain location and other identifying information from devices in range of the stingray. A police car that contains a stingray can drive down a road, or stop at a busy intersection, and collect data from electronic devices, without the owners of those devices having any idea that it is happening. The stingray works through walls, which means it can collect data from inside businesses and homes, and can accurately and precisely determine someone’s location. Even when the aim is to collect data from a specific person’s phone, it will also pick up data from bystanders who happen to be in the wrong place at the wrong time: that is, being in the vicinity of a law enforcement officer with a stingray. A stingray has other nasty side effects, too, including by draining device batteries by forcing them to transmit data even when they are not in use, and by disrupting cellular service to the area.

There has been very little oversight regarding the use of stingrays. But as more information has become public, a number of legal experts and privacy rights activists have advocated against the unlimited and often secret use of the technology.

The DOJ’s new policies address some of these concerns. The policy says that stingrays will not be used to collect the contents of communication. It also requires operators to receive training and supervision, though development of training protocols will be left to individual agencies. More importantly, the policy requires federal law enforcement agencies to obtain a search warrant to use a stingray. That means that the agency will have to show that there is probable cause to search for a suspect’s cellular location and identification data using a stingray. They will also be required to obtain an order under the Pen Register Statute, 18 U.S.C. 3123. To obtain a Pen Register order, the agency has only to certify to the court that the information it seeks to obtain is relevant to an ongoing criminal investigation. Law enforcement will be expected to consult with prosecutors before using a stingray, and search warrants must clearly explain to the courts what the stingray will do to the target device and to other bystander devices.

The policy also limits how long federal agencies can retain data from non-target devices: where the stingray is used to locate a known cell phone (when the agency already has identifying information about the suspect’s phone, and is using it to find out information about the suspect’s location), unrelated data should be deleted at least once daily; when the agency does not have identifying information about the suspect’s phone, all data has to be deleted no less than once every 30 days, or as soon as the target cell phone is identified, whichever comes sooner.

The DOJ’s policy takes some important steps toward protecting people’s privacy against the broad use of stingray technology, but it remains inadequate in many respects. Notably, the policy allows for broad exceptions in “exigent circumstances’ or “exceptional circumstances.” In other words, the agency can bypass the search warrant requirement when an emergency arises. Although the DOJ would still require agencies to obtain a Pen Register order, such an order requires far less than a search warrant—and importantly, would not require agencies to disclose to the court what type of technology is being used to obtain the sought-after data.

Another problem is that the policy doesn’t create a right of enforcement. In other words, a federal agency cannot be sued just because it violated this policy. People will have to look elsewhere, likely to the federal and state constitutions, to challenge the use of stingray devices.

Perhaps the biggest weakness is that the policy applies only to federal agencies. Local and state law enforcement agencies are not bound by the DOJ’s policy. This is troubling not only because stingrays are being used in many local and state agencies across the country, but also because the Federal Bureau of Investigation (FBI) has provided the technology to these agencies. Moreover, the FBI has required local and state agencies to sign non-disclosure agreements before handing over the technology. This means that the technology is being used in many cities and states around the country without public knowledge or oversight. While the DOJ’s policies will hopefully improve accountability and provide some protections from warrantless searches by federal officials, local and state law enforcement will not be similarly bound.

Super Lawyers
Martindale-Hubbell
Best Lawyers
Best Law Firms