For most Americans, information security – like climate change, terrorism, or shark attacks – is just part of the menacing background of everyday life. It is a monolithic problem, and it is deadly serious, but it won’t affect you personally. Not now. Not yet. You’re probably safe.
If I were to tell you that there is a device, an invisible energy field covering whole city blocks, something that can crack open your phone and steal all your secrets – you might take me shopping for a tinfoil hat. This device is absolutely real, however – and it’s a nightmare for security and privacy. It’s called Stingray.
In order to understand why Stingray – also known as an IMSI catcher – is a problem, you need to know about information security on mobile devices. This is pretty simple, but that’s because mobile security is not all that great. Your smartphone doesn’t come with anything like a firewall, or antivirus software, or even a popup blocker.
The traditional security tools that might protect your PC or laptop don’t exist on mobile devices. To secure your phone, you – or your IT guy – might encrypt the device so that only someone with a password can read its files.
Your company might even give you your own special phone with a custom operating system designed to be more secure than Android or iOS. These protections all work pretty well – except that Stingray can walk through most of them like they were made of Saran wrap.
Stingray is effective because it does not attack your phone directly. It impersonates a cellphone tower. Your phone thinks that you just wandered into a new coverage area, and it connects to the Stingray like it would any other tower. When you use your cellphone, the Stingray sees everything you see.
If you send a text, the Stingray reads it. If you open an encrypted file, the Stingray knows your password. It knows wherever you are, inside its coverage area, and it can even download your cellphone metadata so you can be tracked and identified after you drive out of range.
Stingray devices are used mostly by law enforcement – both local and state police, as well as national security agencies – have all been observed using IMSI catchers. It’s a fair point that most people who are surveilled by these devices have nothing to fear, because they have nothing to hide. I’d argue, however, that Stingray is one of those technologies which, by its very nature, lends itself to abuse.
For example, how many times was Stingray used last year? I don’t know, and neither do you. An organization known as MuckRock has been trying to find out, using Freedom of Information Act requests. The government’s response consisted of five thousand pages of black highlighter.
When a police department offered its Stingray records to the ACLU, Federal Marshals raided the police to keep those records from the public. Do cops apply for warrants when using Stingray devices? In many cases no, because the government claims that these devices aren’t invasive enough to require judicial oversight. None of this really argues well for the safe and restrained use of Stingray technology.
Whether you believe that the U.S. government should use Stingray or not, there is no question that it can be used as a tool to squelch free speech. During last year’s protests in Ukraine, demonstrators received notification – via a Stingray-type device – that they were now registered as participants in a mass disturbance.
Think it couldn’t happen in the States? This past December, protesters in Illinois demonstrating against the death of Eric Garner reported being tailed by a “mysterious SUV” that messed up their phones whenever it went by. The Illinois police department has invested heavily in Stingray technology.
Now, depending on where you fall on the political spectrum, you might think that the government has the right to monitor civil unrest in order to prevent rioting and property damage. This is, again, a fair point – if you’re assuming that the government is the only one watching.
By unleashing Stingray, the government has let a genie out of its bottle. The Washington Post reports that, “Reasonably skilled hobbyists can build an IMSI catcher, which typically consists of high-tech boxes with radio antennas, for less than $1,500.” Stingrays are cheap enough that they are falling into the hands of foreign governments and organized criminals, and both are using them to spy on American citizens.
So – what can we do about this, and how can we stop it? Unfortunately, this is the kind of problem where a merely technological solution is both expensive and rare. Civil action often seems as useful as shouting at the ocean, but it gets results – the House just voted to end the NSA’s bulk data collection program after all.
After all, you know they’re watching.