Elizabeth Kreft, TheBlaze’s Intel & Tech Editor, spoke with Nathan Freed Wessler, a staff attorney with the American Civil Liberties Union’s Project on Speech, Privacy and Technology, about the key words that every privacy-minded American should recognize.
Unless you are a technology expert or work in the telecommunications field, the words “pen register” or “cell site simulators” might not raise any red flags.
The verbiage associated with local police or state and federal-level tracking is technical, but not impossible to understand. Whether sitting in on a city council meeting or simply following the news on the latest trends in cellphone spying, these are the terms you need to know.
Elizabeth Kreft: So what are some of the most common tracking devices that the American people should be aware of?
Nathan Freed: The first I’d say is “cell site location information,” often abbreviated CSLI. That is generally referring to tracking of cellphone location through the cell service provider. There are two kinds of CSLI: historical and real time.
Historical is when police go to cellphone companies and ask for a record of all of the cell towers and sectors that the suspect’s phone was located in every time that person made or received a phone call or text message. The cellphone company is logging not only the cell tower the phone is connected to — at the start and end of each call or connection — but also the sector within that cellphone tower. The cell towers have multiple antennas facing different directions, and so the cellphone company actually knows which direction you are making the call from.
EK: How long do they maintain those records?
NF: It differs between cell service providers; some keep it from one year to 18 months. Since 2008, AT&T has said it keeps the records indefinitely.
[sharequote align=”center”]”The cellphone company is logging … the start and end of each call or connection.”[/sharequote]
EK: How accurate are they?
NF: The precision of the location varies depending upon how dense the cell towers are in a particular area. The closer together cell towers are, the smaller the radius is around each tower, or the area the phone would be connecting to. So in a rural area, in might be a couple of miles between cell towers. But in urban areas, or dense suburban areas, cell towers are quite close together, which means they would be able to pinpoint a cell location to within a couple block radius.
EK: So that’s historical, what about real time?
NF: Police can also go to a cellphone company and request real-time information about somebody’s cellphone location and that will often involve the cellphone company pinging the phone — every few seconds, or every minute or every couple minutes — so that the phone is actually reporting back its location much more frequently than whenever you happened to have made a call.
EK: That sounds more precise.
NF: Cellphone companies can track more precisely in real time, because they can either triangulate the signal between towers, or send out a ping to the phone saying “tell us where you are.” The phone will send back that ping to several towers in the area and the company can determine which one the phone checked in from. Other companies actually have the ability to activate the GPS chip in the phone to get exact coordinates.
2. Cell Tower Dump
EK: So that’s a tool they can use when law enforcement agents know the phone number of a suspect. What do they use if they don’t?
NF: This is when the police will go to a cell service provider and ask for a list of every cellphone that connected to a tower, or a particular set of towers, during some time period in the past. That results in a download of a whole bunch of people’s location information and identifying information about their phones, which will invariably include hundreds or thousands — or in one case we’ve seen, hundreds of thousands — of completely innocent people’s information.
NF: One way police have used this technique is if there’s been, say, a series of robberies. Maybe a series of bank robberies with the same type of MO, like the suspects have worn the same type of face masks, that makes police think one person committed the whole series of crimes. The police will then go to the cell companies and say, “We want to know all the phones that have communicated with these towers near this bank at this time.”
EK: Do they really call it a “cell tower dump”?
NF: There have been a few judicial opinions they refer to them as such; that’s sort of the accepted shorthand, although it’s not always what the court papers will say. The obvious concern about this kind of cellphone tracking is that 99.9 percent of the people whose records are claimed by the government are completely innocent and there is in fact zero level of suspicion on them, and yet [police] are still served their location information.
EK: I’m not sure “wow” covers it for that one.
3. Cell Site Simulators/IMSI Catcher (aka StingRays, Triggerfish, Kingfish or Hailstorm)
NF: Cellphones have international mobile subscriber identifiers — that’s basically an electronic serial number unique to everyone’s cellphone — and when it connects to the network it sends out that number in order for the companies to know which customer’s phone it is. There is one U.S. company that makes devices, Harris Corporation, and they have a whole line of these devices — different models with different trade names. The most common one is called the Stingray, they others called Triggerfish and Kingfish, their new, most powerful version is called Hailstorm.
EK: It’s no surprise the company is based in Florida.
NF: Yeah, they seem to have a nautical, aquatic kick and then moved on to ominous weather systems.
EK: I’m sure it seemed like a good marketing decision at the time.
NF: These devices are pieces of physical equipment that police use themselves to track cellphones. It works by mimicking cell service providers’ cellphone towers and then sending out electronic signals that force phones — really trick phones — into reporting back their identifying information, including their electronic serial numbers and their location. A good way to describe this is that old kids pool game: so the cell site simulator will say “Marco,” and your cellphone says “Polo.”
EK: Ha. I want to laugh, but I’m too annoyed. So many ways for innocent Americans to be tracked. Now, some of these are carried and some are permanently fixed, right?
NF: One is a handheld model that is a little less powerful, others are vehicle-based that have stronger signals, some of them have directional antennas — but they all work in the same way. But there are several concerning things about how these work, much like cell tower dumps, they trigger every phone in the area — including phones of completely innocent bystanders — into reporting back their location information to the police.
EK: How will this typically be used?
NF: Often the way police will use this is they’ll mount it in a vehicle and they’ll drive around a neighborhood or part of a city looking for the phone they are trying to track. They might cover a high-traffic area where they are triggering many phones — it could be hundreds or easily thousands another troubling aspect of how these works — they are sending out invasive electronic signals that are traveling through the walls of private homes and offices and other private spaces and then revealing information about who is inside and where inside the phone is.
EK: Seems to be a clear violation of privacy.
NF: Those are places where the Supreme Court has repeatedly said have special protection under the Fourth Amendment of the Constitution. The home is our castle.
4. Pen Registers/Trap and Trace Order
EK: What is a pen register? Didn’t that originally refer to a device that would record telegraph signals?
NF: Yes, and pen registers refer to old devices when phones were on the analog networks, these were physical devices that could be installed at the phone company. A pen register and a trap and trace device together can record the phone numbers that numbers that were dialing you. And originally that was all the information they could record, they couldn’t even the duration of the call or whether either person picked up or not.
EK: How do police get the pen register orders?
NF: All the government has to show is information they are seeking is relevant to an ongoing investigation, which is a very low standard and very easy to meet. So we’ve seen police getting these pen register orders, then using them to get permission to use the cell site simulators, which itself troubling, because they aren’t proving probable cause. And often, the reason judges are signing these orders in this context is that police haven’t really accurately described what they want to do with them. Judges may not actually realize police want to do something particularly invasive. Judges get many of these pen register applications every day; it’s a routine law enforcement tactic and “relevance” is such a low standard judges routinely sign them and police go out and get their information.
EK: To sum it all up, the government has many options here. What do you think is worse, real-time tracking or historical?
NF: I actually think historical tracking is worse. These records give police information that they’ve never in the history of our country had access to before. It’s essentially a time machine into our past locations and associations. There was never at time in history when the police decided today that I was a suspect and then were able to track my information over a past time period.
Follow Elizabeth Kreft (@elizabethakreft) on Twitter