Oct 162020
 

With Harris Corporation no longer selling its cell site simulators to local law enforcement, Anaheim has joined a growing list of police departments replacing them with cell site simulators manufactured by Nyxcell and KeyW.

Nyxcell high power base station for its CSS
Nyxcell base station for its CSS

At a meeting of the Anaheim City Council on June 9, 2020, the Anaheim City Council approved the $755,000 purchase of a Nyxcell cell site simulator (CSS) from Tactical Support Equipment by a vote of 6-0-1, with Councilmember Jose Moreno abstaining because he felt he needed to learn more about how the CSS was used in the past. Although the name of the cell site simulator is redacted in documents, we were able to confirm that it is manufactured by Nyxcell.

Cell site simulators are used by law enforcement to track the location of cellular phones. They work by pretending to be a cell phone tower to which nearby cell phones will connect. Once connected to the CSS, the CSS obtains information unique to the cellular phone that allows it to be tracked. In order to connect to a target cell phone, the CSS is typically installed in a vehicle and once the cell phone is tracked to a general location, a handheld device is used to track the cell phone to a specific room or person. A CSS can also be used to eavesdrop on phone calls and text messages. The EFF has more information about how cell site simulators work.

This item was on the consent portion of the agenda, meaning that it was expected to be passed with a much larger group of items without any discussion at all by the Anaheim City Council. However, Councilmember Denise Barnes asked for the agenda item to be pulled from consent for a staff report. Barnes wanted more information so she could get her “mind around spending this money….on a cell phone site simulator.”

Police Chief Cisneros stated that the cell phone tracking equipment “has been in existence with the Anaheim Police Department since 2008. This will be the third vendor we have used since we began tracking cell phones.” [The other two were DRT and Harris.] According to Cisneros, the equipment was used “for search and rescue, critical missing people, locating injured or suicidal people who are unable to call for help, kidnap or ransom victims, hostage rescues, mass casualty threats, credible hostile threats against churches and religious groups throughout our community, human trafficking, mass murder fugitives… serial rapist investigations, etc.” Cisneros went on to say that the CSS has been used 1200 times in the last four years. However, the staff report stated, “The simulator is utilized an average of 150 times per year.” CSS logs provided in response to a public records request show that the CSS was used 86 times in 2018 and 196 times in 2019.

The reason for the purchase, Cisneros stated, is that “Our current generation of cell phone tracking equipment that we currently have… it is no longer going to be supported after July 2020.” According to the staff report, “The service contract with the existing manufacturer [Harris Corporation] ends in June 2020 and at that time the manufacturer will no longer support the existing equipment, rendering it obsolete.”

Councilmember Barnes asked how many time the equipment had been effective for locating at-risk persons or missing children, Cisneros said he didn’t have that information available. Barnes said that “if we’ve been using this [the CSS] since ’08, I take it that it’s been extremely effective for your department,” although no data was provided to the City Council about its effectiveness. Cisneros notes that Anaheim had to use the existing CSS for the county because of funding it received for the CSS from the Urban Areas Security Initiative (UASI), but now the CSS will be used mainly for Anaheim.

After Barnes moved to pass the item, Councilmember Moreno noted that he had express concerns about the technology that predated Cisneros. Moreno stated that the ACLU raised surveillance, privacy, and civil liberties concerns about CSS devices in 2016. Moreno also noted that the ACLU had to sue Anaheim to obtain public records pertaining to its CSS. Cisneros was happy to note that the policy required obtaining a search warrant before the CSS was used, but failed to note that the requirement for a search warrant was because of the California Electronic Communications Privacy Act, which was signed into law in 2015.

The equipment purchase includes all the tools needed to locate a cellular phone, cellular device, or wi-fi device. It includes an 8-channel base station unit designed to be installed in a vehicle for $518,600, a vehicular location system (which includes software and likely an antenna for the vehicle) for $60,000, a handheld Covert Hostile Emitter Angle Tracker Revised (C-HEATR), “rugged, portable, direction finding (DF) system used to locate RF emitters” for $40,716, and a 3-channel wi-fi direction finder for $60,000.

Supporting documents and audio:

Mar 212020
 

On the consent agenda for the March 24, 2020, Vallejo City Council meeting is $766,018 to purchase a KeyW cell site simulator.Vallejo Police Department logo

If approved, Vallejo Police would become the fourth local Bay Area law enforcement agency with this device, after the San Francisco Police Department, San Jose Police Department, and the Alameda County District Attorney (which shares its device with the Oakland Police Department and Fremont Police Department). These other agencies own cell site simulators manufactured by Harris Corporation.

The agenda item includes implementation of a usage and privacy policy, but no policy was provided as part of the background material because the policy will be created at the direction of the Chief of Police, and not by the City Council. California’s Electronic Communications Privacy Act, which went into effect on January 1, 2016, requires that a search warrant be obtained before using a cell site simulator.

Policies in the City of Oakland and Alameda County require annual reporting on the usage of their shared cell site simulator. In 2017, the cell site simulator was used three times, in 2018, it was used four times, and it was used once in 2019. Without public input and city council oversight, Vallejo’s policy is unlikely to require any annual reporting.

A cell site simulator pretends to be a cell phone tower, to which cell phones connect in order to initiate a phone call. Once a cell phone connects to the cell site simulator, the cell phone’s IMSI number can be obtained and used to track the location of the cell phone.

According to the staff report, the cell site simulator will be used by the Crime Reduction Team, which is “tasked with the tracking and apprehension of serious violent offenders, covert surveillance during criminal investigations, human trafficking, and other plain clothes investigative operations…” The desire to obtain a cell site simulator appears to be motivated by an unnamed agency assisting Vallejo by using its own cell site simulator. “In November of 2019, an outside agency used a cellular site simulator for the Vallejo Police Department on several occasions.”

The staff report fails to note that cell site simulators can disrupt “the target cellular device (e.g., cell phone) and other cellular devices in the area might experience a temporary disruption of service from the service provider,” according to guidance from the US Department of Justice. In other words, it could interfere with normal operation of other cellular phones and devices near the cell site simulator, including emergency calls.

The staff report claims that “The equipment does not retain data and is not capable of intercepting and listening to calls, text messages, dialed numbers or any other such content.” However, other cell site simulators are able to eavesdrop on calls and messages and are limited only by the installed software, not the hardware’s capabilities.

The $766,018 price includes the following:

  • $415,000 for the base station
  • $1,400 for two Shark Fin antennas
  • $40,000 for five-day on-site training
  • $60,000 for additional two-year warranty
  • $120,000 for standard vehicle integration (a 2020 Chevrolet Suburban)
  • $32,000 for a Trachea 2 device, a stand alone direction finding system
  • $15,000 for two Jugular 4 devices, a handheld direction finding system
  • $17,760 for two Jugular 4 field kits

The vehicle containing the cell-site simulator (a 2020 Suburban) will drive around to track a cell phone to a building or similar area. Then the handheld Jugular 4 or Trachea 2 devices can be used to track a cell phone to a specific apartment of room. Although little is known about these devices, an earlier version of the Jugular was detailed in a document obtained the Intercept. The Jugular 2 was capable of tracking GSM, CDMA, and UMTS cellular signals. The Jugular 4 and Trachea 2 are likely capable of tracking 4G cellular signals.

The Vallejo City Council meeting takes place on March 24, 2020, at 7pm via teleconference. Since there is no physical access for the public to the meeting, members of the public who wish to comment on the item are required to register to use Open Town Hall at http://www.opentownhall.com/8413.

Documents:

UPDATE: On March 24, 2020, the Vallejo City Council unanimously approved the cell site simulator purchase without discussing potential privacy issues or interruption of cell phone service. Oakland Privacy and the EFF have urged that the cell site simulator purchase be nullified because the Vallejo City Council failed to comply with California state law that requires approval of a privacy and usage policy by the local governing body.

Aug 012015
 

In a letter dated July 28, 2015, the FBI said it could neither confirm nor deny that it has contract J-FBI-09-211, which has to do with “Landshark” restricted software used with the Harris StingRay. This document is referenced in FBI letters to Harris Corporation in which the FBI notifies Harris of its approval of a law enforcement agency’s non-disclosure agreement. This non-disclosure agreement is required before the law enforcement agency can purchase a cell site simulator such as a StingRay, KingFish, or HailStorm from Harris Corporation.

The letter from the FBI states,

Please be advised that upon reviewing the substantive nature of your request, we can neither confirm nor deny the existence of records responsive to your request pursuant to FOIA exemption (b) (7) (E) [5 U.S.C.§552 (b)(7)(E)]. The mere acknowledgment of whether or not the FBI has any such records in and of itself would disclose techniques, procedures, and/or guidelines that could reasonably be expected to risk of circumvention of the law. Thus, the FBI neither confirms nor denies the existence of any records.

Contract J-FBI-09-211 is referenced in the following documents:

Jun 182015
 

In a letter dated June 8, 2015, the FBI responded to my request for a copy of the April 6, 2010, agreement between the FBI an Harris Corporation. This April 6, 2010, agreement is referenced in the approval of law enforcement agency’s non-disclosure agreements that are required before the law enforcement agency can purchase a cell site simulator such as a StingRay, KingFish, or HailStorm from Harris Corporation.

The letter from the FBI states,

Please be advised that upon reviewing the substantive nature of your request, we can neither confirm nor deny the existence of records responsive to your request pursuant to FOIA exemption (b) (7) (E) [5 U.S.C.§552 (b)(7)(E)]. The mere acknowledgment of whether or not the FBI has any such records in and of itself would disclose techniques, procedures, and/or guidelines that could reasonably be expected to risk of circumvention of the law. Thus, the FBI neither confirms nor denies the existence of any records.

However, although the FBI will neither confirm nor deny the existence of the April 6, 2010, agreement, it is referenced in letters from the FBI to Harris Corporation dated June 14, 2012 and February 13, 2013. This refusal to confirm or deny the existence of a document or specific information is known as a Glomar response, named for the Central Intelligence Agency’s response to a FOIA request about its Global Marine front company and its attempt to salvage a Soviet submarine. A portion of the text from both letters states,

The Federal Bureau of Investigation (FBI) has an approved non-disclosure agreement (NDA) in place with the captioned law enforcement agency. In accordance with the cited restricted software agreement and the April 6, 2010 agreement between the FBI and the Harris Corporation, your notification to the FBI of the agency’s intent to purchase, and our execution of the NDA, meets the FBI’s advance coordination requirement. Therefore, the Harris Corporation is permitted to sell the state-and-local version of the Stingray product with the restricted software to the…

Jun 082015
 

In a response to a public records request from April 22, 2015, on June 1, the Pennsylvania State Police released a redacted administrative regulation for the use of “Telecommunication Identification Interception Devices” also known as cell site simulators, IMSI catchers or Stingrays. Administrative regulation AR 9-16 references Pennsylvania’s Wiretapping and Electronic Surveillance Control Act and specifically refers to interception of electronic communications.

The Pennsylvania State Police FAQ on cell site simulators (CSS) claims that the CSS “cannot intercept the content of voice calls or text messages” nor can it obtain “cellular telephone numbers…of any user of a cellular device.” While the specific technical details and capabilities of the two Harris HailStorm devices owned by the Pennsylvania State Police are not known, the claim that the Harris HailStorm cell site simulators cannot obtain the cellular telephone numbers of cellular devices appears to be incorrect. In fact, the name IMSI catcher refers to the devices’ ability to capture the International Mobile Subscriber Identity, which is the device’s phone number.

For more information about the Pennsylvania State Police cell site simulators, see the excellent work by Dustin Slaughter at The Declaration and the Pennsylvania Right to Know Act request at MuckRock.

Pennsylvania purchase orders for Harris StingRay II to HailStorm Upgrade

Update: 6/26/15 – Text was updated to correct a mistake. It can still be seen in strikeout.

Jun 072015
 

In a May 28, 2015, response to a public records request, the Minnesota Department of Public Safety, Bureau of Criminal Apprehension (BCA), released an unredacted non-disclosure agreement with the Federal Bureau of Investigation (FBI). Despite releasing the unredacted NDA, the BCA still claims that portions of the Harris Corporation Terms and Conditions, descriptions of what it purchased and their prices are still exempt from disclosure:

It should be noted that portions of these documents have been redacted pursuant to Minnesota Statute 13.82, subd. 25 as they would reveal deliberative processes or investigative techniques of this agency that would disclose the existence of and the capabilities provided by cellular exploitation equipment to the public. Disclosure of the redacted portions of the documents would reveal sensitive technological capabilities possessed by the law enforcement community and may allow individuals who are the subject of investigation to employ countermeasures to avoid detection by law enforcement.

Credit goes to Rich Neumeister and the Minneapolis Star Tribune for forcing the Minnesota BCA to release a redacted NDA between the BCA and FBI in November 2014.

In this latest release, the BCA included unredacted and redacted versions of the NDA, entitled “Re: Acquisition of Wireless Collection Equipment/Technology and Non-Disclosure Obligations” and dated June 5, 2012.

The BCA also released an email from the FBI, advising it on how to prevent the NDA from being publicly disclosed.  That email from a Supervisory Special Agent at the FBI states,

Hello Andrew,

(U/LES) Thank you for talking with me yesterday about your pending disclosure request. As stated in our conversation, the protection of cell site simulator (CSS) information is a concern for all law enforcement agencies in the U.S. In light of the importance of the lawful usage of the CSS gear, my unit would like to assist you in protecting the data associated with the CSS gear from exposure to counter measures in criminal, terrorism, and foreign intelligence investigations. The first layer of protection for the CSS gear is the Non Disclosure Agreement (NDA), which your agency has signed in order to receive the CSS gear. From our conversation yesterday, my understanding is that you are being asked to disclosure all or part of the NDA. In order to clarify our position, I have attached a letter that the FBI has created for the purpose of articulating the law enforcement and legal support for protecting the NDA. We can send a signed copy of the letter to a government official, if you believe that will assist you in protecting the NDA. Please note that the letter is marked (LES).

(U/LES) In addition, you mentioned that the requestor has claimed that other disseminations of CSS information have appeared in the public view, which classifies them as “public record” pursuant to Minnesota’s laws, and therefore are subject to disclosure by your agency. When possible, would you be willing to send a sample of such information as we may be able to clarify the circumstances of the dissemination? Some disseminations may have been conducted unlawfully and therefore should not be considered “public record” or be subject to further authentication. In addition, we would like to be in a position to assist you in determining the scope and type of your pending response, so if we could set up a meeting with our FBI legal counsel and your office, that would be greatly appreciated.

A comparison of the redacted and unredacted versions of the NDA shows that the information redacted had nothing to do with the technical details or capabilities of the Harris Corporation equipment, but were mostly about preventing disclosure to the public, news media, and judicial system. One heavily redacted paragraphs states that the BCA should seek dismissal of a case in order to prevent disclosure of information about the Harris Corporation equipment. The document also redacted portions of FBI addresses, the name and division of the Assistant Director at the FBI, and the other signatories from the BCA. Here is the remaining text that was redacted in the NDA:

in press releases, in court documents, during judicial hearings, or during other public forums or proceedings

for the sale of the equipment/technology.

met the operator training standards identified by the FBI and’ are certified to conduct operations.

coordinate with the FBI in advance of its use of the wireless collection equipment/technology

the wireless collection equipment/technology or any software, operating manuals, or related technical documentation (including its technical/engineering descriptions) and capabilities)

concerning the wireless collection equipment/technology or any software) operating manuals, or related technical documentation (including its technical/engineering description(s) and capabilities)

wireless collection equipment/technology or any software, manuals, or related technical documentation

in any civil or criminal proceeding, use or provide any information concerning the Harris Corporation wireless collection equipment/technology, its associated software, operating manuals, and any related documentation (including its technical/engineering description(s) and capabilities) beyond the evidentiary results obtained through the use of the equipment/technology including, but not limited to, during pre-trial matters, in search warrants and related affidavits, in discovery, in response to court ordered disclosure, in other affidavits, in grand jury hearings, in the State’s case-in-chief, rebuttal, or on appeal, or in testimony in any phase of civil or criminal trial, without the prior written approval of the FBI. If the Minnesota Bureau of Criminal Apprehension learns that a District Attorney, prosecutor, or a court is considering or intends to use or provide any information concerning the Harris Corporation wireless collection equipment/technology, its associated software, operating manuals, and any related documentation (including its technical/engineering description(s) and capabilities) beyond the evidentiary results obtained through the use of the equipment/technology in a manner that will cause law enforcement sensitive information relating to the technology to be made known to the public, the Minnesota Bureau of Criminal Apprehension will immediately notify the FBI in order to allow sufficient time for the FBI to intervene to protect the equipment/technology and information from disclosure and potential compromise.

at the request of the FBI, seek dismissal of the case in lieu of using or providing, or allowing others to use or provide, any information concerning the Harris Corporation wireless collection equipment/technology, its associated software, operating manuals, and any related documentation (beyond the evidentiary results obtained through the use of the equipment/technology), if using or providing such information would potentially or actually compromise the equipment/technology. This point supposes that the agency has some control or influence over the prosecutorial process. Where such is not the case, or is limited so as to be inconsequential, it is the FBI’s expectation that the law enforcement agency identify the applicable prosecuting agency, or agencies, for inclusion in this agreement.

equipment/technology and any associated software, operating manuals, or related documentation (including its technical/engineering description(s) and capabilities)

in any news or press releases, interviews, or direct or indirect statements to the media.

wireless collection equipment/technology, its associated software, operating manuals, and any related documentation (including its technical/engineering description(s) and capabilities)

UPDATE: June 18, 2015 – It turns out that the Minnesota BCA accidentally released the unredacted NDA. And I thought that someone there had come to their senses.

 

May 262015
 

In response to a January 28, 2015, public records request and after I sent $1.14 to cover the cost of copies, the Phoenix Police Department sent a copy of its February 11, 2013, non-disclosure agreement with the Federal Bureau of Investigation.

With other non-disclosure agreements from the Minnesota Bureau of Criminal Apprehension, Erie County Sheriff’s Office, San Bernardino County Sheriff’s Office, Baltimore Police Department, and Ventura County Sheriffs Office, we can readily determine what text was redacted from the NDA. Nearly all of the redactions are references to hiding information about the StingRay from the judicial system.

From the bottom of the first page, the words “to employ countermeasures” were redacted from the sentence “Disclosing the existence of and the capabilities provided by such equipment/technology to the public would reveal sensitive technological capabilities possessed by the law enforcement community and may allow individuals who are the subject of investigation wherein this equipment/technology is used to employ countermeasures to avoid detection by law enforcement.”

Near the top of the third page of the NDA, the words “during pre-trial matters, in search warrants and related affidavits, in discovery, in response to court ordered disclosure, in other affidavits, in grand jury hearings, in the State’s case-in-chief, rebuttal, or on appeal, or in testimony in any phase of civil or criminal trial,” were redacted from the sentence “The Phoenix Police Department shall not, in any civil or criminal proceeding, use or provide any information concerning the Harris Corporation wireless collection equipment/technology, its associated software, operating manuals, and any related documentation (including its technical/engineering description(s) and capabilities) beyond the evidentiary results obtained through the use of the equipment/technology including, but not limited to, during pre-trial matters, in search warrants and related affidavits, in discovery, in response to court ordered disclosure, in other affidavits, in grand jury hearings, in the State’s case-in-chief, rebuttal, or on appeal, or in testimony in any phase of civil or criminal trial, without the prior written approval of the FBI.”

At the bottom of the third page, the words “seek dismissal of the case in” were redacted from the sentence “In addition, the Phoenix Police Department will, at the request of the FBI, seek dismissal of the case in lieu of using or providing, or allowing others to use or provide, any information concerning the Harris Corporation wireless collection equipment/technology, its associated software, operating manuals, and any related documentation (beyond the evidentiary results obtained through the use of the equipment/technology), if using or providing such information would potentially or actually compromise the equipment/technology.”

Later in the same paragraph, the words “control or influence over the prosecutorial process” were redacted from the sentence “This point supposes that the agency has some control or influence over the prosecutorial process.”

Also in the same paragraph, the words “prosecuting agency, or agencies” were redacted from the sentence “Where such is not the case, or is limited so as to be inconsequential, it is the FBI’s expectation that the law enforcement agency identify the applicable prosecuting agency, or agencies, for inclusion in this agreement.”

At the bottom of the fourth page, the words “the civil or criminal discovery process” were redacted from the sentence “In the event that the Phoenix Police Department receives a request pursuant to the Freedom of Information Act (5 U.S.C. § 552) or an equivalent state or local law, the civil or criminal discovery process, or other judicial, legislative, or administrative process, to disclose information concerning the Harris Corporation wireless collection equipment/technology, its associated software, operating manuals, and any related documentation (including its technical/engineering description(s) and capabilities), the Erie County Sheriff’s Office will immediately notify the FBI of any such request telephonically and in writing in order to allow sufficient time for the FBI to seek to prevent disclosure through appropriate channels.”

Other less interesting redactions included the names of people in the Phoenix Police Department, the name of the Assistant Director of the FBI’s Operation Technology Division (Amy Hess), and the phone numbers for the Assistant Director of the FBI’s Operation Technology Division and the Unit Chief of the Tracking Technology Unit.

May 192015
 

On May 19, 2015, the Tacoma Police Department released a February 13, 2013, letter from the FBI to Harris Corporation permitting it “to sell the  state-and-local version of the Stingray product with the restricted [“Landshark”] software to the Tacoma Police Department.”

The complete text of the letter:

Attention: Patricia Sciandra

Re: Contract J-FBI-09-211 “Landshark” Restricted Software Request Approval – Tacoma Police Department

Dear Ms. Sciandra:

The Federal Bureau of Investigation (FBI) has an approved non-disclosure agreement (NDA) in place with the captioned law enforcement agency. In accordance with the cited restricted software agreement and the April 6, 2010 agreement between the FBI and the Harris Corporation, your notification to the FBI of the agency’s intent to purchase, and our execution of the NDA, meets the FBI’s advance coordination requirement. Therefore, the Harris Corporation is permitted to sell the state-and-local version of the Stingray product with the restricted software to the Tacoma Police Department.

W. L. Scott Bean, III
Chief, Technical Surveillance Section
Operational Technology Division

May 162015
 

On February 27, 2015, California Senator Jerry Hill introduced SB 741, which “would require that require local governing bodies in California to take public comment before implementing cell phone intercept technology.

SB-741 was discussed at a meeting of the California Senate Judiciary Committee on May 12, 2015. After opening remarks by Senator Hill, Tracy Rosenberg of the Bay Area Civil Liberties Coalition spoke in favor of the bill and Aaron Maguire of the California State Sheriff’s Association spoke against the bill.

Maguire said,

We are in respectful opposition to the bill. We’re in opposition to actually several bills that are currently moving through both houses. And really it is sort of a philosophical disagreement. I agree wholeheartedly with the author about the checks and balances that we have in our system in terms of the legislature appropriating certain money and the executive branch utilizing those funds, but I think what we have here is something that goes a little bit too far, which is where the state is mandating that certain items be placed on the board agenda which is, so, with whether it’s with respect to unmanned aerial vehicles or whether its this type of technology or other tactics or other things, we just think that this simply just goes too far and for those reasons, we’re in opposition. Thank you.

After Maguire’s remarks, Senator Joel Anderson asked, “When you use this type of technology, is it considered wiretapping?” Maguire responded, “To be honest with you, Senator Anderson, as far as I know, laws with regard to state, federal, and Fourth Amendment are followed.” Committee Chair Senator Hannah-Beth Jackson noted, “That’s sort of not exactly an answer. So do you have an answer to that?” However, it was Rosenberg who responded, noting that law enforcement frequently seeks an order for a pen register, which is technology for landline telephones that judges understand. Orders for pen registers also have the advantage of not requiring probable cause – they only require that the information likely to be obtained is relevant to an ongoing criminal investigation.

Towards the end of the hearing, Senators Mark Leno and Joel Leno both requested to be added as co-authors to the bill, which was passed unanimously.

Click here for the audio of the SB 741 hearing – a total of 12 minutes and 30 seconds.

May 042015
 

Previously, the Ventura County Sheriff released a heavily redacted non-disclosure agreement with the FBI and similarly redacted terms and conditions from Harris Corporation (See http://www.cehrp.org/ventura-county-sheriff-has-a-stingray/).

Today, I received the following responses to my appeal: