Another case of “We can, therefore we must?” (I have a new hammer, let’s find some nails!)
Report: ICE and the Secret Service Conducted Illegal Surveillance of Cell Phones
Mathew Guariglia of EFF writes:
The Department of Homeland Security’s Inspector General has released a troubling new report detailing how federal agencies like Immigration and Customs Enforcement (ICE), Homeland Security Investigations (HSI), and the Secret Service have conducted surveillance using cell-site simulators (CSS) without proper authorization and in violation of the law. Specifically, the office of the Inspector General found that these agencies did not adhere to federal privacy policy governing the use of CSS and failed to obtain special orders required before using these types of surveillance devices.
Even under exigent circumstances, where law enforcement use of technologies that track cell-phone use are deemed immediately necessary, law enforcement must still get a pen register order. The pen register order is required by statute and policy even though exigency otherwise excuses police from having to obtain a conventional warrant. The Inspector General noted that the agencies didn’t follow the rules in these cases either.
Cell-site simulators, also known as “Stingrays” or IMSI catchers, are devices that masquerade as legitimate cell-phone towers, tricking phones within a certain radius into connecting to the device rather than a tower.
Cell-site simulators operate by conducting a general search of all cell phones within the device’s radius, in violation of basic constitutional protections. Law enforcement use cell-site simulators to pinpoint the location of phones with greater accuracy than phone companies. Cell-site simulators can also log IMSI numbers (unique identifying numbers) of all of the mobile devices within a given area.
Unfortunately, the report redacts crucial information regarding the total number of times that each agency used CSS with and without a warrant, and when they used the devices to support external information. The OIG should release this information to the public: knowing the aggregate totals would not harm any active investigation, but rather inform public debate over the agencies’ reliance on this invasive technology. Make no mistake, cell-site simulators are mass surveillance that draws in the cell signal and collects data on every phone in the vicinity.
The fact that government agencies are using these devices without the utmost consideration for the privacy and rights of individuals around them is alarming but not surprising. The federal government, and in particular agencies like HSI and ICE, have a dubious and troubling relationship with overbroad collection of private data on individuals. In 2022 we learned that HSI and ICE had used overly-broad warrants to collect bulk financial records concerning people sending money across international borders through companies like Western Union. Mass surveillance of this kind is a massive violation of privacy and has elicited the concern of at least one U.S. senator hoping to probe into these tactics.
Most people carry cell phones on them at any given moment. EFF will continue to fight against careless government use of cell-site simulators, and we will continue to monitor federal agencies that rely on secrecy and a strategic ignorance of the law in order to wield powerful and overly broad surveillance powers and technologies.
This column was originally published at EFF.
In related coverage of the IG’s report, Zack Whittaker pulls out some specific examples of concerns, such as:
In one case highlighted by the inspector general, a county judge “did not understand” why prosecutors sought an emergency surveillance order because, not understanding the statute, the judge “believed it to be unnecessary,” leading to a raft of warrantless deployments.
Read more at TechCrunch.
Perspective.
https://krebsonsecurity.com/2023/03/highlights-from-the-new-u-s-cybersecurity-strategy/
Highlights from the New U.S. Cybersecurity Strategy
The Biden administration today issued its vision for beefing up the nation’s collective cybersecurity posture, including calls for legislation establishing liability for software products and services that are sold with little regard for security. The White House’s new national cybersecurity strategy also envisions a more active role by cloud providers and the U.S. military in disrupting cybercriminal infrastructure, and it names China as the single biggest cyber threat to U.S. interests.
(Related)
Software liability reform is liable to push us off a cliff
Like “SBOMs will solve everything,” there is a regular cry to reform software liability, specifically in the case of products with insecurities and vulnerabilities. US Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly’s comments this week brought the topic back into focus, but it’s still a thorny issue. (There’s a reason certain things are called “wicked problems.”) The proposed remedy, taking up a full page of the Biden Administration’s National Cybersecurity Strategy, will cause more problems than it solves.
No comments:
Post a Comment