What are StingRays and how do they work?

Our phones have revolutionized our lives. Over 80% of Americans have a smartphone, and we use them for a thousand different things: communicating with friends and family, documenting our lives, finding our way, and reminding us of important events. They’re as private as personal diaries—and like one, contain a true treasure trove of personal information. Many of us assume that if we put a passcode on our phone, the information stored on it is “secure.” But that isn’t necessarily true, and there’s a police surveillance technology that proves that.

The specific surveillance devices we’re referring to are called IMSI-catchers, commonly known as StingRays. These are a type of surveillance tech that can gather information about us through our phones—without us even knowing it.

StingRays were initially developed for military and intelligence use, but since at least 1995, devices with these capabilities have been marketed to and have become popular with domestic law enforcement agencies. StingRay-type devices operate in two different ways: passive and active.[i]

Passive IMSI-catchers work by “catching” (and eventually releasing) signals from your cell phone as they’re being sent to a cell tower.[ii]

Active IMSI-catchers work by simulating a cell tower. These are often called Cell-Site Simulators. This works by taking advantage of the way cell phones are designed: cell phones automatically connect to the cell tower with the strongest signal in order to give you the best connection possible, so active IMSI-catchers put out a signal that is stronger than other cell towers in the area, tricking your phone into connecting to it.[iii]

StingRay-type devices collect a wide variety of data from your cellphone. All StingRay-type devices can be used to collect your ESN and IMSI numbers, numbers that are personally identifiable and can be traced back to your phone. StingRay-type devices are also often used to collect your location data. Certain types of IMSI-catchers can also collect unencrypted information such as websites you visit, calls, messages, and metadata such as when a call was made and how long it lasted. Some devices related to StingRays can even go a step further, and are able to perform denial of service attacks and eavesdrop on phone conversations.[iv] There are some concerns that StingRay-type devices can be used to inject malware into a target phone. In January 2020, journalists in Morocco suspected they had been targeted by a network injection attack carried out via an IMSI-catcher with this capability.[v]

It’s a common misconception that StingRays are large and require some sort of satellite-outfitted van. StingRays and their related devices are actually quite small and portable.[vi] They are commonly mounted in vehicles but can also be concealed in a briefcase or even handheld. When handheld, they are sometimes called “KingFish.” More advanced IMSI-catchers are sometimes marketed under the name “Hailstorm.” They can be used from low-flying aircraft or, as miniaturization advances, even from drones.

Why should you be worried about StingRays?

Since the 90s, technologists have known that theoretically a device like a StingRay could exist, but they were first found to be used by police departments in a case involving Daniel Rigmaiden.[vii] Rigmaiden, who went by multiple aliases and was ruthless about privacy, had caught the attention of Baltimore PD after being suspected of committing fraud. Rigmaiden noticed that the search warrant for his apartment did not mention how law enforcement had come to know his identity. Research led Rigmaiden to uncovering Baltimore PD’s use of a StingRay to track him down, leading to one of the first pieces of journalism revealing to the public the widespread, constitutionally questionable use of StingRay devices.[viii]

While police departments cite counter-terrorism as justification for their purchases of StingRays and other IMSI-catchers, law enforcement commonly use
StingRays in order to solve minor crimes. Reporting out of Baltimore shows that cops have used StingRays in thousands of cases, using the devices more than 4,300 times over an eight-year period.[ix] Documents published by the ACLU show that police in Florida most commonly used StingRays for solving minor crimes; this means that police may be actively violating bystanders’ constitutional rights in order to solve petty crimes such as theft.[x]

StingRays are commonly discussed in relation to surveillance tech that is used on protesters. While there is not yet conclusive evidence that this happens, it is highly probable. In 2014, protesters in Chicago noticed their phones were not working properly when a police vehicle suspected of being outfitted with a StingRay was nearby.[xi] Contemporaneous police communications appeared to show their local fusion center was tracking cellphones within that same protest. While there are similar reports from protests across the country, their use on protesters has not yet been conclusively proven.[xii]

One reason we do not have conclusive evidence that StingRays are used on protesters is because it is almost impossible to prove their involvement without discovery materials relating to an actual criminal case—for example, a warrant referring to a StingRay being used. While it is likely, it’s important to keep in mind that network disruptions caused by a StingRay can look quite similar to a non-StingRay network disruption.

“Baltimore...cops have used StingRays in thousands of cases, using the devices more than 4,300 times over an eight-year period.”

While a warrant may offer some evidence that a StingRay has been used, police departments often conceal their usage of these devices through vague and euphemistic language when applying for a warrant—as seen in the Rigmaiden case. A police department in Florida admitted in emails to having used parallel construction in order to conceal that they had been using a StingRay-type device to gather evidence on a suspect.[xiii] This is because often the manufacturers of StingRay-type devices—and sometimes even the FBI—require police departments to sign non-disclosure agreements in order to purchase and use StingRays. Federal law enforcement will often push for dismissal of cases if it becomes clear that going through with the case will reveal specifics about how IMSI-catchers are used and operate.[xiv]

There have also been cases of ICE using StingRays to track down undocumented immigrants in order to arrest, imprison, and eventually deport them.[xv] As an additional barrier, ICE often doesn’t disclose usage of this technology, which cloaks the use of IMSI-catchers in even more secrecy, interferes with the legal process, and prevents public oversight of these cases.[xvi] Advocates have decried the use of StingRays in immigration cases as “excessive.”

One major protest-related Fourth Amendment concern regarding StingRays is that, while law enforcement may be using it to target one individual’s phone, they will inevitably be sweeping up large numbers of bystanders’ data. Theoretically, police could then exploit that swept up data to find evidence of other suspicious activity. StingRays’ access of cell site location information and other phone data in real-time also has Fourth Amendment implications.

In Carpenter v. United States, the Supreme Court declared that, when it comes to cell phone location data, “the Government’s obligation is a familiar one—get a warrant.” Regardless of this, the state of laws regarding StingRays is in flux. In 2015, the Attorney-General issued guidance that federal law enforcement agents would have to obtain a search warrant based on probable cause before using a StingRay, instead of the common prior practice of using “pen register” or “trap and trace” orders that do not require probable cause. Federal courts, beginning in 2016, have started to exclude the use of StingRay-derived evidence, but it is still common for state and local police to not specify on their warrant applications that a StingRay will be used, resulting in judges approving warrants without a full appreciation of what will be searched or seized.[xvii] Consequently, state legislatures still need to pass
laws requiring warrant protections, and the Attorney-General’s guidelines need to be backed by a federal statute.

What can be done about StingRay devices?

Theoretically, one can create a device that can “sniff out” IMSI-catchers. In order to create a device to find IMSI-catchers, you would need hardware like a BladeRF and open source code maintained by the EFF called “Crocodile Hunter.”[xviii] This tech can theoretically detect when a Hailstorm device (a more advanced form of IMSI-catcher) is being used on a cellphone by analyzing data that the phone reports about the cell tower (primarily the location of the cell tower or Hailstorm device) and comparing it against known data, like maps of legitimate cell towers.

There are also efforts to pass legislation regulating the use of StingRay-type devices. Restore the Fourth has been involved in a few efforts to get such legislation passed, both local and national. Some examples of regulation include requiring law enforcement to get a warrant that specifically mentions StingRay usage before deploying them.

What has Restore the Fourth done to rein in StingRays?

We support the passing of local ordinances that increase public oversight of surveillance technology, including StingRay devices. Restore the Fourth has been a vital part of efforts to pass CCOPS and other surveillance oversight legislation in a variety of localities, including Boston. Restore The Fourth – Boston and RI-Rights have supported efforts in their state legislatures to require warrants before state and local law enforcement can deploy StingRays.

Restore the Fourth is currently involved in a bipartisan effort to get a national bill regulating StingRay use passed in Congress with the help of Representative Ted Lieu and Senator Ron Wyden with Senator Steve Daines and Representative Tom McClintock. This bill requires warrants for law enforcement use of StingRay devices, and would require those warrants specifically mention StingRay usage—instead of the current common practice of vague warrants euphemistically alluding to the usage of technological devices to gather evidence. This also requires that any StingRay use be disclosed to the defendants in a criminal case, an issue we’ve seen repeatedly come up with StingRay usage to gather evidence on a defendant (see, again, the Daniel Rigmaiden case). It also limits information that law enforcement are allowed to collect with StingRay devices to just identifying information, and gives a public right of action to any individual affected by unlawful StingRay usage.

You can read the full bill text here.[xix]
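The tower-map comparison described under “What can be done about StingRay devices?” can be sketched as follows. This is an added example, not EFF’s Crocodile Hunter code: the field names, the 1 km tolerance, and the sample towers and observations are all constructed assumptions.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Cell:
    mcc: int    # mobile country code
    mnc: int    # mobile network code
    cid: int    # cell identity broadcast by the tower
    lat: float  # tower position (reference map) or estimated position (observation)
    lon: float

    @property
    def key(self):
        return (self.mcc, self.mnc, self.cid)

def distance_km(a, b):
    """Great-circle (haversine) distance between two cells' coordinates."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi, dlmb = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def classify(observed, known, max_drift_km=1.0):
    """Compare one observed cell against the map of legitimate towers."""
    ref = known.get(observed.key)
    if ref is None:
        return "unknown-cell"        # identity is not on the reference map
    if distance_km(observed, ref) > max_drift_km:
        return "location-mismatch"   # known identity seen far from its mapped site
    return "ok"

# Constructed reference map and observations (hypothetical values).
KNOWN = {c.key: c for c in [
    Cell(310, 410, 1001, 42.3601, -71.0589),
    Cell(310, 410, 1002, 42.3655, -71.0540),
]}
OBSERVED = [
    Cell(310, 410, 1001, 42.3603, -71.0591),  # within tolerance of the map
    Cell(310, 410, 1002, 42.3400, -71.1000),  # known identity, several km away
    Cell(310, 410, 9999, 42.3610, -71.0580),  # identity absent from the map
]

def scan(observed=OBSERVED, known=KNOWN):
    """Return (cell id, verdict) for every observation."""
    return [(c.cid, classify(c, known)) for c in observed]

if __name__ == "__main__":
    for cid, verdict in scan():
        print(cid, verdict)
```

A flagged cell is an indicator to investigate rather than proof of an IMSI-catcher, since reference maps can be incomplete and position estimates are imprecise.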
[i] https://epic.org/documents/epic-v-fbi-stingray-cell-site-simulator/
[ii] https://www.eff.org/pages/cell-site-simulatorsimsi-catchers
[iii] https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2440982
[iv] https://arstechnica.com/tech-policy/2013/09/meet-the-machines-that-steal-your-phones-data/
[v] https://www.amnesty.org/en/latest/research/2020/06/moroccan-journalist-targeted-with-network-injection-attacks-using-nso-groups-tools/
[vi] https://arstechnica.com/tech-policy/2013/09/meet-the-machines-that-steal-your-phones-data/2/
[vii] https://www.theverge.com/2016/1/13/10758380/stingray-surveillance-device-daniel-rigmaiden-case
[viii] https://www.wsj.com/articles/SB10001424053111904194604576583112723197574
[ix] https://www.baltimoresun.com/maryland/baltimore-city/bs-md-ci-stingray-case-20150408-story.html
[x] https://www.documentcloud.org/home
[xi] https://www.cbsnews.com/chicago/news/activists-say-chicago-police-used-stingray-eavesdropping-technology-during-protests/
[xii] https://restorethe4th.com/issues/fusion_centers/
[xiii] https://cdn.arstechnica.net/wpcontent/uploads/2014/06/ACLU-Florida-Stingray-Police-Emails.pdf
[xiv] https://www.theguardian.com/us-news/2015/apr/10/stingray-spying-fbi-phone-dragnet-police
[xv] https://www.detroitnews.com/story/news/local/detroit-city/2017/05/18/cell-snooping-fbi-immigrant/101859616/
[xvi] https://www.univision.com/local/nueva-york-wxtv/ice-in-new-york-has-a-spy-tool-to-hunt-undocumented-immigrants-via-their-cell-phones
[xvii] https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2911844
[xviii] https://github.com/EFForg/crocodilehunter
[xix] https://www.wyden.senate.gov/imo/media/doc/Cell%20Site%20Simulator%20Warrant%20Act%20of%202021%20Bill%20Text.pdf