Generally speaking, the FBI is a very secretive agency, as can be readily gleaned from its tendency to answer FOIA requests with page after page of fully-redacted documents. That it has managed to rope so many law enforcement agencies — including prosecutors and states’ attorneys’ offices — into highly-restrictive non-disclosure agreements is somewhat of a surprise, considering its position as a partner in law enforcement, rather than an overseer of local agencies like the DOJ.
These NDAs keep almost all information about Stingray device usage out of our nation’s courts. The desire to protect these specifics is all-encompassing, resulting in prosecutors and police departments cutting suspects loose (including those who have already pled guilty) rather than allowing information to make its way into the public domain.
But there could be more to it than just a naturally-secretive agency being secretive. It may be that it fears law enforcement agencies — if left to their own devices — will destroy the effectiveness of IMSI catchers by deploying the devices too often and with too little care.
In a discussion about the NSA’s use of exploits, the following observations were made.
FBI operations can be opaque because of the care they take with parallel construction; the Lavabit case was maybe an example. It could have been easy to steal the key, but then how would the intercepted content have been used in court? In practice, there are tons of convictions made on the basis of cargo manifests, travel plans, calendars and other such plaintext data about which a suitable story can be told. The FBI considers it to be good practice to just grab all traffic data and memorialise it forever.
The NSA is even more cautious than the FBI, and won’t use top exploits against clueful targets unless it really matters. Intelligence services are at least aware of the risk of losing a capability, unlike vanilla law enforcement, who once they have a tool will use it against absolutely everybody.
IMSI catchers are “top exploits.” While there’s plenty of information out there on its capabilities, very little of it has been confirmed by the FBI or other law enforcement agencies. What makes the “exploit” better is that almost every deployment has been successfully hidden… from everyone. Parallel construction, abuse of pen register orders, dismissal of cases — all of it works together to keep actual usage details out of the public’s hands.
Because of this, there’s very little anyone can do to avoid being swept up by Stingray devices other than avoid using cell phones. Most criminal enterprises require communication and cell phones are the cheapiest, easiest way to maintain contact. While spoofers can be sussed out with tools and apps, it requires the sort of proactive effort that often isn’t present — or practical — in many criminal ventures. Yeah, you can sweep a hotel room for bugs, but you can’t stop anyone from parking nearby and hoovering up call data and communications.
If this assessment is accurate, the FBI may be applying this intense pressure simply to prevent “vanilla” law enforcement agencies from using Stingrays as often and as carelessly as possible. Every deployment increases the risk of exposure. Tying cop shops up in NDA strings keeps dissemination to a minimum and encourages at least some form of risk analysis before deployment. It’s the FBI saving law enforcement agencies from themselves, and protecting itself and its tool of choice at the same time.
[Or not. The Baltimore PD deploys its Stingrays around 600 times a year, so there are exceptions to this theory… or some agencies simply just don’t care whether the effectiveness of this “exploit” suffers from diminishing returns.
And definitely click through to read the entire piece by Ross Anderson. It also discusses how intelligence agencies work around crypto they can’t crack — very germane to the discussion of the FBI’s current decrypt-or-else complaints.]