A Stingray device (also known as an IMSI-catcher) is a fake cell phone tower used by police and other surveillance agencies to monitor suspect’s telephone and text conversations (plus grab all unique IMSI and IMEI identity codes within their approximately 10 sq km operational radius.)
Because it effectively mimics a legitimate cell phone tower, every mobile phone within the broadcast radius (and which uses the faked network(s)) will connect automatically to the device. This makes Stingray use extremely untargeted, exposing potentially very large numbers of innocent citizens to indiscriminate monitoring of their conversations.
Concern over Stingrays been growing in the United States as it becomes clear that not only is their use by the FBI and local police forces extremely common, but that the FBI is willing to go to quite extreme lengths to prevent details of this use coming to the public attention.
Although there have been occasional judicial attempts to reign-in their use, and the state of California is mulling legislation (CalECPA) that would place limits on their use, there seems little general will to curb the increasing deployment of Stingray devices and protect ordinary US citizens’ privacy rights.
Until now, confirmed use of Stingrays has been limited to the United States, but a new investigation by Sky News reveals that these devices are routinely deployed in London. So routinely, in fact, that ‘over three weeks, Sky News discovered more than 20 instances in London.’ Full data logs of Sky News’ finding are available here. As Eric King, deputy director of Privacy International, noted,
‘In an urban space, thousands of people’s mobile phones would be swept up in that dragnet. What they do with that data, we don’t know. We know police have been using them for years, but this is the first time that it’s been shown that they’re being deployed in the UK.’
It has been known since 2011 that London’s largest metropolitan police force (‘the Met’) purchased IMSI-catcher units from Leeds-based Datong plc, ‘which counts the US Secret Service, the Ministry of Defence and regimes in the Middle East among its customers.’ This is the first time, however, that actual deployment of the devices has been confirmed.
Despite numerous public freedom of information requests, the UK government has refused to release any details on Stingray use. Met commissioner Bernard Hogan-Howe, when directly confronted over the issue by Sky News, was keen to downplay the issue,
‘We’re not going to talk about it, because the only people who benefit are the other side, and I see no reason in giving away that sort of thing. If people imagine that we’ve got the resources to do as much intrusion as they worry about, I would reassure them that it’s impossible.’
Tim Johnston,’ a barrister who specialises in the law of surveillance at Brick Court Chambers’ observes that this reluctance to talk about Stingray use means that there is no meaningful framework for overseeing their deployment, or that thier use falls within the Regulation of Investigatory Powers Act (RIPA) stipulation that to intercept communications a warrant must be personally authorised by the home secretary and be both necessary and proportionate,
‘Because it’s neither confirmed nor denied, we simply don’t know on what basis they are being used – if they are being used. We don’t know how they’re being overseen. There are a whole suite of commissioners that oversee communications, that oversee surveillance, and because we don’t know the statutory basis that’s being relied on, as a consequence we don’t know who – if anyone – is overseeing that use.’