How the Government Surveils Cellphones: A Primer

Here are all the ways the government can use your phone to watch you.

Institute for Money, Technology and Financial Inclusion / Flickr

Last week, the state of cellphone tracking became slightly more confusing. The U.S. Department of Justice announced that, except in emergency situations, federal agents would now seek warrants before using "Stingrays." Stingrays are devices that mimic cellphone towers and can pinpoint a phone’s physical location or record which number they’re calling.

For people who follow the issue closely, like the ACLU, the news was welcome if limited. But for many, it made the situation around cellphone surveillance even trickier than it was before. How many different ways can the government surveil cellphones? What can each method do? Here’s a primer.

If law enforcement wants to surveil your cellphone, they have two ways to do it. They can do it through a phone company; or they can do it directly, using a device like a Stingray.

Let’s talk about the first way. If the government goes through the phone company, they probably do it by seeking cell-site location information, or CSLI. CSLI is created whenever a cellphone talks to a cell tower: It’s a record of towers that a cellphone pinged, what direction the cellphone’s ping came from, and what time the ping came.

Police seek three different kinds of CSLI. The first is historical CSLI, when detectives ask for days, weeks, or months of this kind of location data from the past. This is an extremely common process: From January to June 2015, Verizon received more than 21,000 requests of this type. Right now, this kind of process doesn’t require a warrant in most jurisdictions. (The courts don’t completely agree on the law around this technology, though, so the Supreme Court could wind up weighing in on the issue soon.)

The second kind of CSLI is "prospective" or “real-time.” Law-enforcement agents might ask a mobile provider for a phone’s current location or its upcoming week of pings. They might also demand that the provider send a ping to the phone right now, generating its own record of CSLI. This type of search usually does require a warrant.

The third type of CSLI is called a "tower dump," and it works more like a dragnet. Authorities will ask a provider for all the CSLI from a tower or towers from a certain period, then comb through that looking for a common number. (They’d be investigating a question like: Which cellphone numbers were near this bank an hour before or after it was robbed?) Hanni Fakhoury, a senior staff attorney at the Electronic Frontier Foundation, told me there was very little case law on this kind of search, but that, in the one relevant court ruling he knew of, a warrant was not required.

With the second general method—surveilling a phone on their own—law enforcement appears to have fewer options. Officers might turn to a "Stingray"-like device: a physical antenna that pretends to be a cellphone tower and which can intercept a phone’s signals. Just by being nearby, Stingrays can pinpoint a phone’s physical location and even record the numbers it’s calling. Stingrays can’t access the content of a communication.

Last week, the U.S. Department of Justice announced new limits on the federal government’s use of Stingrays. Chief among these is that, except in "rare" emergency circumstances, the feds will now seek a warrant before turning on a Stingray.

These new rules, however, don’t apply to state or local law enforcement. That’s a big deal. The American Civil Liberties Union believes that agencies in at least 21 states have access to Stingrays, including city police departments in California, Texas, Florida, New York, and Illinois. And last month, USA Today revealed that municipal use of Stingrays in cities like Baltimore was much more common than previously believed. (Earlier this year, a city official had revealed that the department used its Stingray more than one and a half times per day since 2007.)

Stingrays are expensive, costing between $100,000 and $400,000. There’s an affordable solution, though: In August, The Wall Street Journal reported that local departments were instead buying a kind of mini-Stingray, called "Jugulars" or “Wolfhounds.” These smaller, handheld devices only go for around $6,500. They don’t work exactly like the Stingrays do—instead of actively spamming an area with a stronger signal, mimicking a cellphone tower, they listen in on signals the cellphone is already sending—but they have many of the same capabilities.

When used at the state or local level, neither Stingrays nor Wolfhounds require a warrant.

Part of the problem of laying out all the government’s options for surveillance is that the government keeps its tools close to the chest. For many years, local departments declined to release information about Stingrays—sometimes even withdrawing evidence from a trial—because of non-disclosure agreements they had signed with the FBI and the Harris Corporation, the technology’s manufacturer.

"Now, USA Today can run a big story on Stingrays and people can say, ‘oh yeah, we’ve been talking about this for two years,’ but [law enforcement has] actually been using it for ten," said Fakhoury.

There are a few other ways that law enforcement could learn a phone’s location, he said, though they’re considered more unusual. With a provider’s help (and a warrant), officers could remotely activate a phone’s GPS. They could even send malware to a device and get it to do "all sorts of crazy stuff," he said.

And the last surveillance method would circumvent both the mobile device and the mobile provider: Authorities could demand a certain user’s recent IP address from a website or social-media platform like Facebook or Google. Since wifi IP addresses can contain a user’s location or even street address, that would reveal someone’s location. The legal mechanism there, thankfully, is somewhat better established, and if the government came knocking on a tech company’s proverbial portal, they would probably do it with a warrant or a subpoena.