Focusing public attention on emerging privacy and civil liberties issues

EPIC v. FBI - Stingray / Cell Site Simulator

Top News

  • FBI Says Biometric Database has Reached "Full Operational Capability": The FBI announced that the Next Generation Identification system, one of the largest biometric databases in the world, has reached "full operational capability." In 2013, EPIC filed a Freedom of Information Act lawsuit about the NGI program. EPIC obtained documents that revealed an acceptance of a 20% error rate in facial recognition searches. Earlier this year, EPIC joined a coalition of civil liberties groups to urge the Attorney General Eric Holder to release an updated Privacy Impact Assessment for the NGI. The NGI is tied to "Rap Back," the FBI's ongoing investigation of civilians in trusted positions. EPIC also obtained FOIA documents revealing FBI agreements with state DMVs to run facial recognition searches, linked to NGI, on DMV databases. EPIC's recent Spotlight on Surveillance concluded that NGI has "far-reaching implications for personal privacy and the risks of mass surveillance." For more information, see EPIC: EPIC v. FBI - Next Generation identification. (Sep. 15, 2014)
  • EPIC Sues FBI for Missing Privacy Reports: EPIC has filed a Freedom of Information Act lawsuit to obtain details about the Federal Bureau of Investigation's surveillance programs. The agency is required to conduct privacy impact assessments when it collects and uses personal data. However, the Bureau has failed to publicly release privacy impact assessments for many of its programs, including facial recognition, drones, and license plate readers. According to the E-Government Act and Justice Department guidelines, all privacy assessments should be made public if practicable. EPIC, joined by a coalition of organizations, recently urged the Attorney General to immediately conduct a privacy assessment of the FBI's Next Generation Identification (NGI) program. The NGI program collects massive amounts of biometric data on U.S. citizens. For more information, see EPIC: EPIC v. FBI - Privacy Assessments. (Aug. 1, 2014)
  • EPIC FOIA - FBI Says 20% Error Rate Okay for Facial Recognition: EPIC's Freedom of Information Act lawsuit has produced new documents about "Next Generation Identification" and the FBI's plans for facial recognition. According to the document obtained by EPIC, "NGI shall return an incorrect candidate a maximum of 20% of the time." That number is much greater than expected. Earlier this year, EPIC received documents from the FBI regarding the use of facial recognition and state DMV photos. The FBI has still not updated a 2008 Privacy Impact Assessment on facial recognition technology despite telling Congress last year that a new assessment was planned. For more information, see EPIC: EPIC v. FBI - Next Generation Identification and EPIC: Face Recognition. (Oct. 4, 2013)
  • EPIC FOIA Documents Shed Light on Secret Cell Phone Tracking Team at FBI: In response to EPIC's Freedom of Information Act Lawsuit, the Federal Bureau of Investigation has released more than 400 pages of documents related to cell site simulator technology (commonly referred to as "Stingray"). This most recent release to EPIC includes training and promotional materials from a specialized unit within the FBI, the "Wireless Intercept & Tracking Team" that had previously been hidden from public view. According to the documents, the FBI's Tracking Team provides technical and financial support to a quickly expanding group of federal and local law enforcement agents trained to use the controversial surveillance tools. The documents reveal that the FBI believes it can use cell site simulators without a warrant, but so far only one federal court has considered the Fourth Amendment implications of these devices, including their interception of innocent users' data. For more information, see EPIC v. FBI (Stingray). (Oct. 4, 2013)
  • Court Permits Police Use of Phony Cell Phone Tower: A federal court in Arizona has denied a motion to suppress evidence gathered by "StingRay" surveillance technology. The court in United States v. Rigmaiden held that investigators did not violate the Fourth Amendment. The court also held that the government's use of a cell site simulator or StingRay device was supported by a "mobile tracking device" warrant. EPIC recently argued that users have a reasonable expectation of privacy in the location of their mobile devices, and has also received hundreds of pages of documents related to the FBI's use of StingRay technology. For more information, see EPIC v. FBI: StingRay and EPIC: State v. Earls. (May. 10, 2013)
  • EPIC Sues FBI to Obtain Details of Massive Biometric ID Database: EPIC has filed a Freedom of Information Act lawsuit against the FBI to obtain documents about "Next Generation Identification", a massive database with biometric identifiers on millions of Americans. The EPIC lawsuit follows the FBI's failure to respond to EPIC's earlier FOIA requests for technical specifications and contracts. According to EPIC's complaint, "When completed, the NGI system will be the largest biometric database in the world." NGI aggregates fingerprints, DNA profiles, iris scans, palm prints, voice identification profiles, photographs, and other identifying information. The FBI will use facial recognition to match images in the database against facial images obtained from CCTV and elsewhere. For more information, see EPIC v. FBI - Next Generation Identification, EPIC: Biometric Identifiers and EPIC: Face Recognition. (Apr. 8, 2013)
  • Court Rules for EPIC, Denies FBI Request for Delay in StingRay Case: A federal judge in Washington, DC today issued an Opinion denying the FBI's motion to delay the release of records sought under the Freedom of Information Act. The decision follows from a lawsuit filed by EPIC against the FBI for records about the agency's use of cell-site simulator technology, commonly referred to as "StingRay." These devices track cell phones and collect a vast amount of data from telephone customers. The Court found that the FBI was not facing the "exceptional circumstances" necessary to justify its proposed two-year delay. The Court ordered the agency to produce all records, except those subject to classification review, by August 1, 2013. For more information, see EPIC v. FBI - StingRay. (Mar. 28, 2013)
  • EPIC Obtains New Documents About FBI Cellphone Tracking Technology: In the fifth interim release of documents in EPIC v. FBI, a Freedom of Information Act lawsuit, the agency has turned over nearly 300 pages about the surveillance technique directed toward users of mobile phones. The documents obtained by EPIC reveal that agents have been using "cell site simulator" technologies, also known as "StingRay," "Triggerfish," or "Digital Analyzers" to monitor cell phones since 1995. Internal FBI e-mails, also obtained by EPIC, reveal that agents went through extensive training on these devices in 2007. In addition, a presentation from the agency's Wireless Intercept and Tracking Team argues that cell site simulators qualify for a low legal standard as a "pen register device," an interpretation that was recently rejected by a federal court in Texas. For more information, see EPIC v. FBI (StingRay). (Feb. 12, 2013)

Background

A StingRay is a device that can triangulate the source of a cellular signal by acting "like a fake cell phone tower" and measuring the signal strength of an identified device from several locations. With StingRays and other similar "cell site simulator" technologies, Government investigators and private individuals can locate, interfere with, and even intercept communications from cell phones and other wireless devices. The Federal Bureau of Investigation ("FBI") has used such cell site simulator technology to track and locate phones and users since at least 1995. Recently, federal investigators used a similar device to track down a suspect in an electronic tax fraud ring. This case, United States v. Rigmaiden, No 08-814, 2012 WL 1038817 (D. Ariz. Mar. 28, 2012), has brought the use of this cell phone surveillance technology under public scrutiny, as the Government attempts to shield the methods from discovery. See Order, id. As the Government's own documents make clear, the use of cell site simulator technology implicates not only the privacy of the targets in federal investigations, it also affects other innocent users in the vicinity of the technology.

On July 23, 2008 Daniel David Rigmaiden was indicted on various counts of conspiracy, wire fraud, and identity theft by U.S. Attorneys in Phoenix, Arizona. United States v. Rigmaiden, No. 08-814-PHX-DGC, 2010 WL 3463723 (D. Ariz. Aug. 27, 2010). Since his indictment, Defendant Rigmaiden has submitted various discovery motions seeking information about the investigatory techniques used to locate him. See Rigmaiden, 2010 WL 1039917. The Government opposed Defendant Rigmaiden's request for disclosure of techical specifications and other details about the technology. The Government relied on the testimony of an FBI Supervisor, who described the device as a pen register/trap and trace device. Aff. Supervisory Special Agent Bradley S. Morrison at 1, United States v. Rigmaiden, No. 08-cr-00814 (D. Ariz. Oct. 27, 2011). However, Agenty Morrison also made clear that all data is deleted after an operation because the devices may tend to pick up information “from all wireless devices in the immediate area of the FBI device that subscribe to a particular provider … including those of innocent, non-target devices.” Id. at 3.

In an attempt to avoid disclosure of documents related to this technology, the Government was willing to concede that the "actions it took during the air card locating mission were sufficiently intrusive to constitute a search under the Fourth Amendment if Defendant has a reasonable expectation of privacy." Rigmaiden, 2010 WL 1039917. However, the Government is not willing to concede that Defendant did have a reasonable expectation of privacy in the location of his laptop aircard (in his apartment). Id. As a result of the Government's unwillingness to disclose documents related to this invasive cell site simulator technology that impacts the privacy of innocent communications, EPIC filed a Freedom of Information Act ("FOIA") request in February 2012.

EPIC's Freedom of Information Act Request and Subsequent Lawsuit

In February 2012, EPIC submitted a FOIA request to FBI for:

  • All documents concerning technical specifications of the StingRay device or other cell site simulator technologies;
  • All documents concerning procedural requirements or guidelines for the use of StingRay device or other cell site simulator technologies (e.g. configuration, data retention, data deletion);
  • All contracts and statements of work that relate to StingRay device or other cell site simulator technologies;
  • All memoranda regarding the legal basis for the use of StingRay device or other cell site simulator technologies; and
  • All Privacy Impact Assessments or Reports concerning the use or capabilities of StingRay device or other cell site simulator technologies.

The FBI sent a letter confirming the receipt of EPIC's FOIA request on February 21, 2012. THe FBI Records Management Division assigned a FOIPA Request No: 1182490-000.

Legal Documents

EPIC v. FBI