EPIC v. FBI - Stingray / Cell Site Simulator

Top News

  • Special Counsel: Russian Intelligence Stole Data on 500,000 Voters: Russian intelligence officers hacked the website of a political organization in 2016 and stole personal data on more than 500,000 voters, according to a new indictment from the Special Counsel's Office. The stolen data included "names, addresses, partial social security numbers, dates of birth and driver's license numbers." In January 2017, EPIC sued the FBI for information about the agency's failure to respond to foreign cyber attacks on the DNC and the RNC. EPIC eventually obtained the victim notification procedures that would have applied during the 2016 Presidential election, but which the FBI failed to follow. Almost 18 months have passed since the filing of EPIC v. FBI and the first criminal indictments. (Jul. 13, 2018)
  • Congress Asks Google, Apple About Smartphone Data Collection: Members of the House Energy and Commerce Committee have sent letters to Apple CEO Tim Cook and Alphabet CEO Larry Page seeking information about the data collection capabilities of smartphones. Prompted by recent privacy scandals, the representatives asked Google and Apple whether their devices track users' location even when location services are disabled or record users' private conversations without a "trigger" word. The issue of smartphones and privacy has generated widespread attention following the Supreme Court's landmark ruling in Carpenter v. U.S. that the Fourth Amendment protects location records generated by mobile phones. EPIC recently advised Congress to strengthen privacy protections for mobile location data in response to the Supreme Court's ruling. (Jul. 10, 2018)
  • After Carpenter Decision, EPIC Calls on Congress to Update Federal Wiretap Law: In advance of a hearing on "Bolstering Data Privacy and Mobile Security," EPIC has told the House Science Committee that Congress should apply a heightened "super warrant" standard to "StingRays," a technique for tracking cell phone users. After an EPIC FOIA lawsuit revealed that the FBI was using stingrays without a warrant, the Bureau changed its practices. EPIC filed amicus briefs in U.S. v. Jones and Carpenter v. U.S., two recent Supreme Court cases, arguing that a warrant is required to obtain location information. In a landmark ruling last week, the Supreme Court held that the Fourth Amendment protects location records generated by mobile phones. As a consequence, EPIC said, Congress should update federal privacy law. (Jun. 27, 2018)
  • D.C. Circuit Sets Date for Argument in EPIC v. IRS, FOIA Case for Trump's Tax Returns: The D.C. Circuit has scheduled oral argument in EPIC v. IRS, EPIC's Freedom of Information Act case to obtain public release of President Trump's tax returns. The Court will hear the case on Thursday, September 13, 2018. EPIC has argued that the IRS has the authority to disclose the President's returns to correct numerous misstatements of fact concerning his financial ties to Russia. For example, President Trump tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim "plainly contradicted by his own attorneys, family members, and business partners." As EPIC told the Court, "there has never been a more compelling FOIA request presented to the IRS." A broad majority of the American public favor the release of the President's tax returns. EPIC v. IRS is one of several FOIA cases EPIC is pursuing concerning Russian interference in the 2016 Presidential election, including EPIC v. FBI (response to Russian cyber attack) and EPIC v. DHS (election cybersecurity). (Jun. 19, 2018)
  • EPIC Urges Senate Judiciary to Examine FBI Response to Russian Cyber Attacks: EPIC has sent a statement to the Senate Judiciary Committee ahead of Monday's hearing "Examining the Inspector General’s First Report on Justice Department and FBI Actions in Advance of the 2016 Presidential Election." EPIC urged the Committee to explore the FBI's ability to respond to future cyberattacks. According to documents obtained by EPIC, the FBI is to notify victims of cyberattacks "even when it may interfere with another investigation or (intelligence) operation." But an AP investigation found that the FBI failed to notify hundreds of officials whose email was hacked during the 2016 election. EPIC obtained the FBI's Victim Notification Procedures through a Freedom of Information Act lawsuit, EPIC v. FBI. Last month, a federal court ruled that the agency may withhold records still sought by EPIC but said that lawmakers should pursue threats to democratic institutions described in the EPIC lawsuit. (Jun. 15, 2018)
  • EPIC Sues to Obtain Privacy Impact Assessment for DHS Journalist Database: EPIC has filed a Freedom of Information Act lawsuit to obtain a Privacy Impact Assessment for "Media Monitoring Services," a controversial new database proposed by the Department of Homeland Security. In April, the DHS announced a system to track journalists and "media influencers" and to monitor hundreds of thousands of news outlets and social media accounts. Although the system is designed to monitor journalists, the federal agency failed to conduct a Privacy Impact Assessment as required by law. EPIC submitted a request for the Assessment, but the agency did not respond. EPIC has successfully obtained several Privacy Impact Assessments, including for a related media tracking system (EPIC v. DHS) and for facial recognition technology (EPIC v. FBI). In EPIC v. Presidential Election Commission, EPIC challenged the Commission's failure to publish a Privacy Impact Assessment prior to collection of state voter data. (May 31, 2018)
  • U.S. House Report Finds FBI Cyberattack Victim Notification Inadequate: The House Permanent Select Committee on Intelligence has published a redacted version of its report on Russian interference with the 2016 Presidential Election. The report concludes that Russia did conduct cyberattacks on U.S. political institutions in 2015 and 2016. It also found that the FBI's "notification to numerous Russian hacking victims was largely inadequate." The report recommends that the FBI improve cyberattack victim notification. In a Freedom of Information Act lawsuit EPIC v. FBI, EPIC obtained the FBI notification procedures that would have applied during the 2016 Presidential election. The documents state that "[b]ecause timely victim notification has the potential to completely mitigate ongoing and future intrusions and can mitigate the damage of past attacks while increasing the potential for the collection of actionable intelligence, CyD's policy regarding victim notification is designed to strongly favor victim notification." However, the FBI did not follow this procedure following cyber attacks on the DNC and RNC during the 2016 Presidential Election. The Committee also recommended measures to strengthen U.S. election systems, such as paper ballots, protection of voter registration systems, and funding for risk assessment of state election agency computer systems. In early 2017, EPIC launched the Project on Democracy and Cybersecurity. (Apr. 30, 2018)
  • Senator Feinstein Calls for Transparency on Russian Election Interference: At a Senate Intelligence Committee hearing on Election Security this week, Senator Dianne Feinstein said "America is the victim and America has to know what's wrong. And if there are states that have been attacked, America should know that." In a Freedom of Information Act lawsuit EPIC v. FBI, EPIC obtained the FBI notification procedures that would have applied during the 2016 Presidential election. The documents state that "[b]ecause timely victim notification has the potential to completely mitigate ongoing and future intrusions and can mitigate the damage of past attacks while increasing the potential for the collection of actionable intelligence, CyD's policy regarding victim notification is designed to strongly favor victim notification." However, the FBI did not follow this procedure following cyber attacks on the DNC and RNC during the 2016 Presidential Election. In early 2017, EPIC launched the Project on Democracy and Cybersecurity. EPIC is currently pursuing several additional FOIA cases concerning Russian interference with the 2016 election: EPIC v. ODNI (Russian hacking), EPIC v. IRS (release of Trump's tax returns), and EPIC v. DHS (election cybersecurity). (Mar. 22, 2018)
  • EPIC to Senate Intelligence: Ask NSA Director Nominee About Russian Election Interference: In advance of the hearing on the nomination of Lieutenant General Paul M. Nakasone to be the Director of the National Security Agency, EPIC has sent a statement to the Senate Intelligence Committee. EPIC urged the Committee to ask the nominee whether he agrees with the January 2017 assessment of the Intelligence Community that the Russians interfered with the 2016 Presidential election and whether he believes that the United States has taken sufficient steps to prevent Russian meddling in the mid-term elections. In the latest FOIA gallery, EPIC highlighted four new EPIC FOIA lawsuits to uncover details of the Russian interference in the 2016 Presidential election. One of EPIC's FOIA cases, EPIC v. FBI, revealed that the Bureau failed to warn the DNC and the RNC that they were targeted by a Russian cyber attack. (Mar. 14, 2018)
  • EPIC v. IRS: EPIC Urges D.C. Circuit to Green-Light Release of President Trump's Tax Returns: EPIC has filed the opening brief in its case to obtain President Trump's tax returns. EPIC told the D.C. Circuit Court of Appeals that the IRS has the authority to disclose the President's returns to correct numerous misstatements of fact concerning his financial ties to Russia. For example, President Trump tweeted that "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING"—a claim "plainly contradicted by his own attorneys, family members, and business partners." A Quinnipiac poll released today confirms that the public overwhelmingly supports (67%) the release of the President's returns. As EPIC told the Court, "there has never been a more compelling FOIA request presented to the IRS." EPIC v. IRS is one of several FOIA cases EPIC is pursuing concerning Russian interference in the 2016 Presidential election, including EPIC v. ODNI (scope of Russian interference), EPIC v. FBI (response to Russian cyber attack), and EPIC v. DHS (election cybersecurity). Press Release. (Feb. 22, 2018)

Background

A StingRay is a device that can triangulate the source of a cellular signal by acting "like a fake cell phone tower" and measuring the signal strength of an identified device from several locations. With StingRays and other similar "cell site simulator" technologies, Government investigators and private individuals can locate, interfere with, and even intercept communications from cell phones and other wireless devices. The Federal Bureau of Investigation ("FBI") has used such cell site simulator technology to track and locate phones and users since at least 1995. Recently, federal investigators used a similar device to track down a suspect in an electronic tax fraud ring. This case, United States v. Rigmaiden, No. 08-814, 2012 WL 1038817 (D. Ariz. Mar. 28, 2012), has brought the use of this cell phone surveillance technology under public scrutiny, as the Government attempts to shield the methods from discovery. See Order, id. As the Government's own documents make clear, the use of cell site simulator technology implicates not only the privacy of the targets in federal investigations but also affects other innocent users in the vicinity of the technology.

On July 23, 2008, Daniel David Rigmaiden was indicted on various counts of conspiracy, wire fraud, and identity theft by U.S. Attorneys in Phoenix, Arizona. United States v. Rigmaiden, No. 08-814-PHX-DGC, 2010 WL 3463723 (D. Ariz. Aug. 27, 2010). Since his indictment, Defendant Rigmaiden has submitted various discovery motions seeking information about the investigatory techniques used to locate him. See Rigmaiden, 2010 WL 1039917. The Government opposed Defendant Rigmaiden's request for disclosure of technical specifications and other details about the technology. The Government relied on the testimony of an FBI Supervisor, who described the device as a pen register/trap and trace device. Aff. Supervisory Special Agent Bradley S. Morrison at 1, United States v. Rigmaiden, No. 08-cr-00814 (D. Ariz. Oct. 27, 2011). However, Agent Morrison also made clear that all data is deleted after an operation because the devices may tend to pick up information "from all wireless devices in the immediate area of the FBI device that subscribe to a particular provider … including those of innocent, non-target devices." Id. at 3.

In an attempt to avoid disclosure of documents related to this technology, the Government was willing to concede that the "actions it took during the air card locating mission were sufficiently intrusive to constitute a search under the Fourth Amendment if Defendant has a reasonable expectation of privacy." Rigmaiden, 2010 WL 1039917. However, the Government is not willing to concede that Defendant did have a reasonable expectation of privacy in the location of his laptop aircard (in his apartment). Id. As a result of the Government's unwillingness to disclose documents related to this invasive cell site simulator technology that impacts the privacy of innocent communications, EPIC filed a Freedom of Information Act ("FOIA") request in February 2012.

EPIC's Freedom of Information Act Request and Subsequent Lawsuit

In February 2012, EPIC submitted a FOIA request to the FBI for:

  • All documents concerning technical specifications of the StingRay device or other cell site simulator technologies;
  • All documents concerning procedural requirements or guidelines for the use of StingRay device or other cell site simulator technologies (e.g. configuration, data retention, data deletion);
  • All contracts and statements of work that relate to StingRay device or other cell site simulator technologies;
  • All memoranda regarding the legal basis for the use of StingRay device or other cell site simulator technologies; and
  • All Privacy Impact Assessments or Reports concerning the use or capabilities of StingRay device or other cell site simulator technologies.

The FBI sent a letter confirming the receipt of EPIC's FOIA request on February 21, 2012. The FBI Records Management Division assigned it FOIPA Request No. 1182490-000.

Legal Documents

EPIC v. FBI
