FOIA docs show feds can lojack mobiles without telco help

[Eugen Leitl]

http://arstechnica.com/news.ars/post/20081116-foia-docs-show-feds-can-lojack-mobiles-without-telco-help.html

FOIA docs show feds can lojack mobiles without telco help

By Julian Sanchez | Published: November 16, 2008 - 10:45PM CT

Courts in recent years have been raising the evidentiary bar law enforcement
agents must meet in order to obtain historical cell phone records that reveal
information about a target's location. But documents obtained by civil
liberties groups under a Freedom of Information Act request suggest that
"triggerfish" technology can be used to pinpoint cell phones without
involving cell phone providers at all.

Triggerfish, also known as cell-site simulators or digital analyzers, are
nothing new: the technology was used in the 1990s to hunt down renowned
hacker Kevin Mitnick. By posing as a cell tower, triggerfish trick nearby
cell phones into transmitting their serial numbers, phone numbers, and other
data to law enforcement. Most previous descriptions of the technology,
however, suggested that because of range limitations, triggerfish were only
useful for zeroing in on a phone's precise location once cooperative cell
providers had given a general location.

This summer, however, the American Civil Liberties Union and Electronic
Frontier Foundation sued the Justice Department, seeking documents related to
the FBI's cell-phone tracking practices. Since August, they've received a
stream of documentsbthe most recent batch on November 6bthat were posted on
the Internet last week. In a post on the progressive blog Daily Kos, ACLU
spokesperson Rachel Myers drew attention to language in several of those
documents implying that triggerfish have broader application than previously
believed.

As one of the documents intended to provide guidance for DOJ employees
explains, triggerfish can be deployed "without the user knowing about it, and
without involving the cell phone provider." That may be significant because
the legal rulings requiring law enforcement to meet a high "probable cause"
standard before acquiring cell location records have, thus far, pertained to
requests for information from providers, pursuant to statutes such as the
Communications Assistance for Law Enforcement Act (CALEA) and the Stored
Communications Act.

The Justice Department's electronic surveillance manual explicitly suggests
that triggerfish may be used to avoid restrictions in statutes like CALEA
that bar the use of pen register or trap-and-trace devicesbwhich allow
tracking of incoming and outgoing calls from a phone subject to much less
stringent evidentiary standardsbto gather location data. "By its very terms,"
according to the manual, "this prohibition applies only to information
collected by a provider and not to information collected directly by law
enforcement authorities.Thus, CALEA does not bar the use of pen/trap orders
to authorize the use of cell phone tracking devices used to locate targeted
cell phones." 

Perhaps surprisingly, it's only with the passage of the USA PATRIOT Act in
2001 that the government has needed any kind of court order to use
triggerfish. While previously, the statutory language governing pen register
or trap-and-trace orders did not appear to cover location tracking
technology. Under the updated definition, these explicitly include any
"device or process which records or decodes dialing, routing, addressing, and
signaling information."