[cryptome] Re: FOIPA adventures

coderman coderman at gmail.com
Wed Jul 15 02:10:13 PDT 2015


two new for DOCSIS tech @FBI, @CIA:

"Any and all "DOCSIS" technology records, including cross-references
and indirect mentions, including records outside the investigation
main file. This is to include a search of each of the following record
stores and interfaces: the Central Records System (CRS), the Automated
Case Support system ("ACS") Investigative Case Management system
("ICM"), the Automated Case Support system ("ACS") Electronic Case
File ("ECF"), and the Automated Case Support system ("ACS") Universal
Index ("UNI"). I also request a search of "ELSUR", the database
containing electronic surveillance information, for any and all
records or activities related to "DOCSIS" or "DOCSIS intercept" or
"DOCSIS access" technology. In addition, please extend the search
criteria across any external storage media, including I-Drives,
S-Drives, or related technologies used during the course of
investigation involving Cable internet data services. DITU
experimental technologies or research also within scope of this
request. Please include processing notes, even if request is denied in
part. Please identify individuals responsible for any aspect of FOIA
processing in the processing notes, along with explanation of their
involvement if not typically assigned FOIA responsibilities for the
record systems above."
 - https://www.muckrock.com/foi/united-states-of-america-10/indocsis-19725/

"Any and all records, receipts, training, technology transfer
programs, research, evaluation technologies, or other materials
relevant to "DOCIS" cable communication technology. This is to include
"DOCSIS 1.0", "DOCSIS 2.0", "DOCSIS 3.0", and other relevant DOCSIS
protocols."
 - https://www.muckrock.com/foi/united-states-of-america-10/indocsisxfer-19726/



On 7/12/15, coderman <coderman at gmail.com> wrote:
> On 7/12/15, Douglas Rankine <douglasrankine2001 at yahoo.co.uk> wrote:
>> Are they giving reasons for the rejections?
>
> Glomar all around.  see also:
>
> "What Is the Big Secret Surrounding Stingray Surveillance?"
>  - http://www.scientificamerican.com/article/what-is-the-big-secret-surrounding-stingray-surveillance/
>
> ---
>
>  What Is the Big Secret Surrounding Stingray Surveillance?
>
> State and local law enforcement agencies across the U.S. are setting
> up fake cell towers to gather mobile data, but few will admit it
> By Larry Greenemeier | June 25, 2015
>
>
> Stung: Law enforcement agencies sometimes use a device called a
> stingray to simulate a cell phone tower, enabling them to gather
> international mobile subscriber identity (IMSI), location and other
> data from mobile phones connecting to them. Pictured here is an actual
> cell tower in Palatine, Ill.
>
>
> Given the amount of mobile phone traffic that cell phone towers
> transmit, it is no wonder law enforcement agencies target these
> devices as a rich source of data to aid their investigations. Standard
> procedure involves getting a court order to obtain phone records from
> a wireless carrier. When authorities cannot or do not want to go that
> route, they can set up a simulated cell phone tower—often called a
> stingray—that surreptitiously gathers information from the suspects in
> question as well as any other mobile device in the area.
>
> These simulated cell sites—which collect international mobile
> subscriber identity (IMSI), location and other data from mobile phones
> connecting to them—have become a source of controversy for a number of
> reasons. National and local law enforcement agencies closely guard
> details about the technology’s use, with much of what is known about
> stingrays revealed through court documents and other paperwork made
> public via Freedom of Information Act (FOIA) requests.
>
> One such document recently revealed that the Baltimore Police
> Department has used a cell site simulator 4,300 times since 2007 and
> signed a nondisclosure agreement with the FBI that instructed
> prosecutors to drop cases rather than reveal the department’s use of
> the stingray. Other records indicate law enforcement agencies have
> used the technology hundreds of times without a search warrant,
> instead relying on a much more generic court order known as a pen
> register and trap and trace order. Last year Harris Corp., the
> Melbourne, Fla., company that makes the majority of cell site
> simulators, went so far as to petition the Federal Communications
> Commission to block a FOIA request for user manuals for some of the
> company’s products.
>
> The secretive nature of stingray use has begun to backfire on law
> enforcement, however, with states beginning to pass laws that require
> police to obtain a warrant before they can set up a fake cell phone
> tower for surveillance. Virginia, Minnesota, Utah and Washington State
> now have laws regulating stingray use, with California and Texas
> considering similar measures. Proposed federal legislation to prevent
> the government from tracking people’s cell phone or GPS location
> without a warrant could also include stingray technology.
>
> Scientific American recently spoke with Brian Owsley, an assistant
> professor of law at the University of North Texas Dallas College of
> Law, about the legal issues and privacy implications surrounding the
> use of a stingray to indiscriminately collect mobile phone data. Given
> the invasive nature of the technology and scarcity of laws governing
> its use, Owsley, a former U.S. magistrate judge in Texas, says the
> lack of reliable information documenting the technology’s use is
> particularly troubling.
>
>
> [An edited transcript of the interview follows.]
>
> When and why did law enforcement agencies begin using international
> cell site simulators to intercept mobile phone traffic and track
> movement of mobile phone users?
>
> Initially, intelligence agencies—CIA and the like—couldn’t get local
> or national telecommunications companies in other countries to
> cooperate with U.S. surveillance operations against nationals in those
> countries. To fill that void companies like the Harris Corp. started
> creating cell site simulators for these agencies to use. Once Harris
> saturated the intelligence and military markets [with] their products,
> they turned to federal agencies operating in the U.S. So the [Drug
> Enforcement Administration], Homeland Security, FBI and others started
> having their own simulated cell sites to use for surveillance.
> Eventually this trickled down further to yet another untapped market:
> state and local law enforcement. That’s where we are today in terms of
> the proliferation of this technology.
>
>
> Under what circumstances do U.S. law enforcement agencies use cell
> site simulators and related technology?
>
> There are three examples of how law enforcement typically use
> stingrays for surveillance: First, law enforcement officials may use
> the cell site simulator with the known cell phone number of a targeted
> individual in order to determine that individual's location. For
> example, officials are searching for a fugitive and have a cell phone
> number that they believe the individual is using. They may operate a
> stingray near areas where they believe that the individual may be,
> such as a relative's home.
>
> Second, law enforcement officials may use the stingray to target a
> specific individual who is using a cell phone, but these officials do
> not know the cell phone number. They follow the targeted individual
> from a site to various other locations over a certain time period. At
> each new location, they activate the stingray and capture the cell
> phone data for all of the nearby cell phones. After they have captured
> the data at a number of sites they can analyze the data to determine
> the cell phone or cell phones used by the targeted individual. This
> approach captures the data of all nearby cell phones, including
> countless cell phones of individuals unrelated to the criminal
> investigation.
>
> Third, law enforcement officials have been known to operate stingray
> at political rallies and protests. Using the stingray at these types
> of events captures the cell phone data of everyone in attendance.
>
>
> How does law enforcement get permission to perform this type of
> surveillance?
>
> Federal law enforcement agencies typically get courts to approve use
> of something like stingray through a pen register application [a pen
> register is a device that records the numbers called from a particular
> phone line]. With that type of application, essentially the government
> says, we want this information. We think it’s going to be relevant to
> an ongoing criminal investigation. As you can imagine, that’s a pretty
> low bar for them to satisfy in the eyes of the court. Just about
> anything could fit into that description. You don’t even have to show
> that such an investigation would lead to an arrest or prosecution. Law
> enforcement is telling the court, look, we’re in the middle of this
> investigation. If we get this information, we think it might lead to
> some other important information.
>
> Different court orders have different standards for approval. The
> highest standard would be for a wiretap. A search warrant likewise has
> a much higher standard than a pen register, requiring law enforcement
> to prove probable cause before a judge will grant permission to use
> additional means of investigation. The problem that I have with a pen
> register to justify use of something like a stingray is that the
> standard for a pen register is much too low, given the invasive nature
> of a pen register. Instead, I think the use of a stingray should be
> consistent with the Fourth Amendment of the Constitution and pursuant
> to a search warrant.
>
>
> Why not explicitly state the type of technology being used and its
> specific purpose when filing for a court order?
>
> [When] law enforcement agencies seek to obtain judicial authorization
> through a pen register, they do not directly indicate that they are
> applying for authorization to use a stingray. Doing so might cause
> some courts to question whether the pen register statute [as opposed
> to some higher standard] is the appropriate basis for authorizing a
> stingray. In addition, law enforcement agencies typically have to sign
> nondisclosure agreements with Harris Corp. in order to receive the
> federal Homeland Security funding needed to purchase the technology.
> So there’s this concern, at least at the local law enforcement level,
> about revealing any information about it because that would violate
> the agreement with Harris and maybe subject them to losing the
> equipment or some other consequences.
>
>
> Why would law enforcement agencies sign a nondisclosure agreement with
> a technology company?
>
> I’m not sure whether the agreements are being driven by the FBI or by
> Harris, but these agreements seem to be getting less relevant insofar
> as [there is less] need to keep the public unaware of the existence of
> this technology. In the last three or so years there’s been a lot more
> awareness about the technology and its use. When agencies were first
> signing these agreements years ago, use of this technology wasn’t
> widely known. Now you are getting situations where criminal defense
> attorneys learn about stingray and similar technologies and the role
> they may be playing in the arrests of some of their clients. Defense
> teams are starting to ask questions and require the government to
> produce documentation such as court orders, and that’s creating the
> confrontation you’re now seeing.
>
>
> Why have law enforcement agencies kept their use of cell site
> simulators so secretive?
>
> Some of it is the cloudy legal issues surrounding the legitimate uses
> of this technology. Law enforcement agencies will also argue that the
> more information that’s available about this technology, the harder it
> is for them to use these devices to fight crime. Yet there’s a growing
> knowledge of this technology, and a serious criminal enterprise is
> already aware of it. People are already using prepaid disposable
> phones [sometimes referred to as “burner phones”] to some extent to
> defeat this technology. Sophisticated criminals are aware that there’s
> electronic surveillance out there in myriad ways, and so they’re going
> to take precautions. From a technology perspective, it’s sort of a
> cat-and-mouse game. There’s also a device that locates cell site
> simulators, something referred to as an IMSI catcher. There’s an arms
> race back and forth to get the best technology and to get the edge.
>
>
> What does it say to you about the whole process that a prosecutor or a
> law enforcement agency is willing to sacrifice a conviction in order
> to keep their methods a secret?
>
> I think it’s a very odd approach. You are throwing away some
> convictions or potential convictions for the sake of secrecy. But it’s
> even harder to understand now that knowledge of the technology is
> becoming so common. There have been documented cases in Baltimore and
> Saint Louis where stingray has supposedly been used. The use of
> stingray and related technologies is a roll of the dice in the sense
> that law enforcement is hoping that either the defense attorneys don’t
> have enough savvy or wherewithal to find out about the technology and
> ask the right questions or, even if that does happen, they’re hoping
> that the judge that they have is favorable to their approach and not
> going to order them to reveal information about its use. In the rare
> occasions when things go against them, they just dismiss it.
>
>
> You yourself denied a law enforcement application three years ago to
> use a stingray. Under what circumstances would you approve its use?
>
> I want to make clear: I don’t have a problem with stingray itself—I
> understand that this can be a valuable tool in law enforcement’s
> arsenal. My problem is that I want it to be used pursuant to a high
> standard of proof that it’s needed, and that I want the approval
> process to be more transparent. One of the reasons I’d like to see
> some more documentation of stingray applications and orders is because
> I have this suspicion—but there’s no way of confirming it one way or
> another—that some judges are signing approvals to use this technology
> thinking that they’re just signing a pen register. If a judge thinks
> it’s [just] another pen register application, they’re just going to
> sign it without giving it much pause.
>
>
> Now that the use of stingrays and related technologies has been
> made public, where will this issue be a year or a few years from now?
>
> A year from now I think we’re in the same position. You’re dealing
> with outdated statutes concerning new and very different technology.
> It’s possible in five years maybe that Congress will step in and do
> something. More likely, state legislatures will take most of the
> action to monitor this type of surveillance. Washington State,
> California [and others] have already acted, and Texas is evaluating
> the standards for approving stingray use.
>



