Law enforcement and intelligence agencies in Canada won’t say whether they use covert tools called International Mobile Subscriber Identity (IMSI) catchers to track the location of mobile phones and devices – even as the extent of their use by U.S. government agencies is raising serious questions among civil libertarians.
The devices colloquially known as Stingrays – which is the trademarked name for a widely used model sold by Florida-based Harris Corp. – commonly work by masquerading as a legitimate cellular communications tower and tricking nearby devices into connecting and sharing your phone’s IMSI (a unique identifier tied to every mobile device), typically without the knowledge of device owners.
Once connected, an operator can collect identifying information on all connected devices in a geographic area, or home in on the location of a specific device. In certain circumstances, it can even intercept phone calls and text messages.
In the U.S., the American Civil Liberties Union has identified 43 agencies in 18 states that own Stingrays, including the FBI, NSA and DEA. Some agencies have attempted to hide their use of such technology from reporters and lawyers, going so far as to obscure references to IMSI catchers in court documents, for fear that criminals will learn how to evade such surveillance.
IMSI catchers are of particular concern to privacy groups because they capture data indiscriminately from all phones in a given area, many of which will not be the target of an investigation. It is also nearly impossible for most users, innocent or otherwise, to detect whether an IMSI catcher is being used.
The RCMP, in response to inquiries by journalists, has refused to confirm or deny whether Stingrays or other IMSI catchers have been used. RCMP spokesperson David Falls said the agency “[does] not release information pertaining to capabilities/tools as that can have an impact on our investigations.”
According to Tobi Cohen, a spokesperson for the Office of the Privacy Commissioner of Canada, “We have not been made aware by the RCMP of their use of this technology. If they were looking to use this type of technology, we would expect to be consulted.”
Mr. Cohen also said that the Commissioner’s Office has not been made aware of Stingray use by other government departments or agencies.
E-mails sent to the Harris Corporation were not returned.
Recently, the technology’s potential for misuse by criminals and foreign intelligence agencies has become more widely known. In July, former FBI deputy director Tim Murphy told Newsweek that there’s no doubt that IMSI catchers have been used illegally – at least, against the U.S. and its citizens.
“This type of technology has been used in the past by foreign intelligence agencies here and abroad to target Americans, both [in the] U.S. government and corporations,” Mr. Murphy is quoted as saying.
When deployed passively, IMSI catchers merely snoop on wireless signals as they travel through the air to a cellular base station, and do not interfere with or disrupt the signals while in transit. “These devices are thus far more covert in operation – indeed effectively invisible – but they can only detect signals of nearby phones when those phones are actually transmitting data,” according to a paper published in May by Christopher Soghoian, principal technologist for the American Civil Liberties Union, and Stephanie Pell, former federal prosecutor and non-residential fellow at The Center for Internet and Society at Stanford Law School.
More often, IMSI catchers are deployed actively, wherein they act as “cell site simulators.” In this mode a Stingray pretends to be a legitimate cell tower, forcing all nearby devices to connect. In this mode, a Stingray could be configured to identify nearby phones, locate them with “extraordinary precision,” according to Mr. Soghoian and Ms. Pell, intercept outgoing calls and text messages, as well as to block service to all or some devices in an area.
An IMSI identified using a Stingray can then be used to request other pieces of identifying information tied to that device from the network operator – such as the name and address of the owner. If the operator knows a device’s IMSI ahead of time, a Stingray could be used to monitor its location.
Tallahassee police testimony describing an investigation from 2008 is perhaps the best description on record of how Stingrays are used, testimony that was unsealed by a Florida judge at the behest of the ACLU in June of this year.
According to the ACLU’s description: “Police drove through the area using the vehicle-based [IMSI catcher] device until they found the apartment complex in which the target phone was located, and then they walked around with the handheld device and stood ‘at every door and every window in that complex’ until they figured out which apartment the phone was located in.”
The Globe and Mail asked Canada’s big three cellular providers whether Stingrays had been used against their subscribers, and whether they had the technical ability to detect when an IMSI catcher is in use.
Rogers spokesperson Patricia Trott, declining to get into specifics for “security reasons” would only say that “Rogers complies with the GSM [Global System for Mobile] Association’s network security and encryption requirements, and has deployed the most advanced versions of encryption available.”
However, security researchers such as cryptographer and John Hopkins University reseasrch professor Matthew Green have argued in the past that Stingrays can sidestep such encryption by forcing devices, in the case of GSM networks such as Rogers, or AT&T in the U.S., to fall back on less secure 2G networks that can then be exploited instead.
Mr. Trott did not reply to a follow-up question.
According to a Bell spokesperson, the company has “found no evidence that Bell’s wireless networks are exposed to IMSI Catchers.” The spokesperson claimed that IMSI catchers are focused on GSM networks, and that Bell’s legacy network relies on the incompatible Code division multiple access (CDMA) standard.
However, in the Tallahassee case, investigators used a Stingray to locate a subscriber belonging to Verizon, which also maintains a legacy CDMA network. Mr. Soghoian and Ms. Pell’s paper also notes that companies such as Harris Corp. have developed IMSI catchers that are compatible with CDMA networks, as well as GSM.
“As part of our regular conversations with law enforcement and industry partners, including carriers that employ GSM networks, IMSI catchers have not been identified as a significant issue in Canada,” the Bell spokesperson added.
Telus declined to comment.
Some mobile devices are now capable of recognizing and evading an IMSI catcher. GSMK, a German developer of secure phones, sells a hardened, high-end Android phone called the CryptoPhone 500 for over $3,000 that includes a so-called “baseband firewall” that can detect when a Stingray is likely in use, and then block that tower from connecting to the phone.
Elsewhere, researchers have been working on a freely available piece of software called Darshak, which also allows owners of certain Samsung Galxy S3 smartphones to detect possible Stingray use.
In late January, NDP Member of Parliament for Terrebonne-Blainville Charmaine Borg, tabled a list of questions to all government agencies on their tracking of communications devices, including the use of IMSI catchers.
Communications Security Establishment, Canada’s cyberspy agency, declined to reply, citing national security exemptions, as did CSIS. Both agencies reiterated this stance when contacted for this story. The RCMP, again, declined on the basis that doing so would “compromise the RCMP’s ability to conduct criminal investigations.”
Ms. Borg says that her office has received no new information on the use of Stingrays since.Report Typo/Error
Follow us on Twitter: