Privacy SOS

Feds’ dragnet cell phone tracking scheme highlights dire need to update obsolete privacy law

The curiously named Department of Justice has been conducting dragnet cell phone location tracking throughout the United States using powerful spy technologies called “dirtboxes” flown high above our homes in single engine Cessna planes, a Wall Street Journal report reveals. Various arms of the DOJ have been conducting these surveillance flights—sucking up the private cell phone location information of thousands or even millions of people—since at least 2007. As of June 2014, this type of dragnet cell phone location tracking is arguably illegal in at least the 11th circuit, where a federal court found that law enforcement must get a warrant to obtain even one piece of historical cell site information.

But in the rest of the country, the legal landscape is far murkier. It shouldn't be that way, and we shouldn't need to wait for the Supreme Court to rule to change it. The DOJ’s mass, secret tracking of our cell phones highlights the importance of updating electronic privacy law to reflect our world today. Unfortunately, in many places, federal agents and police do not need to obtain warrants to track our phones. That gap in the law has produced a loophole large enough for federal agents to fly dragnet cell phone snooping planes through it—how often and where, we still aren’t sure.

Privacy law stuck in the big hair era

Officials told the Journal that they obtain ‘court orders’ to conduct these cell phone snooping operations, suggesting that they do not provide judges with probable cause to show information derived from the spy technology will reveal evidence of a crime. Search warrants—the gold standard of American justice—require probable cause. But under the obsolete Electronic Communications Privacy Act (ECPA) of 1986, officials must only show that the information sought through a surveillance operation is ‘relevant and material’ to an ongoing investigation—a very low bar.

Historically, these orders—called 2703(d) orders, a reference to the portion of the statute that authorizes them—have usually been deployed when law enforcement wants to implement a pen register or trap and trace on someone’s phone, to find out who a target calls and who calls them, as well as how long the phone calls last, and when they are made. Police and federal agents also get (d) orders to access stored communications content older than 180 days, or to tap an internet connection. More recently, cops and agents have used (d) orders to obtain cell phone location information, although in light of court rulings requiring probable cause for cell site location information, many carriers now require police provide warrants.

Unlike search warrants, (d) orders are often shrouded in secrecy. Too frequently, people targeted by surveillance under this legal regime never find out they were spied on. The orders sometimes remain secret forever, and unlike search warrants, are often obtained in secret dockets, never to be posted on the court’s PACER system so researchers, journalists, and advocates can inspect them. At least one federal judge believes the underlying statute needs a major rewrite in order to fix these problems. In 2012, Federal Magistrate Judge Stephen Smith wrote a paper blasting the secret (d) order surveillance regime. Smith wrote that, judging from his experience and research, it’s ”reasonable to infer that far more law-abiding citizens than criminals have been tracked” by police and agents using (d) orders.

The Feds are watching your phone, but who’s watching them?

The problems with (d) orders are compounded when police and federal agencies use cell site simulators (sometimes called ‘Stingrays’) to do cell phone tracking, instead of going straight to the phone company. That’s because unlike demands to telephone companies for specific user information, cell site simulators by design suck up the information of non-targets who happen to be within physical proximity of the targeted user. If the FBI or DEA flies a surveillance plane over a neighborhood looking for one drug dealer, in other words, the agency is in the process also going to suck up the data of all the other people in that neighborhood. Because agencies are likely not obtaining warrants to fly these dragnet spy missions, judges are probably in the dark about how they are executing the surveillance orders. That makes a significant difference for ordinary people’s privacy.

The court orders granting the federal government the power to fly its cell phone spying missions are sealed, so we don’t know for sure whether prosecutors and agents are telling judges they intend to use powerful cell site simulator devices. But if evidence from similar cases around the country is any indication, they are not. The reason this distinction matters is that judges cannot impose minimization requirements on agencies if the judges don’t know the agencies will be scooping up tens or thousands of non-targets’ data. If judges simply think police are going to phone companies to get user information, as they long have, they won’t require agencies to report back that they've deleted information obtained about non-targets.

Anonymous DOJ sources who spoke to the Journal raised precisely this concern:

Within the Marshals Service, some have questioned the legality of such operations and the internal safeguards, these people said. They say scooping up of large volumes of information, even for a short period, may not be properly understood by judges who approve requests for the government to locate a suspect’s phone.

Some within the agency also question whether people scanning cellphone signals are doing enough to minimize intrusions into the phones of other citizens, and if there are effective procedures in place to safeguard the handling of that data.

Absent strict orders from judges, and in light of the federal government’s seemingly insatiable appetite for information about the activities of ordinary Americans, we can safely assume there are no such effective procedures in place.

That agencies are not likely getting warrants is even more disturbing in light of the spy plane cell site simulators’ wiretap capabilities. The Journal reports that the devices do more than just locate specific phones; they "can also jam signals and retrieve data from a target phone such as texts or photos."

One "person familiar with the program" told the Wall Street Journal that the ‘dirtbox' dragnet phone tracking program as implemented "on U.S. soil is completely legal. Whether it should be done is a separate question."

Due to the secrecy surrounding even the existence of the program until now, no one has been able to test the government's theory that this surveillance is legal under the constitution. But one thing is clear: The obsolete (d) order regime under the Electronic Communications Privacy Act of 1986 provides very little protection for personal privacy in the 21st century, and gives law enforcement much too much latitude to conduct invasive surveillance in the shadows.

If we want to stop this unaccountable, possibly unconstitutional, dragnet tracking—whether through ‘dirtboxes’ or whatever other sneaky technology the feds have up their sleeves—we need to update the law to reflect the way we live and communicate today. If we don't, we will be reading about another program like this in a few months.

© 2019 ACLU of Massachusetts.