Privacy took a blow last week when the NSA got permission to keep operating a massive dragnet. Here's some better news: As of today, US agents should have a harder time using Stingrays to spy on mobile phones.
Today, the Department of Justice issued a new policy that requires federal agencies to get a search warrant before they deploy a "cell-site simulator", aka Stingray, in all but the most dire circumstances.
(The Stingray is just the name of one specific device, made by the Harris Corporation, which pretends to be a cell tower in order to trick nearby phones into connecting to it.)
What kinds of exceptions are there? If the FBI or NSA or Homeland Security want to spy on a crowd filled with mobile phones without a warrant -- according to the policy -- they will have to be actively trying to keep someone from getting killed or injured, keep evidence from being destroyed, or be in hot pursuit of a criminal who might otherwise escape. And even then, they need to note how many times they use those exceptions so someone can audit them later.
In addition, the new policy prohibits federal agents from collecting actual data from those phones. They shouldn't be able to read email or text messages or even get a phone's GPS coordinates -- only the general location of a certain phone when they're pursuing a suspect. And they need to erase that information, too, once per day, or as soon as they're done with it. Whichever comes first.
Plus, they also need to get a court order justifying the surveillance in the first place.
Sounds like it should be pretty hard for anyone to use a Stingray to spy on your phone, yes? Well, sadly, there may still be some loopholes in here. The policy sounds pretty well-meaning, but it only applies to federal agencies, not the regular police who've been buying up Stingrays and misusing them for all sorts of minor things.
And while it sounds like a lot of Ts to cross and Is to dot, so does the court order that these agencies are required to get. Except in the policy document, the Department of Justice says that these agencies were already satisfying that requirement, so perhaps they may find a way to easily rubberstamp the search warrant request or the dire circumstances too.
The American Civil Liberties Union calls the policy "a positive first step":
However, this policy does not adequately address all concerns. Disturbingly, the policy does not apply to other federal agencies or the many state and local police departments that have received federal funds to purchase these devices. In addition, the guidance leaves the door open to warrantless use of Stingrays in undefined "exceptional circumstances," while permitting retention of innocent bystander data for up to 30 days in certain cases.
"The Justice Department must close these loopholes, and Congress should act to pass more comprehensive legislation to ensure that Americans' privacy is protected from these devices and other location tracking technologies.
You can read the full policy for yourself right here.