September 20, 2020

Appeals Court Tells Baltimore PD To Start Coughing Up Information About Its Cell Site Simulators

The Baltimore Police Department was an enthusiastic early adopter of cell site simulator technology. In 2015, a Baltimore detective admitted the department had deployed its collection of cell tower spoofers 4,300 times since 2007.

The best estimate on how many of those 4,300 deployments ever showed up in court documents remains near zero. The Baltimore PD hid its deployments behind pen register orders, ensuring judges and defendants never knew the departments was using cell site simulators to track down suspects.

A little bit of information has reached the public domain in recent years, showing the Baltimore PD was more willing to toss cases than expose its use of Stingray devices. Judges were willing to toss cases too, once it was determined these secret deployments violated the Fourth Amendment.

There are now three Supreme Court rulings that directly affect Stingray deployments, with the most recent being the Carpenter decision. If the government needs a warrant to obtain historical cell site location info, it stands to reason a warrant should be required to engage in real-time tracking using Stingrays, even if the court did not specifically address this.

There’s also the Kyllo decision, which found the use of an infrared device to search a house for occupants violated the Fourth Amendment. An intrusion in which the government never actually enters the house is still an intrusion. Cell site simulators force phones inside houses to give up certain identifying information even if officers never approach the residence.

Finally, there’s the Riley decision that implemented search warrants for cellphones. A Stingray device searches cellphones, even if the search is “limited” to identifying info and location data. (Stingrays can also be used to intercept communications, but there’s been no confirmed use of this particular configuration by US law enforcement agencies.)

All of these are in play in this recent decision [PDF] by the Fourth Circuit Court of Appeals. The court does not explicitly find that a Hailstorm deployment by the Baltimore PD in 2014 was unconstitutional. But it does find that the lower court did not do enough fact-finding to determine whether it fell on the wrong side of the Fourth Amendment.

The Baltimore PD has pretty much conceded some of these points already.

Defendants concede that the Hailstorm simulator searched, at minimum, Andrews’s phone, and that its use thus required a warrant. Nor do Defendants controvert Andrews’s assertion that the Hailstorm simulator searched other cellular devices in the vicinity, or that it searched nearby homes by transmitting spoofed cell tower signals through the walls.

But the PD is still arguing that its use of a pen register order was the Constitutional equivalent of a search warrant.

Defendants instead argue that the Pen Register Order satisfied the warrant requirement and that any intrusions on third parties’ privacy interests are irrelevant to Andrews.

Those “third parties” would be everyone else in the vicinity of Andrews whose phone connected to the PD’s fake cell tower and coughed up identifying info.

Andrews prevailed in the state court, resulting in the suppression of evidence. However, his federal civil rights lawsuit hit a wall when the lower court inexplicably decided “possibly relevant to an ongoing investigation” = “probable cause.”

The federal district court found that the Pen Register Order constituted a warrant authorizing use of a Hailstorm simulator.

Pen registers do not require probable cause. If the judge had been informed that the PD was going to deploy a device that would search dozens of phones to find the one possessed by Andrews (and locate him that way), they would likely have demanded a higher standard than this bare minimum.

The Appeals Courts says there’s not enough on the record to reach a conclusion about the Constitutionality of this cell site simulator deployment. So, it’s handing it back to the lower court with a long list of questions that need to be answered before a decision can be reached.

Specifically, on remand, the district court is directed to conduct factfinding into the following characteristics of the Hailstorm cell site simulator:

(1) The maximum range at which the Hailstorm simulator can force nearby cellular devices to connect to it.

(2) The maximum number of cellular devices from which the Hailstorm simulator can force a connection.

(3) All categories of data the Hailstorm simulator may collect from a cellular device, regardless of whether such data is displayed to the Hailstorm simulator’s operator in the course of locating a target phone, including by way of example and without limitation: cellular device identifiers (such as international mobile equipment identity (“IMEI”) numbers, international mobile subscriber identity (“IMSI”) numbers, and electronic serial numbers (“ESN”)); metadata about cellular device operations (such as numbers dialed or texted, or webpages visited); and, most especially, the content of voice or video calls, text messages, emails, and application data.

(4) What data in (3) may be stored by the Hailstorm simulator.

(5) What data in (4) are accessible by law enforcement officers.

(6) All means by which the Hailstorm simulator was configured to minimize data collection from third party cellular devices not belonging to Andrews.

We’ll see what the Baltimore PD chooses to do on remand. That’s a lot of info it’s not in any hurry to share with the general public. It may be able to keep some of this out of the public hand’s with sealed filings but it can’t keep all of this buried. It may decide it’s time to settle. I hope it doesn’t. This info should have been made public years ago. The PD spent years hiding this from everyone. It’s time to open the books.

Via:: Appeals Court Tells Baltimore PD To Start Coughing Up Information About Its Cell Site Simulators