Disclosure: I am currently a Visiting Scholar at the ACLU.
Ars Technica has an interesting story concerning documents released under the Freedom of Information Act to the ACLU and EFF.
Courts in recent years have been raising the evidentiary bar law enforcement agents must meet in order to obtain historical cell phone records that reveal information about a target’s location. But documents obtained by civil liberties groups under a Freedom of Information Act request suggest that “triggerfish” technology can be used to pinpoint cell phones without involving cell phone providers at all.
Triggerfish, also known as cell-site simulators or digital analyzers, are nothing new: the technology was used in the 1990s to hunt down renowned hacker Kevin Mitnick. By posing as a cell tower, triggerfish trick nearby cell phones into transmitting their serial numbers, phone numbers, and other data to law enforcement. Most previous descriptions of the technology, however, suggested that because of range limitations, triggerfish were only useful for zeroing in on a phone’s precise location once cooperative cell providers had given a general location.
As one of the documents intended to provide guidance for DOJ employees explains, triggerfish can be deployed “without the user knowing about it, and without involving the cell phone provider.” That may be significant because the legal rulings requiring law enforcement to meet a high “probable cause” standard before acquiring cell location records have, thus far, pertained to requests for information from providers, pursuant to statutes such as the Communications Assistance for Law Enforcement Act (CALEA) and the Stored Communications Act.
The Justice Department’s electronic surveillance manual explicitly suggests that triggerfish may be used to avoid restrictions in statutes like CALEA that bar the use of pen register or trap-and-trace devices—which allow tracking of incoming and outgoing calls from a phone subject to much less stringent evidentiary standards—to gather location data. “By its very terms,” according to the manual, “this prohibition applies only to information collected by a provider and not to information collected directly by law enforcement authorities.Thus, CALEA does not bar the use of pen/trap orders to authorize the use of cell phone tracking devices used to locate targeted cell phones.”
The ACLU also blogged about the documents.