US Security Agencies Broke IMSI-Catcher Laws

One problem with using IMSI-catchers to protect national security and uphold the law is that they also invade the privacy of every phone user within range, and not just the targets that spies and police are interested in. This is why many countries, including the USA, have strictly-worded rules that are supposed to ensure IMSI-catchers are only deployed when appropriate. However, a rule can hardly be considered ‘strict’ if it can be routinely ignored in practice. The Electronic Frontier Foundation (EFF) was amongst the first to notice a litany of failures detailed in an audit by the Office of Inspector General of the Department of Homeland Security. As the EFF explains…

…federal agencies like Immigration and Customs Enforcement (ICE), Homeland Security Investigations (HSI), and the Secret Service have conducted surveillance using cell-site simulators (CSS) without proper authorization and in violation of the law. Specifically, the office of the Inspector General found that these agencies did not adhere to federal privacy policy governing the use of CSS and failed to obtain special orders required before using these types of surveillance devices.

The title of the report did not pull any punches, although some of its contents were redacted before being made public.

Secret Service and ICE Did Not Always Adhere to Statute and Policies Governing Use of Cell-Site Simulators

The detail within the report is also frank about the failures of the agencies that were audited.

The United States Secret Service and U.S. Immigration and Customs Enforcement, Homeland Security Investigations (ICE HSI) did not always adhere to Federal statute and cell-site simulator (CSS) policies when using CSS during criminal investigations involving exigent circumstances. Separately, ICE HSI did not adhere to Department privacy policies and the applicable Federal privacy statute when using CSS. For the cases we reviewed, the Secret Service and ICE HSI obtained required search warrants for [redacted] CSS uses, respectively. However, the Secret Service and ICE HSI did not always obtain court orders required by CSS policies and Federal statute when using CSS during investigations that included exigent circumstances.

Two explanations were given for these failures.

First, CSS policies do not include sufficiently detailed guidance on working with external law enforcement agencies. Second, the Secret Service and ICE HSI did not correctly interpret CSS policies reflecting the statutory requirement to obtain court orders before using CSS or, in emergency situations, apply for court orders within 48 hours of installing, or beginning to install CSS.

A bureaucratic privacy safeguard dating back to 2002 was also ignored, seemingly for a long time.

Additionally, ICE HSI did not adhere to DHS’ privacy policy and the E-Government Act of 2002 that require CSS, as a privacy sensitive technology, to have an approved privacy impact assessment (PIA) before its use. According to ICE officials, resource limitations and changes in personnel resulted in a lengthy review and clearance process for a PIA. Although DHS approved an ICE HSI CSS-related PIA in January 2022, prior to this approval, DHS may not have identified and mitigated the privacy risks associated with CSS use.

Agencies must obtain a pen register order when they are seeking to collect data about phone numbers involved in communications with targets instead of listening to their conversations, and when they believe there is not enough time to obtain a conventional surveillance warrant. However, the audit concluded that even the lesser requirement of obtaining a pen register order was sometimes ignored.

The Secret Service and ICE HSI did not always adhere to the Pen Register Statute incorporated into CSS policies. CSS policies establish requirements to ensure CSS use is consistent with the requirements and protections of the Constitution, including the Fourth Amendment, and applicable statutory authorities, including the Pen Register Statute. However, based on our review of the Secret Service and ICE HSI investigations employing CSS in fiscal years 2020 and 2021, we determined that in exigent circumstances, the Secret Service and ICE HSI did not always obtain pen register court orders pursuant to the Pen Register Statute as incorporated into CSS policies.

The authorities in the USA are addicted to using communications networks to gather information about targets both within the country and abroad. That means many other countries will also have spies and police that routinely ignore legal limits on what they can do. Advocates of surveillance technology often plead that it will not be abused because laws will place limits on its usage. They are either stupid or they seek to deliberately mislead. Any rule formulated in words can be broken, or we would never need police or surveillance in the first place.

Privacy-conscious phone users must seek technological means of protecting themselves because the enforcers of the law often feel entitled to break the law, whilst remaining confident they will never suffer any repercussions. Privacy cannot survive as surveillance technologies like IMSI-catchers become more common unless the population takes real action to protect itself, sometimes by favoring those device manufacturers and communications providers that also show most respect for privacy.

The redacted public version of the audit report into IMSI-catcher usage by the Office of Inspector General of the Department of Homeland Security is available here.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.