ARS Technica - FCC to examine “unauthorized” cell snooping devices
A newly published letter from FCC Chairman Tom Wheeler to Rep. Alan Grayson (D-FL) states that Wheeler has created a task force that recently took “immediate steps to combat the illicit and unauthorized use of IMSI catchers. The mission of this task force is to develop concrete solutions to protect the cellular networks systemically from similar unlawful intrusions and interceptions.”
Relatively little is known about how stingrays are used by law enforcement agencies nationwide, although documents have surfaced showing how they have been purchased and used in some limited instances. Worse still, cops have lied to courts about the use of such technology. Not only can stingrays be used to determine location, but they can also intercept calls and text messages. Grayson seems primarily concerned with stingray use by criminals, terrorists, and foreign government agents.
Grayson’s office did not immediately respond to further requests for comment.
The FCC didn't have much to add, either.
"I don’t have a lot to give you right now," Bartees Cox, an FCC spokesman, told Ars. "As the announcement was made only yesterday, but the task force will draw on expertise from across the agency."
“I am disturbed”
Grayson appears to have only been made aware of stingrays recently. The congressman does not seem to know that the best-known manufacturer of stingrays, the Harris Corporation, is based in Melbourne, Florida—just 70 miles from the congressional district that he represents.
“Americans have a reasonable expectation of privacy in their communications and in information about where they go and with whom they communicate,” Grayson wrote to Wheeler on July 2, 2014. “It is extremely troubling to learn that cellular communications are so poorly secured and that it is so easy to intercept calls and track people’s phones.
“I am disturbed by reports which suggest that the FCC has long known about the vulnerabilities in our cellular communications networks exploited by IMSI catchers and other surveillance technologies. According to the Associated Press, the FCC licenses to American companies that manufacture such interception technology.”
Foxes guarding the henhouse
Christopher Soghoian, a technologist with the American Civil Liberties Union and one of the nation's experts on stingrays, told Ars that he applauded the FCC task force.
However, he also pointed out on Twitter that the FCC partially denied a Freedom of Information Act request filed by the ACLU to learn more about prior FCC discussion and actions pertaining to stingrays.
"They're still suppressing public discussion and debate about these issues and that combination is troubling because what it shows is that the FCC and many other parts of our government still consider it to be a secret technology even though graduate students and others have shown that they can build them themselves," Soghoian said.
"It was a secret 20 years ago; it's not a secret anymore," he continued. "What's happening is that the government wants to have its cake and eat it too. It's pretty unrealistic that this thing will remain a secret forever. Our view is that once you can buy these things online, once there are PhD dissertations describing the stuff in detail, and once you can download stuff from the Internet, then it's not a secret anymore, and the FCC should stop treating it as one."
Stephanie Pell, a professor at the Army Cyber Institute at the West Point Military Academy told Ars that she believed the task force is a "positive first step."
"Ultimately, however, a solution that is only focused on further 'outlawing' the unauthorized, unlawful use of the IMSI-catcher technology is not a strong, or likely successful solution," she said. "The FCC will need to examine the vulnerabilities in cellular networks that allow the technology to intercept our communications. Chinese spies and tech-savvy criminals won't be deterred because their use of the technology is illegal—they will be deterred and hopefully thwarted if cellular networks aren't vulnerable to IMSI catchers."
As far as the task force is concerned, Soghoian said he was not aware of the details of what precisely it would entail. He hoped that it would include bona fide technical experts who have well-known credentials in mobile security and privacy.
"If the task force is just NSA, FBI, and the Secret Service, then that's like asking a group of foxes to guard the henhouse," he said. "Really what we would hope that the task force would include the Federal Trade Commission, the Department of Commerce, the National Institute of Standards and Technology, and agencies that have a more protective mission with regard to protecting consumers from hackers and other threats to their privacy. What's clear is that the FCC has known about these things for 20 years. The only way you will protect members of Congress, journalists, lawyers, or doctors is through encryption. Any effort to go after the devices is futile."