FBI admits using Stingrays, hacking computers and software

© Edgard Garrido
A top official in the FBI’s Operational Technology Division admitted that in addition to using biometric databases and rapid DNA-matching machines, the agency hacks computers and software, and uses Stingrays to mimic cell phone towers.

The revelations came in a Washington Post profile of the executive assistant director for science and technology, Amy Hess, who oversees the Bureau’s Operational Technology Division.

“All of the most interesting and troubling stuff that the FBI does happens under Amy Hess,” Christopher Soghoian, principal technologist at the American Civil Liberties Union, told The Washington Post. “If it’s high-tech and creepy, it’s happening in the Operational Technology Division.”

Soghoian called Hess “the queen of domestic surveillance,” as she admitted the agency uses cell site simulators, or Stingrays, which mimic cell phone towers to trick other cell phones into connecting to them. The device is controversial because to operate effectively it indiscriminately collects and intercepts data from any phone in the vicinity, as well as the targeted device.

The FBI’s use of Stingrays has been well documented despite the secrecy surrounding the device. Privacy advocates, however, have been hampered in their investigation into the use of the technology by government agencies and local law enforcement. Many departments signed non-disclosure agreements with the Harris Corporation, which manufacturers the spying technology and wants to protect its intellectual property.

Yet new details keep emerging about the power of the surveillance tool. In November, the ACLU acquired the Justice Department’s guidelines on the use of Stingray technology, showing the surveillance tools are capable of recording the numbers of a mobile phone’s incoming and outgoing calls, as well as intercepting the content of voice and text communications.

Hess told the Washington Post the FBI never insisted on a gag on local police over the use of Stingrays.

“The bureau does not object to revealing the use of the device. It’s the ‘engineering schematic,’ details on exactly how the tool works, that the FBI wants shielded,” Hess told the newspaper.

Other revelations from the story include the technicians who, with the power of a warrant, can hack computers to identify suspects, a method called “network investigative techniques.” Privacy attorneys say that the problem remains that the bureau’s warrant does not describe the technique’s use in detail, making it unclear whether violations have occurred.

Equally troubling is the Bureau’s use of “zero-day” exploits, or malware that attacks code to exploit vulnerabilities – often unknown by the company or organization that designs the product – that remain unpatched in software. Hess acknowledged the agency uses “zero-day,” but said it is not a favored technique.

“It’s frail,” Hess said. “As soon as a tech firm updates its software, the tool vanishes. It clearly is not reliable in the way a traditional wiretap is.”

The FBI also makes use of facial and iris recognition without seemingly any limits or restrictions, although it said it struggles with what surveillance to use and how.

“What is the greater good – to be able to identify a person who is threatening public safety? …How do you balance that? …That is a constant challenge for us,” said Hess.

Despite these tools, the agency faces technology challenges. In cyber investigations, it has admitted that it lacks the tools to analyze massive amounts of digital data. The FBI created a platform to analyze data for counterterrorism and criminal probes called ‘Insight.’ It can track websites a suspect has visited, pull emails from a suspect’s account and even reconstruct deleted emails, but it struggles with large amounts of network data, the Post reported.

Surveillance revelations by National Security Agency whistleblower Edward Snowden have also chilled the relationship between the FBI and Silicon Valley, Hess said, before adding that conversations with companies have become more productive in recent months.

The power of Stingrays to vacuum up vast troves of cellphone data met resistance last month when an Illinois judge issued requirements that federal law enforcement working with local police must follow when applying for a warrant to use the tech during an investigation.

Judge Ian Johnson of the Northern District of Illinois said that prosecutors in his district will have to follow three rules in order to receive warrants to use Stingrays.

Firstly, prosecutors cannot use the devices when "an inordinate number of innocent third parties’ information will be collected." Secondly, citing adherence to Fourth Amendment principles, Johnson demanded federal law enforcement "immediately destroy" superfluous data collected during the investigation within 48 hours. Proof of this act must be given to the court. And third, law enforcement agents cannot use any collected data outside of what is "necessary to determine the cell phone information of the target."

This is not the first restriction on federal agents' use of Stingrays, either. In September, the US Department of Justice said its agents must acquire a search warrant before utilizing a cell-site simulator, though the policy allows for exceptions in the case of "dire circumstances." These instances include when agents are attempting to avoid a death or injury, to keep a cellphone or other device they are tracking from being destroyed, or when a pursued criminal is in danger of escaping.