Can You Hear Me Now? How Police Track Your Cellphone

He took every step very carefully and made sure he covered his tracks. But on Aug. 3, 2008, Daniel Rigmaiden was arrested by the FBI near his apartment in northern California.

Credit: Sutham/Shutterstock


Rigmaiden had, by his own admission, been making hundreds of thousands of dollars by filing the tax returns of dead people and collecting the refunds.

As authorities dragged him to the ground, he wondered how the FBI had found him. Rigmaiden had built what he thought was a foolproof system to avoid detection. He was always anonymous on the Internet, and used fake IDs and prepaid debit cards.

Rigmaiden went through all the possible loopholes in his mind, and then realized he may have been exposed through the cellular broadband modem, or AirCard, that he plugged into his computer to connect to the Internet.

He decided to represent himself in court, which gave him access to all the documents regarding his case. His pretrial research uncovered mentions of strange "new investigative techniques" regarding cellphone towers and a device called a Stingray.


It turned out that the U.S. government had been secretly using the Stingray for years, first for military use and then for law enforcement, to locate and track suspects by their cellular connections. Rigmaiden became one of the first civilians to learn about this technology, and his case opened the doors to public knowledge about it.

Yet several years later, as more information about Stingrays — also called IMSI catchers, cell-site simulators or fake cell towers — has become available, use of the devices by law enforcement appears to be routinely obscured in court records. At least one major manufacturer allegedly requires police departments to never disclose that they use the devices.

Nevertheless, on Sept. 3, 2015, the Department of Justice (DOJ) issued a new policy that requires its agencies — including the FBI, U.S. Marshals Service, Drug Enforcement Administration (DEA) and Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) — to, in routine cases, get a warrant before using a Stingray. The policy also directs the agencies to destroy data collected from non-suspects as soon as a targeted suspect is located.

After nearly six years of pretrial proceedings, during which he was in custody, Rigmaiden pleaded guilty in April 2014 to several counts of tax fraud and was sentenced to time served. He walked out of court on probation, and now spends his time conducting research on electronic surveillance and working as a consultant on Stingray technology.

Meanwhile, the use of Stingrays has become commonplace across the United States at all levels of law enforcement.

The most widespread surveillance tool you've never heard of

With a Stingray, which can be mounted in a car or van, law-enforcement agencies can intercept your cellphone signal and become the middleman between you and the nearest cell tower. Using protocols built into the cellular networks, your phone's location can be determined and telephone calls in and out can be logged. Once a target device is located, further steps often allow text messages and phone calls to be deciphered.

StingRay, with a capital "R," is a brand name held by Harris Corp. of Melbourne, Florida, but IMSI catchers built by other companies are also colloquially called Stingrays. A purported one-page Harris brochure written about 10 years ago about a StingRay says the device provides "a complete target tracking and location solution" and is a "low-power system designed for vehicular operations."

The American Civil Liberties Union (ACLU) contends that the FBI, DEA, Secret Service, National Security Agency (NSA), U.S. Marshals Service, Immigration and Customs Enforcement (ICE) and ATF — as well as the U.S. Army, Navy and Marine Corps — all use Stingrays.

Early law-enforcement cases involving IMSI catchers indicated that only federal agencies were using such technology. However, post-9/11 Department of Homeland Security (DHS) funding programs made such devices, some of which can cost $150,000, affordable to state and local police forces.

The DOJ's new rules do not apply to law-enforcement agencies overseen by other federal departments, although a deputy U.S. attorney general told The New York Times that the DHS — which oversees ICE, the Border Patrol and the Secret Service — was developing a similar in-house policy of its own. Either agency could change the rules again at any time.

Nor do the DOJ rules apply to military or intelligence agencies, such as the NSA or CIA, nor to state and local law-enforcement agencies that use Stingrays. But they indicate that the federal government is aware of the constitutional issues surrounding use of the devices. (In several recent cases, the U.S. Supreme Court has ruled that other cellphone-tracking methods violated the Fourth Amendment if performed without a warrant.)

How does a Stingray work?

A Stingray impersonates a cellular tower, causing nearby cellphones to try to connect to it. Some models can forward incoming and outgoing calls and texts from a legitimate cell tower, and cellphone users will be none the wiser.

Because each phone that tries to connect to a cell tower identifies itself, a Stingray can track not just the suspect's cellphone, but any cellular-enabled device within range. And like any regular cellphone signal, the Stingray's signal can find devices in vehicles and buildings.

"A Stingray forces all cellphones within range to connect to it by broadcasting a signal that is stronger than the signal being transmitted by real cell towers in the area — or by simply telling cellphones that its signal is the strongest," Rigmaiden told Tom's Guide.

"Once a cellphone is connected," he added, "the Stingray requests that the phone give up its identifying serial number, which is compared to one or more serial numbers already in law-enforcement possession."

One such number is an International Mobile Subscriber Identity, or IMSI, number, which each phone with a SIM card presents to a cell tower upon first connection. Older phones without SIM cards have a similar number, called an electronic serial number (ESN) or mobile equipment identifier (MEID), baked into the device itself.

Law enforcement officers obtain IMSI numbers of phones belonging to persons of interest from cellular-service providers. Investigators use Stingrays to collect IMSI numbers directly from cellphones in the area where the target device is thought to be located.

"Law enforcement then does a comparison of the serial numbers to determine when the target connects to the Stingray," Rigmaiden said to Tom's Guide.

Once the Stingray detects the suspect's cellphone, law enforcement officers begin a technique called "interrogation." The Stingray sends signals to the targeted phone in a manner that causes the phone to send more signals in response.

"These signals are then collected and subject to geolocation techniques, including measuring the angle from which the signals are coming from (to get direction), the signal strength (to get distance) and the signal time of flight (also used to get distance)," Rigmaiden said.

But to find the targeted device, a Stingray has to gather identification data from all compatible devices in the area. That has sparked a lot of criticism, since this includes innocent civilians' information.

"The only way to find the target cellphone is to force all phones in the area to identify themselves," Rigmaiden said. "It's like going to a masquerade party and having to lift the mask of each partygoer to find the person you are looking for."

Once the target phone is found, law enforcement stops querying other phones. (The new DOJ rules mandate that data collected from other phones be destroyed by the end of the day.)

The FBI says it cannot comment on the use of Stingrays by other law-enforcement agencies, such as state or local police. Purportedly leaked documents and police testimony indicate that police departments have had to sign non-disclosure agreements that forbid Stingrays or similar devices from being mentioned in court records.

A USA Today story published in August 2015 revealed that Baltimore police had used IMSI catchers more than 4,000 times since 2007, often to track down stolen cars or credit card thieves. Even in cases where a person's life may have been in danger, the fact that suspects had been located using Stingrays was omitted from court records. Prosecutors sometimes didn't know Stingrays were involved, and defense attorneys rarely did.

One leaked document indicates that the FBI would rather have charges against a suspect dropped than have information about Stingrays enter the public record. Minnesota's state investigative agency in 2012 reportedly agreed to notify the FBI if anyone tried to use the Freedom of Information Act to obtain information about the Minnesota agency's use of Stingrays.

Are Stingrays effective on all cellphones?

Because 2G connections do not require that a cell tower authenticate itself when initiating contact with cellphones, it's not difficult for a Stingray – or any other device with the right software and hardware – to impersonate a cell tower. (Hackers have shown how to do this at several security conferences.)

In other words, it's easy to fool older phones, yet there is a misperception that a 3G- or 4G-enabled phone is immune from Stingray detection. All an IMSI catcher needs to do is trick those phones into thinking 3G or 4G connections are unavailable, and the phones will automatically downgrade to 2G.

Hailstorm, the latest model from Harris, and competing products are believed by some experts to directly intercept 4G connections, without a forced downgrade. It's not clear how they would do so, but there's a demand for such capabilities, because the major U.S. cellular carriers will begin to turn off 2G service in 2017.

"Law enforcement can identify and interrogate any cellphone under 4G without downgrading the signal," Rigmaiden said. "If you look at the 4G LTE specification, you will see that the phone still identifies itself before it authenticates the cell tower, and that there is plenty of room for interrogation prior to the Stingray failing to authenticate as a service provider cell tower. … I assume the Hailstorm takes advantage of this."

How to avoid Stingray surveillance

Right now, you can't stop an IMSI catcher from detecting an active cellphone. The only way to prevent that is to turn the phone off or put it into Airplane Mode.

An app called SnoopSnitch claims to detect Stingray activity on Android devices running certain Qualcomm chipsets, and there are other "IMSI-catcher-catcher" apps out there on the market.

But Les Goldsmith, CEO of ESD America — a Las Vegas company that sells the CryptoPhone, a $3,500 German smartphone that encrypts calls and also detects Stingrays — said many of the apps fall short on quality.

"To be effective, an app would need to have access to the phone's baseband and radio stack," Goldsmith said. "It also needs to possess the right technicalities in order to distinguish between a true IMSI catcher and a poorly configured cell tower."

Goldsmith pointed out that the CryptoPhone sold by his company can tell the difference, and also alerts the user if someone tries to remotely control the phone through malware or spyware. In 2014, his company released a list of possible IMSI catchers spread across the United States.

"The CryptoPhone only alerts you when you are under attack," Goldsmith said. "If it provides a warning, it's safe to say that you are within half a mile of the IMSI catcher."

Even if you switch SIM cards, a Stingray can still read your phone's International Mobile Station Equipment Identity (IMEI) number, which is baked into every SIM-card-based handset. If the targeted phone's IMEI is known to investigators, that's as good as catching the IMSI. (Phones that work without SIM cards broadcast only the ESN or MEID.)
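As an added illustration (not code from SnoopSnitch, the CryptoPhone or this article), the Python example below scores constructed serving-cell observations against the indicators described above: an unfamiliar cell, an unusually strong signal, a fallback to 2G and a request for the IMSI or IMEI. The record fields, thresholds and sample data are assumptions; requiring several indicators at once reflects the need to tell an IMSI catcher from a poorly configured tower.

```python
from dataclasses import dataclass

@dataclass
class CellObservation:      # hypothetical record; field names are assumptions
    t: int                  # seconds since the capture started
    cell_id: str            # identifier of the serving cell
    rat: str                # radio technology: "2G", "3G" or "4G"
    signal_dbm: int         # serving-cell signal strength
    identity_request: str   # "", "IMSI" or "IMEI" asked for by the network

RAT_RANK = {"2G": 2, "3G": 3, "4G": 4}

def score_observation(prev, cur, known_cells, baseline_dbm, margin_db=15):
    """Return the indicators raised by `cur`, given the previous observation."""
    hits = []
    if cur.cell_id not in known_cells:
        hits.append("unknown-cell")
    if cur.signal_dbm - baseline_dbm >= margin_db:
        hits.append("unusually-strong-signal")
    if prev is not None and cur.rat == "2G" and RAT_RANK[prev.rat] > 2:
        hits.append("downgrade-to-2g")
    if cur.identity_request:
        hits.append("identity-request-" + cur.identity_request.lower())
    return hits

def find_suspect_cells(observations, known_cells, baseline_dbm, min_indicators=3):
    """Flag observations that raise at least `min_indicators` indicators at once."""
    alerts, prev = [], None
    for cur in observations:
        hits = score_observation(prev, cur, known_cells, baseline_dbm)
        if len(hits) >= min_indicators:
            alerts.append((cur.t, cur.cell_id, hits))
        prev = cur
    return alerts

# Constructed sample capture: A1 and A2 are cells seen on earlier days.
KNOWN = {"A1", "A2"}
SAMPLE = [
    CellObservation(0, "A1", "4G", -95, ""),
    CellObservation(60, "B7", "3G", -97, ""),       # new cell, nothing else odd
    CellObservation(120, "A2", "2G", -75, ""),      # known tower falling back to 2G
    CellObservation(180, "A1", "4G", -94, ""),
    CellObservation(240, "X9", "2G", -60, "IMSI"),  # all four indicators together
    CellObservation(300, "A1", "4G", -95, ""),
]

if __name__ == "__main__":
    for alert in find_suspect_cells(SAMPLE, KNOWN, baseline_dbm=-94):
        print(alert)
```

Only the X9 observation is flagged; the known tower that falls back to 2G raises two indicators and stays below the threshold.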

The future of Stingrays

Some states require police officers to get a search warrant before they can use a Stingray. Despite the Department of Justice's own recent rules change, which could always be reversed, Congress is considering instituting a blanket warrant requirement for the federal government.

But those moves may be leapfrogged by newer developments. Smaller, cheaper phone-tracking equipment can now replicate the results of larger IMSI catchers, and do much of it passively in ways that may never require a warrant. Ordinary citizens may come to regard cellphones, as many privacy experts already do, as tracking devices that need to be shut off for users to maintain anonymity.

Mir Ubaid is a contributing writer at Tom's Guide. He reports on the intersection of cybersecurity, privacy and public policy. His stories have also appeared on Al Jazeera English and Reuters. When he's not working, Mir spends too much time playing Counter Strike, where he's been perpetually stuck at rank Gold Nova 4 for the last five years.