A recent federal court decision out of Arizona brought attention to one of law enforcement’s lesser-known tools for finding bad guys.
The device in question has several brand names, but the “StingRay” seems to be the most commonly used. The StingRay and some related products with similarly icthyological names like KingFish and AmberJack are produced by Harris Wireless Products Group of Melbourne, Florida.
A StingRay mimics a cell phone tower and pings cell phones within its range for a signal. By measuring the signal strength, the operator can determine the approximate location of the cell phone.
All of this happens without the knowledge of the cell phone’s owner or the cellular network the phone uses. The device is reportedly about the size of a shoebox and is easily transported to wherever it’s needed. It’s not used for monitoring the conversations or text messages sent to or from the phone.
The StingRay got some unexpected notice in the case of U.S. v. Daniel David Rigmaiden — the man known to IRS and FBI agents as “the Hacker.”
Rigmaiden operated a number of scams that included identity theft and filing for income tax refunds he wasn’t entitled to. Nearly all of his activities were conducted online, using a laptop and a wireless “aircard” that sent and received data over the cellular network.
He was quite successful at this, filing more than 1,200 fraudulent tax returns and collecting more than $3 million in tax refunds (maybe there really is something to those ads telling me I can make $250,000 per year working on my computer at home).
The investigation began when an IRS eFile provider notified the IRS that an unusually large number of returns had been filed through its website by a single person. IRS agents researched the IP addresses used by this filer and tied it to an aircard subscribed to Verizon and purchased by Travis Rupard in San Jose (Calif.).
Rupard turned out to be a false name associated with a non-existent address and a California driver’s license number assigned to a woman.
The story gets a little complex from here, involving multiple informants, locations, wireless accounts, and other details. You can read it yourself in the published opinion in U.S. v. Rigmaiden, but be forewarned it runs 35 pages and is about 20,000 words.
It is interesting reading, if you like that sort of thing.
Rigmaiden was caught, in part, through the use of a StingRay device. He sought to suppress the information supplied by the device on the grounds that the search warrant requested by the FBI was not specific, failing to properly describe what information was sought and the way the FBI intended to get it.
Rigmaiden said the government failed in their “duty of candor” to fully inform the judge issuing the warrant of what they intended to do. The trial judge in the case denied that motion.
The case has not yet gone to trial, but the tone of the judge’s decision on the several motions filed by the defendant and the government indicates that unless Rigmaiden catches some huge breaks from this point forward, he won’t be surfing the Internet again anytime soon.
The role of the StingRay in the case is interesting because it illustrates one of the many ways that the law has not caught up with advances in technology. Not long ago, the Supreme Court of the United States (SCOTUS) ruled that law enforcement has to get a search warrant to place a GPS tracker on someone’s vehicle.
If Rigmaiden or another case involving this technology makes it to the SCOTUS, what will they have to say about it? Is there a reasonable expectation of privacy in the location of your cell phone?
The lesson here, if there is one, is for cops to be forthcoming when seeking search warrants using technology that may be unfamiliar to the issuing judge. The police may need to educate the judge about how some of the new toys work. If that doesn’t happen, a judge in another case may decide the government didn’t meet its “duty of candor” and suppress the evidence.