Please note this page is no longer being maintained. For our current primer on cell-site simulators, please visit: https://www.eff.org/pages/cell-site-simulatorsimsi-catchers
- What is a cell-site simulator?
- How does it work?
- What data can a cell-site simulator collect?
- Does it matter what kind of network a phone is on?
- What is the range of cell-site simulators?
- How do law enforcement agencies use cell-site simulators?
- If I’m a defendant in a criminal case, how would I know if the government used a cell-site simulator?
- Who else uses cell-site simulators?
- If I’m not a target of a criminal investigation, why do I have to worry about cell-site simulators?
- Where are cell-site simulators are in use?
- I heard U.S. Marshals have special spy planes with cell-site simulators. Is that true?
- Are Stingrays, Hailstorm, Dirt Boxes, and cell-site simulators all the same thing?
- How much do cell-site simulators cost?
- How much money are these companies really making?
- Are there any laws or policies regulating cell-site simulators in the U.S. at the federal level?
- Are there laws or policies regulating cell-site simulators at the state level in the US?
- Have there been any major court decisions about cell-site simulators?
- How have manufacturers of cell-site simulators influenced the spread of the technology and the secrecy around it?
- Can cell-site simulators be detected?
- Can I prevent having my data captured by cell-site simulators?
- My city/county is considering adopting cell-site simulators. What can I do?
Cell-site simulators, also commonly known as IMSI catchers or Stingrays, are devices that masquerade as a legitimate cell phone tower, tricking phones nearby into connecting to the device in order to log the IMSI numbers of mobile phones in the area or capture the content of communications. IMSI stands for International Mobile Subscriber Identity, and it’s an identifying number that is unique to each cell phone. Because cell-site simulator more accurately describes the full capability of these devices, we encourage the use of this phrase.
As SBA Research explains, cell-site simulators work by “exploit[ing] the phone’s behavior to prefer the strongest cell phone tower signal in vicinity to maximize the signal quality and minimize its own power consumption.” A University of Pennsylvania researcher further explains they “actively interfere[e] in communications between mobile phones and base stations by acting as a transceiver (simultaneously transmitting and receiving).” Cell-site simulators receive signals from users and typically pass those on to base stations, skimming off various types of data in the process. They can be used to determine the phone that an individual is using by collecting the identification information for the phones in areas the target is known or expected to be in—a practice which necessarily requires the indiscriminate collection of the information of all phones in the area. It should be noted that, while cell phones do use encryption for content, the encryption can be turned off easily by a cell-site simulator itself, and there’s no notification that encryption is no longer operating.
U.S. agencies have publicly stated that they use cell-site simulators for locational information. However, in addition to identifying, tracking, and locating, cell-site simulators can perform much more active operations as well:
- Collect the information that identifies a cellular device, such as an IMSI number.1
- Determine the previously unknown IMSI number of an individual by collecting IMSI numbers in areas where the individual is believed to be using a device.
- Track location by triangulating the signal strength of other cell towers that the device can see.
- Collect metadata about calls including the “call’s incoming or outgoing status, the telephone number dialed, the cellular telephone’s ESN [Electronic Serial Number], the date, time, and duration of the call, and the cell-site number/sector (location of the cellular telephone when the call was connected).”2
- Send fake text messages and make fake calls to and from a target.3
- Send geo-targeted SMS spam.
- Eavesdrop on and record communications content like voice calls and text messages by performing man-in-the-middle attacks.
- Intercept data transmissions, including numbers dialed, Web pages visited and other such information
- Conduct denial of service attacks that prevent cell phone users from placing calls or even accessing data services.4
- Potentially deliver malware or “flash” (rewrite) firmware, the permanent software programmed into a read-only memory that governs essential processes.5
- 1. Harris Corporation doesn’t publicly advertise a lot about its cell-site simulator capabilities, but other companies do. One company, Septier, advertises its equipment by noting that its “cellular extractor” “provides interception capabilities of cellular traffic, including voice, SMS and data, as well unique abilities to also intercept BlackBerry encrypted traffic. Various types of traffic may also be modified to manipulate targets’ knowledge and actions.”
- 2. The link provided is to materials obtained by the ACLU of Northern California through Freedom of Information Act litigation.
- 3. Marketing materials from the Gamma Group, for instance, say that its equipment has the following abilities: “The communication of Target(s) under surveillance can be captured without their knowledge, including: all Voice calls & SMS either made or received by Target(s); spoof the identity of Target(s) to falsely send SMS or Voice calls; divert Calls/SMS so they are not received by the Target(s); the ability to edit all SMS before they are received by the Target(s)...”
- 4. The link provided is to marketing materials for a re-seller of Harris equipment. The materials specifically note that Gossamer can perform the following operations: “Negação do Serviço: Incondicional (ver texto); Objetiva (ver texto)” translation: “Denial of Service: Unconditional (see text); Objective (see text)”
- 5. Security expert John McAfee claims he has detected the use of cell-site simulators by Chinese airlines to install a Silent Logging malware app. Documents obtained by the ACLU of Northern California show conversations between Justice Department officials noting “It may also be possible to flash the firmware of a cell phone so that you can intercept conversations using a suspect’s cell phone as the bug.”
Although there are some cell-site simulators that only work with GSM (Global System for Mobiles) networks, there are cell-site simulators that work with CDMA (Code Division Multiple Access) networks, like Verizon, which only exist in the U.S. Some cell-site simulators only work on 2G or 3G networks. However, cell-site simulators have kept up with changing technology, and we know that at least Harris’ Hailstorm equipment can operate on 4G networks as well. Furthermore, when a phone is on 3G or 4G, it can be forced to downgrade in order to facilitate the use of a cell-site simulator.
It’s hard to get exact details, but at this point it appears cell-site simulators can cover a range of “a mile for a low-grade IMSI catcher; as much as 100 miles for a passive interception device with a very large antenna.” DHS told the House Oversight Committee that its devices have a range of “usually under 1000 feet.”
The secrecy surrounding the use of cell-site simulators is often couched in terms of national security or counter-terrorism, but the fact is that they are frequently used for ordinary criminal investigations. The bulk of cases in the U.S. that have been made public about the use of cell-site simulators involve suspected fraud or drug trafficking. They are also being used to monitor demonstrations. In 2003, the Miami-Dade Police Department used an advanced cell-site simulator during demonstrations opposing the Free Trade Area of the Americas summit—demonstrations that were handled so brutally that they resulted in an extensive follow-up investigation by city government. While this is one of few documented instances, it is unlikely that it’s the only one. In fact, activists in Chicago have made public a recording of an exchange between field officers and the Chicago Police Department Directives System (CPIC) that activists believe indicates use of cell-site simulators at demonstrations protesting the police killing of Eric Garner. CPIC is a fusion center, one of approximately 80 information centers that enable intelligence sharing between local, state, tribal, territorial, and federal agencies.1
Field officer: "Yeah, this uh, one of the girls here, ...(unintelligible)... guys are here, um, she's been on her phone a lot, uh, you guys picking up, uh, any information, uh, where they're going, possibly?" CPIC:"Yeah, we're keeping an eye on it, we'll let you know if we hear anything. Officer: "Okay, 10-4. They're compliant and they're doing okay now, but she's spending a lot of time on the phone." CPIC: "10-4."
- 1. Fusion centers are staffed by local law enforcement and other local government employees as well as Department of Homeland Security personnel, and they are partly funded by the federal the Homeland Security Grant Program.
If I’m a defendant in a criminal case, how would I know if the government used a cell-site simulator?
Unfortunately, the police haven’t been forthcoming in the past about their use of cell-site simulators to locate criminal suspects. They have actively hidden this information from defense attorneys and even sometimes from prosecutors and judges. Sometimes they do this by failing to mention the use of the technology, and sometimes they use obscure terms to refer to it to try to hide its use:
- digital analyzers
- WITT (FBI’s “wireless intercept tracking team”)
- “confidential source”
If you have reason to question how the police found you, your attorney could file a discovery motion specifically asking about the use of a cell-site simulator and what legal process (generally a “pen register/trap and trace order” but sometimes a warrant) the police obtained to authorize the use of the technology. If the police did not obtain a warrant—or worse, did not seek legal authorization at all—your defense attorney could challenge this in a motion to suppress the evidence obtained using the cell-site simulator.
Cell-site simulators aren’t just available to law enforcement. They can be purchased easily online, and building one (for as cheap as $1500) isn’t particularly difficult, as demonstrated by Kristin Paget at DEF CON 18 in 2010. They are already used by spam marketers in China. Malicious individuals like thieves could use them to steal data. Former FBI deputy director Tim Murphy told Newsweek: “There’s no doubt in my mind that [foreign intelligence agencies abroad and in the U.S.] are using” cell-site simulators, and former head of the Czech Military Intelligence Agency Andor Šándor has speculated that “security firms or rival businesses, or even companies trying to win high-stakes tenders,” are the most likely private users of IMSI catchers in the Czech Republic. His speculation isn’t unfounded. In August of 2015, South African police and intelligence authorities busted “a top businessman in the gold industry and a bank employee” trying to illegally sell a cell-site simulator, which police sources say “had been used to advance certain parties in commercial transactions…The men are believed to have used the information to influence and blackmail people who were involved in the tender.”
You don’t have to do anything wrong or be the target of an investigation to have your data sucked up by indiscriminate cell-site simulator use. According to marketing materials from one manufacturer, “operating [a cell site simulator] within busy or crowded areas will result in many thousands of identities being acquired, most of whom will not be of interest or unwanted collateral.” Each of these “identities” is linked to a specific cell phone. This means if you’re in the area where the police are using a cell-site simulator, your phone information would be captured as well—even though you may have absolutely no connection to the person or people who are the target of the search. Yet as one court opinion pointed out, applications for orders allowing the use of this technology seldom “address what the government would do with the cell phone numbers and other information concerning seemingly innocent cell phone users whose information was recorded by the equipment.” Furthermore, as we discuss elsewhere in this FAQ, we know cell-site simulators have been used at demonstrations, and we know that non-governmental entities can, and likely are, using cell-site simulators.
It’s hard to get an accurate count in the United States—and elsewhere—because of the secrecy around cell-site simulators. Please email email@example.com if you have news articles or documents demonstrating the use of cell-site simulators elsewhere. Currently, the ACLU lists at least “58 agencies in 23 states.” The Department of Homeland Security (which includes Customs and Border Patrol and Immigration and Customs Enforcement), the Internal Revenue Service, and the Department of Justice (which includes the FBI) have all confirmed that they have cell-site simulators. In the United Kingdom, London’s Metropolitan Police are using cell-site simulators that can “shut off phones remotely, intercept communications and gather data about thousands of users in a targeted area.” German intelligence uses cell-site simulators. They are also required to report on their use directly to the German Parliamentary Control Panel. The Czech Republic recently purchased new devices, and older models are already in use by police and private parties. As noted above, attempts to illegally sell cell-site simulators have been made in South Africa using a “fraudulently acquired letter of authority from the South African government.” Spammers are using the devices in China. Cell-site simulators appear to be in use in Oslo, Norway. In December of 2014, Norwegian paper Aftenposten conducted an independent investigation that it said revealed the use of cell-site simulators to monitor Norwegian government officials in Oslo. The Norwegian Police Security Service denied that cell-site simulators were in use, but in June of 2015 the paper published a report from an independent security firm along with statements from multiple security experts agreeing with its original assessment.
Yes. The Marshals have been flying small, fixed-wing Cessna planes mounted with cell-site simulators. EFF has been seeking records about these spy planes in a Freedom of Information Act lawsuit against the DOJ, the Marshals, and the FBI.
Cell-site simulators have many different names. Stingray and Hailstorm are both brand names for products from Harris Corporation. “Dirt box” refers to Digital Receiver Technology products. As noted above, we have also seen cell-site simulators referred to as:
- digital analyzers
- IMSI catchers
- WITT (FBI’s “wireless intercept tracking team”)
- “confidential source"
These products have different specific capabilities. In addition to Harris, the following companies manufacture (or have manufactured) various types of cell-site simulators:
- Martone Radio Technology
- Digital Receiver Technology, Inc. (subsidiary of Boeing)
- Septier Communication
- PKI Electronic Intelligence
- Datong (which now appears to be part of “Seven Technologies Group.”)
- Ability Computers and Software Industries, Ltd.
- Gamma Group
- Rohde & Schwarz
- Meganet Corporation
Harris Corporation’s pricelist, compiled by Ars Technica “by scrutinizing publicly available purchasing contracts published on government websites and marketing materials obtained through equipment resellers,” is a useful way to get an idea of how much these systems cost:
- Stingray: $68,479 for the original Stingray; $134,952 for Stingray II.
- Triggerfish: between $90,000 and $102,000
- Gossamer: $19,696.
- Kingfish: $25,349
- Amberjack: $35,015
- Harpoon: $16,000 to $19,000
- Hailstorm: “$169,602 as a standalone unit. The price is reduced when purchased as an upgrade.”
There is a lot of money in defense technology, and cell-site simulators are no exception. For example, Ars Technica reported that since 2004 "Harris has earned more than $40 million from spy technology contracts with city, state, and federal authorities in the US, according to procurement records.” The Guardian further reported that it's not just U.S. companies:
Between 2004 and 2009, Datong won over $1.6 million in contracts with the U.S. Secret Service, Special Operations Command, the Bureau of Immigration and Customs Enforcement and other agencies. In February 2010, the company won a $1.2 million contract to supply tracking and location technology to the U.S. defense industry. It also sells technology to regimes in the Middle East.
Yes. At the federal level, in September 2015 the Department of Justice (DOJ) announced its new policy that going forward, all components within the DOJ (including FBI, US Marshals, DEA, and ATF) will be required to obtain a search warrant supported by probable cause before they use cell-site simulators. This new policy also applies to situations where DOJ components are using cell-site simulators “in support of other Federal agencies and/or State and Local law enforcement agencies.” The IRS has indicated that it will comply with the DOJ policy. Shortly after DOJ issued its policy, the Department of Homeland Security followed suit. This policy applies to all of the components of DHS, including ICE, U.S. Customs and Border Protection, and the Secret Service. These policies also include important requirements that DOJ and DHS agents be very clear with the court that they are using a cell-site simulator, and minimization protections that require agents to delete data quickly after the target is located. Unfortunately, the policies don’t apply to the use of cell-site simulators outside of the criminal investigation context. For instance, when federal agents use cell-site simulators for “national security” purposes, they won’t be required to obtain a warrant by the terms of this policy. The “exceptional circumstances” exception in these policies is also particularly concerning—watch members of the House Oversight Committee question representatives from DHS and DOJ about these policies for an idea of why. At this time, the DHS and DOJ policies are self-imposed. This means they don’t have the force of law and could be changed by the agencies at any time. They also both have exceptions to the warrant requirement in cases of “exigent” and “exceptional” circumstances. Nevertheless, both policies are a step in the right direction—and a long way from where the agencies started. After the House Oversight Committee’s hearing, legislation was introduced at the federal level to require a warrant for the technology. The Cell-Site Simulator Act of 2015 1would require a warrant in most circumstances, but has exceptions for foreign intelligence surveillance and emergencies.
- 1. Link is to a pdf of the legislation as introduced. Language may have changed since then.
Yes, but much of this legislation doesn’t specifically mention cell-site simulators. Instead, statutory language focuses on tracking or real-time location information. Many of these pieces of legislation also address obtaining location information directly from providers like your cell phone company. The majority of bills that address location information and create a warrant requirement include exceptions for calls for emergency services, consent from the user or owner of a device, if the device has been reported stolen, or for exigent circumstances that would fall under an already-existing exception to the 4th Amendment’s warrant requirement. California recently passed the California Electronic Communications Privacy Act (CalECPA) and S.B. 741. CalECPA is a comprehensive digital privacy bill that, among other things, requires cops to get a warrant before they can use a cell-site simulator. Evidence obtained unlawfully is inadmissible in court under CalECPA. S.B. 741 requires notification to the public and the creation of a use policy before local governments purchase cell-site simulators. Washington state passed H.B. 1440 in 2015. This legislation is specifically aimed at cell-site simulators. It prohibits law enforcement from using cell-site simulators without a warrant, except where there is a “legally recognized exception to the warrant requirement.” It also imposes requirements for a warrant to address privacy concerns, such as addressing “whether or not the cell site simulator device will incidentally collect metadata, data, or information from any parties or devices not specified in the court order,” and requires law enforcement agencies to limit unnecessary collection and delete information that was wrongfully collected or after it is no longer needed for an active criminal investigation. Colorado passed S.B. 193, codified as 16-3-303.5, in 2014. Like most of the state legislation, the bill does not specifically refer to cell IMSI catchers or cell-site simulators, but it prohibits collection of location information without a warrant and excludes that evidence from being used in court. It also has a long list of exceptions that are present in many of these state bills. However, this bill also has exceptions for a good faith belief on the part of law enforcement that the search was legal, as well as an exception for when the user or owner of the device has publicly disclosed location information. Considering the concern around use of cell-site simulators at demonstrations, this could be a big exception. Would this include tagging photos? Clicking “yes” on an invitation to attend a demonstration on Facebook? Checking in on Four Square? Other similar everyday disclosures of location? It’s unclear. Indiana’s H.B. 1009, passed in 2014 and codified as Sec. 146.4. IC 35-33-5-13, requires an order based on probable cause for location information, and has an “exigent circumstance” exception.
Maine’s S.P. 157, passed in 2013 and codified as Sec. 1. 16 MRSA c. 3, sub-c. 10, requires a warrant to collect real-time location information, and limits the exceptions to consent and “immediate danger of death or serious injury.” It also requires law enforcement to notify the owner or user of an electronic device that their location information has been collected. Maryland bill S.B. 698, passed in 2014, requires an order based on probable cause for collection of real-time location information. It also provides exceptions to the order requirement for consent and undefined exigent circumstances and requires notice to an individual that they were tracked. Minnesota bill S.F. 2466, passed in 2014 and codified as chapter 626A, prohibits collection of location data without a warrant and has the same exceptions present in most of these bills. It also creates a notice requirement for the person targeted, excludes unlawfully obtained evidence, and creates an annual report on the use of warrants for tracking. The legislation does not specifically use the language "real-time location information," but does require a "tracking warrant." Montana bill H.B. 603, passed in 2013 and codified in part as 46-5-110, requires a warrant to get locational information, and has the same exceptions that most of the other bills have. It specifically makes it clear that evidence obtained in violation of the law is not admissible and applies a small civil fine for violating the section.It does not specifically use the language “real-time location information.” Tennessee bill S.B. 2087, passed in 2014, also requires a warrant to get locational information and has the same exceptions seen in other bills. However, it also makes it a misdemeanor crime to collect locational information under any other circumstances. The legislation does not specifically use the language "real-time location information." Utah bill H.B. 128, passed in 2014 and codified as section Section 77-23c-101, follows the same patterns as other legislation, requiring a warrant with several exceptions. It has notice requirements for the target of surveillance and requires destruction of data that doesn't fall under the warrant. It also has the problematic exception—like Colorado—for situations where an individual has “voluntarily and publicly disclosed the location information.” Virginia bill H.B. 17, codified as § 19.2-70.3, lists the limited times when real-time location information can be disclosed without a warrant, including consent, emergency services, or for “an emergency involving the immediate danger to a person.” In 2014, H.B. 1408 amended §19.2-70.3 to add a specific prohibition on using “any device to obtain electronic communications or collect real-time location data,” without meeting the same requirements. Wisconsin bill A.B. 536, passed in 2013 and codified as 968.373 and 968.375(4)(c), prohibits “identify[ing] or track[ing] the location of a communications device” without a warrant except for situations where the customer or subscriber consents or there is “danger of death or serious physical injury.” This bill also addresses obtaining location information from providers, and it allows judges to issue a gag order accompanying such a warrant—an especially troubling provision. One legislator in South Carolina is sponsoring legislation that would completely prohibit the use of cell-site simulators in the state. Texas also has legislation pending from last year that didn’t move.
Cell-site simulators are almost certainly being litigated about daily in criminal courts around the country, as cell-site simulator evidence is being used against defendants—with or without notification to attorneys. Courts have had the opportunity to rule on the use of cell-site simulators in two contexts: where their use has been challenged by a criminal defendant and where a judge has been asked to sign an order authorizing their use. This means that, although cell-site simulators are used in both state and federal cases, magistrate judges in federal courts have been the main source of opinions on the use of cell-site simulators—many of which are unpublished or not public.1 The following decisions are all particularly key to the case law around cell-site simulators: 1995 Central District of California decision This case appears to be the first public opinion about cell-site simulators. The technology Judge Elgin Edwards described, a “digital analyzer,” was incredibly primitive compared to what law enforcement can use now. The judge ruled that “no court order is required to use the digital analyzer... Numbers dialed by a telephone are not the subject of a reasonable expectation of privacy, and their interception does not violate the 4th Amendment…. as long as they are not used to intercept the contents of any communication.” The court cited an outdated case from 1979 called Smith v. Maryland, which addressed obtaining very limited dialing information from a landline phone.2 However, the judge did not grant the order as requested by the government, because “ the digital analyzer takes on some of the characteristics of a pen register and some of the characteristics of a trap and trace device,” and it didn’t fit into the statutory scheme used for these two types of devices. Drawing an analogy, however, the court indicated that “any proper order should contain, instead, a requirement that the investigative agency maintain a time log identifying each target cellular telephone analyzed (by ESN and telephone number), together with all intercepted telephone numbers dialed or pulsed from each such telephone,” to ensure accountability. United States v. Rigmaiden. The most well known challenge to Stingray evidence in a criminal case was United States v. Rigmaiden. In this case, Daniel Rigmaiden was convicted of fraud based on Stingray evidence that wasn’t revealed during his prosecution. In fact his claims sounded so “Twilight Zone” that his first attorney withdrew from his case. He did research from prison and eventually appealed his case. EFF and ACLU submitted an amicus brief in support of his claim that the collection of his location data was unconstitutional, since it was done under what was essentially a general warrant. Unfortunately, the judge in his case denied the motion to suppress this evidence in May of 2013. 2012 Southern District of Texas Magistrate Decision In this decision, Judge Brian Owsley denied an application for an order allowing the use of a cell-site simulator. The judge pointed out that “The application has a number of shortcomings. It does not explain the technology, or the process by which the technology will be used to engage in the electronic surveillance to gather the Subject's cell phone number.” In fact, the opinion noted, both the FBI special agent and the Assistant United States Attorney “appeared to understand the technology very well. At a minimum, they seemed to have some discomfort in trying to explain it.” In denying the application, the judge pointed out:
the application seeks an order authorizing the use of this equipment as a pen register as opposed to seeking a warrant. The government has not provided any support that the pen register statute applies to stingray equipment.
2015 Northern District of Illinois Magistrate Decision This recent decision from a Magistrate Judge in the U.S. District Court for the Northern District of Illinois imposed privacy safeguards that must be complied with by the government in order to use a cell-site simulator. Judge Johnston noted, that “there is no dispute that a warrant meeting the probable cause standard is necessary to use a cell-site simulator under” the circumstances of the case, and instead focused on “the collection of innocent third parties’ information, an occurrence that appears inevitable by the cell-site simulator’s use.” The court determined that using a cell-site simulator to determine the cell phone information of a target is only allowable if the government follows minimizing procedures:
a) must make reasonable efforts to minimize the capture of signals emitted from cellular telephones used by people other than [the target], (b) must immediately destroy all data other than the data identifying the cellular telephones used by [the target] (such destruction must occur within forty-eight (48) hours after the data is captured, and the destruction must be evidenced by a verification provided to the Court with the return of the warrant), and (c) are prohibited from using the data acquired beyond that necessary to determine the cellular telephones used by [the target].”
- 1. Stephanie Pell and Christopher Soghoian did a good review of the relevant cases in 2013 in their law review article: Stephanie Pell and Christopher Soghoian. "A Lot More Than a Pen Register, and Less Than a Wiretap: What the StingRay Teaches Us about How Congress Should Approach the Reform of Law Enforcement Surveillance Authorities." Yale Journal of Law & Technology 16.1 (2013): 134.
- 2. Smith has stood for the idea that people have no expectation of privacy in information they expose to others—but the decision was made based on very specific and limited facts, and as we’ve pointed out before, this narrow decision upholding the warrantless collection of the phone numbers one person dialed over three days has been stretched beyond belief to justify forms of electronic surveillance that would have been the stuff of science fiction in 1979.
How have manufacturers of cell-site simulators influenced the spread of the technology and the secrecy around it?
This is one of the most disturbing parts of the story of the use of cell-site simulators in the U.S.: the Department of Justice appears to have colluded with Harris Corporation to keep the technology secret. As Federal Magistrate Judge Ian Johnston points out in his recent order denying an application use cell-site simulators, the Harris Corporation “is extremely protective about information regarding its device. In fact, Harris is so protective that it has been widely reported that prosecutors are negotiating plea deals far below what they could obtain so as to not disclose cell-site simulator information." Across the country, the Justice Department has intervened in local public records battles to prevent the release of information about these technologies, employing tactics such as signing nondisclosure agreements with state and local law enforcement agencies, seizing records held by those agencies, and withholding key pieces of information about the technology from judges and criminal defendants. Prosecutors have not only accepted plea deals to hide the use of cell-simulators—they’ve even dropped cases rather than reveal information about the use of the technology. Unsurprisingly, many manufactures of cell-site simulators offer little or no details on their products on their websites.
Researchers have argued that cell-site simulators can be detected because they create anomalies in cell phone service that mobile apps can show to a user. The most popular such app is SnoopSnitch. Unfortunately, it can only run on a rooted Android phone with a Qualcomm chipset. Another such app is called Android IMSI-Catcher Detector (AIMSICD); it does not require any root privileges. These apps generally work by looking for anomalous behavior indicative of a potential cell-site simulator such as an unexpectedly changing location area code (LAC). Unfortunately none of these measurements guarantee the presence of a cell-site simulator so these tools are prone to false positives and false negatives. Rayzone, an Israeli manufacturer of cell-site simulator technology also manufactures “ArrowCell,” which it claims can detect, prevent, and locate GSM interception. EFF has not tested any of the apps available for detecting cell-site simulators, and cannot comment on or guarantee their reliability.
As of now, we know of no way to avoid having your signal captured by a cell-site simulator if your phone is turned on. The best way to avoid cell-site simulators at this time is to not have a cell phone with you—obviously impractical for most of us. One piece of good news however—if you use end-to-end encrypted methods of communication, such as Signal, the contents of your communications will remain unreadable to anyone other than the intended recipient. However, this won’t prevent a cell-site simulator from detecting the identifying number from your phone.
Now that cell-site simulators are catching the eye of lawmakers, it’s worth alerting any privacy-friendly lawmaker in your area to the problems the surveillance technology raises. Using these FAQs to educate lawmakers about the capabilities of cell-site simulators can be an effective tool to stop or delay funding. It’s important to note that often times, funding for cell-site simulators doesn’t come from a general budget, but rather from federal programs earmarked for such equipment. Lawmakers can decline to approve these grants, but they will often simply rubber stamp them. Bringing the problems with cell-site simulators to the attention of local lawmakers can be effective. In Santa Clara County, CA, the Board of Supervisors put the acquisition of a cell-site simulator on hold after members of the public expressed concern, and ultimately decided against it. In Alameda County, CA, the Board of Supervisors declined to approve a grant upgrading the county’s cell-site simulator system without a use policy in place. The Alameda County District Attorney’s office, which would be the owner of the equipment, created a policy before the board was willing to approve the upgrade. While the D.A.’s policy wasn’t perfect, having one in place at all is a far cry from the secrecy surrounding these devices even a few months ago.