IRS Talks About Stingray,
FCC Doesn't
In the above letter from IRS Director John Koskinen to Sen. Wyden is a clear discussion of IRS' use of Stingray, a cell site simulator/"IMSI catcher". In October The Guardian revealed purchasing documents it had FOIA'd from IRS showing the purchase of such units.
They're not cheap! The IRS contract shows that just upgrading a Stingray to the newer "HailStorm" model costs $65,652! Training an extra 6k.
The IRS contract that The Guardian obtained also shows that IRS knows how to properly mark redactions on FOIA documents with the exemption number as mandated by 5 USC 552 (b)(9) - something that FCC has generally not done in the past. (An FCC insider has assured me that FCC has been in general compliance with this requirement, but since FCC does not make readily available past FOIA releases as CIA, NSA, FBI, and NRC do, it is not readily possible to see if FCC has been compliant with the law in the past. However, we have shown in this blog numerous other FCC FOIA releases, including one from the FCC IG, that were not properly marked with exemption numbers. Indeed, the only FCC FOIA release that I have ever seen is that is properly marked dealt with Stingray and it is likely it was actually redacted and properly marked by FBI since its redactions include information readily available elsewhere on the FCC website that FCC staffers would have been aware of.)
The ACLU website contains a map that allegedly shows how broadly Stingray is used by local and state as well as listing 12 federal agencies that reportedly posses this technology - although a few are military and their units may be intended for overseas operation.
As we have stated before, operation of Stingray and similar IMSI catchers in USA by either federal agencies or nonfederal agencies requires some degree of FCC coordination and acquiescence. As several commissioners are concerned about delegation of authority abuse and legislation is being considered that would require more explicit public documentation of delegations of authority (most, but not all of which, are now enumerated in Subpart B of Part 0 of the Commission's Rules) perhaps the commissioners and congressional committees should ask who at FCC authorized this broad use of Stingray-like technology and whether proper procedures were followed.
The IRS letter at the top of this post demonstrates that the basic facts of Stingray use are both now public and are being discussed publicly by other agencies. FCC's continued silence is thus puzzling.
Stingray: DOJ Reforms Its Rules While FCC Silence Continues Delegation of Authority Issues
Stingray is apparently a device develop by the Navy (hence the nautical name) and now used by federal and some local law enforcement agencies (apparently under strict rules from FBI) to track cell phone use. It has been granted FCC equipment authorization and one model has grant number NK73092523 (Search here for public details.) The device spoofs cellular base stations to force cell phone to transmit information and receives such information.
Today the Washington Post and Wall Street Journal both reported that the Department of Justice will be "adding more judicial and internal supervision to a practice that critics say invades privacy and has had too little oversight for years." However the new DOJ rules do not necessarily apply to state and local police departments according to WSJ.
There are 2 key FCC issues here:
- The FCC equipment authorization grant is somewhat questionable especially due to the extreme and probably illegal redaction of documents from the manufacturer in the FCC FOIA release. Note that this redaction included information in the public equipment authorization grant. Most likely the redaction was made by FBI and rubber stamped by FCC. (The good news: FBI understands FOIA somewhat better than FCC staff and at least the FOIA exemptions are clearly marked on this release, something FCC has, at best, been inconsistent about in other releases.)
- Use of such equipment by state and local law enforcement requires an FCC license or STA/waiver. Who at FCC approves such actions? and consent of cellular carriers. Has this been done?
- Use of such equipment by federal agencies also requires carrier consent and FCC/NTIA coordination. Who approves such actions?
Delegation of Authority Issues
In your blogger's paper at this month's TPRC conference he raises the issue of low FCC throughput on various spectrum policy issues, even ones favored by CTIA other than incentive auction. One root cause of this problem is probably the Commission's outdated delegations of authority under Section 5(c) of the Comm Act. Many truly noncontroversial items end up on the 8th Floor and getting delayed. These are both technical issues discussed in the TPRC paper and nontechnical ones such as this example raised by my former FCC colleague Randy May.
But many issues that would benefit from commissioner attention may not be seen by them under the present delegations. Comm. O'Reilly has voiced concern about "depriving commissioners of the right to vote". But maybe the issue is that the commissioners are voting on the wrong subset of issues, delaying obscure noncontroversial issues and not giving oversight to important issues like Stingray.
Your blogger has no view on the merits of Stingray use, but today's news from DOJ confirms that its initial use was not well thought out. Did the 5 presidential appointees at FCC add any value to this process? Were they even aware? Note that the Bush43 Administration abuses of illegal NSA surveillance of phone and Internet was - in you blogger's view - almost certainly explicitly condoned by someone in FCC. Were the 5 commissioners at that time aware of this? Did they have meaningful input?
Rationalizing and reforming the FCC's delegations of authority will both improve FCC productivity as well as help maintain the rule of law.
"StingRay" FOIA Release Shows Continuing FCC FOIA Problems
“Stingrays, also known as ‘cell site simulators’ or ‘IMSI catchers,’ are invasive cell phone surveillance devices that mimic cell phone towers and send out signals to trick cell phones in the area into transmitting their locations and identifying information. When used to track a suspect's cell phone, they also gather information about the phones of countless bystanders who happen to be nearby.”
The magazine reports that “ A heavily redacted copy of a 2010 user manual covering both StingRay and KingFish devices was delivered by the FCC last week”. When they say “ heavily redacted copy” they weren’t kidding! Here is a sample of what was released:
But lest we be seen as too critical of FCC here, let’s first report 2 positive aspects of what has happened:
- The magazine actually got the release directly from FCC. This is a real improvement. We previously described a FOIA request to FCC for documents Motorola had submitted to FCC explaining why multiple units of hardware they made had caused interference to NOAA weather radars. In that case, FCC apparently allowed (requested?) Motorola to redact the documents any way they wanted and just send us whatever they thought was appropriate. We received the redacted copy directly from Motorola! In the present case, Harris Corp may have controlled all the redactions, but at least FCC wrote a cover letter and sent it to the magazine.
FCC Discovers and Starts Complying with 2007 FOIA Amendment
- FCC now finally recognizes the requirement of Section 12 of the OPEN Government Act of 2007 that “the exemption under which the deletion is made, shall be indicated at the place in the record where such deletion is made.” As can be seen in examples of previous FCC FOIA releases below, including even one by the FCC Inspector General, this statutory provision has been consistently ignored by FCC previously. (Perhaps Harris Corp.’s lawyers read the FOIA legislation better than FCC staff or Motorola staff in previous cases?)
Ignoring Obama/DOJ FOIA Guidance - See, FCC Really is Independent!
In the recent Net Neutrality issue there has been consistent recurring accusations that FCC takes secret orders from the Obama White House. Such accusations have even been echoed by the 2 Republican commissioners. Well, this excessive fealty to the Obama White House may be disproven by FCC consistent and ongoing dismissal of the concepts in President Obama’s publicly stated FOIA policy: On his first full day in office, President Obama signed the Memorandum on Transparency and Open Government calling for unprecedented openness and transparency in government and declaring information maintained by the Federal Government is a national asset. Here is an excerpt:
The Freedom of Information Act should be administered with a clear presumption: In the face of doubt, openness prevails. The Government should not keep information confidential merely because public officials might be embarrassed by disclosure, because errors and failures might be revealed, or because of speculative or abstract fears. Nondisclosure should never be based on an effort to protect the personal interests of Government officials at the expense of those they are supposed to serve. In responding to requests under the FOIA, executive branch agencies (agencies) should act promptly and in a spirit of cooperation, recognizing that such agencies are servants of the public.
All agencies should adopt a presumption in favor of disclosure, in order to renew their commitment to the principles embodied in FOIA, and to usher in a new era of open Government. The presumption of disclosure should be applied to all decisions involving FOIA.
This memorandum is not binding on FCC as an independent agency, and it is pretty clear that it has been almost completely ignored. So much for FCC’s alleged total fealty to the Obama White House!
Consistent Excessive Redactions
There have been a few recent cases where documents requested under FOIA were released by FCC and then released with fewer redactions. This allows a direct view of when FCC was redacting and whether it was justified. (By contrast, the document released by the FCC IG shown above has never been released in a less redacted form so one can only guess at whether the redactions were actually legitimate. However, we have previously speculated that this document was over redacted in some places and under redacted in others.)
Below is a Motorola submission to FCC in conjunction with the enforcement action concerning interference from Motorola equipment to NOAA weather radars. This was released, actually mailed by Motorola to your blogger after a FOIA request to FCC. Following it is a less redacted version after your blogger appealed to the full Commission and waited a year:
(Click on above images to expand the document)
Another pair of releases comes in the enforcement action concerning Google’s Spy-Fi operation and its legality. The top document is the document with redactions by Google that FCC nodded at when it released the document. After a public outcry, Google released the lower document with minimal redactions. Now that we can see what redactions FCC authorized/condoned in the upper document, were those redactions consistent with the law? Was it consistent with President Obama’s nonbinding guidance to FCC (but binding on Executive Branch agencies)?
A suggestion to readers: Compare the first redaction in the above 2 cases with the 2nd version. You can see the exact words that FCC redacted (or condoned the submitting party’s redaction) and see if you can find any plausible justification in the FOIA legislation for such redaction? If you happen to agree with your blogger that these redactions have no plausible justification, please communicate such to FCC leadership.
If CIA Has an Online Reading Room of Prior FOIA Releases, Why Not FCC?
While FCC claims to have a “Freedom of Information Act Electronic Reading Room” that allegedly includes “Records disclosed in response to a FOIA request that ‘the agency determines have become or are likely to become the subject of subsequent requests for substantially the same records”, past FOIA releases are not readily available. FCC does not post previous FOIA requests and resulting releases except in very rare cases. Try to find the StingRay release on the FCC website, for example! (Although we must admit that in one case FCC released to us a document someone else had FOIA’s in only 3 days after we requested it! By contrast, CIA, NSA, FBI, and NRC do post previously released documents regardless of whether they are embarrassing to the agencies.
Remaining StingRay Issue: Who Authorized Its Use per § 301 or § 305?
While it appears that FCC made a minimal/slight attempt to comply with the FOIA request that asked for the StingRay information, there is another key spectrum policy issue here that has been unanswered dealing with StingRay: Who authorized its use under § 301 of the Communications Act? Use by a state or local law enforcement agency requires some sort of § 301 authorization. There are 2 obvious possibilities:
- FCC has been giving licenses to state/local law enforcement organizations under waivers
- State/local law enforcement agencies have been leasing spectrum from cellular carriers
What about StingRay use by federal agencies, e.g. FBI or DEA? Such use could have been authorized by NTIA pursuant to § 305 and § 902 of the Communications Act. NTIA is not known for transparency. But since StingRay almost certainly transmits in cellular bands (note that even this was redacted in the manual provided in response to the FOIA request), NTIA authorization would have required coordination with FCC pursuant to an interagency agreement. (The basic terms of this agreement have been in place since 1940 and have been strictly adhered to by both agencies.) So if anyone wants an exercise in frustration, feel free to FOIA FCC on correspondence with NTIA on permitting its use by federal agencies.
Maybe it is also time for an independent review of FCC FOIA practices?
UPDATE - Wild Inconsistency of FCC Redactions
After thinking about this for a while, your blogger wondered about the complete redaction of any quantitative data such as frequency and power in the redacted material that FCC finally released. How could this data be exempt from FOIA? So we took the FCC ID of the FOIA request, NK73092523, and went to the FCC “Authorization Search” page.
It was amusing to note that all the routine application documents were listed but virtually all were granted confidentiality and none had links available. Even 6 documents that were not granted confidentiality were missing:
- “Revised ID Label”
- “Final Request for Confidentiality of Harris Corporation”
- “Revised RF Exposure 850MHz”
- “Revised RF Exposure 1900MHz”
- “Revised Test Report 1 of 2”
- “Revised Test Report 2 of 2”
But even more surprising was the official FCC equipment authorization grant which at the time of this writing can be access with this link. (Don’t be surprised if it disappears quickly.) The grant is shown above right and clicking on it will yield a larger image. It clearly shows the bands in which StingRay operates and the powers and modulations - all information redacted from the document FCC delivered for the FOIA request!
Why the wild inconsistency? There are hints throughout this issue that FBI is involved. Matthew Keys, the journalist behind the FOIA request, provided us with this statement:
“During the FOIA process, I was told that an outside agency was assisting the FCC in its fulfillment of the requested documents. Specifically, the outside agency was helping the FCC determine what information should be made public and what information should be redacted. To date, the FCC has refused to tell me the name of the outside agency.”
Note the grant contains a cryptic condition: “State and local law enforcement agencies must advance coordinate with the FBI the acquisition and use of the equipment authorized under this authorization.” In posted e-mail correspondence with FCC on the FOIA request, a delay due to an “outside agency” is mentioned. Also mentioned is an NDA between FBI and a local police department -- although it is hard to see how that was germane to the FOIA issue.
-So perhaps FBI, not Harris, actually redacted the document.
-Perhaps this explains the long processing of the FOIA request?
-This might explain why the redacted paragraphs are marked properly even though FCC had perviously ignored that requirement in FOIA releases. FBI may comply more with the letter of the FOIA legislation than FCC does.
-Perhaps FBI was more stubborn than FCC and demanded near total redaction even though the basic technical data was already public and the law and Obama Administration policy (binding on FBI but not FCC) did not allow such extreme redaction?
-Perhaps FBI did not know the information was already public in the grant?
-Perhaps FBI was so pig headed and arrogant in demanding total redaction that FCC didn’t bother to tell them about this contradiction? The world wonders.
Oh what a tangled web we weave,
When first we practise to deceive!
- Sir Walter Scott, Marmion, Canto vi. Stanza 17.
But this inconsistency is not unlike the FOIA release of the IG “porno” report: In that report parts were over redacted and parts were under redacted allowing identification of groups that were under suspicion for porno access from FCC computers. Further indication of long term basic FOIA problems at FCC.
UPDATE - 4/11/15
UK’s The Guardian has now also written about StingRay. They go into detail about the NDA’s between FBI and local police, presumably of no concern to FCC although FCC conditioned equipment authorization on user agreement with FBI in each case.
They also found a total of 5 different StingRay models with FCC equipment authorization and show the FCC grants with the frequencies and powers listed. The same information that was redacted in the StingRay manual FOIA!