How a Hacker Proved Cops Used a Secret Government Phone Tracker to Find Him

Authored by politico.com and submitted by benmarvin

On a warm summer’s day in 2008, police spotted a man walking outside his apartment in Santa Clara, California, one of the many bedroom communities spread across Silicon Valley. Undercover FBI officers saw him outside the building and began following him on foot, radioing to their colleagues nearby. The man saw the agents, and so he began to walk quickly. They followed suit.

After months of tracking him via sting bank accounts and confidential informants, the officers had their man. He had told the apartment complex’s manager that he was Steven Travis Brawner, software engineer: a profile that fit right in with many other tenants in the area. But at the time of his arrest, officers didn’t know his real name: After watching his activities at a distance, they called him simply the “Hacker.” Between 2005 and 2008, federal investigators believed that the Hacker and two other men filed over 1,900 fake tax returns online, yielding $4 million sent to over 170 bank accounts.

The Hacker was found out through the warrantless use of a secretive surveillance technology known as a stingray, which snoops on cell phones. Stingrays, or cell-site simulators, act as false cell phone towers that trick phones into giving up their location. They have become yet another tool in many agencies’ toolbox, and their use has expanded with little oversight—and no public knowledge that they were even being used until the Hacker went on an obsessive quest to find out just how law enforcement tracked him that summer day. When he tugged on that thread, he found out something else: that police might be tracking a lot more than we even know on our phones, often without the warrants that are usually needed for comparable methods of invasive surveillance.

The Hacker began breathing more heavily. He may have thought about heading toward the nearby train station, which would take him out of town, or perhaps towards the San Jose International Airport, just three miles away. The Hacker couldn’t be sure if there were cops following him, or if he was just being paranoid. But as soon as he saw the marked Santa Clara Police Department cars, he knew the truth, and he started running.

But the Hacker didn’t get far. He was quickly surrounded, arrested and searched. The police found the key to the Hacker’s apartment. Later, after police obtained a warrant to search his apartment, they found there a folding chair and a folding table that served as a desk. There was no other furniture—his bed was a cot. Law enforcement also found his Verizon Wireless mobile Internet AirCard, and false driver’s licenses with the names “Steven Travis Brawner,” “Patrick Stout” and more. A 2010 FBI press release later stated that the agency also “seized a laptop and multiple hard drives, $116,340 in cash, over $208,000 in gold coins, approximately $10,000 in silver coins, false identification documents, false identification manufacturing equipment, and surveillance equipment.”

Investigators identified the Hacker, via his fingerprints, as Daniel Rigmaiden, previously convicted of state-level misdemeanors. According to an Internal Revenue Service special agent’s search warrant, Rigmaiden’s computer also included “email regarding leaving the United States for the country of Dominica . . . [and] documents regarding obtaining citizenship in other countries; emails regarding paying off Dominican officials to get Dominican birth certificates and passports; and a Belize residency guide.”

Rigmaiden’s case dates back several years. In 2007 and early 2008, the IRS identified a bank account at Compass Bank in Phoenix that was receiving fraudulent tax refunds under an LLC as being involved in the possible scheme.

Rigmaiden’s indictment was initially sealed, pending cooperation with a federal investigation. But from the start, Rigmaiden declined to cooperate, and moved to represent himself (after firing three attorneys), and the case was subsequently unsealed in 2009.

“The question is what’s the law that governs its use?” Eric King, a longtime London-based privacy activist, said when I asked him about the stingray. “We know that the police have them and we know that the police use them, not that they’ve ever admitted it, and have done so for 10 years. They refuse to engage, they refuse to say that they bought them. We need a public debate around this sort of stuff.”

That debate is very slowly starting to happen. And that is due, in large part, to Rigmaiden’s unlikely exposure of the stingray.

Rigmaiden found out about fraudulent tax return schemes in the mid-2000s. He quickly figured out that tax returns are largely voluntary. The IRS simply doesn’t have enough agents and auditors to do a thorough check of everyone. Most IRS personnel do the best they can, but a few slip through the cracks. This meant that Rigmaiden could file a fake tax return for someone who had died, and pocket the refund. He would file dozens at a time, sometimes more, before one would come back with money. His first successful one netted $9,000. “I was going to make a million and then I was going to stop,” he said. (He told WNYC’s podcast Note to Self in 2015 that he was planning on leaving the country after making the million dollars.)

In late 2007, Rigmaiden moved to Santa Clara. The city, then as now, is home to students and lots of tech workers. He had a comfortable life in an urban area, and lived near a train station and airport should he need to make a quick getaway. But he knew that the longer he stayed in one place, the more exposed to law enforcement he would be. Unbeknownst to the fraudster, federal prosecutors in Arizona—one of the places where he had stashed his money—filed a sealed indictment against Rigmaiden on July 23, 2008.

By the time he was arrested, Rigmaiden had made about $500,000. After Rigmaiden was arrested in California, he was quickly transported to the Florence Correctional Center, about 65 miles southeast of Phoenix. Despite being incarcerated, Rigmaiden could not sit still. He knew that he had been careful. He had used multiple fake identities, with fake documents, and paid in cash. How could law enforcement have not only found him out, but found him in his own apartment, where hardly anyone knew he lived?

Rigmaiden thought there might be something that the government wasn’t telling him—there might be some secret surveillance tool afoot. He tried pressing his federal public defenders to listen, but they wouldn’t. Within two months, he’d fired one of his lawyers, and then another. In essence, he didn’t feel that they were technically sophisticated enough to be able to help him get the answers he needed. Eventually, the accused fraudster got permission to represent himself (pro se), a legally risky move.

Once he was representing himself, he was allowed to use the law library for five hours a day (up from the usual three hours a week). It became a full-time job, immersing himself in legal procedures—but it was likely the most productive way to spend his time behind bars. Fortunately, at the beginning, a fellow inmate and disbarred attorney helped him out with some of the basics, including general court procedure, how to draft a motion and correct legal citation. By October 2009, Rigmaiden had received boxes and boxes (over 14,000 pages in total) of criminal discovery that would help him understand how the government planned to prosecute its case. In the penultimate box, he saw the word “stingray” in a set of notes.

As a prisoner, he wasn’t allowed Internet access, but sometimes a “case manager,” a sort of guidance counselor, could be convinced to run online searches for inmates who were pursuing legal research. Through this process, Rigmaiden located a Harris Corporation brochure with the StingRay name. Bingo. The device advertised various types of cellular interception.

Although Rigmaiden was pro se, he had a shadow counsel, or a lawyer who was ready to step in if the pro se defendant wished to take on formal counsel. That lawyer had a paralegal, a man named Dan Colmerauer. Rigmaiden could call Colmerauer from a jailhouse pay phone and ask him to run Google searches for him, and tell him the results by phone. Then Colmerauer would print those webpages, and put them in the mail to Rigmaiden, who in turn would have to make handwritten notes about which links to follow and mail that back to Colmerauer. It’s how he found out everything he knew about stingrays.

While StingRay is a trademark, stingray has since become so ubiquitous in law enforcement and national security circles as to also often act as the catch-all generic term—like Kleenex or Xerox. A stingray acts as a fake cell tower and forces cell phones and other mobile devices using a cell network (like Rigmaiden’s AirCard, which provided his laptop with Internet access) to communicate with it rather than with a bona fide mobile network. Stingrays are big boxes—roughly the size of a laser printer—like something out of a 1950s-era switchboard, with all kinds of knobs and dials and readouts. Stingrays can easily be hidden inside a police surveillance van or another nearby location.

All of our cell phones rely on a network of towers and antennas that relay our signal back to the network and then connect us to the person that we’re communicating with. As we move across a city, mobile networks seamlessly hand off our call from one tower to the next, usually providing an uninterrupted call. But in order for the system to work, the mobile phone provider needs to know where the phone actually is so that it can direct a signal to it. It does so by sending a short message to the phone nearly constantly—in industry terminology this is known as a ping. The message basically is asking the phone: “Are you there?” And your phone responds: “Yes, I’m here.” (Think of it as roughly the mobile phone version of the children’s swimming pool game Marco Polo.) If your phone cannot receive a ping, it cannot receive service. The bottom line is, if your phone can receive service, then the mobile provider (and possibly the cops, too) know where you are.

Rigmaiden eventually pieced together the story of his capture. Police found him by tracking his Internet Protocol (IP) address online first, and then taking it to Verizon Wireless, the Internet service provider connected with the account. Verizon provided records that showed that the AirCard associated with the IP address was transmitting through certain cell towers in certain parts of Santa Clara. Likely by using a stingray, the police found the exact block of apartments where Rigmaiden lived.

This tracking technology is even more invasive than law enforcement presenting a court order for location data to a mobile phone provider, because rather than have the government provide a court order for a company to hand over data, the stingray simply eliminates the middleman. The government, armed with its own stingray, can simply pluck the phone’s location (and possibly the contents of calls, text messages or any other unencrypted data being transmitted at the time, depending on the configuration) directly out of the air.

The Harris Corporation, a longstanding American military contractor, won’t say exactly how stingrays work, or exactly who it’s selling to, but it’s safe to say that it’s selling to lots of federal agencies and, by extension, local law enforcement. The company’s 2017 annual financial report filed with the Securities and Exchange Commission shows that in recent years Harris has increased its sales of surveillance equipment and related tactical radio systems. It works with not only the U.S. military and law enforcement, but also Canada, Australia, Poland and Brazil, among other countries. The company has profited over $1.8 billion from fiscal year 2013 through 2017.

A 2008 price list shows that its StingRays, KingFish and related devices sell for tens to hundreds of thousands of dollars. But like everything else in the tech world, they’re getting cheaper, smaller and better all the time.

As with many other enforcement tools, the federal government has used grants to encourage local law enforcement to acquire stingrays in the name of fighting terrorism. But, as the Rigmaiden case shows, over time, particularly as these tools become cheaper and more commonplace, they’re used to bust criminal suspects like him.

So far, judges and courts are not in universal agreement over whether locating a person or device, as the stingray helps to do, should require a warrant. Stingrays don’t necessarily mean that conversation will be picked up, so wiretap laws, which require warrants, don’t apply. In most cases, police officers would need at least a “pen register” court order, named for a kind of technology that allows police to get call logs. The pen register court order has lesser standards than a warrant: Rather than requiring that officers show probable cause, a pen register court order requires only that law enforcement show relevance to an ongoing investigation. But stingrays are more invasive than pen registers, and as Rigmaiden’s case would show, law enforcement didn’t have any kind of specified protocol about what it needed to do to use this new technology.

As 2010 rolled around, Rigmaiden decided that he needed allies. He began sending his case details and research file out to various privacy and civil liberties organizations, including the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF). There were likely two major red flags that led to him being ignored—he was representing himself without the benefit of counsel, and believed that the government had used some secret surveillance tool against him. They likely thought he was totally nuts—despite the fact that there was already some evidence that the police were using phones as tracking devices. None of the organizations ever responded.

One of the people Rigmaiden sent his file to was Christopher Soghoian, a bearded and ambitious privacy researcher. At the time, Soghoian was a computer science doctoral student always looking for another way to push the envelope, as well as discover how surveillance was actually being conducted in the real world. Years earlier, as a first-year doctoral student at the University of Indiana, Soghoian figured out by futzing around with Facebook which of his classmates likely moonlighted at local strip clubs. In 2009 and 2010, Soghoian worked at the Federal Trade Commission, and at one point used his government ID to get into a security industry trade show and made a surreptitious recording of Sprint executives bragging about how they’d handed over customers’ GPS information to law enforcement eight million times in a single year. In short, Soghoian was the perfect match for Rigmaiden.

On Monday April 11, 2011, while visiting the offices of the EFF in San Francisco, Soghoian received an unsolicited e-mail from Colmerauer.

Daniel Rigmaiden instructed me to e-mail you the attached Memorandum. This is in regard to cell phone tracking and locating. He thinks it may be of interest to you but you may have to read past the introduction before understanding why. If you want the exhibits please e-mail Dan Colmerauer at [email protected] and make said request. Dictated but not read.

Soghoian tried to get other lawyers that he knew interested, but they saw the extensive pro se filings as a huge red flag. Lots of people think they’re being surveilled by the government with secret technology, but hardly anyone can prove it. Soghoian didn’t dismiss it out of hand. “My reaction wasn’t, ‘what is this strange device,’” Soghoian told The Verge in 2016. “It was, ‘oh I read about this in graduate school.’ But I read about it as a thing that was possible, not a thing that the police . . . were using.” But the grad student was skeptical.

Still, Soghoian asked Colmerauer to send what he had. What Soghoian received back was a 200-page “meticulously researched” document that had been originally handwritten in a jailhouse library.

Soghoian understood how to get lawmakers’ attention—through the media and advocacy organizations. He eventually sent it on to a friendly Wall Street Journal reporter, Jennifer Valentino-DeVries, as she was boarding a plane bound for Las Vegas, where she was going to attend the 2011 DEF CON, the annual hacker conference. On September 22, 2011, Valentino-DeVries’ story hit the paper: “‘Stingray’ Phone Tracker Fuels Constitutional Clash.” (It was her first front-page story for the Journal.)

This was also the first time that a major American media outlet had reported on the issue, and likely how many lawmakers first heard about the device that had already been in use for years. In short, Rigmaiden unveiled a new chapter in the story of sophisticated surveillance to the public—citizens, journalists, lawyers, judges—that law enforcement had already known for years, mostly without telling anyone.

In February 2012, the Electronic Privacy Information Center (EPIC) filed a FOIA request, which resulted in a lawsuit. Its efforts definitively showed that government law enforcement agencies have not been completely upfront about using stingrays when they asked federal magistrate judges for permission to conduct electronic surveillance. In fact, search warrants have generally not been used at all. Most police applications of this era seeking judicial authorization for a stingray did not even mention the name of the device, nor did they describe how it worked.

The Rigmaiden story in the Journal hadn’t only grabbed the attention of journalists, but also the attention of lawyers. One lawyer, Linda Lye of the ACLU of Northern California, took particular notice. Lye was new to the ACLU, having largely focused on labor and civil rights issues in her previous decade as an attorney. Quickly, Lye pushed the federal court in San Francisco to unseal the court orders that had authorized the initial use of the stingray against Rigmaiden, as it was unclear from the Arizona case (where the prosecution against Rigmaiden was unfolding) what the order specifically authorized the government to do.

“What on Earth was this technology?” she told me years later. “It seemed that there would be all kinds of novel and troubling issues. What sort of court authorization was being obtained? How widespread was it? It was also just a very unlikely story.”

Initially what drew her in wasn’t the technology itself, but the fact that the government was keeping “novel surveillance orders” a secret. In October 2012, Lye and other ACLU and EFF attorneys decided that they would formally jump into the case, not as Rigmaiden’s lawyer, but rather as amici, or “friends of the court”—in this case, attorneys who were not party to a case but could file a brief to articulate the broader social concerns it raised. They wrote to the court, noting that this case would “likely result in the first decision to address the constitutional implications” of stingrays.

In early May 2013, the judge ruled in the government’s favor on the issue that Lye raised in court, finding that Rigmaiden lacked a “reasonable expectation of privacy” while shrouded under multiple false identities—after all, his AirCard, his apartment and postboxes that he paid for were all done under fake names.

By late January 2014, Rigmaiden and federal prosecutors reached a plea deal: He’d plead guilty and prosecutors would recommend that he be given a sentence of time served. The agreement was signed on April 9, 2014.

While the Rigmaiden case wound down, Soghoian (who had joined the ACLU as its chief technologist) and his colleagues were just getting started. The ACLU, along with other privacy groups, including EPIC and the EFF, spearheaded efforts to speak publicly, file record requests, sue and campaign for meaningful legislative reform.

Several months later, in April 2015, the New York Civil Liberties Union (the New York State chapter of the ACLU) managed to do what no one else could: successfully sue to obtain an unredacted copy of the NDA that the FBI had law enforcement agencies sign when they acquired stingrays. In essence, the document explained that due to the authorization granted by the Federal Communications Commission to the Harris Corporation, any law enforcement agency had to sign an NDA with the FBI. The six-page letter essentially said that agencies that acquired stingrays could not talk about them “in any manner including but not limited to: press releases, in court documents, during judicial hearings, or during other public forums or proceedings.”

In May 2015, the FBI issued a bizarre public statement saying that despite the NDA’s language to the contrary, it “should not be construed to prevent a law enforcement officer from disclosing to the court or a prosecutor the fact that this technology was used in a particular case.”

Later that same month, Washington Governor Jay Inslee signed a bill that passed both houses of the state legislature specifically requiring that law enforcement seek a warrant before using a stingray. Rigmaiden worked on the drafting of this bill with Jared Friend of the ACLU of Washington. (Before its passage, Soghoian even testified in support of the bill.) Months later, California followed suit, with its comprehensive California Electronic Communications Privacy Act, which, among other things, also required a warrant for stingray use.

But the most prominent change regarding stingrays came in September 2015, when the DOJ said it would require a warrant in most situations in which a stingray is used. The policy, which took effect the day it was announced (September 3, 2015), applied to numerous agencies, including the FBI; the Bureau of Alcohol, Tobacco and Firearms; the Drug Enforcement Administration; and the U.S. Marshals Service, among others.

The new state laws and federal policies came as a result of dogged activism by the ACLU and other privacy groups, which all stemmed from Rigmaiden’s case. After all, it was Rigmaiden who had initially reached out to Soghoian and presented him with a 200-page memo on a technology that few outside the government had known about. “It was the most well-researched memo I’d ever seen on this technology,” Soghoian later told WNYC. “Written by a guy rotting in jail.”

Now that lawyers know what to look for and how to challenge them, some of those efforts have been successful. Notably, in March 2016 a state appellate court in Maryland took local law enforcement to task, and ruled unequivocally: “We determine that cell phone users have an objectively reasonable expectation that their cell phones will not be used as real-time tracking devices through the direct and active interference of law enforcement.” The three-judge panel in the State of Maryland v. Andrews case also noted that such a non-disclosure agreement is “inimical to the constitutional principles we revere.”

In other words, judges now seem to be resoundingly echoing the 1967-era Supreme Court language—“reasonable expectation of privacy”—of a landmark privacy case known as Katz v. United States, finding that the use of a stingray does require a warrant. But as of this writing, no cases challenging the use of stingrays have reached the Supreme Court, so this legal theory hasn’t been cemented just yet, as stingrays continue to be used in everyday law enforcement.

What these judges have realized is that there is now a turning point with respect to smartphones: We carry them with us and they hold all of our secrets. No wonder the police find them valuable during an investigation. But should the police need to get a warrant to find our phones? And what other opportunities for high-tech, low-oversight surveillance might they offer in the future?

This article was excerpted from HABEAS DATA: PRIVACY VS. THE RISE OF SURVEILLANCE TECH by Cyrus Farivar. Copyright © 2018 reprinted by permission of the publisher, Melville House Publishing, LLC.

Cyrus is senior tech policy reporter at Ars Technica, and is also an author and radio producer.

Balentius on June 4th, 2018 at 01:32 UTC »

If you want more technical information, be sure to check out the coverage from Ars Technica - referenced in the article as 'document', which goes here:

https://arstechnica.com/tech-policy/2015/04/fbi-would-rather-prosecutors-drop-cases-than-disclose-stingray-details/

They followed up with multiple articles, in some cases showcasing the bizarre lengths that the various agencies went to so they could avoid disclosing the use of the Stingray devices.

cliffhngr42 on June 3rd, 2018 at 23:59 UTC »

I'm sure local and state agencies are still using them in states that have not passed legislation to the contrary. They will continue to until forced to obtain warrants by the Supreme Court.

Sarhento on June 3rd, 2018 at 23:12 UTC »

Wow, that was a nice read - thanks for sharing!