A Surreptitious Stingray is FOILed

A fascinating bit of legal news has come out of my old stomping grounds in Buffalo, New York. In the context of a lawsuit concerning a Freedom of Information Law (FOIL) request to the Erie County Sheriff’s Office, it was revealed that (1) local police forces like the Erie County Sheriffs have been using arguably military-grade surveillance technology to track suspects; and (2) the FBI was so scared of the public finding out the details of this technology, that it directed police forces using it, to drop criminal cases rather than reveal any information concerning the cell site simulator.

The “cell site simulator” is commonly called a “Stingray” device and is produced by the Harris Corporation. In essence, it is a movable device which mimics a cell phone tower, thereby tricking nearby cell phones into transmitting location data and other data to the device, rather than a real cell phone tower. Even more troubling, as Judge NeMoyer of the NYS Supreme Court in Erie County noted in his trial court order: “[e]vidently, cell site simulators also can be used to ascertain telephone calling information, such as the time of, the location from which, and the number of the call, and the device apparently allows for storage of that kind of information also for future review and analysis.” In re New York Civil Liberties Union v. Erie County Sheriff's Office, 2015 WL 1278798, at *2 (N.Y. Sup. 2015).

While the Fourth Amendment and various federal and state statutes do allow for the targeted collection of data such as call records, phone location, and even recordings of texts and conversations (i.e. wiretaps) from the phones of persons suspected of criminal activity, the Stingray device is apparently capable of collecting data from all cell phones in the area in which it is deployed. That is, it spoofs and surveils innocent phone users in the area as well as the suspected criminal’s phone.

So what is a concerned privacy advocate to do? According to the Court, “the cell phone must be ‘on,’ with some battery life remaining, in order to be located and tracked by the device, but a call need not be in progress.” Therefore, if you turn your phone off when not in use, or the battery dies (a not uncommon occurrence with an iPhone), it might be protected from this type of roving law enforcement spying.

Beyond the obvious civil liberties concerns inherent in this kind of cell phone tracking and data collection by local police forces, Judge NeMoyer also unearthed a very practical law enforcement problem with use of this technology. According to a nondisclosure agreement that the Court reviewed, the FBI required the Erie County Sheriff’s Office “to conceal from the public the existence, technological capabilities, or uses of the device. Indeed, the Sheriff's Office is instructed, upon the request of the FBI, to seek dismissal of a criminal prosecution (insofar as the Sheriff's Office may retain influence over it) in lieu of making any possibly compromising public or even case-related revelations of any information concerning the cell site simulator or its use. If that is not an instruction that affects the public, nothing is.” In re New York Civil Liberties Union v. Erie County Sheriff's Office, 2015 WL 1278798, at *13 (N.Y. Sup. 2015).

So, ironically enough, local police may use this technology to track, trace, and apprehend criminals, but if the circumstances of their identification is possibly revealed by the ensuing prosecution, the police are required to drop the case against that person. In which case, the current use of these Stingray devices may be unique in being simultaneously violative of civilians’ Fourth Amendment rights against unlawful search and seizure, and ineffective at obtaining useful evidence in a criminal prosecution.

An E-mail PSA (or Nine Nifty Tips to Avoid Ruin)

The following is a public service announcement aimed toward my fellow attorneys (especially small firms and solo practitioners), but the advice described below is worthwhile for anyone to bear in mind when receiving unsolicited e-mails.

Every once in a while, I am chagrined to read about some poor (i.e. ignorant) attorney who lost a fortune (sometimes of his own and sometimes of his client’s money) and who faces significant possible penalties, because he or she succumbed to the latest e-mail “phishing” scam.  As attorneys, I think we’re bred to be skeptical people, but often greed (or really need) for new clients can cloud our better judgment.  On top of this fact, it is increasingly difficult to automatically weed out “spam” e-mails from our inbox because phishing hackers are getting better at circumventing the normal spam filters, and we often don’t want to set our filters too conservatively, for fear of missing a good potential client with an otherwise zany e-mail address.

But after receiving more than a few of these “phishing” e-mails in the past 8 years, I’ve come recognize patterns in the ones that should be deleted right away.  Here are some tell-tale signs that an e-mail from a potential “client” is, more likely than not, just a scam:

1. The e-mail address is wacky, like [unrecognizable word]@[domain you’ve never heard of].com.[foreign country code].  Especially if you have a relatively focused geographic practice, it’s unlikely that you will attract very many clients from overseas.
2. The sender includes a “link” to another (equally odd-looking) e-mail address in the body of the e-mail, which differs from the sender’s e-mail address appearing in the "From" header.  NEVER CLICK ON SUCH A LINK.  More likely than not, it’s a hidden virus or other problematic part of the scheme.
3. The e-mail is generically addressed to “Dear Counsel” or “Dear Attorney”.  If you have a small or solo practice (and your e-mail address is some variation of your actual name), it’s unlikely a potential client would be (a) so lazy as to neglect to use your name in greeting; or (b) so uninterested in his or her case as to use an e-mail “blast” to hundreds of different attorneys.
4. There are one or more other apparent attorneys in the "CC" or "To" headers of the e-mail.  Even if this might be a legitimate potential client, do you really want someone who is just “blasting” a generic request to everyone on some attorney e-mail list?
5. The language of the e-mail uses horrible grammar and is completely devoid of facts, other than the generic request “… Do you handle X cases?”.
6. Conversely, if the grammatically-poor e-mail contains relatively succinct facts that seem too good to be true … it is.  For example, if a “potential client” e-mails you from overseas stating that he or she received a settlement in a divorce proceeding, but needs a U.S. attorney to cash the $250,000 check and return the proceeds to the sender (of course, keeping 10% for your fee), this is nothing more than a clever variation of the old “Nigerian Prince” scam.
7. The request/legal matter is something that you’ve never handled and/or never advertised as part of your firm’s services.  I believe that I am a good estates and family law attorney, and that my website has all the right SEO for my areas of practice, but I am not so blindly conceited to believe that, out of the blue, a Dutch shipping company decides that they want to hire me to craft the documents for a major merger with another international shipping company.  That would no doubt be fun, but I would be very worried about the judgment of the Board of Directors of such a company.
8. The nationality of the sender’s name does not match the apparent derivation of the e-mail address.  For example, a distinctly Japanese name at the end of an e-mail from a sender with an “.au” (Australia) country code in their e-mail address.
9. The sender does not bother to provide any contact information other than the original e-mail address (or the afore-mentioned dangerous “e-mail” link embedded in the text).  Most legitimate people – even overseas – will provide you with multiple avenues through which to contact them if they are truly interested in assistance.  One caveat on this point: even if there is a signature block on the e-mail that contains an official-sounding business name and mailing address, check to make sure that the purported e-mail matches said business domain.  It is possible (because I’ve seen it happen) that a clever phisher will spoof the name/mailing address of a real business, but direct victims to his or her fake e-mail address.

A scam or phishing e-mail may not contain all of these elements, but if any of these red flags are present, you should be very cautious before responding (if you don’t delete the e-mail outright).  A couple of minutes of due diligence on your part can save you not only thousands of dollars of potential loss, but your reputation, and possibly your very livelihood, as well.