NYPD Says Talking About Its IMSI Catchers Would Make Them Vulnerable to Hacking
The police department refuses to say which models it uses in an FOI tussle with the NYCLU.
Typically, cops don't like talking about IMSI catchers, the powerful surveillance technology used to monitor mobile phones en masse. In a recent case, the New York Police Department (NYPD) introduced a novel argument for keeping mum on the subject: Asked about the tools it uses, it argued that revealing the different models of IMSI catchers the force owned would make the devices more vulnerable to hacking.
Civil liberties activists are not convinced. Christopher Soghoian from the American Civil Liberties Union (ACLU) wrote in an affidavit as part of a petition against the NYPD's decision not to share this information, "It would be a serious problem if the costly surveillance devices purchased by the NYPD without public competitive bidding are so woefully insecure that the only thing protecting them from hackers is the secrecy surrounding their model names."
The New York Civil Liberties Union (NYCLU), an affiliate of the ACLU, has been trying to get access to information about the NYPD's IMSI catchers under the Freedom of Information Law. These devices are also commonly referred to as "stingrays", after a particularly popular model from Harris Corporation. Indeed, the NYCLU wants to know which models of IMSI catchers made by Harris the police department has.
"Public disclosure of this information, and the amount of taxpayer funds spent to buy the devices, directly advances the Freedom of Information Law's purpose of informing a robust public debate about government actions," the NYCLU writes in a court filing. The group has requested documents that show how much money has been spent on the technology.
After the NYPD withheld the records, the FOI request was escalated to a lawsuit, which is where the NYPD's strange argument comes in (among others).
"Public disclosure of the specifications of the CSS [cell site simulator] technologies in NYPD's possession from the Withheld Records would make the software vulnerable to hacking and would jeopardize NYPD's ability to keep the technologies secure," an affidavit from NYPD Inspector Gregory Antonsen, dated August 17, reads.
Antonsen then imagines a scenario where a "highly sophisticated hacker" could use their knowledge of the NYPD's Stingrays to lure officers into a trap and ambush them.
But Soghoian responded in his affidavit, "There is no legitimate cybersecurity justification to keeping secret the names of the particular Harris products used by the NYPD."
The financial documents requested by the NYCLU won't include the sort of detail needed by a hacker to break into or otherwise tamper with these devices, and the group has said the NYPD can redact extra information, such as which network the devices target.
According to Soghoian, none of the purchase or invoice records for Stingrays he has seen have revealed which specific software updates an agency has used—"just as records revealing that an agency had purchased iPhones for officers would not reveal which particular iOS security updates the agency had or hadn't installed on those devices," he adds.
Want more Motherboard in your life? Then sign up for our daily newsletter.