Wiretap expert fears bill will open ‘back door’ for police

There is a major problem with the wiretap bill that passed the state Senate and is currently making its way through the Wisconsin Assembly, says telecommunications expert Ben Levitan.

“A judge’s order is an order on the cell phone company, not a license to go wiretap on your own,” Levitan, an engineer who spent 30 years with Verizon, Sprint and other phone companies, told the Wisconsin Examiner. As someone who helped design the wiretap system used by phone companies and a holder of a patent in that field, Levitan is very familiar with how wiretaps for law enforcement actually work.

Republican elected officials who testified on the bill say it merely updates antiquated state laws. On June 2, Sen. Andre Jacque (R-DePere) said the measure would help police secure pen register and trap/trace warrants for social media. On Aug. 18, Rep. Jeffrey Mursau (R-Crivitz) testified before a different committee that the bill would help law enforcement and prosecutors secure warrants, “to capture over-the-air or cell data that could be crucial to a criminal investigation.”

However, neither social media nor cell data are mentioned within the bill text of either AB-253 or its Senate counterpart SB-241. On Aug. 19, the day after the last hearing on the bill, Rep. Samba Baldeh (D-Madison) withdrew as a sponsor of the bill. Baldeh had been the lone Assembly Democratic supporter of AB-253, with a staffer explaining that the state Department of Justice (DOJ) helped craft and vet the measure. The bill passed in the Senate, however, on a voice vote (a sign of a noncontroversial bill) with no one registering a vote in opposition.

Levitan fears that this new law essentially amounts to a back door for law enforcement, cutting out the service provider and freeing police investigations from legal restrictions. “The only intention of this law is to allow law enforcement in Wisconsin to claim that they have a court order, but that’s just lying,” stressed Levitan. “They’re basically saying, ‘Hey we got permission to do a wiretap.’ No, you don’t have  permission to do a wiretap. You have permission to order the cell phone company to help you.” He added, “You know, I support law enforcement, this is just B.S.”

In registering to lobby against the bill the ACLU of Wisconsin gave this explanation: “The bill not only replicates problems with the federal law it purports to mirror but also differs in ways that leave even lower protections from privacy intrusions by local law enforcement than the public has from the federal government.”

The bill affects the definition of pen register and trap/trace wiretapping methodologies and grants more flexibility to prosecutors for requesting court orders for their use. Levitan explained that pen register and trap/trace are interchangeable terms for the same kind of intercept. “Pen register currently is an order, by a judge, upon a service provider (like Verizon or Sprint) to turn over certain data,” Levitan told Wisconsin Examiner. “This bill seems to specifically redefine ‘pen register’ to not be the standard pen register offered by the service provider.”

Levitan points especially to language in the bill which states that the term “pen register” “does not include any device or process used by a provider or customer of a wire or electronic communication service,” particularly in regards to billing, cost accounting, or “like purposes in the ordinary course of business.” The Wisconsin District Attorneys’ Association, Inc. has registered in favor of the bills, while the ACLU of Wisconsin registered against them.

That language is at odds with Levitan’s extensive knowledge of how wiretap services work. “Back in the 80’s,” Levitan recalls, “the police actually…we had to bring them into the phone company, we had to give them a set of headsets, and we had to clip their headsets to two wires.” This only would occur after a court order had been sent to a judge, who approved the intercept service provided by the phone company to law enforcement. Intercepts are conducted on what’s referred to as “the target” or the phones of those being investigated. Levitan notes that there are two parts of a wiretap. “Pen register. which gets you numbers called and calling,” he said, “and Title III which gets you voice content. There is no ‘device’ in the current wiretap law. It’s a service provided by cell phone companies.”

A spokesperson for the Wisconsin DOJ countered, “the proposed legislation does not add the word ‘device’ to the definitions of either ‘pen register’ or ‘trap and trace device.’ That word already appears in the current statutory definitions for both terms.” DOJ’s statement to Wisconsin Examiner argued that the legislation “would bring Wisconsin law in line with federal law and would allow pen registers and trap/trace devices to be used in conjunction with social media accounts, which are increasingly used as a means of facilitating criminal conduct. The definition of ‘pen register’ under current Wisconsin law limits operations to ‘telephone lines,’ so law enforcement cannot utilize a pen register to analyze the routing or addressing information about incoming and outgoing messages on social media platforms.”

A key part of the equation, however, is the Communications Assistance for Law Enforcement Act (CALEA) of 1994. It requires telecommunications companies to design their facilities and equipment to ensure they have “the necessary surveillance capabilities to comply with legal requests for information,” according to the Federal Communications Commissions’ website. That’s why Levitan rejects arguments that this bill will simply update Wisconsin law beyond landline phones. He also highlights that wiretap systems, like cellular networks themselves, are standardized. Levitan himself can listen to recordings from law enforcement wiretaps and tell just by listening whether the intercept came from the phone company, he says, or whether it came from some other means achieved by the police themselves.

Levitan’s concern is that members of the general public and their elected representatives most likely do not understand how wiretaps actually work. Levitan believes the bill would be entirely unnecessary except for one thing. “This is just a sneaky law that allows law enforcement to request a ‘pen register’ from a judge and mislead him into thinking that he is demanding cooperation from the phone company to assist law enforcement when in reality, he is giving law enforcement permission to ‘use [their own] device.’” He stresses again that, “a judge’s order is an order on the cell phone company, not a license to go wiretap on your own. Remember; there is no ‘device’ in the current wiretap system. It’s all an internal process within the phone company.”

If you’re asking how that is even possible, Levitan says he has seen it before in court as an expert witness. Not only can it be difficult to get a wiretap warrant, but there are various rules to ensure “minimization,” such as restrictions against listening to a call longer than 30 seconds if nothing relevant to an investigation is said. “This frustrates law enforcement,” said Levitan. “So one of the ways they beat the system is they buy a Stingray.”

The term “Stingray” is a generic term for devices known as cell site simulators, or IMSI catchers. Powerful and portable, the devices intercept phone signals by imitating legitimate cell phone towers. “There’s 23 companies that sell Stingray,” explained Levitan. “So what they do is they bring it into a neighborhood right outside this guy’s apartment.” In short, “every time the suspect uses their phone, it connects to their cell tower. So number 1: First thing they get is his phone number. If he’s changing his phone number up every 30 days, they always have his phone number. ‘Cause you have to go to the judge with a phone number, otherwise he won’t give you the wiretap. Second thing they can do with this fake cell tower is they can listen in on your call.”

In interviews with Wisconsin Examiner local law enforcement officers in Wisconsin have asserted their Stingray devices can only track location based on signal strength. While that’s certainly something the devices can do, Levitan warns that claims that they’re unable to listen to calls shouldn’t be believed. Cell site simulators, as a family of technologies, are also capable of sending fake short messages or denying service to target phones.

Capabilities vary between federal and local law enforcement, and are often just a software update away. These powerful devices are also often distributed among law enforcement agencies with non-disclosure agreements which further obscures their use. Even in courts, such as in 2016, when privacy advocates found that the Milwaukee Police Department had hidden its use of Stingray technologies from judges.

DOJ’s statement on the legislation pushed back at the concerns around use of wiretaps. “The aim of this legislation is to ensure Wisconsin’s law enforcement agencies can respond effectively to evolving technology utilized by criminals. Importantly, the law applies to the routing, addressing, and signaling of information for social media messages, not their content. The new legislation does not make these devices into the equivalent of a wiretap, which would allow the real-time capturing of the content of communications. Rather, the ‘information’ retrieved is limited to the social media equivalent of a telephone number.  In addition, there will continue to be appropriate judicial oversight. A court order will still be required for the installation of pen register and trap and trace devices.”

That returns to the point, however, that the legislation itself does not explicitly reference “social media.”

Meanwhile, the use of Stingray devices can have unforeseen consequences. “You understand that every innocent person close by that area their cell phone hooks up to this fake cell tower,” stressed Levitan. “So what they’re doing is they’re basically hacking the telephone network. So they’re sitting there and they’re waiting and they’re waiting. Then this guy puts his telephone up to his ear and makes a call and they go, ‘Aha that must be his number.’ Because you see it come in immediately, so that’s already an illegal search. And then they verify that.” Once they have the number of a person being investigated, police can then go to a judge and ask for a court order for a pen register or wiretap through a phone company. “More likely than not,” said Levitan, “they already got the Stingray in hand. They just turn it on and start listening.”

Believe it or not though, there just might be a silver bullet. Cell site simulators, if nothing else, are illegitimate cell towers. “We as the cell phone industry are aware of these fake cell towers,” said Levitan. “And in the standards — in 4G and 5G — there’s ways to detect if a cell tower is fake or not.” Companies could flag fake towers for consumers, and prevent their phones from connecting to those towers. “So this problem may go away if the carriers implement it.”

Just because a feature may be available, however, doesn’t mean the carriers will utilize it. “What changed in 4G and 5G is not only does the phone company validate that you’re a good subscriber, your phone can validate that the cell tower is a real cell tower. So the standard exists, it just hasn’t been implemented broadly.” Once that happens, Levitan predicts one of two things will happen. “The Stingray market will be dead. Or, what will more likely happen is the guys who designed Stingrays will find a way to beat the system.”