Checklist 321: Not Phoning It In
On The Checklist this week:
- The government is using Stingrays illegally
- What to know about Customer Proprietary Network Information
- Russia and the iPhone
Fake cell towers may be stealing your data
In a story that touches on both civil rights and digital privacy, it turns out that the U.S. Secret Service and Immigration and Customs Enforcement (ICE) have been using cell-site simulators (CSS) improperly, according to The Register.
A CSS is a device that spoofs a cellular tower so effectively that nearby cell phones try to connect to it—allowing the CSS to collect metadata, communications data, and location data from those devices.
Also known as Stingrays and IMSI catchers, these surveillance tools are widely used by law enforcement agencies around the country.
The Fourth Amendment, of course, prohibits unreasonable search and seizure—and the use of CSS devices is supposed to be regulated by internal policies that protect citizen privacy. But it seems that the Secret Service and ICE were breaking their own rules.
As for why the government did this, it might be down to negligence…or good old-fashioned government overreach. Whatever the reason, existing federal guidelines don’t seem to be helping matters. To quote The Project on Government Oversight (POGO):
Current federal, state, and local policies regulating Stingrays are confusing and inconsistent, opening the door to abuse and unconstrained, invasive surveillance by law enforcement.
To learn more about digital security in public places, see: Checklist 188: Don’t Let Your iPhone Give You Away. For a primer on secure communications, see our guide to E2EE messaging apps.
Customer Proprietary Network Information and your privacy
Security website Krebs on Security has just published an excellent article called “Why You Should Opt Out of Sharing Data With Your Mobile Provider.”
It’s worth reading, despite the length, but for those short on time, here are the highlights.
Wireless carriers handle a class of data called Customer Proprietary Network Information (CPNI). CPNI includes information about call logs, call details, the cost and billing of a user’s calls, as well as service features used.
Legally, that data can be shared with other cellular providers for operational reasons, but may not be used for marketing or advertising. However, according to TechTarget:
Under current U.S. law, cellphone use is only protected as CPNI when it is being used as a telephone. During this time, the company is acting as a telecommunications provider requiring CPNI rules. Internet use, websites visited, search history or apps used are not protected CPNI because the company is acting as an information services provider not subject to these laws.
In other words, all of the internet activity that happens on your device can be used by your telecom for marketing and advertising purposes—or sold to a third party that wants to use it for those purposes. Krebs advises users to opt out of sharing CPNI data with their wireless carriers, and provides links and opt-out walkthroughs for several major carriers in the article.
Of stopped clocks and iPhones
9to5Mac reports that Russia has banned its government officials from using iPhones. Per a Reuters report, Russian authorities are worried about interference in their upcoming 2024 elections—and are concerned that western intelligence agencies may be able to compromise their devices.
Kremlin spokesman Dmitry Peskov was quoted as saying:
Smartphones should not be used for official business…Any smartphone has a fairly transparent mechanism, no matter what operating system it has—Android or iOS. Naturally, they are not used for official purposes.
The directive may come from the very top. Per Reuters, Russian President Vladimir Putin has always claimed not to have a smartphone. After this week’s Checklist, we kind of see his point.