What happens when a $1,500 device for tracking cell phones goes mass market?
When Daniel Rigmaiden was a little boy, his grandfather, a veteran of World War II and Korea, used to drive him along the roads of Monterey, California, playing him tapes of Ronald Reagan speeches. Something about the ideals of small government and personal freedom may have affected him more deeply than he realized. By the time Rigmaiden became a disaffected, punk-rock- loving teenager, everything about living in America disappointed him, from the two-party system to taxes. “At that age, everybody’s looking for something to rebel against,” he tells me over Mexican food in Phoenix—where, until recently, he was required to live under the conditions of his parole. “I thought, ‘I either have to fight the rigged system, or I have to opt out completely.’ ”
Rigmaiden is 35 and slender, quiet with a sardonic smile and thick shock of jet-black hair. Speaking softly and rapidly, he tells the story of how he evolved from a bottom-feeding Internet outlaw to one of the nation’s most prescient technological privacy activists. Rigmaiden left home in 1999 after graduating high school and spent almost a decade knocking around college towns in California, living under a series of assumed names. “I didn’t want to be constrained by all the rules of society,” he says. “It just didn’t seem real to me.” He’d spend weeks living in the woods, scrounging for food and water, testing his limits; then he’d find a place to crash for a while and make a little money on the Internet—first selling fake IDs, then moving on to more serious crimes. In 2006 he wrote software to mine information from databases on the Internet—names, birthdates, Social Security numbers, and the employer identification numbers of businesses. Then he filed fake tax returns, hundreds of them, collecting a modest refund with each.
He bought gold coins with cash, built a nest egg of about $500,000, and planned to move to South America when the time was right. Then, in 2008, an FBI, IRS, and U.S. Postal Service task force grabbed Rigmaiden at his apartment in San Jose and indicted him on enough wire fraud and identity theft charges to put him away for the rest of his life. Only after he was caught did the authorities learn his real name.
The mystery, at least to Rigmaiden, was how they found him at all. He’d been living completely off the grid. The only thing connecting him to the world outside his apartment, he knew, was the wireless AirCard of his laptop. To find him, he reasoned, the people who caught him would have had to pluck the signal from his particular AirCard out of a wilderness of other signals and pinpoint his location. To do that, they’d need a device that, as far as he knew, didn’t exist.
Rigmaiden made it his mission to find out what that device was. He was jailed but never tried; he slowed down the process by filing endless motions contesting his arrest, insisting he’d been essentially wiretapped without a warrant. In the prison library, he became a student of telecommunications. Among the most important things he learned was that whenever a cell phone communicates with a cell tower, it transmits an International Mobile Subscriber Identity, or IMSI. His AirCard, like a cell phone, had an IMSI. He reasoned that the government had to have a gadget that masqueraded as a cell tower, tricking his AirCard into handing over its IMSI, which was then matched up to the IMSI connected to all his online phony tax filings. It was all inference, at first, but if it was true, that would be enough for him to make the case that what was done to his AirCard was an illegal search.
It took two years before Rigmaiden found the first real glimmer of proof. He was plowing through a stash of records the Electronic Frontier Foundation had unearthed in the files of the FBI’s Digital Collection System Network—the bureau’s technological communications monitoring program—and noticed a mention of a Wireless Intercept and Tracking Team, a unit set up specifically for targeting cell phones. He connected what he found there to an agenda he’d found from a city council meeting in Florida in which a local police department was seeking permission to buy surveillance equipment. The attachment gave the equipment a name: StingRay, made by Harris Corp.
The StingRay is a suitcase-size device that tricks phones into giving up their serial numbers (and, often, their phone calls and texts) by pretending to be a cell phone tower. The technical name for such a device is IMSI catcher or cell-site simulator. It retails for about $400,000. Harris and competitors like Digital Receiver Technology, a subsidiary of Boeing, sell IMSI catchers to the military and intelligence communities, and, since 2007, to police departments in Los Angeles, New York, Chicago, and more than 50 other cities in 21 states. The signals that phones send the devices can be used not just to locate any phone police are looking for (in some cases with an accuracy of just 2 meters) but to see who else is around as well. IMSI catchers can scan Times Square, for instance, or an apartment building, or a political demonstration.
Rigmaiden built a file hundreds of pages thick about the StingRay and all its cousins and competitors—Triggerfish, KingFish, AmberJack, Harpoon. Once he was able to expose their secret use—the FBI required the police departments that used them to sign nondisclosure agreements—the privacy and civil-liberties world took notice. In his own case, Rigmaiden filed hundreds of motions over almost six years until he finally was offered a plea deal—conspiracy, mail fraud, and two counts of wire fraud—in exchange for time served. He got out in April 2014, and his probation ended in January. Now Rigmaiden is a free man, a Rip Van Winkle awakening in a world where cell phone surveillance and security is a battleground for everyone.
In the ongoing scrum over cell phone privacy, there are at least two major fields of play: phone-data encryption, in which, right now, Apple is doing its best not to share its methods with the government; and network security, in which the police and the military have been exploiting barn-door-size vulnerabilities for years. And it’s not just the government that could be storming through. The same devices the police used to find one low-rent tax fraudster are now, several years later, cheaper and easier to make than ever.
“Anybody can make a StingRay with parts from the Internet,” Rigmaiden tells me, citing a long litany of experiments over the years in which researchers have done just that. “The service provider is never going to know. There’s never any disruption. It’s basically completely stealth.” In the coming age of democratized surveillance, the person hacking into your cell phone might not be the police or the FBI. It could be your next-door neighbor.
Continue reading your story on the app
Continue reading your story in the magazine
The RV business is booming and shows no sign of slowing down. To find out why, our correspondent dragged his reluctant family to the RV capital of the world— the cutest city in north central Indiana!—and hit the road
The Fortnite Fallout
Apple and Epic meet in court, making the collapse of a once-close relationship complete
Yes, Streaming Ads Are on Repeat
Commercials on services like Hulu, Pluto, and Discovery+ have become an $11 billion business
Laggard Doesn't (Always) Mean Loser
At least a few companies still in the vaccine race will likely succeed as Covid lingers
Why Don't More Women Run Money?
The gender imbalance in portfolio management persists even as some women take top fund jobs
COME AT ME
When a gossip rag went after Jeff Bezos, he retaliated with the brutal, brilliant efficiency he used to build his business empire. From the new book Amazon Unbound , an untold story of money, sex, and power
More Merchants Are Courting Cash
Surcharges for credit card purchases become common as businesses try to avoid swipe fees
Covid Means There's Even Less Joy in Mudville
Capacity constraints and distancing rules bring big headaches for season ticket holders
Justin Zhu was fired for taking LSD before an important meeting. The whole situation was even weirder
Facebook Won't Apologize for Instagram Youth
It’s making a kid-focused version of its photo-sharing app, regardless of what critics say
The Group Portrait: Running Zoom on Zoom
How this group of executives managed a period of explosive growth while working from their own platform.
Zooming into the Future
This year, ZOOM transformed from a business tool into a lifeline. How did the company keep up? Simple, says founder and CEO Eric Yuan: It focused on fundamentals.
German Privacy Watchdog Fines H&M $41M For Spying On Workers
A German privacy watchdog said Thursday that it is fining clothing retailer H&M 35.3 million euros ($41 million) after the company was found to have spied on some of its employees in Germany.
Zoom Got Big Fast. Then videobombers made it rework security
Back in March as the coronavirus pandemic gathered steam in the U.S., a largely unheralded video-conferencing service suddenly found itself in the spotlight.
Credit Crunch In the battle between surveillance capitalists and privacy advocates, the latest front is the credit card.
How To Navigate New Privacy Features In Apple iPhone Update
Apple’s iOS 13 software update comes with plenty of privacy enhancements — but in some cases, only if you take the time to understand how they work.
Activist Loses UK Court Case On Police Facial Recognition
A British court ruled Wednesday that a police force’s use of automated facial recognition technology is lawful, dealing a blow to an activist concerned about its implications for privacy.
Apple Apologizes For Use Of Contractors To Eavesdrop On Siri
Apple is apologizing for allowing outsiders to listen to snippets of people’s recorded conversations with its digital assistant Siri, a practice that undermined its attempts to position itself as a trusted steward of privacy.
UK Health Service To Use Amazon Alexa To Give Medical Advice
Alexa will see you now.
9 Tricks To Improve Your Life
Cleaning up pet hair, and more