Recent news stories, notably this story in USA Today and this story in the Washington Post, have brought to light extensive use of "Stingray" devices and "tower dumps" by federal -- and local -- law enforcement agencies to track cellular telephones.
Just how does all this tracking and interception technology work? There are actually a surprising number of different ways law enforcement agencies can track and get information about phones, each of which exposes different information in different ways. And it's all steeped in arcane surveillance jargon that's evolved over decades of changes in the law and the technology. So now seems like a good time to summarize what the various phone tapping methods actually are, how they work, and how they differ from one another.
Note that this post is concerned specifically with phone tracking as done by US domestic law enforcement agencies. Intelligence agencies engaged in bulk surveillance, such as the NSA, have different requirements, constraints, and resources, and generally use different techniques. For example, it was recently revealed that NSA has access to international phone "roaming" databases used by phone companies to route calls. The NSA apparently collects vast amounts of telephone "metadata" to discover hidden communications patterns, relationships, and behaviors across the world. There's also evidence of some data sharing to law enforcement from the intelligence side (see, for example, the DEA's "Hemisphere" program). But, as interesting and important as that is, it has little to do with the "retail" phone tracking techniques used by local law enforcement, and it's not our focus here.
Phone tracking by law enforcement agencies, in contrast to intelligence agencies, is intended to support investigations of specific crimes and to gather evidence for use in prosecutions. And so their interception technology -- and the underlying law -- is supposed to be focused on obtaining information about the communications of particular targets rather than of the population at large.
In all, there are six major distinct phone tracking and tapping methods used by investigators in the US: "call detail records requests", "pen register/trap and trace", "content wiretaps", "E911 pings", "tower dumps", and "Stingray/IMSI Catchers". Each reveals somewhat different information at different times, and each has its own legal implications. An agency might use any or all of them over the course of a given investigation. Let's take them one by one.
Every call made or received generates a CDR record. Data services, such as SMS messaging and Internet access, also generate CDRs. (Apps on modern smartphones will often access the Internet frequently without explicit action by the user, so your phone may be generating CDRs even when you're not actually using it.) All phone companies routinely maintain CDRs internally for all their subscribers, not just those under investigation by the police. These records are typically stored for anywhere from a few years to forever, depending on the policy of the particular company.
Although CDRs are sometimes called "billing records", they are still generated for subscribers who have flat rate services or who otherwise might not receive itemized bills that list every call made.
Law enforcement agencies can generally request CDRs about a particular subscriber with what amounts to a simple subpoena that attests that the request is relevant to an investigation. These requests are supposed to be targeted; they ask for the CDRs associated with a given phone number during a given time period. Because CDRs are routinely generated for everyone, this allows an investigator to retrospectively examine the phone activity of just about anyone, even activity from before they came to the attention of the authorities.
Whether the CDRs delivered to law enforcement in response to a subpoena will (or should) include the cell base station information (which effectively reveals the target's location) is a matter of some controversy. A number of courts are requiring warrants (a much higher legal standard) for requests that include location information (see for example this opinion [pdf]). How revealing is base station location information? It depends, but can be quite precise; see my testimony earlier this year in the House Judiciary Committee [pdf] for a discussion.
SMS text content is usually not delivered to law enforcement in response to a CDR request; that generally requires a content warrant. But the fact that a text message was sent or received will be included in the records delivered.
Next are a variety of targeted real time, prospective intercept techniques.
In the days of analog wired telephones, pen registers involved physically tapping into the target's phone wires and installing a device that detected rotary dialed digit pulses on the line, electro-mechanically registering them as ink marks on paper (hence the term). Today, telephone company switches (for both wired and cellular phones) are required to include a so-called "lawful access" interface that can be configured to electronically deliver call information about targeted subscribers to law enforcement agencies in real time. This feature is sometimes called the "CALEA interface" (for the law that mandated it) or the "J-STD-25 interface" (for the technical standard that it follows). The CALEA interface is supposed to be controlled by the telephone company, which configures it to deliver activity associated with the phone numbers specified in law enforcement requests. While it may take some time for the phone company to set up a new intercept for a particular phone number, once this is done all call information is delivered to the law enforcement agency as soon as it occurs.
The legal standard for getting a pen register / trap and trace is similar to that for a CDR request: essentially an attestation to a court that the information is relevant to an investigation.
As with CDRs, pen registers (and trap and traces) for cellular phones can include cell site information giving the target's location at the time of each call event. And as with CDRs, this is a matter of some controversy, with some courts requiring a warrant for requests that include location data. (Again, see the links in the previous section for more discussion.)
Also, content wiretaps are governed by much more stringent legal standards than CDR requests and pen registers. Federal wiretap law requires a special warrant based on a showing of probable cause that the wiretap will yield evidence of a crime, and that other investigative methods would be ineffective.
Call audio of the target of a content tap is delivered to law enforcement in real time using the same "lawful access" phone switch features used to deliver pen register and trap and trace data. The mechanism is the same as a pen register; the only difference is how the intercept is configured by the phone company.
In addition to call audio, content wiretaps will generally include the pen register and trap and trace data that identifies the numbers dialed and the numbers of incoming callers. For cell phones, it will also generally include the texts of SMS messages and the base station information that effectively reveals the phone's location during calls.
But cellular networks also keep track of the location of any subscriber phones that are powered on and in range of the network, even those not in the process of making or receiving calls. Cellular phones work by periodically scanning for and "registering" with the nearest base station (generally the one with the strongest radio signal). When a phone moves out of range of one base station, it will search for and register with a base station in its new area. The latest base station with which a phone has registered is maintained in a central telephone company database that is used to route incoming calls to the correct base station. This process is automatic and transparent to the user; it happens as soon as the phone is turned on. That is, the current location of every powered on phone in the network is always known to the cellular carrier.
Law enforcement can request the location of particular subscriber phones from the phone company. Most cellular companies have the ability to deliver this information from their databases to law enforcement in near real time, once the agency has certified that it has legal authorization to request it. (The legal standard for obtaining this data is, as before, currently a matter of some controversy.) Law enforcement "pings" for a target's location can typically be performed on demand or at periodic intervals.
Depending on the technical capabilities of the carrier and the subscriber's handset, the location information delivered in response to a law enforcement ping might consist simply of the currently registered base station or it might be more precise than that. Current generation handsets are required to have the capability to calculate their position to within several meters. This location information is designed for emergency use and is automatically transmitted when the subscriber calls 911. In some cases, the carrier can trigger the "E911" precise location feature remotely (or use signal triangulation techniques to calculate precise location itself) at law enforcement request.
Finally, and perhaps less widely known until recently, are two un-targeted, location-specific cell phone tracking techniques that are increasingly being used by US federal and local law enforcement. These methods were the subject of the recent Washington Post and USA Today articles mentioned above.
A tower dump lists the CDRs (and, in some cases, new handset registrations) generated for a particular base station over some time period. That is, it is effectively a list of all the telephones and call activity in an area at a particular time. This allows an investigator to request information about everyone who was in a given area without having to specify who is being asked about in the request.
The ability to obtain tower dumps was relatively little known until recently, but they are now a standard wiretapping service offered to law enforcement by almost every major cellular carrier. However, the legal requirements for obtaining tower dumps remain somewhat unclear. They are, by their nature, untargeted, delivering information about activities of everyone in an area, most of whom are presumably not, and will never be, suspects. Tower dumps do not appear to have been anticipated by the pen register statute, which assumes more particular targeting. As awareness and use of tower dumps grows, this will likely become an issue addressed by the courts.
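To make the difference in scope concrete, here is an added example (not part of the original post) that models a small carrier's registration database and CDR log and runs a targeted CDR request, a location ping, and a tower dump against them. The record layout, phone numbers, tower names, and signal strengths are all constructed for illustration; real carrier records carry more fields.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CDR:            # constructed record layout, not a real carrier format
    t: int            # event time, minutes since midnight
    number: str       # subscriber whose activity generated the record
    peer: str         # other party to the call or message
    kind: str         # "call" or "sms"
    tower: str        # base station that handled the event

class Carrier:
    def __init__(self):
        self.cdrs = []          # kept for every subscriber, not only targets
        self.registered = {}    # number -> (time, tower) of latest registration

    def register(self, t, number, signals):
        """A phone scans and registers with the strongest base station it hears."""
        tower = max(signals, key=signals.get)
        self.registered[number] = (t, tower)
        return tower

    def event(self, t, number, peer, kind):
        tower = self.registered[number][1]   # event is logged at the current tower
        self.cdrs.append(CDR(t, number, peer, kind, tower))

    def cdr_request(self, number, start, end):
        """Targeted and retrospective: one number, one time window."""
        return [c for c in self.cdrs if c.number == number and start <= c.t <= end]

    def ping(self, number):
        """Targeted: latest registration, known even if no call was ever made."""
        return self.registered.get(number)

    def tower_dump(self, tower, start, end):
        """Untargeted: every subscriber with CDR activity on one tower in the window."""
        return sorted({c.number for c in self.cdrs
                       if c.tower == tower and start <= c.t <= end})

def demo():
    net = Carrier()   # all values below are constructed sample data
    net.register(600, "555-0101", {"T1": -70, "T2": -95})
    net.register(605, "555-0102", {"T1": -80, "T2": -85})
    net.register(610, "555-0103", {"T1": -99, "T2": -60})
    net.register(615, "555-0104", {"T1": -65})             # idle phone, never calls
    net.event(620, "555-0101", "555-0199", "call")
    net.event(625, "555-0102", "555-0101", "sms")
    net.event(630, "555-0103", "555-0102", "call")
    net.register(640, "555-0101", {"T1": -98, "T2": -72})  # moved toward T2
    net.event(645, "555-0101", "555-0103", "call")
    return net
```

In this model the idle phone generates no CDRs and never appears in a CDR request or a CDR-based tower dump, yet a ping still returns its last registered tower; the tower dump, by contrast, names subscribers nobody asked about.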
Called, variously, "IMSI catchers" or "Stingrays" (the trade name of the dominant product marketed to law enforcement), these devices identify the active cellular telephones at a particular location. A Stingray is essentially a portable "fake" cellular base station that can be carried (or driven) to the location of interest. Once enabled, the Stingray presents a strong signal to the cellular phones within its range, causing nearby phones to attempt to register with the Stingray as if it were a real base station operated by the cellular carrier. But instead of providing service, the device simply records the identity of each cellular phone that registered with it and then shuts itself down.
Stingrays come in a variety of configurations, including semi-portable models equipped with directional antennas that can be used to identify the phones in particular streets, houses or rooms. Use of the devices can cause some disruption to cellular service in an area, so, unlike carrier-based tracking techniques, they are potentially alerting to the target.
Stingrays are typically used early in an investigation to identify suspects and their telephone numbers. Once identified by the Stingray, conventional CDR requests, pen registers, or content taps can be used for further tracking.
As with tower dumps, the legal requirements for using Stingrays remain somewhat unclear; at least one recent court case has challenged evidence obtained by them without a warrant.
Those are the major law enforcement techniques. They aren't the only tracking and interception methods that an agency could theoretically use, but these are the six that relate to tracking phones based on their interaction with a cellular network. That said, there are other phone-related surveillance tools at law enforcement's disposal as well. There's some evidence, for example, that the FBI has the ability to install surveillance malware on the devices of high-value targets, and this could possibly include cellphones. Location information may also be stored by third parties (such as companies that provide mapping apps), whose records law enforcement can get. And we're excluding things like forensic analysis of seized handsets to obtain stored contact lists, which, while commonly done, isn't really "tracking" in the sense of this post.