Matt Blaze's
Science, Security, Curiosity
How Law Enforcement Tracks Cellular Phones
A brief taxonomy of wiretapping esoterica.

Recall NGNR2000 DNR Recent news stories, notably this story in USA Today and this story in the Washington Post, have brought to light extensive use of "Stingray" devices and "tower dumps" by federal -- and local -- law enforcement agencies to track cellular telephones.

Just how how does all this tracking and interception technology work? There are actually a surprising number of different ways law enforcement agencies can track and get information about phones, each of which exposes different information in different ways. And it's all steeped in arcane surveillance jargon that's evolved over decades of changes in the law and the technology. So now seems like a good time to summarize what the various phone tapping methods actually are, how they work, and how they differ from one another.

Note that this post is concerned specifically with phone tracking as done by US domestic law enforcement agencies. Intelligence agencies engaged in bulk surveillance, such as the NSA, have different requirements, constraints, and resources, and generally use different techniques. For example, it was recently revealed that NSA has access to international phone "roaming" databases used by phone companies to route calls. The NSA apparently collects vast amounts of telephone "metadata" to discover hidden communications patterns, relationships, and behaviors across the world. There's also evidence of some data sharing to law enforcement from the intelligence side (see, for example, the DEA's "Hemisphere" program). But, as interesting and important as that is, it has little to do with the "retail" phone tracking techniques used by local law enforcement, and it's not our focus here.

Phone tracking by law enforcement agencies, in contrast to intelligence agencies, is intended to support investigations of specific crimes and to gather evidence for use in prosecutions. And so their interception technology -- and the underlying law -- is supposed to be focused on obtaining information about the communications of particular targets rather than of the population at large.

In all, there are six major distinct phone tracking and tapping methods used by investigators in the US: "call detail records requests", "pen register/trap and trace", "content wiretaps", "E911 pings", "tower dumps", and "Stingray/IMSI Catchers". Each reveals somewhat different information at different times, and each has its own legal implications. An agency might use any or all of them over the course of a given investigation. Let's take them one by one.


The first of these techniques involves targeted, retrospective records requests.

1. Call Detail Records (CDR) Requests
"Call detail records" ("CDRs") are the official billing records maintained by the telephone company about call activity -- the incoming and outgoing calls made and received by each subscriber. This includes the date and time of the call, the telephone number dialed (or from which the subscriber was called), whether the call was completed, and the length of the call. For cellular phones, CDRs will typically also identify the local cellular "base stations" that serviced the call. Because a phone generally registers itself with the nearest base station, knowing the base station that served a call tells you the location of the subscriber at the time the call occurred (but see below). Note that CDRs do not record the voice content of phone calls, although SMS messaging text is typically stored. (Voicemail content is also generally stored by the phone company, but that's different from a CDR for wiretapping purposes).

Every call made or received generates a CDR record. Data services, such as SMS messaging and Internet access, also generate CDRs. (Apps on modern smartphones will often access the Internet frequently without explicit action by the user, so your phone may be generating CDRs even when you're not actually using it.) All phone companies routinely maintain CDRs internally for all their subscribers, not just those under investigation by the police. These records are typically stored for anywhere from a few years to forever, depending on the policy of the particular company.

Although CDRs are sometimes called "billing records", they are still generated for subscribers who have flat rate services or who otherwise might not receive itemized bills that list every call made.

Law enforcement agencies can generally request CDRs about a particular subscriber with what amounts to a simple subpoena that attests that the request is relevant to an investigation. These requests are supposed to be targeted; they ask for the CDRs associated with a given phone number during a given time period. Because CDRs are routinely generated for everyone, this allows an investigator to retrospectively examine the phone activity of just about anyone, even activity from before they came to the attention of the authorities.

Whether the CDRs delivered to law enforcement in response to a subpoena will (or should) include the cell base station information (which effectively reveals the target's location) is a matter of some controversy. A number of courts are requiring warrants (a much higher legal standard) for requests that include location information (see for example this opinion [pdf]). How revealing is base station location information? It depends, but can be quite precise; see my testimony earlier this year in the House Judiciary Committee [pdf] for a discussion.

SMS text is usually not delivered to law enforcement in response to a CDR request; that generally requires a content warrant.

Next are a variety of targeted real time, prospective intercept techniques.

2. Pen Register / Trap and Trace
CDRs are retrospective. They reveal past activity, but the records may require some time to deliver after being requested. However, the same data contained in CDRs can also be delivered to law enforcement in real time, whenever calls are made or received by the target. For historical reasons, information delivered about the numbers dialed in outgoing calls is called a "pen register" (also sometimes called a "dialed number recorder" or "DNR"), while information about incoming calls is called a "trap and trace". In practice, pen registers and trap and traces for a target are almost always requested and delivered together, and the term "pen register" is sometimes used to refer to both kinds of real time data.

In the days of analog wired telephones, pen registers involved physically tapping into the target's phone wires and installing a device that detected rotary dialed digit pulses on the line, electro-mechanically registering them as ink marks on paper (hence the term). Today, telephone company switches (for both wired and cellular phones) are required to include a so-called "lawful access" interface that can be configured to electronically deliver call information about targeted subscribers to law enforcement agencies in real time. This feature is sometimes called the "CALEA interface" (for the law that mandated it) or the "J-STD-25 interface" (for the technical standard that it follows). The CALEA interface is supposed to be controlled by the telephone company, which configures it to deliver activity associated with the phone numbers specified in law enforcement requests. While it may take some time for the phone company to set up a new intercept for a particular phone number, once this is done all call information is delivered to the law enforcement agency as soon as it occurs.

The legal standard for getting a pen register / trap and trace is similar to that for a CDR request: essentially an attestation to a court that the information is relevant to an investigation.

As with CDRs, pen registers (and trap and traces) for cellular phones can include cell site information giving the target's location at the time of each call event. And as with CDRs, this is a matter of some controversy, with some courts requiring a warrant for requests that include location data. (Again, see the links in the previous section for more discussion.)

3. Content Wiretaps
When we think of "wiretaps", we generally think of an investigator listening in to the actual audio of calls. In fact, compared with CDR requests and pen registers, audio content wiretaps by law enforcement are relatively rare. There are two reasons for this. First, they are quite labor intensive. Modern computer techniques make call records -- "metadata" -- relatively easy to automatically process and analyze in the aggregate, allowing a human investigator to quickly discern patterns of activity without having to examine each record by hand. Call content, on the other hand, has to be interpreted by a human. Every minute the subject talks is a minute an investigator must spend listening, who then must try to figure out what, exactly, was meant by what was said.

Also, content wiretaps are governed by much more stringent legal standards than CDR requests and pen registers. Federal wiretap law requires a special warrant based on a showing of probable cause that the wiretap will yield evidence of a crime, and that other investigative methods would be ineffective.

Call audio of the target of a content tap is delivered to law enforcement in real time using the same "lawful access" phone switch features used to deliver pen register and trap and trace data. The mechanism is the same as a pen register; the only difference is how the intercept is configured by the phone company.

In addition to call audio, content wiretaps will generally include the pen register and trap and trace data that identifies the numbers dialed and the numbers of incoming callers. For cell phones, it will also generally include the texts of SMS messages and the base station information that effectively reveals the phone's location during calls.

4. E911 Pings
The cellular base station IDs contained in CDRs and pen register records for cellular phones is only one way for law enforcement to obtain the location of a target. (As noted above, the legal standard for when law enforcement can get this is currently somewhat unsettled, but, in any case, it is available to them with a warrant). But this approach has a number of limitations. In more sparsely populated areas, where base stations are located far from one another, the nearest base station ID may only locate the target to within a relatively large area. And CDRs and pen register records are only generated when a call event occurs (e.g., when a target makes or receives a call).

But cellular networks also keep track of the location of any subscriber phones that are powered on and in range of the network, even those not in the process of making or receiving calls. Cellular phones work by periodically scanning for and "registering" with the nearest base station (generally the one with the strongest radio signal). When a phone moves out of range of one base station, it will search for and register with a base station in its new area. The latest base station with which a phone has registered is maintained in a central telephone company database that is used to route incoming calls to the correct base station. This process is automatic and transparent to the user; it happens as soon as the phone is turned on. That is, the current location of every powered on phone in the network is always known to the cellular carrier.

Law enforcement can request the location of particular subscriber phones from the phone company. Most cellular companies have the ability to deliver this information from its databases to law enforcement in near real time, once the agency has certified that it has legal authorization to request it. (The legal standard for obtaining this data is, as before, currently a matter of some controversy). Law enforcement "pings" for a target's location can typically be performed on demand or at periodic intervals.

Depending on the technical capabilities of the carrier and the subscriber's handset, the location information delivered in response to a law enforcement ping might consist simply of the currently registered base station or it might be more precise than that. Current generation handsets are required to have the capability to calculate their position to within several meters. This location information is designed for emergency use and is automatically transmitted when the subscriber calls 911. In some cases, the carrier can trigger the "E911" precise location feature remotely (or use signal triangulation techniques to calculate precise location itself) at law enforcement request.

Finally, and perhaps less widely known until recently, are two un-targeted, location-specific cell phone tracking techniques that are increasingly being used by US federal and local law enforcement. These methods were the subject of the recent Washington Post and USA Today articles mentioned above.

5. Tower Dumps
Above, we discussed how law enforcement can request the call records associated with a particular subscriber over a given time period. But what if they don't know what telephone number to ask for, e.g., they want to identify potential suspects who were in a certain area at a particular time? In such cases, they can request a "tower dump" of the cellular base station (or stations) that serve the target area for the time period of interest.

A tower dump lists the CDRs (and, in some cases, new handset registrations) generated for a particular base station over some time period. That is, it is effectively a list of all the telephones and call activity in an area at a particular time. This allows an investigator to request information about everyone who was in a given area without having to specify who is being asked about in the request.

The ability to obtain tower dumps was relatively little known until recently, but they are now a standard wiretapping service offered to law enforcement by almost every major cellular carrier. However, the legal requirements for obtaining tower dumps remain somewhat unclear. They are, by their nature, untargeted, delivering information about activities of everyone in an area, most of whom are presumably not, and will never be, suspects. Tower dumps do not appear to have been anticipated by the pen register statute, which assumes more particular targeting. As awareness and use of tower dumps grows, this will likely become an issue addressed by the courts.

6. Stingrays / IMSI Catchers
All of the wiretapping and tracking technologies discussed to this point are implemented by the telephone company in response to a (presumably legal) law enforcement request. That is, law enforcement cannot conduct them without the active cooperation of the phone company (which, of course, can be compelled by a court). However, it is also possible for law enforcement to use special devices that track cellular phones directly,

Called, variously, "IMSI catchers" or "Stingrays" (the trade name of the dominant product marketed to law enforcement), these devices identify the active cellular telephones at a particular location. A Stingray is essentially a portable "fake" cellular base station that can be carried (or driven) to the location of interest. Once enabled, the Stingray presents a strong signal to the cellular phones within its range, causing nearby phones to attempt to register with the Stingray as if it were a real base station operated by the cellular carrier. But instead of providing service, the device simply records the identity of each cellular phone that registered with it and then shuts itself down.

Stingrays come in a variety of configurations, including semi-portable models equipped with directional antennas that can be used to identify the phones in particular streets, houses or rooms. Use of the devices can cause some disruption to cellular service in an area, so, unlike carrier-based tracking techniques, they are potentially alerting to the target.

Stingrays are typically used early in an investigation to identify suspects and their telephone numbers. Once identified by the Stingray, conventional CDR requests, pen registers, or content taps can be used for further tracking.

As with tower dumps, the legal requirements for using Stingrays remains somewhat unclear; at least one recent court case has challenged evidence obtained by them without a warrant.

Those are the major law enforcement techniques. They aren't the only tracking and interception methods that an agency could theoretically use, but these are the six that relate to tracking phones based on their interaction with a cellular network. That said, there are other phone-related surveillance tools at law enforcement's disposal as well. There's some evidence, for example, that the FBI has the ability to install surveillance malware on the devices of high-value targets, and this could possibly include cellphones. Location information may also be stored by third parties (such as companies that provide mapping apps), whose records law enforcement can get. And we're excluding things like forensic analysis of seized handsets to obtain stored contact lists, which, while commonly done, isn't really "tracking" in the sense of this post.