The U.S. Department of Justice will regularly delete extra data collected in a controversial cellular surveillance tool called a stingray, the agency said Thursday.
A new DOJ policy on the use of stingrays, or cell-site simulators, requires the agency to delete all data as soon as a mobile device is located through the technology, and data must be deleted no less than once daily when DOJ investigators are targeting a known device.
The new policy covers DOJ divisions such as the FBI and Drug Enforcement Administration.
Stingrays, which function by transmitting as if they are cell towers, are used by law enforcement agencies to identify and track mobile devices used by suspects. They do not capture emails, texts and other mobile data, the DOJ said. Some critics of stingrays have suggested the technology can extract encryption keys, conduct denial-of-service attacks and write metadata to a device's internal storage.
Privacy groups have criticized the increasing use of stingrays by law enforcement agencies in the U.S. "When used to track a suspect's cell phone, they also gather information about the phones of countless bystanders who happen to be nearby," the American Civil Liberties Union says on its stingray webpage.
Stingrays are "military-grade surveillance," the ACLU says.
The DOJ's new policy says that if the agency is using a stingray to locate an unknown mobile device, all other data must also be deleted as soon as the targeted device is identified and no less than every 30 days.
DOJ investigators must also get court-ordered search warrants to set up stingrays, the new policy said.
But the use of stingrays by the DOJ and the FBI will continue, the policy suggests. "Cell-site simulator technology provides valuable assistance in support of important public safety objectives," the policy says. "Whether deployed as part of a fugitive apprehension effort, a complex narcotics investigation, or to locate or rescue a kidnapped child, cell-site simulators fulfill critical operational needs."
The ACLU called the DOJ's new policy "a positive first step" but said the policy needs to cover other federal agencies and state and local police departments. An exception to the warrant requirement in "exceptional circumstances" also leaves the door open to abuse, the civil liberties group said.
"After decades of secrecy in which the government hid this surveillance technology from courts, defense lawyers, and the American public, we are happy to see that the Justice Department is now willing to openly discuss its policies," Nathan Freed Wessler, a staff attorney in the ACLU's Speech, Privacy, and Technology Project, said in a statement.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.