The Office of the Privacy Commissioner of Canada recently announced it will investigate the Royal Canadian Mounted Police (RCMP) over their refusal to admit whether or not they use the mobile phone surveillance device called “Stingray.”
What is a Stingray?
A Stingray is a hardware device that mimics a cell tower in order to force all mobile phones within range to connect to it. Once the phones connect to the Stingray, the Stingray may be able to collect the phone’s unique identifiers (IMSI and ESN), which can be connected to an identifiable individual if the Stingray-user has otherwise obtained that information from a wireless carrier. Stingrays can also be used to track and locate a mobile phone, intercept content of communications, and extract encryption keys. Since all mobile phones within a Stingray’s range are forced to connect to it, the Stingrays do not distinguish between mobile phones of suspects in criminal cases and those of law abiding citizens. As such, use of a Stingray may violate Canadian privacy legislation, the Charter of Rights and Freedoms, and telecommunications laws.
The Privacy Commissioner’s Investigation
The Office of the Privacy Commissioner opened its investigation after a complaint was filed based on media reports about the RCMP’s refusal to answer questions about Stingrays. The RCMP indicated that records relating to any such use of technology are exempt from disclosure under the Access to Information Act in response to the Toronto Star’s access request. The Privacy Commissioner’s investigation is expected to determine whether the RCMP are using Stingrays and, if they do use them, the impact on the privacy rights of the individuals whose cell phone data is re-routed and collected by the Stingrays.
Other Actions Targeting Use of Stingrays
The Privacy Commissioner’s investigation is not the first of its kind. In both the US and Canada, the Government’s use of Stingrays has been challenged:
- In August 2015, the Office of the Information and Privacy Commissioner of Ontario upheld the Toronto Police Services Board’s right to neither confirm nor deny that it owns Stingrays;
- The Office of the Privacy Commissioner of Canada is investigating the alleged use of Stingrays by Correctional Service Canada at Warkworth Institution in Campbellford, Ontario which, if used, could have captured mobile phone data of inmates; of prison staff and visitors (including lawyers, psychiatrists, nurses, and family members) while in the parking lot of the prison; or individuals in the area surrounding the prison;
- Finally, the Office of the Information and Privacy Commissioner for British Columbia is investigating the Vancouver Police Department’s alleged use of Stingrays, as they have also failed to respond to requests whether or not they use the technology; and
- In the United States, the Maryland Court of Special Appeals in Maryland v. Andrews[1] was the first state court to rule on whether police were required to disclose the use of Stingrays to the defense in criminal proceedings. The state police had argued that their non-disclosure agreement with the F.B.I. precluded them from doing so. The Maryland Court of Appeals held that the use of non-disclosure agreements to prevent the disclosure of Stingrays is “inimical to the constitutional principles we revere.” The court’s ruling is binding only in the state of Maryland. It seems unlikely that a case will arise in the context of a federal prosecution, because, in 2015, the U.S. Department of Justice changed its policy relating to keeping the use of Stingrays a secret. Under the new policy, federal agencies are required to disclose the use of Stingrays to judges, and to obtain a warrant for the use of the technology.
Our Take
A recent media report has surfaced RCMP factsheets indicating that in the past the RCMP has used Stingrays, knowing full well that they would, in so doing, intercept and temporarily disrupt innocent cell phone users’ communications, including those attempting to place 911 emergency calls. While the outcome of the Privacy Commissioner’s investigation may hinge on whether the RCMP obtained proper judicial authorization prior to the use of Stingrays in particular cases, the validity of the legislation providing for such authorization could be open to an attack under the Canadian Charter of Rights and Freedoms and might also contravene telecommunications legislation. Whatever the legal outcome, the disclosure of the use of Stingrays has already sparked a public debate that could act as a catalyst for new legislation specifically regulating the use of Stingray devices.
[1] No. 1496 (Md. Ct. Spec. App. Mar. 30, 2016).
To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.