What might the Internal Revenue Service do with a person’s cell phone location information? Why does it even need it in the first place? And how much money has the agency spent on Stingrays, devices that mimic cell towers to covertly extract sensitive information from cell phones? Privacy advocates have long asked these questions, and now Congress is as well. In fact, federal agencies have disclosed so little information about how they use these devices that lawmakers have found themselves largely in the dark.
On Monday, leaders of the House Oversight Committee sent letters to the IRS, the State Department, and 22 other federal agencies seeking information about how Stingrays are deployed and what sorts of protocols have been put in place to regulate their use.
The letters highlight a growing tension between Congress and the executive branch on a bundle of tech issues challenging conceptions of privacy and due process in the digital age. Over the past year, Oversight Committee hearings have served as a central stage for these disputes, pitting administration officials against lawmakers on issues of encryption, GPS surveillance, phone-tracking, and cybersecurity.
Oversight chair Jason Chaffetz, a Republican from Utah, has been an outspoken critic of the government’s secrecy surrounding Stingrays. His previous inquiries, which focused on the need for transparency and consistent rules, prompted the Justice Department and Homeland Security to make public their policies on phone surveillance technology.
“As it was with DOJ and DHS before those agencies issued department-wide policies governing use of the devices, the Committee is concerned that other federal agencies may be governed by a patchwork of policies,” stated the letter.
The Oversight Committee also expressed concern that the legal standard for the use of cell-site simulators by federal agencies might be set too low, as there are no common rules requiring agencies to establish probable cause and obtain a search warrant before a Stingray is deployed.
Echoing criticism from civil liberties groups like the Electronic Frontier Foundation and the American Civil Liberties Union, Chaffetz and his colleagues argue Stingrays are invasive — devices capable of violating the privacy rights not just of those targeted by criminal investigations, but of other citizens in their vicinity. Stingrays can hoover up the location of a cell phone owner, the numbers a person calls and texts, and even the content of an individual's calls. As the questions posed by lawmakers suggest, it’s not known what government rules control the collection and retention of that information.
The committee asked that the 24 agencies turn over their policy guidelines on cell phone surveillance as well as an inventory of the number of cell-site simulators in use, their cost, and a list of alleged abuses by Nov. 12.
Earlier this month, Chaffetz introduced legislation that would limit the use of Stingrays by state and federal agencies. “The abuse of Stingrays and other cell-site simulators by individuals, including law enforcement, could enable gross violations of privacy,” Chaffetz said. "The fact that law enforcement agencies, and non-law enforcement agencies such as the IRS, have invested in these devices raises serious questions about who is using this technology and why.”
“These questions demonstrate the need for strict guidelines that carry the weight of the law."
Hamza Shaban is a technology policy reporter for BuzzFeed News and is based in Washington, DC.
Contact Hamza Shaban at Hamza.Shaban@buzzfeed.com.
Got a confidential tip? Submit it here.