Details about StringRays have trickled out slowly, but each new revelation comes with concerning implications for government agencies' ability to access the mobile communications of individuals. The surveillance tools, which pretend to be cell towers so mobile phones will be tricked into connecting to them and revealing their data, are manufactured by the Florida-based Harris Corp. In September, Matthew Keys at the Blot filed a Freedom of Information Act request with the FCC to see the manual for the controversial devices. Six months later, he finally got the documents.
The manual describes two surveillance products, the StingRay and the KingFish (a cheaper and smaller option). Keys writes:
The manual indicates the StingRay and KingFish devices are sold as part of a larger surveillance kit that includes third-party software and laptops. Tables that contain the names of the other equipment is redacted in the copy provided by the FCC, but other records reviewed by TheBlot indicate the laptops are manufactured by Dell and Panasonic, while the software is designed by Pen-Link, a company that makes programs for cellphone forensics.
Redactions in the manual cover things like instructions for operating the devices and diagrams. The manual is loaded with warnings that it contains proprietary information and shouldn't be shared or copied. The document also says that it includes information protected under the International Traffic in Arms Regulation.
The manual is difficult to read, to say the least. One chapter summary says, "This chapter provides a list of features and capabilities of the StingRay II hardware, an equipment inventory, system specifications, and StingRay II setup," followed by near-complete redaction. For example, "The StingRay II chassis REDACTED as shown in Figure 2-5." Figure 2-5 is ... also redacted. Shocking.
As the Blot notes, the manual says that its contents are “associated with the monitoring of cellular transmissions,” even though this phrase seems to be blacked out in other similar parts of the document. The FCC redacted information under the trade secret FOIA Exemption 4.
The most important thing the document reveals is concrete evidence of how StingRays are purchased and distributed, and hints about how they work. Plus, the FCC clearly feels that it and the company that makes these products have something to lose by revealing even just the use manual.
If you’re in the market for a powerful mobile surveillance device, keep in mind that StingRays come with a limited 12-month warranty!