Daniel Rigmaiden and Stingray


It was a move that should have made headlines, but it didn’t. In 2014, the U.S. government chose to drop a rock-solid case against a man they knew had committed massive fraud—because revealing how they found him would have exposed a shady surveillance tactic, one that they didn’t want you and me to know about.

This is the story of a hacker named Daniel Rigmaiden. From 2005 to 2008, Rigmaiden managed to file for $4 million in fraudulent tax returns online using a combination of fake IDs, false bank accounts, and falsified utility bills. 

The Feds eventually narrowed down the source of the false refund applications to a particular Air Card, a sort of early WiFi Hotspot device. But when they asked Verizon who owned that Air Card, they hit a dead end. Rigmaiden had paid cash for the device, using a fake ID for the name and address.

The Feds had no idea where Rigmaiden was, but they had a plan to track him down using a combination of legal and illegal data.

What your cell service knows about you

Cell service providers generally just collect metadata, meaning data about your data. They need to know your phone number and who you’re calling so they can route the call and display your number on the other person’s phone. For text messages, they track the number you texted and when you sent it, so they can deliver the message and display the sent time, but they generally don’t keep the content of your text messages for long—maybe a few days at most—just long enough to ensure delivery. After that, they’re gone, and all that’s left is the metadata.

If you use an Air Card to connect to the internet, your provider will track how long you were connected, and it can track the websites you go to, in some circumstances. Nowadays, most websites provide a secure encrypted connection, and in that case, the cell provider can’t see it. Or if you use a VPN, they can’t see it.

What the cell provider doesn’t do, ever, is track what you’re doing at the website, like what pages you’re looking at or what kind of pet treats you’re searching for at Chewy.com. 

In fact, tracking your internet activity in great detail, or recording the content of your calls, or keeping your texts beyond what they need to in order to provide the service, is prohibited by law, by The Electronic Communications Privacy Act (ECPA) of 1986.

The Fourth Amendment and your cell data

These rules about what your cell provider can and can’t keep about your cell activity are also governed to a large degree by the Fourth Amendment to the Constitution, which protects the privacy of US citizens. Allow me to refresh you with the actual Fourth Amendment. Here it goes:

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

It basically means that law enforcement or tax collectors or government officials can’t just randomly barge into your house whenever they feel like it to rifle through your cabinets. They need a search warrant to do this.

Cell towers and locations

Cell providers also store information about which towers the device pinged when it connected.  

When you use your cell phone, it pings off the three or four cell towers closest to you. To understand how this works, imagine that you draw a circle around each of these three cell towers. Where all the circles intersect, somewhere in there is where your cell phone or Air Card is. The cell towers can get a little more accurate by comparing how long it takes the signal to arrive. This tells the system which tower you’re closer to, and it can make some educated guesses about where your cell phone is. 

This process is called triangulation, which is an old term related to surveying land for angles between this and that. By measuring how far your phone is from this or that tower, the cellular system can kind of figure out your general area. 

But the cell towers can’t figure out exactly where you are, down to the pinpoint. It can be off by several hundred feet in city areas, or in places where the cell towers are far apart, like out in the country, it can be off by half a mile.
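
An added example, not from the original post: a small Python sketch of the "intersecting circles" idea above, showing how modest errors in each tower's distance estimate turn into a position fix that is off by a few hundred feet. It assumes a flat map in metres and a least-squares distance-based fix (usually called trilateration); the tower layout, device position and range errors are constructed sample values, and real carrier systems are not claimed to work exactly this way.

```python
import math

def locate(towers, distances):
    """Least-squares position fix from tower coordinates and range estimates.

    towers: list of (x, y) in metres; distances: estimated range to each tower.
    Subtracting the first circle equation from the others gives linear
    equations in (x, y), solved here through the 2x2 normal equations.
    """
    if len(towers) < 3 or len(towers) != len(distances):
        raise ValueError("need at least three towers, one distance each")
    (x0, y0), d0 = towers[0], distances[0]
    saa = sab = sbb = sac = sbc = 0.0
    for (xi, yi), di in zip(towers[1:], distances[1:]):
        a, b = 2 * (xi - x0), 2 * (yi - y0)
        c = xi**2 + yi**2 - x0**2 - y0**2 + d0**2 - di**2
        saa += a * a
        sab += a * b
        sbb += b * b
        sac += a * c
        sbc += b * c
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("towers are collinear; position is ambiguous")
    return ((sac * sbb - sbc * sab) / det, (saa * sbc - sab * sac) / det)

def fix_error(towers, device, range_errors):
    """Distance between the true position and the fix when each range is off."""
    measured = [math.dist(t, device) + e for t, e in zip(towers, range_errors)]
    return math.dist(locate(towers, measured), device)

# Constructed sample: three towers 3 km apart, device at (1000, 1200) metres.
TOWERS = [(0.0, 0.0), (3000.0, 0.0), (0.0, 3000.0)]
DEVICE = (1000.0, 1200.0)

if __name__ == "__main__":
    print("perfect ranges:", round(fix_error(TOWERS, DEVICE, [0, 0, 0]), 3), "m off")
    print("ranges off by +150/-100/+120 m:",
          round(fix_error(TOWERS, DEVICE, [150, -100, 120]), 1), "m off")
```

With perfect ranges the fix lands on the device; with each range off by 100 to 150 metres the fix drifts by roughly 160 metres, which is the "general area, not a pinpoint" limit described above.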

So, for the Feds, being able to trace Daniel Rigmaiden’s Air Card to this one neighborhood in California didn’t tell them exactly where he was. Just the general area. And they weren’t about to go door-to-door to look for him.

So the Feds had to get a bit more clever to pinpoint Rigmaiden’s location. For that, they used something called a Stingray.

What is a Stingray?

A Stingray is basically a cell tower in a box, like around the size of a small suitcase. The Stingray works by pretending to be a cell tower, sending out a signal for cell phones and air cards.

And the Stingray collects up things like, your phone number, your phone’s identifier, basically all the stuff a cell tower would grab. And it can also tell how far it is from any of these devices that connect to it.

So, how is a Stingray different from a stationary cell tower? Because, if the Stingray picks up a signal from a particular cell device that it’s looking for, it can keep moving around to try and get as close as possible to the device.

So the Feds put the Stingray in a van, and they start driving around Rigmaiden’s neighborhood, waiting for his Air Card to connect to it.

The Feds eventually narrowed down Rigmaiden’s location using the Stingray. They arrested him, and he sat in jail for five years while he tried to figure out how he got caught. He read thousands of pages of court documents, and he eventually figured out that the Stingray was used.

The problem is, the use of the Stingray is a violation of people’s Fourth Amendment rights.

Rigmaiden’s argument of Fourth Amendment violations

While he’s in jail, Rigmaiden does not dispute that he committed tax fraud, but he thinks he’s got an argument that will get all the evidence against him thrown out, down to the last fake ID. And the way he’s going to get there is by challenging the Feds for violating this tiny little legal principle called the Fruit of the Poisonous Tree.

Rigmaiden’s case argued that using a Stingray device without telling the judge—or getting a proper warrant—was that poisonous tree. The Stingray wasn’t disclosed in the warrant application, and the judge who signed the warrant had no idea this kind of surveillance technology was being used.

And based on this one omission from the search warrant, Rigmaiden made his case. He argued that all the evidence that the Feds found in his apartment as a result of using the Stingray, was poisoned fruit. And if all that fruit got tossed out the window, there was basically zero evidence against him, and the case should be dropped.

But, the judge on Rigmaiden’s case did not agree. He called the Stingray an unimportant “detail of execution” that didn’t need to be mentioned in the warrant. So Rigmaiden’s motion to suppress the evidence was denied.

Rigmaiden’s “Get out of jail free” card

But with all the attention the case got from organizations like the ACLU and publications like the Wall Street Journal, this is maybe making the Feds a little nervous. The Department of Justice never comes out and says so, but you can imagine that they do not want to try this case, and have all this information about the Stingray come out in court, and get even more attention. 

So in 2014, the prosecution made a decision. They offered Rigmaiden a deal: plead guilty, and he’d just get sentenced to time served. In other words, don’t take this case to trial, sign this piece of paper, and you can walk out of jail, a free man.

So Rigmaiden got out, having served only five and a half years.

In September 2015, the Justice Department announced a new policy requiring the FBI and other federal agents, and law enforcement, to obtain a search warrant before using Stingrays.

And as for Rigmaiden, he went on to consult with the ACLU, and even helped draft a bill in the state of Arizona about the use of Stingrays. At cybersecurity conferences, he gives presentations on everything he learned about the Stingray. 

So while you might not be thrilled about Rigmaiden’s crimes, he’s been instrumental in exposing government surveillance overreach and helping to protect our Fourth Amendment rights.
