Powerful Mobile Phone Surveillance Tool Operates in Obscurity Across the US
POWERFUL MOBILE PHONE SURVEILLANCE TOOL OPERATES IN OBSCURITY ACROSS THE COUNTRY
CellHawk helps law enforcement visualize large quantities of information collected by cellular towers and providers.
UNTIL NOW, the Bartonville, Texas, company Hawk Analytics and its product CellHawk have largely escaped public scrutiny. CellHawk has been in wide use by law enforcement; the software is helping police departments, the FBI, and private investigators around the United States convert information collected by cellular providers into maps of people’s locations, movements, and relationships. Police records obtained by The Intercept reveal a troublingly powerful surveillance tool operated in obscurity, with scant oversight.
CellHawk’s maker says it can process a year’s worth of cellphone records in 20 minutes, automating a process that used to require painstaking work by investigators, including hand-drawn paper plots. The web-based product can ingest call detail records, or CDRs, which track cellular contact between devices on behalf of mobile service providers, showing who is talking to whom. It can also handle cellular location records, created when phones connect to various towers as their owners move around.
Such data can include “tower dumps,” which list all the phones that connected to a given tower — a form of dragnet surveillance. The FBI obtained over 150,000 phone numbers from a single tower dump undertaken in 2010 to try and collect evidence against a bank robbery suspect, according to a report from the Brennan Center for Justice at NYU.
Police use CellHawk to process datasets they routinely receive from cell carriers like AT&T and Verizon, typically in vast spreadsheets and often without a warrant. This is in sharp contrast to a better known phone surveillance technology, the stingray: a mobile device that spies on cellular devices by impersonating carriers’ towers, tricking phones into connecting, and then intercepting their communications. Unlike the stingray, CellHawk does not require such subterfuge or for police to position a device near people of interest. Instead, it helps them exploit information already collected by private telecommunications providers and other third parties.
CellHawk’s surveillance capabilities go beyond analyzing metadata from cellphone towers. Hawk Analytics claims it can churn out incredibly revealing intelligence from large datasets like ride-hailing records and GPS — information commonly generated by the average American. According to the company’s website, CellHawk uses GPS records in its “unique animation analysis tool,” which, according to company promotional materials, plots a target’s calls and locations over time. “Watch data come to life as it moves around town or the entire county,” the site states.
The tool can also help map interpersonal connections, with an ability to animate more than 20 phones at once and “see how they move relative to each other,” according to a promotional brochure.
CellHawk helps police exploit information already collected by
private telecommunications providers.
The company has touted features that make CellHawk sound more like a tool for automated, continuous surveillance than for just processing the occasional spreadsheet from a cellular company. CellHawk’s website touts the ability to send email and text alerts “to surveillance teams” when a target moves, or enters or exits a particular “location or Geozone (e.g. your entire county border).”
On its website, Hawk Analytics claims this capability can help investigators “view plots & maps of the cell towers used most frequently at the beginning and end of each day.” But in brochures sent to potential clients, it was much more blunt, claiming that CellHawk can help “find out where your suspect sleeps at night.”
A screenshot showing the previously more honest version of their marketing. Screenshot: Sam Richards
Data Sharing and Loose Regulation in Minnesota
The sheriff’s office in Hennepin County, Minnesota, which includes Minneapolis, certainly seemed impressed after it started using the software in early 2015. One criminal intelligence analyst lauded CellHawk’s ease of use in a February 2016 email comparing the subscription software to a competing tool. “CellHawk is pretty new and a lot cheaper! The great thing about cellhawk is that it is ‘hands off’ by the user, as the software does everything for you. It is drag and drop. The software can download calls from all major phone companies. The biggest selling point is of course the mapping. it also has animation, which is cool!”
Hennepin County Sheriff’s Office uses CellHawk as part of an effort to share intelligence through a Minnesota fusion center known as the Metro Regional Information Center, which brings together the FBI and eight counties serving up to 4 million people, according to the St. Cloud Times. In February 2018, the latest year for which The Intercept obtained HCSO invoices, the sheriff’s office renewed its annual subscription, providing the capability to store 250,000 CDRs.
A spokesperson for the sheriff’s office, Andrew Skoogman, said the office used certain CellHawk features infrequently. For example, it is “extremely rare” for HCSO to analyze tower dumps, he said, and “fairly rare” for it to use CellHawk’s automated location alerting service, which is used “based in the analytical needs of the investigator.”
The telecommunications data at the heart of CellHawk is shared extensively by providers. For example, Verizon in 2019 received more than 260,000 subpoenas, orders, warrants, and emergency requests from various U.S. law enforcement entities, including more than 24,000 for location information. But the legal requirements for obtaining that information are sometimes unclear. The American Civil Liberties Union in 2014 called the legal standards related to tower dumps “extremely murky.” A 2018 Brennan Center report stated that the courts were “split” on the handling of such dumps, with some lower courts allowing access to the data using a court order, which under the Stored Communications Act is obtained using a lower evidentiary standard than a warrant, requiring only “reasonable grounds to believe” the records are relevant to an ongoing investigation. Location records particular to a given subscriber, meanwhile, can be obtained with just a court order — unless they span seven days or more, in which case police need to get a full warrant, according to a 2018 Supreme Court ruling. Courts have also been divided on whether police need a court order or warrant to obtain “real-time” cellular location data.
Hennepin County defined its own legal standards to rely upon in
deploying technology like CellHawk.
Hennepin County defined its own legal standards to rely upon in deploying technology like CellHawk. These were articulated in a sheriff’s office policy document dated August 2015 — months after CellHawk was already in use. The document, titled “Criminal Information Sharing and Analysis,” was released following a data request that was initiated in 2018 and fulfilled several years later following the election of a new sheriff. It stated that the office needed “[r]easonable suspicion,” which was deemed “present when sufficient facts are established to give … a basis to believe that there is, or has been, a reasonable possibility that an individual or organization is involved in a definable criminal activity or enterprise.”
The policy does not say that investigators must receive approval from a judge to retain information. Skoogman did not respond to The Intercept’s question about what legal standard is applied to the collection of CDRs.
Chad Marlow, senior advocacy and policy counsel for the ACLU, when asked to review Hennepin County’s CellHawk policy, said the CellHawk technology was “not inherently problematic” but that the county set a low standard for how it handles the collection of CellHawk data. Requiring “reasonable suspicion” is a typical threshold for traffic stops, not for intrusive searches, which require probable cause. CellHawk’s capabilities — combing through data from calls, texts, ride-hailing applications, etc. — are patently more intrusive than a traffic stop. Beyond that, Marlow said, the county’s “definition of reasonable suspicion is bizarrely convoluted” and should require that investigators “have to have a reasonable basis for a crime being committed not MAY BE being committed.”
Hennepin County’s policy continued:
Criminal intelligence information shall be retained for up to five years from the date of collection of use, whichever is later. After that time, this information shall be deleted unless new information revalidates ongoing criminal activities of that individual and/or organization. When updated criminal intelligence information is added into the file on a suspect individual or organization, such entries revalidate the reasonable suspicion and reset the five year standard for retention of that file.
The policy empowers HCSO investigators to scoop up this data and retain it for five years based on a fairly low legal standard.
And while this policy says the sheriff may not retain information based “solely” on support for “unpopular causes” or an individual’s “race, gender, age or ethnic background” and “personal habits and/or predilections that do not break any laws or threaten the safety of others” — mentioning activities covered by the First Amendment — if a crime were to occur during a protest, as is routine, that data is considered fair game by law enforcement. Under such low standards and with such a powerful surveillance utility, it wouldn’t take long to map out the social network of an entire protest movement.
Under such low standards
and with such a powerful surveillance utility, it wouldn’t take long to map out
the social network of an entire protest movement.
For instance, during a protest outside a detention center in downtown Minneapolis to show solidarity with demonstrations in neighboring Wisconsin following the shooting of an unarmed Black man by the Kenosha Police Department, Dave Hutchinson, the Hennepin County sheriff, said, “11 individuals were arrested and are being held on probable cause riot, damage to property and unlawful assembly,” according to an HCSO press release. Should the criminal intelligence investigators at the fusion center run those individuals’ information through CellHawk, it is not at all a stretch to say that the police would then possess a map of those individuals’ associations based on calls, texts, and other records. That map of social interactions could include thousands of activists who were not at all party to the crimes of which those 11 individuals are accused. Hawk Analytics markets such social network analysis as a primary feature.
When asked whether the use of CellHawk undermined the presumption of innocence — essentially reversing the investigative process, so that evidence comes first and suspicion of a specific crime after — Skoogman replied, essentially, that innocent people had nothing to fear. “People come under suspicion of having committed a crime based on information developed by investigators,” he wrote. “Based on evidence developed by those investigations, a suspect’s cell phone records may be obtained and analyzed. On occasion, that analysis has developed information suggesting that the suspect did not commit the crime under investigation. This is the investigative process. It is exactly why data is analyzed. To determine whether the data available supports continued focus on an individual as a suspect or perhaps rules them out.”
Deployed — and Promoted — Across the Country
Hawk Analytics CEO Mike Melson, whose bio on the company website describes him as a former NASA engineer, offers free trials to law enforcement organizations to which he hopes to sell his product. Additionally, Melson has worked as an expert witness, ready to testify on behalf of prosecutors. His testimony sometimes appears in local news outlets without mention of the fact that he is the CEO of the company that could stand to financially benefit, albeit indirectly, from a conviction. Hawk Analytics failed to comment on the record after multiple attempts were made over the phone and by email.
“This highlights how the rapid development of surveillance tech
outstrips existing laws.”
In December 2013, Heather Elvis went missing from her South Carolina home after becoming embroiled in a lovers’ quarrel. Several years later, an 11-day trial resulted in two 30-year sentences for one Tammy Moorer. During the second day of that trial, Melson made an appearance as “an expert witness when it comes to analyzing cell phone data,” according to WBTW News 13. The station did not include that Melson was intimately involved in the creation of software that helped connect the dots in this case.
Additionally, according to reports from Northern Virginia, Hawk Analytics was reimbursed for their expert services which led to “the prosecution of a man convicted of first-degree murder in the 2017 shooting death of a … CVS store manager.” For their “cellular data analysis and two days of expert testimony,” Hawk Analytics was paid $8,175. That certainly isn’t a windfall, but it rivals the amount made from the sale of a small number of CellHawk subscriptions, and it effectively compounds revenue streams from multiple sides of the criminal justice system.
CellHawk is not the only technology that investigators in the Twin Cities use to process intelligence about suspects and others. Hennepin County and their law enforcement partners use automated license plate readers; stingrays and competing, similar devices; aerial surveillance; and social media intelligence, among other spy tech. CellHawk alone is powerful — but added to the area police’s already expansive arsenal, it tips local law enforcement toward becoming more like intelligence agencies than municipal cops.
Lengthy data retention policies and the power of these surveillance tools create a litany of frightening possibilities for overreach and abuse. While HCSO has acknowledged its use of some of these tools, it has not released any public reports on its use of CellHawk. Rachel Levinson-Waldman, deputy director of the Brennan Center’s liberty and national security program, who reviewed Hennepin County’s policy said, “The reference to use is concerning, since that could significantly expand the time for retention.”
Minnesota state law requires an individual whose electronic device was subject to a tracking warrant be notified within 90 days if that evidence did not end up in court. This “tracking warrant” law has been on the books since 2014 and yet, judging from press reports in recent years, it’s not clear anyone in the state has ever received such a notice or if a tracking warrant has ever been unsealed by the courts. The law seems to have been thwarted in part by police avoiding warrants and obtaining instead court orders under the much lower “reasonable suspicion” standard. This, despite the fact that Minnesota law clearly states, under a subdivision titled “Tracking warrant required for location information,” that “a warrant granting access to location information must be issued only if the government entity shows that there is probable cause the person who possesses an electronic device or is using a unique identifier is committing, has committed, or is about to commit a crime.”
Julia Decker, policy director for the ACLU of Minnesota, said that “there doesn’t seem to be oversight” for the use of CellHawk in the state, even though surveillance should get oversight of “the highest standard possible.” She also said that Hennepin’s policy to retain CellHawk and similar data for five years raises the potential for harm to civil liberties.
“I think this highlights how the rapid development of surveillance tech outstrips existing laws, and how that can be really problematic,” said Decker. “Without oversight/regulation, powerful surveillance technology is integrated into already-existing investigatory frameworks, instead of being examined and considered beforehand for its potential to actually expand or push the limits/bounds of those frameworks and encroach on civil liberties. … In this moment of talking about police reform, use of surveillance tech needs to be part of the discussion.”
Hawk Analytics has many clients around the United States. This reporter conducted a survey using the Freedom of Information Act to collect invoices for CellHawk subscriptions from agencies referenced on CellHawk’s website, referred to in CellHawk’s training sessions, or mentioned in local news reports. He found numerous agencies fielding the technology: Atlanta and Fayette County, Ga.; Kansas City, Kan.; Franklin County, Va.; Utah County, Utah,; Fort Collins, Colo.; Hidalgo County, Texas; Orange County, Calif.; and, of course, the FBI all have paid for CellHawk in the last several years. The Madison, Wisconsin, police department appears to have thousands of potential CellHawk records from 2018 alone but has demanded close to $700 to examine and provide them.
Post a Comment