Today the Department of Justice announced the arrest of a Pakistani man for writing and selling the StealthGenie spyware app, which can monitor all communication from a cell phone and can do so undetected. The grounds for the arrest were that it was advertised for spying on one’s spouse, enabling stalkers and domestic abusers:
“StealthGenie has little use beyond invading a victim’s privacy,” said U.S. Attorney Boente. “Advertising and selling spyware technology is a criminal offense, and such conduct will be aggressively pursued by this office and our law enforcement partners.”
“This application allegedly equips potential stalkers and criminals with a means to invade an individual’s confidential communications,” said FBI Assistant Director in Charge McCabe.
While that is understandable, I can think of a scenario in which the software would be otherwise useful, not to mention that it is similar to other phone recovery programs that allow users to look up the current location of their device, have similar features and are simply marketed differently. If my phone were stolen, it could be immensely useful to be able to see what the individual using it is doing with it, including who they’re calling and what they’re accessing via the data connection. Some parents may also want to monitor what their children are doing (whether or not you agree with that as being good parenting is another question…).
Also included in the press release was an additional statement from McCabe:
“They do this not by breaking into their homes or offices, but by physically installing spyware on unwitting victim’s phones and illegally tracking an individual’s every move. As technology continues to evolve, the FBI will investigate and bring to justice those who use illegal means to monitor and track individuals without their knowledge.”
It would seem that accessing a system to which you are not legally provided permission (i.e. someone else’s cell phone in order to install this app) would already be against the law, and has been for decades. It’s also interesting that this statement is referencing users of the software, rather than anything regarding the creator who was arrested.
The ultimate irony of this statement is that the FBI itself has been illegally monitoring and tracking individuals without warrants. The device they use is manufactured by Harris Corporation and goes by a number of names including Stingray. Basically, the device is a fake cell tower that any cell phone will automatically connect to since phones constantly look for the best cell signal possible — even if they don’t connect they’ll still handshake with the tower. Law enforcement is then able to collect all individually-identifying IMSI/IMEI codes of the phones that have connected and are able to locate individuals based on this information.
The FBI, US Marshals and local law enforcement agencies have gone to extreme lengths to keep the program secret and out of the court system, including the FBI even using non-disclosure agreements with local law enforcement agencies using the surveillance product. The Marshals, after the ACLU drew attention to their use of the device, seized local law enforcement records to prevent them from being exposed in court proceedings. Considering the recent discovery that there are many fake cell towers across the country, and it is unknown who is operating them, a reasonable assumption would be that it is local or federal law enforcement.
So how exactly do the DoJ and FBI rationalize arresting a man for creating a product that could be used in nefarious ways, when the FBI itself contracts with a private company that makes an even more invasive and privacy-eliminating product? We shall see: I left a message with the DoJ’s press office asking for a statement regarding usage of Stingray in the face of this arrest. My guess is that my call will not be returned, or if it is, it will be “No Comment”. Feel free to give them a call: 202-514-2007.
Will the CEO of Harris Corp be arrested for creating a product that has “little use beyond invading an individual’s privacy”? The device they manufacture literally has no other purpose than to violate the civil rights of Americans by law enforcement when used for blanket data collection with or without a warrant. It has no other valid use. How can we trust our law enforcement when they arrest people for doing the same thing they do? How can we trust them when they won’t even get a warrant to utilize such a device? How can we trust them when they do everything in their power to suppress how the device has actually been used from coming to light in court?
Perhaps we should go back to the tried and true reasons for arresting and convicting: an actor commits a crime against a specific victim or victims. Creating software that can be used by those with ill intent is not a crime; using the software in a malicious fashion is.
I don’t believe anyone is suggesting we arrest the manufacturers of encryption software or hardware because it can be used to cover up evidence of criminal activity, yet that’s what we’re doing in this case despite heavy feature overlap between this product and many others currently available.
- If the major difference is marketing, is it really a crime?
- If I use innuendo instead, or market the same exact product with a different stated purpose, is it still a crime?
- If I suggest that you could re-purpose a Square card reader to steal credit card numbers, am I liable for marketing an identity theft device?
Simple marketing has no victim. The people who would buy such a product and use it against another are the ones committing a crime.
I’ll post an update if and when I hear back from the DoJ regarding their comment. This pissed me off enough to make an inaugural blog post about it. More to come on technology, personal projects, and freedom.