Habeas Data
Page 24
Like many other enforcement tools, the federal government has used grants to encourage local law enforcement to acquire this hardware in the name of fighting terrorism. But, as the Rigmaiden case shows, over time, particularly as these tools become cheaper and more commonplace—they’re used to bust criminal suspects like him.
The Los Angeles Police Department (LAPD), for example, first purchased stingrays back in 2006 with a grant from the Department of Homeland Security for the purpose of “regional terrorism investigations.” However, they’re also being used for burglary, drug, and murder cases, too.
Already, national security and federal law enforcement agencies are putting stingrays on drones, and are likely flying them over locations (like political protests) to ascertain who is present. What happens when a stingray is small enough to be innocuously worn on an article of clothing, or hidden in someone’s eyeglasses? What happens when a local police force has the capability to locate and capture voice traffic at any time, essentially for any reason? What happens when a criminal group captures data on men’s phones and uses it to extort money from those men cheating on their wives?
The Czech police are already concerned that stingrays have fallen into the hands of local criminals. “It’s been a known fact for a few years now that some companies do sell these devices,” Andor Šándor, the former head of the Czech Military Intelligence Agency, told Radio Prague in 2012. “But if their use will not be in any way regulated, and access to these devices will not be in any way controlled, then a regular citizen can do absolutely nothing. The only way people can safeguard themselves is if they reveal only the necessary information during their mobile communication. But, obviously that goes against normal behavior of free persons.”
And this is one of the biggest problems: purchase and use of such devices is unregulated. Law enforcement agencies worldwide claim the right to use them, but such evidence has rarely been challenged in court by either a criminal suspect or by unwitting bystanders, whose data has been captured (and likely kept) by the cops.
“The question is what’s the law that governs its use?” King said, who was trained as a law student in the United Kingdom. “The use of IMSI catchers is completely unclear. We know that the police have them and we know that the police use them, not that they’ve ever admitted it, and have done so for 10 years. They refuse to engage, they refuse to say that they bought them. We need a public debate around this sort of stuff.”
That debate is very slowly starting to happen. And that is due, in large part, to Rigmaiden’s unlikely exposure of the stingray.
* * *
Rigmaiden grew up in Seaside, California, a small, working-class town about 70 miles south of San Jose. His father was (and remains) a civilian employee for the Navy, working primarily on space systems at the Naval Postgraduate School in nearby Monterey. In his off hours, the elder Rigmaiden serves as a local Boy Scout leader. Today, Daniel’s brother co-owns a local bicycle shop in Monterey.
Growing up, Rigmaiden had a Commodore 64, a popular mid-1980s computer. His parents more or less left him alone as he explored the machine.
“I had the Commodore 64 from age five to about age nine,” Rigmaiden told me. “I used to program on it starting at age five, but became discouraged and gave up because it had no floppy disk drive to save my work. Imagine if it had a disk drive? I’d probably be a lot more skilled at computers and technology than I am currently.”
In elementary school and moving into middle school, Rigmaiden considered himself something of a rebel. He didn’t feel like he fit in with society “as the adults were currently running it.” This point was driven home when he was 12, and participated at school in a mock 1992 presidential election, between Bill Clinton, George H. W. Bush, and Ross Perot.
“I remember thinking that it wasn’t fair—how I didn’t get the whole two-party system,” he said.
They were attacking Perot a lot and weren’t giving him a fair shot. I felt like there was some problem there. I was confused as to why anyone couldn’t just be president. They always tell you that, but it doesn’t pan out that way. That’s when I realized there were problems with the political system. I guess I have to choose between the Republicans and the Democrats, and I don’t really fit in with either of these.
The nascent World Wide Web arrived at the Rigmaiden household in 1996, when Daniel was 16. Mostly, his parents left him to his own devices, and allowed him to explore online as he saw fit.
“They understood what I could get into, but they didn’t think I would get into anything,” he said.
Still not feeling like he fit in anywhere politically or socially, Rigmaiden decided he wasn’t going to lead a conventional life. He was going to try to “beat the system in some way that involves breaking all the rules that I didn’t agree with.”
In the mid and late 1990s, Rigmaiden spent some time on various Internet Relay Chat (IRC) rooms—a now-waning form of text-based chat.
“I think I was first in IRC chat rooms and there was some fake ID chat rooms,” he said. “I started making IDs in high school, they were crappy but they seemed to work at certain liquor stores. I had a laminator from Staples—I didn’t even have a color printer.”
His parents never caught wind of his activities, but they knew that he didn’t seem to be on a predictable path towards university or an obvious job. Rigmaiden’s father told him that he had to leave the house when he turned 18, and so he did. With no other source of income in the late 1990s, Rigmaiden hit the road as a semi-nomadic salesman, plying the one trade that he knew: making and selling fake IDs.
His website was called FakeID.tv, and at least as of 2003, it purported to sell “replica driver license identification cards available for movie productions only.” Rigmaiden initially charged $150, which was eventually upped to $250 and $500 for rush jobs.
“I did it based on supply and demand,” he said. “They would take a long time to make.”
Rigmaiden was precise and methodical. Unlike his competition at the time, he said, his fakes were the correct thickness and weight—30 millimeters thick and 3.4 grams. He advertised on ShadowCrew, a notorious online criminal message board that operated from 2002 until 2004, and also on Counterfeit Library, a British-hosted website. He’s pretty sure that Max Vision (aka Max Butler, aka Iceman), a convicted hacker scheduled for release from federal prison in 2019, bought one. Rigmaiden specialized in California driver’s licenses and made nothing else.
“I think I had the best quality,” he said. “I wasn’t the most ‘out there,’ I think there were other people and they would say I was a scammer.”
Here’s how his operations would work: Rigmaiden would first set up shop in a city, oftentimes using college towns as a plausible cover where he could easily pass as a local student, and tell people that he was a programmer. This took him as far north as Humboldt County and as far south as Santa Barbara County. He’d stay in each place for a few months, or maybe a year at the most, often in small motels, sometimes a single room occupancy (SRO) hotel.
Moving from place to place required transporting a pair of bulky 25-gallon containers—with snap-on tops—that contained all of his equipment, including a die cutter, an inkjet printer, a hologram printer, a laminator, and more.
Rigmaiden was detail oriented and he worked hard to make sure that his own physical and digital protocols were followed to a t. (In military parlance, this is what’s known as good OPSEC, or operational security.) By keeping his operation small, nimble, and constantly moving, it was easy for him to stay ahead of local authorities. He only accepted payment in e-gold, an early electronic payment system that was not particularly scrupulous as to who could open accounts. Money orders and Western Union would have been too risky. He required that all customer interactions occur over encrypted e-mail, and provided customers with a computer program that guided them through the process. For shipping, he would buy prepaid priority mail envelopes, and was careful to not do more than one order at a time. He only
shipped out from public mailboxes, never from post offices.
“I was definitely overly paranoid,” he told me. “I never got caught for the IDs, I got caught for the tax stuff.”
This assertion is not entirely accurate: In 1999, Rigmaiden was sentenced to probation and 180 days in Monterey County jail for four counts of “acquisition of access card information.” He failed to appear at a probation hearing, and a warrant remained outstanding for his arrest until 2014. (The warrant issue was partly why he never left California.)
In the mid-2000s, Rigmaiden decided to move on to something bigger. His fake ID business, while stable, wasn’t making tons of money. Mostly he was just breaking even (thanks to constantly moving around), and paying in cash for nearly everything was becoming exhausting.
“I wanted to make a bunch of money so I wouldn’t have to worry about money,” he said. “I didn’t want to make fake IDs forever.”
But while he sought profit, there were limits. He wasn’t going to use violence, or expose himself. Mostly, he didn’t want to get caught.
Rigmaiden eventually found out about fraudulent tax return schemes. He quickly figured out that tax returns are largely voluntary. The IRS simply doesn’t have enough agents and auditors to do a thorough check of everyone. Most IRS personnel do the best they can, but a few slip through the cracks. This meant that Rigmaiden could file a fake tax return for someone who had died, and pocket the refund. He would file dozens at a time, sometimes more, before one would come back with money. His first successful one netted $9,000.
“I was going to make a million and then I was going to stop,” he said. (He told WNYC’s Note to Self in 2015 that he was planning on leaving the country altogether.)
Rigmaiden spent weeks at a time camping in the Los Padres National Forest, a large swath of land that stretches from near his childhood home in Monterey, down the coast hundreds of miles to Ventura, California, one county north of Los Angeles. He’d only pop back up in cities when he needed to use the Internet or withdraw cash.
In late 2007, Rigmaiden moved to Santa Clara. The city, then as now, is home to students and lots of tech workers. He had a comfortable life in an urban area, and lived near a train station and airport should he need to make a quick getaway.
“I didn’t want to go through the stress of moving again,” he thought to himself, as he considered perhaps staying there long term. But he knew that the longer he stayed in one place, the more exposed to law enforcement he would be.
Unbeknownst to the fraudster, federal prosecutors in Arizona—one of the places where he had stashed his money—filed a sealed indictment against Rigmaiden on July 23, 2008.
By August 2008, his lease was nearly ending, and so he packed up all of his things into the blue plastic bins. Doing tax fraud entirely electronically, after all, didn’t require nearly as much equipment. But he hadn’t actually moved yet.
By the time he was arrested, Rigmaiden had made about $500,000.
* * *
After Rigmaiden was arrested in California, he was quickly transported to the Florence Correctional Center, about 65 miles southeast of Phoenix. Despite being incarcerated, Rigmaiden could not sit still. He knew that he had been careful. He had used multiple fake identities, with fake documents, and paid in cash. How could law enforcement have not only found him out, but found him in his own apartment, where hardly anyone knew he lived?
Rigmaiden thought there might be something that the government wasn’t telling him—there might be some secret surveillance tool afoot. He tried pressing his federal public defenders to listen, but they wouldn’t. Within two months, he’d fired one of his lawyers, and then another. In essence, he didn’t feel that they were technically sophisticated enough to be able to help him get the answers he needed. Eventually, the accused fraudster got permission to represent himself (pro se), a legally risky move.
Once he was representing himself, he was allowed to use the law library for five hours a day (up from the usual three hours a week). It became a full-time job, immersing himself in legal procedures—but it was likely the most productive way to spend his time behind bars. Fortunately, at the beginning, a fellow inmate and disbarred attorney helped him out with some of the basics, including general court procedure, how to draft a motion, and correct legal citation. By October 2009, Rigmaiden had received boxes and boxes (over 14,000 pages in total) of criminal discovery that would help him understand how the government planned to prosecute its case. In the penultimate box, he saw the word “stingray” in a set of notes.
As a prisoner, he wasn’t allowed Internet access, but sometimes a “case manager,” a sort of guidance counselor, could be convinced to run online searches for inmates who were pursuing legal research. Though this process, Rigmaiden located a Harris Corporation brochure with the StingRay name. Bingo. The device advertised various types of cellular interception. Soon enough, he found evidence that this same device was being acquired by law enforcement nationwide, including in Maricopa County, just one county over from where he was being held in Pinal County. Eventually, he was able to get patent filings and other records to better understand what, exactly, the StingRay was, how it worked, and who had them.
Although Rigmaiden was pro se, he had a shadow counsel, or a lawyer who was ready to step in if the pro se defendant wished to take on formal counsel. That lawyer had a paralegal, a man named Dan Colmerauer. Rigmaiden could call Colmerauer from a jailhouse pay phone and ask him to run Google searches for him, and tell him the results by phone. Then Colmerauer would print those Web pages, and put them in the mail to Rigmaiden, who in turn would have to make handwritten notes about which links to follow and mail that back to Colmerauer.
As 2010 rolled around, Rigmaiden decided that he needed allies. He began sending his case details and research file out to various privacy and civil liberties organizations, including the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF). There were likely two major red flags that led to him being ignored—he was representing himself without the benefit of counsel, and believed that the government had used some secret surveillance tool against him. They likely thought he was totally nuts—despite the fact that there was already some evidence that the police were using phones as tracking devices. None of the organizations ever responded.
One of the people Rigmaiden sent his file to was Christopher Soghoian, a bearded and ambitious privacy researcher. At the time, Soghoian was a computer science doctoral student always looking for another way to push the envelope, as well as discover how surveillance was actually being conducted in the real world.
Years earlier, as a first-year doctoral student at the University of Indiana, Soghoian figured out by futzing around with Facebook which of his classmates likely moonlighted at local strip clubs. The next month, October 2006, however, he caused something of a stir when he created a website titled “The Northwest Airlines Boarding Pass Generator. Or the TSA Emperor Has No Clothes.” The website allowed anyone to create a boarding pass, with the click of a button, that would let them through an airport TSA checkpoint. The net result was that Soghoian was subject to an FBI raid, and a sitting congressman called for his arrest.
In 2009 and 2010, Soghoian worked at the Federal Trade Commission (FTC), and at one point used his government ID to get into a security industry trade show and made a surreptitious recording of Sprint executives bragging about how they’d handed over customers’ GPS information to law enforcement eight million times in a single year. In short, Soghoian was the perfect match for Rigmaiden.
On Monday April 11, 2011, while visiting the offices of the EFF in San Francisco, Soghoian received this unsolicited e-mail from Colmerauer.
From: Dan Colmerauer
Date: Mon, Apr 11, 2011, at 7:28 PM
Subject: Cell Phone Tracking and Locating re: United States of America v.
Daniel Rigmaiden
To: chris@soghoian.net
Dear Mr. Sohoian[sic],
Daniel Rigmaiden instructed me to e-mail you the attached Memorandum.
This is in regard to cell phone tracking and locating. He thinks it may be of interest to you but you may have to read past the introduction before understanding why. If you want the exhibits please e-mail Dan Colmerauer at screenwriter2@earthlink.net and make said request.
Dictated but not read.
Daniel Rigmaiden
Soghoian tried to get other lawyers that he knew interested, but they saw the extensive pro se filings as a huge red flag. Lots of people think they’re being surveilled by the government with secret technology, but hardly anyone can prove it. Soghoian didn’t dismiss it out of hand.
“My reaction wasn’t, ‘what is this strange device,’ ” Soghoian told The Verge in 2016. “It was, ‘oh I read about this in graduate school.’ But I read about it as a thing that was possible, not a thing that the police…were using.”
But the grad student was skeptical. Still, Soghoian asked Colmerauer to send what he had. What Soghoian received back was a 200-page “meticulously researched” document that had been originally handwritten in a jailhouse library.
Soghoian understood how to get lawmakers’ attention—through the media and advocacy organizations. He eventually sent it on to a friendly reporter, Jennifer Valentino-DeVries, as she was boarding a plane bound for Las Vegas, where she was going to attend the 2011 DEF CON. (This was the same reporter who would later break the story about Mike Katz-Lacabe’s experiences with license plate readers.)
On September 22, 2011, Valentino-DeVries’ story hit the Wall Street Journal: “ ‘Stingray’ Phone Tracker Fuels Constitutional Clash.” (It was her first front-page story for the Journal.)
This was also the first time that a major American media outlet had reported on the issue, and likely how many lawmakers first heard about the device that had already been in use for years. In the same article, Sherry Sabol, a veteran FBI attorney, sent the Journal a statement about stingrays, noting that the technology is “considered Law Enforcement Sensitive, since its public release could harm law enforcement efforts by compromising future use of the equipment.”