You Are a Rogue Device
A New Apparatus Capable of Spying on You Has Been Installed Throughout Downtown Seattle. Very Few Citizens Know What It Is, and Officials Don’t Want to Talk About It.
by*MATT FIKSE-VERKERK*AND*BRENDAN KILEY
PHOTOS BY MALCOLM SMITH*COMMENTS (111)*PRINT+ Enlarge this ImageMALCOLM SMITHA WIRELESS ACCESS POINT (AP) HIGH ON A POLE*What are these things for? SPD “is not comfortable answering policy questions when we do not yet have a policy.”
The QuestionsThe StrangerAsked SPD That They Declined to Answer by*MATT FIKSE-VERKERK AND BRENDAN KILEY Nov 6, 2013
How Mayor Ed Murray Unraveled Two Years of Police Reform in Only Two Months by*DOMINIC HOLDEN Apr 15, 2014
If you're walking around downtown Seattle, look up: You'll see off-white boxes, each one about a foot tall with vertical antennae, attached to utility poles. If you're walking around downtown while looking at a smartphone, you will probably see at least one—and more likely two or three—Wi-Fi networks named after intersections: "4th&Seneca," "4th&Union," "4th&University," and so on.
That is how you can see the Seattle Police Department's new wireless mesh network, bought from a California-based company called Aruba Networks, whose clients include the Department of Defense, school districts in Canada, oil-mining interests in China, and telecommunications companies in Saudi Arabia.
The question is: How well can this mesh network see you?
How accurately can it geo-locate and track the movements of your phone, laptop, or any other wireless device by its MAC address (its "media access control address"—nothing to do with Macintosh—which is analogous to a device's thumbprint)? Can the network send that information to a database, allowing the SPD to reconstruct who was where at any given time, on any given day, without a warrant? Can the network see you now?
The SPD declined to answer more than a dozen questions from*The Stranger, including whether the network is operational, who has access to its data, what it might be used for, and whether the SPD has used it (or intends to use it) to geo-locate people's devices via their MAC addresses or other identifiers.
Seattle Police detective Monty Moss, one of the leaders of the mesh-network project—one part of a $2.7 million effort, paid for by the Department of Homeland Security—wrote in an e-mail that the department "is not comfortable answering policy questions when we do not yet have a policy." But, Detective Moss added, the SPD "is actively collaborating with the mayor's office, city council, law department, and the ACLU on a use policy." The ACLU, at least, begs to differ: "Actively collaborating" is not how they would put it. Jamela Debelak, technology and liberty director of the Seattle office, says the ACLU submitted policy-use suggestions months ago and has been waiting for a response.
Detective Moss also added that the mesh network would not be used for "surveillance purposes... without City Council's approval and the appropriate court authorization." Note that he didn't say the mesh network*couldn't*be used for the surveillance functions we asked about, only that it wouldn't—at least until certain people in power say it can. That's the equivalent of a "trust us" and a handshake.
His answer is inadequate for other reasons as well. First, the city council passed an ordinance earlier this year stating that any potential surveillance equipment must submit protocols to the city council for public review and approval within 30 days of its acquisition and implementation.
This mesh network has been around longer than that, as confirmed by Cascade Networks, Inc., which helped install it. Still, the SPD says it doesn't have a policy for its use yet. Mayor McGinn's office says it expects to see draft protocols sometime in December—nearly nine months late, according to the new ordinance.
Second, and more importantly, this mesh network is part of a whole new arsenal of surveillance technologies that are moving faster than the laws that govern them are being written. As Stephanie K. Pell (former counsel to the House Judiciary Committee) and Christopher Soghoian (senior policy analyst at the ACLU) wrote in a 2012 essay for the*Berkeley Technology Law Journal:
The use of location information by law enforcement agencies is common and becoming more so as technological improvements enable collection of more accurate and precise location data. The legal mystery surrounding the proper law enforcement access standard for prospective location data remains unsolved. This mystery, along with conflicting rulings over the appropriate law enforcement access standards for both prospective and historical location data, has created a messy, inconsistent legal landscape where even judges in the same district may require law enforcement to meet different standards to compel location data.
In other words, law enforcement has new tools—powerful tools. We didn't ask for them, but they're here. And nobody knows the rules for how they should be used.
This isn't the first time the SPD has purchased surveillance equipment (or, as they might put it, public-safety equipment that happens to have powerful surveillance capabilities) without telling the rest of the city. There was the drones controversy this past winter, when the public and elected officials discovered that the SPD had bought two unmanned aerial vehicles with the capacity to spy on citizens. There was an uproar, and a few SPD officers embarked on a mea culpa tour of community meetings where they answered questions and endured (sometimes raucous) criticism. In February, Mayor Mike McGinn announced he was grounding the drones, but a new mayor could change his mind. Those SPD drones are sitting somewhere right now on SPD property.
Meanwhile, the SPD was also dealing with the port-camera surveillance scandal. That kicked off in late January, when people in West Seattle began wondering aloud about the 30 cameras that had appeared unannounced on utility poles along the waterfront. The West Seattle neighborhood blog (westseattleblog.com) sent questions to city utility companies, and the utilities in turn pointed at SPD, which eventually admitted that it had purchased and installed 30 surveillance cameras with federal money for "port security."
That resulted in an additional uproar and another mea culpa tour, much like they did with the drones, during which officers repeated that they should have done a better job of educating the public about what they were up to with the cameras on Alki. (Strangely, the Port of Seattle and the US Coast Guard didn't seem very involved in this "port security" project—their names only appear in a few cursory places in the budgets and contracts. The SPD is clearly the driving agency behind the project. For example, their early tests of sample Aruba products—beginning with a temporary Aruba mesh network set up in Pioneer Square for Mardi Gras in 2009—didn't have anything to do with the port whatsoever.)
The cameras attracted the controversy, but they were only part of the project. In fact, the 30 pole-mounted cameras on Alki that caused the uproar cost $82,682—just 3 percent of the project's $2.7 million Homeland Security–funded budget. The project's full title was "port security video surveillance system with wireless mesh network." People raised a fuss about the cameras. But what about the mesh network?
Detective Moss and Assistant Chief Paul McDonagh mentioned the downtown mesh network during those surveillance-camera community meetings, saying it would help cops and firefighters talk to each other by providing a wireless network for their exclusive use, with the potential for others to use overlaid networks handled by the same equipment. (Two-way radios already allow police officers to talk to each other, but officers still use wireless networks to access data, such as the information an officer looks for by running your license plate number when you've been pulled over.)
As Brian Magnuson of Cascade Networks, Inc., which helped install the Aruba system, explained the possible use of such a system: "A normal cell-phone network is a beautiful thing right up until the time you really need it—say you've just had an earthquake or a large storm, and then what happens? Everybody picks up their phone and overloads the system."
The network is most vulnerable precisely when it's most needed. A mesh network could be a powerful tool for streaming video from surveillance cameras or squad car dash-cams across the network, allowing officers "real-time situational awareness" even when other communication systems have been overloaded, as Detective Moss explained in those community meetings.
But the Aruba mesh network is not just for talking, it's also for tracking.
After reviewing Aruba's technical literature, as well as talking to IT directors and systems administrators around the country who work with Aruba products, it's clear that their networks are adept at seeing all the devices that move through their coverage area and visually mapping the locations of those devices in real time for the system administrators' convenience. In fact, one of Aruba's major selling points is its ability to locate "rogue" or "unassociated" devices—that is, any device that hasn't been authorized by (and maybe hasn't even asked to be part of) the network.Which is to say,*your*device.
The cell phone in your pocket, for instance.
The user's guide for one of Aruba's recent software products states: "The wireless network has a wealth of information about unassociated and associated devices." That software includes "a location engine that calculates associated and unassociated device location every 30 seconds by default... The last 1,000 historical locations are stored for each MAC address."For now, Seattle's mesh network is concentrated in the downtown area.
But the SPD has indicated in PowerPoint presentations—also acquired by*The Stranger—that it hopes to eventually have "citywide deployment" of the system that, again, has potential surveillance capabilities that the SPD declined to answer questions about. That could give a whole new meaning to the phrase "real-time situational awareness."So how does Aruba's mesh network actually function?
Each of those off-white boxes you see downtown is a wireless access point (AP) with four radios inside it that work to shove giant amounts of data to, through, and around the network, easily handling bandwidth-hog uses such as sending live, high-resolution video to or from moving vehicles. Because this grid of APs forms a latticelike mesh, it works like the internet itself, routing traffic around bottlenecks and "self-healing" by sending traffic around components that fail.
As Brian Magnuson at Cascade Networks explains: "When you have 10 people talking to an AP, no problem. If you have 50, that's a problem." Aruba's mesh solution is innovative—instead of building a few high-powered, herculean APs designed to withstand an immense amount of traffic, Aruba sprinkles a broad area with lots of lower-powered APs and lets them figure out the best way to route all the data by talking to each other.
Aruba's technology is considered cutting-edge because its systems are easy to roll out, administer, and integrate with other systems, and its operating system visualizes what's happening on the network in a simple, user-friendly digital map. The company is one of many firms in the networking business, but, according to the tech-ranking firm Gartner, Aruba ranks second (just behind Cisco) in "completeness of vision" and third in "ability to execute" for its clever ways of getting around technical hurdles.
Take the new San Francisco 49ers football stadium, which, Magnuson says, is just finishing up an Aruba mesh network installation. The stadium has high-intensity cellular service needs—70,000 people can converge there for a single event in one of the most high-tech cities in America, full of high-powered, newfangled devices. "Aruba's solution was ingenious," Magnuson says. It put 640 low-power APs under the stadium's seats to diffuse the data load. "If you're at the stadium and trying to talk to an AP," Magnuson says, "you're probably sitting on it!"
Another one of Aruba's selling points is its ability to detect rogue devices—strangers to the system. Its promotional "case studies" trumpet this capability, including one report about Cabela's hunting and sporting goods chain, which is an Aruba client: "Because Cabela's stores are in central shopping areas, the company captures huge quantities of rogue data—as many as 20,000 events per day, mostly from neighboring businesses." Aruba's network is identifying and distinguishing which devices are allowed on the Cabela's network and which are within the coverage area but are just passing through.
The case study also describes how Cabela's Aruba network was able to locate a lost price-scanner gun in a large warehouse by mapping its location, as well as track employees by the devices they were carrying.It's one thing for a privately owned company to register devices it already owns with a network. It's another for a local police department to scale up that technology to blanket an entire downtown—or an entire city.
Full article at link
Seattle Shield membership roster (2013-06)
Requested by*pmocek*on May 29, 2013 for the*Seattle Police Department*of*Seattle, WA*and fufilled on Nov. 4, 2013