A California-based privacy activist who has filed hundreds of public records requests to learn about how cell-site simulators are used nationwide had a request denied earlier this week by the Indiana State Police.
However, the reason for the denial is a bit strange—the department seems to claim that releasing the requested information constitutes a possible risk to terrorism or even “agricultural terrorism.”
The Indiana State Police specifically cited Indiana Code 5-14-3-4(b)(19), which states:
(19) A record or a part of a record, the public disclosure of which would have a reasonable likelihood of threatening public safety by exposing a vulnerability to terrorist attack. A record described under this subdivision includes:
(A) a record assembled, prepared, or maintained to prevent, mitigate, or respond to an act of terrorism under IC 35-47-12-1 or an act of agricultural terrorism under IC 35-47-12-2;
Ars was unable to find any examples of terrorism (agricultural or otherwise) in the Hoosier State in the last 25 years. (We did find an example from 1988 of a failed plot to blow up the southern Indiana town of Salem.)
However, in 2006, Indiana topped the National Asset Database, which included what The New York Timesdescribed as a “tally of terrorist targets that a child might have crafted: Old MacDonald’sPetting Zoo, the Mule Day Parade, Sweetwater Flea Market, and an unspecified ‘Beach at End of a Street.’”
“Months ago, I hadn’t seen the myriads of reasons that agencies and their lawyers give for claiming records are exempt,” Katz-Lacabe told Ars. “I think the reference to agricultural terrorism is perplexing and perhaps ludicrous. Maybe it’s a Midwest thing.”
John Brown, of the Indiana Department of Homeland Security, did not immediately respond to Ars’ request for comment.
Capt. David R. Bursten, of the Indiana State Police, declined to respond to specific questions.
“Specific to your inquiry referenced in the twitter link of your email, that reply stands on its own and the Indiana State Police have nothing further in response to that inquiry,” he said in an e-mail.
As Ars has reported previously, stingrays, IMSI catchers, or cell-site simulators can be used to determine location by spoofing a cell tower, but they can also intercept calls and text messages.
Once deployed, the devices snatch data from a target phone as well as information from other phones within the vicinity. For years, federal and local law enforcement have tried to keep their existence a secret while simultaneouslyupgrading their capabilities. But over the last year, as the devices have become scrutinized, more information about the authorities’ little surveillance secret has been revealed.
At times, cops have gone as far as to falsely claim the existence of a confidential informant while in fact deploying this particularly sweeping and invasive surveillance tool. As such scenarios continued to become public, the Department of Justice announced in May 2015 that it would be reviewing its stingray policies, just four months after claiming that it did not need a warrant to use the device in public. (Private residences are considered different, as that is a location where a person has a “reasonable expectation of privacy.”)
Among other things, Katz-Lacabe specifically requested a “Letter from the FBI to Harris Corporation acknowledging an approved non-disclosure agreement with the Indiana State Police and granting approval for Harris Corporation to sell hardware and software to the Indiana State Police.”
Ars has obtained such agreements from other law enforcement agencies in other states, includingearlier this year in San Bernardino County, California—it’s quite likely that the Indiana State Police has this non-disclosure agreement (NDA) with the FBI as well.
The NDA indicates that the local law enforcement agency will work with local prosecuting authority to dismiss cases rather than reveal information in court about stingrays. (This has happened in at least some known jurisdictions elsewhere in the country—Baltimore defense lawyers are nowreviewing over 2,000 such cases as a result.)
At least some legal experts in Indiana don’t believe that this blanket exemption to the state public records law is justified.
“The FBI can write these all they want, but there’s no enforcement mechanism, not unless they have some kind of US Code or Code of Federal Regulation to back that up,”Luke Britt, the Indiana Public Access Counselor (PAC), told Ars.
“They can’t really make their own executive orders,” he said. “They have to have a statute to back that up. And if they do, they can put it in the agreements.”
Britt previously authored a response to a 2013 public records request made by a fellow resident to the Indiana State Police regarding purchase orders and contracts of stingrays. That request was also denied, and Britt upheld the denial.
However, he acknowledged that Katz-Lacabe’s request was much more tailored and that the NDA was not previously requested. Britt suggested that Katz-Lacabe appeal and then file a complaint with his office if necessary—Katz-Lacabe told Ars he planned on appealing soon.
This denial may still stand unless Katz-Lacabe or someone else challenges it in court.
“I’ve never seen this cited before in a denial and there doesn’t appear to be any case law interpreting its scope or applicability to certain fact scenarios,” Bill Groth, an Indianapolis lawyer, told Ars. “I also can’t say if it mirrors similar exceptions in other states’ public records laws.”
Tyler Helmond, another Indianapolis attorney, concurred.
“The question is whether disclosing that information about an investigation or prevention capability ‘would have a reasonable likelihood of threatening public safety by exposing a vulnerability to terrorist attack.’ Ind. Code 5-14-3-14(b)(19). I think the word ‘vulnerability’ would be important to a court resolving this question,” he said. “At least colloquially, that would seem to suggest that a non-disclosure agreement about a specific technology used for investigation may very well not be subject to invoking the non-disclosure provision. But again, I think in light of the PAC’s advisory opinion, this is a difficult question that is largely unresolved.”
When Ars pointed out that such NDAs had already been released in other states, he agreed that this could put a damper on such secrecy: “That’s a great point—the capability at this point has been exposed, so I think it is harder to make the case for non-disclosure on that basis.”