State and local law enforcement agencies that use StingRays must weigh their obligations under public records statutes against nondisclosure agreements with the FBI and the device’s manufacturer. While some police departments have ruled that they cannot share any documents whatsoever, a handful of key disclosures in recent weeks — including the cleanest version of the NDA released to date — together shed new light on the FBI’s involvement in cell-site simulator deployments nationwide.

At one end are agencies such as the Boston Police Department, which last week flatly rejected a request for fiscal and procedural documents pertaining to StingRays.

“Disclosure of the information contained in these documents would not be in the public interest and would prejudice the possibility of effective law enforcement,” wrote BPD senior staff attorney Nicole Taub in a February 13 emailed response. “More specifically, the protection of such investigatory materials and reports is essential to ensure that the Department can continue to effectively monitor and control criminal activity and thus protect the safety of private citizens.”

The same day, Taub mailed an identical response to Mike Katz-Lacabe, a blogger based in California who is also investigating StingRay use by police nationwide.

Both letters cite provisions in the Massachusetts public records statute that exempt “investigatory records” — exemption (f) — and “records relating to the security or safety of persons or buildings, structures, facilities, utilities, transportation or other infrastructure” — exemption (n).

MuckRock will appeal BPD’s wholesale rejection, particularly given that the investigatory exemption does not, in the words of Massachusetts’ public records czar, “create a blanket exemption for all records that investigative officials create or maintain.”

Boston’s response is very much aligned with federal law enforcement’s desire to keep details of StingRay deployment out of the public sphere. In an October press conference taped in part by The Charlotte Observer, FBI Director James Comey was explicit about requesting that the Bureau’s “local brothers and sisters” not discuss technologies that gather cell phone data.

“So one of the reasons that we ask local authorities who are working with us and using our equipment not to talk about it,” said Comey, “is not because I have something to hide from good people, but because I’ve got a lot to hide from bad people.”

And hide the FBI has, on a number of fronts. In addition to fighting FOIA requests, the agency has for years coordinated with the Harris Corporation, which manufactures the device, to ensure that all law enforcement agencies sign nondisclosure agreements before acquiring a StingRay.

New details regarding these nondisclosure provisions have emerged in recent weeks across a number of states.

While a heavily redacted NDA released by Tacoma police in September confirmed their compulsory nature, subsequent disclosures in other states further reveal the extent of the FBI’s oversight.

Police and prosecutors in Charlotte-Mecklenburg, North Carolina, committed last week to share more details when requesting court authorization for StingRay deployments. This followed several months of investigation by The Charlotte Observer and Charlotte’s WBTV.

A September email between a city attorney and the lead WBTV reporter following weeks of delay revealed, notably, that nondisclosure agreements require agencies to check in with the FBI before releasing StingRay documents or information.

Attorney Judith Emken explained that, “due to a nondisclosure agreement with the FBI (based on FCC and Harris) we are required to consult with them before releasing certain information.”

“Consequently, we have shared the information we believe is public record under NC state law with the FBI and are currently attempting to reconcile federal policies and federal law with NC public records law.”

“Unfortunately, it has taken much longer than I would have wished,” Emken apologized, “but we do not want to run afoul of the FBI.”

This FBI consultation requirement appears to be standard.

Among the documents obtained in December by the Minneapolis Star Tribune is a copy of the StingRay NDA signed by the Minnesota Bureau of Criminal Apprehension in June 2012. Although many provisions are blacked out, this is the least-redacted version of the six-page NDA released to date.

BCA+Cellular+Exploitation+Equipment (PDF)

BCA+Cellular+Exploitation+Equipment (Text)

One key paragraph that was previously shrouded further explains the Bureau’s rationale for requiring an NDA in the first place.

The StingRay’s viability as an investigative tool, the FBI and signatory agencies contend, relies on “precluding disclosure of this information to the public in any manner.”

Six of the NDA’s eleven conditions include either prohibitions on disclosure of StingRay information or requirements to notify the FBI ahead of such a release. The eleventh and final condition pertains specifically to requests for documents under the federal FOIA statute, state transparency laws or court orders.

In such cases, the agency “will immediately notify the FBI of any such request telephonically and in writing in order to allow sufficient time for the FBI to seek to prevent disclosure.”

Again, in both format and length, the nondisclosure agreement released by the BCA appears to match the NDA template as gleaned from other, much more heavily redacted versions. But the unprecedented clarity of the Minnesota release was hard-won under the state’s public records statute.

Similar to Boston police, the Minnesota BCA attempted to reject in its entirety a June 2014 request for StingRay documents. But, upon appeal by the Minneapolis Star Tribune, the state’s Information Policy Analysis Division — IPAD, beautifully — ordered the agency to limit redactions.

“[C]ontracts contain standard clauses such as definitions, general provisions, etc., as well as data specific to the contract, like names of vendors, addresses, dates, total cost, etc., all of which are presumptively public,” concluded IPAD in November.

“Similarly, NDAs contain data such as terms, effective dates, names of authorized representatives, etc., all of which are presumptively public. Even if BCA appropriately redacted everything else, those data elements have ‘informational value.’”

The Minnesota BCA thus had to comb over its StingRay contracts and NDA line-by-line for portions specifically exempted under Minnesota public records law. Provisions requiring huddles with the FBI apparently did not qualify for redaction.

Critically, these provisions open a fresh avenue for inquiry into use of cell-site simulators nationwide. As agencies that sign the FBI’s NDA must alert the Bureau to any inquiries regarding StingRays, MuckRock will submit new requests for these communications.

Special thanks to journalists and their legal counsel in Charlotte and Minneapolis - without the dogged tenacity this key information may never have come to light.

This piece is part of the Spy in Your Pocket Project

Image via Minneapolis Star Tribune