The FBI and National Security Agency are not the only government bodies capable of gathering information about people’s cell phones. San Diego’s police department has invested in technology that can track mobile signals.

View the Video Stingray helps police swipe data

Officers can deploy the electronic surveillance equipment, known as a Stingray, that collects data on criminals, as well as hundreds or thousands of phones carried by people with no connection to any criminal investigation.

San Diego police say the Stingray is a valuable tool that allows them to locate suspects in serious crimes much faster than they otherwise might, but privacy advocates have pushed for more transparency about how the technology is being used.

The briefcase-sized devices, manufactured in Florida, already are front and center in a public-records lawsuit filed against the city of San Diego by the open-government group First Amendment Coalition.

And now a new state law taking effect this month requires any California city or county that deploys Stingrays or other so-called cell-site simulators to approve and publish a usage and privacy policy. It must say who is using the equipment, how the data is retained, how the program is monitored, whether information is shared and other details.

The law requires the policy to be available to the public and posted on the Internet if the city or county operates a website, something San Diego has yet to do.

Several other cities using the technology apparently have not posted their policies yet either. The San Diego Union-Tribune has asked for explanations from departments in Los Angeles, Oakland and San Jose but has not heard back. San Francisco said it has stopped using the technology and therefore doesn’t need to post a policy.

U-T Watchdog requested a copy of the policy from San Diego on Jan. 6. Five days later, San Diego police said the website is in the midst of an upgrade and the document could not be posted. The department released an untitled, undated policy of just over one page.

“We have been working to ensure compliance with the law and have made the necessary amendments to our operational procedures,” Lt. Scott Wahl said in a statement last week. “We have made the necessary changes to comply with the law.”

Privacy groups said the policy fell short of meeting provisions of the law — and not just because the document was not posted on the Internet.

“There are several things missing,” said Dave Maass of the Electronic Frontier Foundation, a San Francisco nonprofit group that has been monitoring mass-surveillance issues for years. The Union-Tribune asked the foundation to review the San Diego policy for compliance.

“The thing that’s most alarming is they have not explicitly stated the retention period for the data they collect,” Maass said. “The law says they need to say the length of time they will retain the information and what the process will be for determining when to destroy it.”

Also missing from the policy, Maass said, was any discussion of whether San Diego police have signed any agreements with other law enforcement agencies to share the technology or data collected by the equipment.

Wahl released an amended policy Tuesday, after the Union-Tribune asked why the document released Monday omitted such mandatory elements.

The amended policy, which also is undated and untitled, stretches just over two pages and includes language stating that data the department collects during any particular investigation “must be deleted at the conclusion of the operation.”

It also says San Diego does not share Stingray data with other law enforcement groups and notes the job titles and training standards for people deploying the equipment and monitoring the program as required.

“We are always revising our policies to assure they reflect best practices,” Wahl said Tuesday. “So what you have is a draft that will be posted once our new website is brought online. I imagine the document we post will have a more ‘professional appearance’ than the raw content we are providing to you.”

The law, Senate Bill 741, was sponsored by Sen. Jerry Hill , D-San Mateo. It passed both the Assembly and Senate on unanimous votes.

The legislation calls for a city or county’s elected board to publicly adopt a resolution or ordinance outlining the policy. The City Attorney’s Office did not respond to questions this week about whether that vote has taken place, or whether the policy complies with state law.

Stingrays, also known as International Mobile Subscriber Identity catchers, are hand-held devices that act as makeshift cell-phone towers. Essentially, they trick mobile phones into bouncing their information off the devices rather than towers, allowing police to rake in all of the phone numbers and locations in nearby use.

The devices do not record or even eavesdrop on cell-phone conversations. Rather, they relay contact numbers and locations for all of the users within the radius reached by the equipment — a distance that is not clear from records that have been released.

Activists and others are concerned that police agencies may use the technology to collect data from people attending a protest or some other constitutionally protected event — targeting people that public officials may disagree with politically.

San Diego police say they only use Stingrays once they secure a warrant from a judge or in so-called exigent circumstances, such as when they are up against a time element that getting a warrant could delay catching a murder suspect. Wahl said the department avoids discussing the program so it won’t become obsolete.

“Our concern with media attention to this technology,” he said, “is the wrong people will become educated on how to defeat these tracking measures to include going dark when evading arrest or apprehension.”

Officials did not formally acknowledge using the equipment until the summer of 2014, when a national correspondent for The Associated Press included San Diego police in report detailing expanding government surveillance.

The AP story relied on a single purchase order from San Diego police dated Dec. 12, 2012. The invoice was for $33,000 from the Harris Corp. of Melbourne, Fla., although the item and description were redacted. Harris manufactures the Stingray and other surveillance equipment.

The First Amendment Coalition filed a California Public Records Act request with San Diego police later that year, seeking copies of other documents related to the purchase and use of the Stingray technology.

After department officials declined to release additional records, the coalition sued the city for failure to comply with the open-records law.

In December 2014, The San Diego Union-Tribune reported that San Diego police had sought $738,000 in federal grant funds in 2009 to pay for cell-phone tracking equipment and related expenses. The grant was approved the same year.

The grant application and award letter were not released by the city after the department was asked for Stingray-related records. City officials said they were confidential under nondisclosure agreements the city made with the FBI and with Harris Corp.

Attorney Kelly Aviles, who represents the First Amendment Coalition, said there may be practical law-enforcement benefits to deploying the cell-phone tracker technology, but the issue should be discussed and considered openly.

“We don’t necessarily want them to stop using the program,” Aviles said. But “the public should have all the information it needs to have an intelligent debate about whether the technology should be used.”

In court papers, city lawyers called documents sought by the First Amendment Coalition “highly sensitive law enforcement records about a relatively new technology that, if made public, could severely endanger public safety and national security.”

The city’s opposition motion filed Monday in San Diego Superior Court says the city already has turned over approximately 922 pages of records related to the Stingray system to the coalition, although 177 pages were redacted in whole or in part.

“The people’s right to know, however, is not absolute,” the City Attorney’s Office said.

Three San Diego police officers have received the training and authority required to allow them to access Stingray data, according to the motion.

“In fact, the majority of SDPD officers are not even aware that the department has documents relating to the system,” it states.

A hearing in the case is scheduled Jan. 29 before Judge Judith F. Hayes.

It’s not clear how many police and sheriff’s departments in California use Stingrays or other electronic surveillance devices. Agencies are reluctant to advertise their ability to monitor the public and manufacturers and federal officials often require confidentiality agreements.

The San Diego Police Department appears to be the only local agency deploying the technology. Officials from the Sheriff’s Department and cities of Carlsbad, Chula Vista, El Cajon, Escondido and Oceanside all said they do not own or operate such equipment,

According to the American Civil Liberties Union of Northern California, which has monitored government surveillance issues for years, at least a dozen police and sheriff’s departments have purchased Stingrays in recent years, including Los Angeles, San Francisco, San Jose, Oakland and Sacramento.

ACLU attorney Matthew Cagle said that list is probably incomplete, as many cities and counties he contacts do not respond to questions or requests for public records.

Like Aviles, the attorney representing the First Amendment Coalition, Cagle said citizens should have some role in determining the level and practices of electronic surveillance conducted by local police and sheriff’s investigators.

“There needs to be a robust public debate about whether these tools are appropriate, and if they are what safeguards should be in place,” he said. “These are decisions for communities and their elected leaders to make — not for law enforcement agencies to make on their own in secret.”

Wahl said San Diego police are focused on catching criminals and rescuing victims of violent crime.

“Certainly we will take advantage of any legal technology that is available to help us do that,” he said. “The law is intended to prevent unauthorized or irresponsible use, not educate criminals on how to evade detection.”