Exclusive: Fake cellphone tower likely surveilled protesters at Portland ICE facility
PORTLAND, Ore. — Law enforcement officials may have deployed a secretive cellphone surveillance technology last weekend at Portland’s Immigration and Customs Enforcement (ICE) facility. The site was the focus of highly publicized protests against the Trump administration’s immigration policies. On-site analysis of cellular signals by Straight Arrow News found evidence suggesting that a cell-site simulator, commonly referred to as a Stingray or IMSI-catcher, was likely used to collect identifying information from cellphones near the protest site. Researchers found that under normal conditions, an average of about 3% of messages sent by legitimate cell towers contain requests for phones’ unique identifiers. SAN's analysis found that up to 18% of observed cellular connections in the vicinity of the ICE building contained those requests. Law enforcement agencies may use the data collected by a cell-site simulator to identify individual protesters and track their movements. Cellphone surveillance expert Daniel Rigmaiden said SAN’s findings “raise suspicion that a cell-site simulator was present.” SAN analyzed cellular signals outside the Portland ICE facility last weekend as President Donald Trump attempted to deploy National Guard troops to a city he described as “war-ravaged.” A federal judge — appointed by Trump — blocked the move twice. The protests were confined to a small area outside the facility and sometimes involved no more than a handful of people. Crowds grew larger on Friday and Saturday evening, and officers fired nonlethal munitions and released tear gas to drive protesters away from the facility. Spikes in trackingCell-site simulators are devices that mimic cellphone towers in order to capture a phone’s IMSI, or International Mobile Subscriber Identity. An IMSI is a unique number tied to a phone’s SIM card, usually 15 digits in length, that is used by mobile networks to identify individual users. To prevent phones from being tracked through their IMSI, mobile networks assign users a temporary IMSI, or TMSI. However, a cell-site simulator establishes a connection with phones within its radius by broadcasting a stronger signal than nearby towers. The cell-site simulator can then passively collect or obtain a phone’s IMSI by sending it specific messages. Cell-site simulators can be placed in backpacks, attached to aircraft or vehicles or installed at fixed locations such as government facilities. They can be used to track down specific cellphones or to gather information on all devices present in a certain location. More targeted attacks can intercept unencrypted texts and phone calls. “Most people think they’re safe if they’ve restricted their location sharing settings on their phone, or if they’re on a VPN,” John Doyle, CEO of the privacy-first cellphone service CAPE, told SAN. “None of these application-level solutions prevent your phone from leaking network information to nearby cell towers, including fake ones.” The processSAN analyzed signals in Portland using a device called Marlin. Marlin’s developers, composed of teams from the University of Florida and ETH Zurich, spent 400 hours analyzing cellular signals across two continents to establish a baseline of normal network behavior. In multiple 24-hour test scans, Marlin’s developers rarely saw the percentage of messages asking for an IMSI rise above 10%, while the highest spikes witnessed never rose past 14%. And across all tests, a median of less than 3% of cellular signals contained IMSI-exposing messages. SAN conducted roughly 14 hours of analysis with Marlin from Friday evening to Sunday morning outside the ICE facility. The scans detected over half a dozen IMSI-exposure ratios above 10%, and three separate 18% spikes in just a one-hour window — significantly higher than what the developers ever registered under normal conditions. Away from the building, that percentage began to drop. At a hotel 3/10s of a mile away, the percentages hovered around 1% to 4% with occasional spikes as high as 9% over a roughly two-hour period. “If the Marlin researchers found that less than 3% of cell phones expose IMSIs to legitimate cell towers per minute on average, it raises suspicion that a cell-site simulator was present if the ICE protest had several one-minute spikes of 18%,” said Rigmaiden, whose landmark 2014 federal court case first revealed the existence of cell-site simulators. When presented with SAN’s findings, Portland City Council member Angelita Morillo, who made headlines earlier this month after urging protesters to bring burner phones to anti-ICE protests, accused the Trump administration of “relying on surveillance tools to maintain control over their critics.” “Whenever federal officials determine there is an ‘emergency’ (in this case, someone in a frog costume dancing too close to a federal building), they feel empowered to forcibly sweep up data from every cellphone within a several block radius — regardless of whether they belong to protesters, residents, business owners or kids going to school,” Morillo said. “Agencies like ICE continue to collect and store this data, effectively building detailed maps of people and their movements: who you are, who your family is, where you eat, worship, work and gather. “This is a tech-driven surveillance state that chills speech, violates the rights of millions of people, and does nothing to keep us safe,” she said. ICE's use of simulators is well knownNeither ICE nor the Department of Homeland Security responded to questions from SAN regarding the use of a cell-site simulator at the Portland facility. The Portland Police Bureau denied any knowledge of such surveillance occurring. “PPB has not deployed any sort of simulators,” Mike Benner, the Portland Police Bureau’s public information manager, told SAN. “You’d have to reach out to the federal government to gauge their awareness.” Although the potential presence of a cell-site simulator cannot be definitely linked to any specific operator, detecting such cellular activity during a protest at an ICE facility raises serious questions. In SAN’s extensive use of Marlin over the past four months, the only other time that an IMSI-exposure ratio was detected was outside an ICE facility in Washington state. That location, much like the one in Portland, has been the site of ongoing protests, including on July 4 when SAN conducted its analysis. ICE’s use of cell-site simulators is well known. A recently unsealed search warrant reviewed by Forbes showed that the agency used such a device in Utah in an attempt to track down a man who had been ordered to leave the U.S. in 2023. It’s unclear whether authorities ever located the man, who agents said had escaped from a prison in Venezuela while serving a sentence for murder. Although warrants are required to operate cell-site simulators, the devices can be used without judicial authorization in certain circumstances, such as when there is an immediate threat to national security. Contract records show that ICE purchased $825,000 worth of “cell-site simulator vehicles” in May. ICE has an active $4.4 million contract as well for “equipment to determine the location of targeted mobile handsets” with a company known to produce cell-site simulators. According to documents obtained by the American Civil Liberties Union in 2020, ICE shows that the agency used cellphone-tracking technology at least 466 times from 2017 to 2019. SAN’s findings at the Portland ICE facility come just weeks after Todd Lyons, the acting director of ICE, placed all agency facilities on high alert in response to a shooting at a field office in Dallas. The post Exclusive: Fake cellphone tower likely surveilled protesters at Portland ICE facility appeared first on Straight Arrow News.
