The StingRay is a suitcase-size device that tricks phones into giving up their serial numbers (and, often, their phone calls and texts) by pretending to be a cell phone tower. The technical name for such a device is IMSI catcher or cell-site simulator. It retails for about $400,000. Harris and competitors like Digital Receiver Technology, a subsidiary of Boeing, sell IMSI catchers to the military and intelligence communities, and, since 2007, to police departments in Los Angeles, New York, Chicago, and more than 50 other cities in 21 states. The signals that phones send the devices can be used not just to locate any phone police are looking for (in some cases with an accuracy of just 2 meters) but to see who else is around as well. IMSI catchers can scan Times Square, for instance, or an apartment building, or a political demonstration.

Rigmaiden built a file hundreds of pages thick about the StingRay and all its cousins and competitors—Triggerfish, KingFish, AmberJack, Harpoon. Once he was able to expose their secret use—the FBI required the police departments that used them to sign nondisclosure agreements—the privacy and civil-liberties world took notice...

In the ongoing scrum over cell phone privacy, there are at least two major fields of play: phone-data encryption, in which, right now, Apple is doing its best not to share its methods with the government; and network security, in which the police and the military have been exploiting barn-door-size vulnerabilities for years. And it’s not just the government that could be storming through. The same devices the police used to find one low-rent tax fraudster are now, several years later, cheaper and easier to make than ever.