
How Hacks Happen
Hacks, scams, cyber crimes, and other shenanigans explored and explained. Presented by your friendly neighborhood cybersecurity gal Michele Bousquet.
Stingray Part II: The Fight for Privacy
In this episode we continue the story of Daniel Rigmaiden, a man arrested for tax fraud in 2008 who reveals the Stingray surveillance device used by the Feds to track his location. Despite being in jail, Rigmaiden tirelessly researches and files numerous motions, arguing that the use of Stingrays violated citizens' Fourth Amendment rights. His determination attracts the attention of the ACLU and the EFF, ultimately influencing government policy on surveillance practices, policies that protect privacy for all of us.
Resources
- Rigmaiden court documents
- DOJ: Justice Department Announces Enhanced Policy for Use of Cell-Site Simulators
- The News Tribune: Stingray snared him, now he helps write rules for surveillance
- ACLU: Fighting for Transparency
- Wall Street Journal: Judge Questions Tools That Grab Cellphone Data on Innocent People
- ACLU website
- EFF website
Stingray Part II: The Fight for Privacy
Welcome back to How Hacks Happen. In our last episode, we told the story of Daniel Rigmaiden, a man who stole millions of dollars from the US government through tax fraud and how the feds tracked him down using a mobile cell tower kind of device called a Stingray. If you haven't listened to part one yet, you might wanna listen to that one first to get the full picture.
This is Michele Bousquet, your friendly neighborhood cybersecurity gal, and today we're going to continue the story of how Rigmaiden fought back against his prosecution, and in the process kinda blew the lid off of one of the government's most secret surveillance tools.
When we left Daniel Rigmaiden in the last episode, he was in jail being held without bail while awaiting trial after being arrested for tax fraud. And Rigmaiden, although he doesn't deny he committed fraud, is focused on one specific aspect of his case: how he got caught.
Rigmaiden knew he'd been careful. He lived in an apartment under a false identity called Steven Travis Brawner, paying cash to a landlord he'd never met. He'd bought an air card prepaid, with another fake ID in the name of Travis Rupert, with his address as a PO box he'd abandoned a long time ago. He never used cable internet and connected to the IRS website only via the Verizon cellular network with that air card.
Rigmaiden knew that the air card was the only possible weak point in his setup, and it had to be the key to how he got caught.
You see, while you and I know that the Feds used the Stingray to find Rigmaiden's exact location and get a warrant for his apartment, Rigmaiden didn't know that. In fact, nobody outside law enforcement had even heard of a thing called a Stingray. The court documents relating to Rigmaiden's arrest were vague about how they tracked him down, but he had an inkling that it had to be some kind of specialized device used to pinpoint the location of his air card.
He knew that even if the feds had traced the fraudulent tax returns to his air card, that cell tower information wasn't enough to pinpoint where he was. The card was in one name and the apartment was in another name, so it couldn't be his name. In fact, the first few warrants the feds got to search his apartment were under one of the other fake names, Steven Travis Brawner. So Rigmaiden knew it couldn't be the name.
He was convinced that there had to be something else to it, some device that tracks cellular activity down to the street address, but there was nothing in the court documents that identified this tracking device, and he was pretty sure that whatever this device was, the Feds didn't want him to know about it, and that made Rigmaiden even more determined to find out what it was.
As a little refresher, the Stingray is a portable device that pretends to be a cell tower, intercepting all the cellular activity in the area, inspecting each and every device that connects to it to see if it's the droid they're looking for. So this means if you happen to be in an area when a Stingray goes by, it would fool your cell phone into connecting to it, and it would scoop up all the information a cell tower would, like who you are, who you're calling, how long you talk to them, what websites you visited, or who you were texting.
Only cell providers are supposed to be able to do this, and by law they keep that information under lock and key and give it out only to the subscriber themself. Like you can't just call up AT&T and ask them for your girlfriend's cell records so you can see if she's been cheating on you.
If you don't believe me, try it. They'll shut you down faster than you could say "illegal search and seizure."
Cell providers will give your data to police, but only if they have a warrant signed by a judge. The police can't just call up and ask nicely. Nope. They absolutely have to have a warrant. So in light of this, some random police driving around grabbing an entire neighborhood's worth of cell activity, to Rigmaiden, that smelled an awful lot like a violation of all those people's Fourth Amendment rights.
And that just ain't right. But Rigmaiden was also pretty sure that a public defender wasn't gonna do a deep dive and figure out how the Feds actually found him and whether there were Fourth Amendment violations going on. So he decided to fire his public defender and be his own lawyer.
You've heard the expression, A man who is his own lawyer has a fool for a client? Well, maybe that's true most of the time, but not for Rigmaiden. We're talking about a smart guy here, one with access to the prison's law library and with a fire in his belly to figure out how he got caught. Even his filings early on are pretty amazing to read.
There's handwritten motions formatted and written in near perfect legalese, requesting things like extended access to the law library and that he get to keep his legal documents on his person even while in prison.
Rigmaiden: The Bounds decision held that inmates shall be entitled to access to law libraries, or access to help from individuals trained in law. By stripping me of my legal research materials, the US Marshal put me into a position the same as before Bounds was decided…
Anytime he felt like the US Marshals were mistreating him or singling him out for poor treatment, like not feeding him for hours when they were transporting him around, or having a suspicion that the postal delivery service was messing with his mail, he would write another motion.
Rigmaiden: …acquired according to the Bounds decision, stay in my possession during pretrial custody, including during transfer to other holding facilities or prisons. The defendant humbly requests that Your Honor…
Rigmaiden was relentless. He would not be mistreated. He would not have his rights violated. And while I'm not a big fan of tax fraud, I kind of admire this guy. He used every tool at his disposal to make sure he was getting a fair shake from the legal system.
Rigmaiden: …denied. I've been denied my right to law library access at CCCA- CADC under the Bounds decision. Until roughly 11:30 Arizona time, I was in the custody of US Marshals operating the airlift operation. Most of this time I spent in flight. I was not given a lunch meal during this time or any food or water. At roughly 11:30 AM…
And here's something I didn't know when I started writing this story: prisoners can submit motions directly to the court through the prison mail system. So Rigmaiden didn't need a lawyer.
He could just write them up and submit them himself, and so he did, over and over and over and over. Pages and pages of meticulously handwritten motions, painstakingly written in legalese.
Rigmaiden: …hours of 10:30. Some other inmates and I were told by a US Marshal that none of us would be able to eat lunch. At roughly 3:30 PM I had an interview with my attorney. During the interview and during court, I had a diminished mental competency due to low blood sugar.
His early motions are more about his right to do legal research, but then things get a little more interesting. Eventually, after reviewing over 15,000 pages of court documents and investigative records, Rigmaiden finds something in one document from the US Postal Inspection Service.
He sees a reference to something called a stingray.
Now you might be thinking, what does the US Postal Service have to do with high-tech surveillance? I mean, aren't they just delivering mail and why are they talking about stingrays? Shouldn't that be like the FBI talking about that? That's a good question, but here's the thing.
Rigmaiden's fraud involved the mail. He was having refund money sent through the mail as checks or prepaid debit cards. And the minute you start using the mail to commit a crime, it becomes a federal offense. And that means the US Postal Inspection Service gets involved. And postal inspectors, these are fully sworn federal agents and they got badges and guns and surveillance tools. In fact, they were working with the FBI and the IRS to track down Rigmaiden, and it's in one of their reports that Rigmaiden sees this reference to the Stingray for the very first time. Here's the entry.
“On July 16th, 2008, we were informed that they were able to track a signal and were using a stingray to pinpoint the location of the air card.”
That one little line tipped off Rigmaiden and put him on a trail. He needed to know what this Stingray thing was.
So he starts a long game. The information Rigmaiden wanted was on the internet, but he didn't have internet access while he was in jail. But what he did have was shadow counsel, which is basically a lawyer standing by to help him if he needs it. And there was also a paralegal that was helping him out too. So Rigmaiden would ask one of them to do a search on certain terms on the internet and bring him or mail him the search results. Then Rigmaiden would do some more reading and he'd ask for more searches and around and around and around they went. It took months.
But Rigmaiden was like a dog with a bone. He was determined to find out what the Stingray thing was, how it was used, and whether it was legal for the government to even use it. Along the way, he looked at patent filings from Harris Corporation, who's the manufacturer of the Stingray, and he filed requests under the Freedom of Information Act to get even more documents.
Rigmaiden eventually figures out exactly what the Stingray is: a cell site simulator. From that one US Postal Service document, he followed the trail from the Feds getting his air card's general location, to the use of the Stingray to narrow down his location, and then the search warrant that a judge signed off on giving the Feds permission to bust into his apartment and find all his fake IDs and other evidence against him.
But all this took years. Can you imagine being in jail and being so persistent and motivated to find this one little thing that you might be able to prove that maybe the feds maybe overstepped themselves? So motivated that you read thousands of pages of law books and court documents, and you file hundreds of pages of handwritten motions.
I can't imagine being that person. Now remember, Rigmaiden does not dispute that he committed tax fraud, but he thinks he's got an argument that will get all the evidence against him thrown out down to the last fake ID. And the way he's gonna get there is by challenging the Feds for violating this little teeny tiny legal principle called the Fruit of the Poisonous Tree.
Maybe you've heard this term in crime shows. Fruit of the poisonous tree refers to evidence that was gained unlawfully. The unlawful means is the poisonous tree, and the fruit is the evidence that comes from that tree. So if you had a tree that was poisoned like in your backyard, you wouldn't eat the fruit, right?
You'd throw it away. It's the same with our legal system. If the police do an illegal search, any evidence they find during that search is not admissible in court. Even if the fruit looks really tasty, if it came from a poisonous tree, it's off the table.
I was being sarcastic when I said that fruit of the poisonous tree is a tiny little thing. It's actually a pretty major thing and taken very seriously by the court. It can be frustrating for cops who have a ton of circumstantial evidence that someone committed a crime, like they're certain that this person committed a crime, but they don't have enough hard evidence to get a search warrant. They can't just barge in and find it.
But Fruit of the Poisonous Tree is designed to protect you and me from Fourth Amendment violations. It means the police can't just barge into your house without a warrant or probable cause. And if they do, anything they find is inadmissible in court. Like even if they find a big pile of drugs or a meth lab or, or a dead body, or a bunch of fake IDs and evidence of tax fraud.
Now in Rigmaiden's case, he argued that using a Stingray device without telling the judge or getting a proper warrant, that was a poisonous tree. And the stingray wasn't disclosed in the warrant application, and the judge who signed the warrant had no idea this kind of surveillance technology was being used.
And based on this one little omission from the search warrant, Rigmaiden made his case. He argued that all the evidence that the Feds found in his apartment as a result of using the Stingray was poisoned fruit. And if all that fruit got tossed out the window, there was basically zero evidence against him and the case should be dropped.
You know what? He had a point, a really good one, one that caught the attention of the American Civil Liberties Union, otherwise known as the ACLU. The ACLU is a nonprofit organization that focuses on defending and preserving the individual rights and liberties guaranteed by the US Constitution and US laws, and they've been around since 1920.
The ACLU has been instrumental in helping individuals win cases involving free speech, desegregation, gender equality, and privacy violations by the government, and they are not to be messed with. If the ACLU gets interested in something, the US government takes note of that.
At this point in the story, it's 2014, five years after Rigmaiden's arrest, five years of research, filing motions to continue the case, which means putting off the trial until he could gather more information, and years of Rigmaiden reading in the law library, asking his shadow counsel to bring him internet searches and write motions for the court and send emails to the ACLU.
Now the ACLU gets a lot of emails from prisoners looking for justice, but the one they received from Rigmaiden stood out. The Electronic Frontier Foundation also takes an interest. The EFF is another nonprofit, but dedicated more to digital rights and civil issues in the online world. And the ACLU and EFF, they're interested enough that they even get involved in Rigmaiden's case and they file an amicus brief to the court.
An amicus brief is a friend of the court statement. It's a legal document submitted by a person or organization who is not the plaintiff or the defendant, but they have a strong interest in the outcome.
The amicus brief from the ACLU and the EFF argues that when the government plans to use invasive surveillance technology for a search and seizure, and they're asking the judge to sign the search warrant, the government has an obligation to explain to the court information about that technology, like its impact on innocent people who are not mentioned in the warrant.
So in this way, the judge signing the warrant can do their due diligence in determining whether such a search would violate those people's Fourth Amendment rights. Their argument went something like this. Say the government has probable cause to believe a suspect lives at a particular address in a 100 unit apartment building.
And they want a search warrant, but they're gonna need to search all 100 units until they find the suspect. They should tell the court when they apply for the warrant, right?
So Rigmaiden files a motion to dismiss based on this fruit of the poisonous tree argument and the ACLU and EFF submit this amicus brief. But the judge on Rigmaiden's case does not agree that this is fruit of the poisonous tree. He calls the stingray an unimportant “detail of execution” that didn't need to be mentioned in the warrant.
So Rigmaiden's motion to suppress the evidence is denied. So that's the end of the story, right? There's a trial, Rigmaiden is sentenced and no, that's still, that's still not what's happening.
With all this attention on this case from the ACLU and EFF, the Wall Street Journal newspaper gets wind of Rigmaiden's story and so does the New York Times and some other news outlets. They find this story of a Stingray thing that snorts up the cell phone data of innocent people, they find it alarming enough to report on it.
And all this attention, this is maybe making the feds a little nervous. The Department of Justice never comes out and says so, but you can imagine that they do not want to try this case in open court and have all this information about the stingray come out and get even more attention. So in 2014, the prosecution makes a decision.
They offer Rigmaiden a deal: plead guilty, and you'll get time served. In other words, don't take this case to trial. Sign this piece of paper and you can walk outta jail a free man. This is a tough decision for Rigmaiden because he really wants to expose government overreach, but if he doesn't take the deal and goes to trial, he risks going to prison for 20 years or more for the massive amount of tax fraud, not to mention identity theft and mail fraud. And I could imagine that by that time, Rigmaiden has had enough of being in jail. So he signs the plea deal and he gets out having served only five and a half years.
Even after Rigmaiden gets out, his case continues to influence government policy about Stingrays and other surveillance devices. In 2015, the Justice Department announces a new policy requiring the FBI and other federal agents and law enforcement to obtain a search warrant before using Stingrays.
There are also rules about what data they can collect and how long it can be kept for. And as for Rigmaiden, he went on to consult with the ACLU, and he even helped draft a bill in the state of Arizona about the use of Stingrays. And at cybersecurity conferences, he sometimes gives presentations on everything he learned about the Stingray.
So, while you might not be thrilled about Rigmaiden's crimes, he's been instrumental in exposing government surveillance overreach and helping to protect our Fourth Amendment rights.
That's some story. Thank you for letting me share it with you. I'm not a big fan of tax fraud, but I'm always grateful when violations of our civil rights are exposed and when new policies and regulations come out of it that limit how much the government can invade our privacy.
This is Michele Bousquet from How Hacks Happen. And remember, dance like no one is looking, sing like no one is listening, and text like it's all discoverable.