The Maryland Court of Special Appeals has handed down a ruling [PDF] on quasi-cell site location info. The evidence offered by the state isn't being so much suppressed as it is being rejected. The information wasn't obtained illegally and no rights were violated. Rather, the court finds the evidence to be questionable, as in "evidence of what, exactly?" [via EvidenceProf Blog]
The defendant in the case is charged with murder. Bashunn Phillips filed a motion to exclude the evidence, which was granted by the lower court. The state appealed. But there's nothing in it for the state.
The "evidence" -- which is going to carry around scare quotes for the remainder of this post -- doesn't tie Phillips to anything. What was submitted isn't even the equivalent of coarse cell site location info. What the state submitted is something that can easily be obtained without a warrant… because it doesn't actually target any person at all.
Phillips filed a motion in limine on August 7, 2015, seeking to exclude the RF signal propagation map and related testimony. Phillips argued that the method used to create the map was not generally accepted as reliable within the relevant scientific community under Maryland’s Frye-Reed test for admissibility of evidence based on novel scientific methodology. Phillips acknowledged that cell phone tower “ping” evidence is admissible, but drew a distinction between the method used to create the RF signal propagation map and the collection of historical cell phone “ping” evidence.
This is an interesting form of evidence -- something that amounts to cell tower hearsay. It's not like it's much trouble to obtain historical cell site data. This can be done without a warrant in Maryland, despite the recent ruling that requires warrants for Stingray deployment. Historical cell site location data is still a third-party record as far as the federal courts are concerned, so good faith, if nothing else, would have salvaged the warrantless harvesting of this data.
For whatever reason, local law enforcement chose to have the FBI perform a "drive test" of cell towers in the area of the criminal activity, ten months after it happened. Perhaps law enforcement wanted to believe this data would indicate something and allowed itself to be persuaded by pitches like this one, from a company that offers "cell site forensics" to law enforcement agencies.
Cell Site Analysis (CSA) the science of reconstructing the physical movements of a mobile telephone or telecommunication device. The evidence produced from such advanced investigations can be especially powerful in attributing contact between individuals, proximity to a scene of crime, patterns of movement of suspects, and testing the strength of alibi evidence.
These assertions are undermined further down the page when the company explains the limits of drive tests:
How accurate is Cell Site Analysis? This is a common question and there is no short answer. A number of factors come into play, including the type of signalling technology used (GSM/UMTS/CDMA), the local topology (man made or natural obstructions), the height of the antennae, type of CDRs available, physical location of other masts, angling of the transceivers, and degree of network activity (other subscribers). In some instances Cell Site Analysis can be accurate to a few metres, or sometimes a few streets (approximately a postcode).
In other words, most likely not all that accurate. Pinning down a historical cell signal based on a 10-month post facto RF analysis is extremely iffy. Being within a few streets of a committed crime proves nothing. Given the number of variables, these tests are perhaps best left to their original purpose: providing cell service providers info on possible dead zones. That doesn't stop Afentis Forensics from wrapping up this paragraph in an overconfident manner.
However, the technique remains an extremely powerful tool to test an alibi, to show that a number of people were together at a certain time, or to highlight the fact that a suspect was at a crime scene.
The defense in this case pointed out drive tests are indicative of nothing:
Phillips maintained that drive tests are routinely performed by cell phone companies to improve coverage and minimize “dropped calls,” but that they are not generally accepted in criminal investigations. Testifying for the defense, William Folson, accepted as an expert witness “in the field of cellular technology and historical cell site analysis” explained that he “consider[s] [drive tests] a waste of time” because “[t]hey add no value to the historical analysis of a cell phone.” He further testified that the manner in which Special Agent Fennern had performed the drive test was not accepted as reliable in the relevant scientific community. Mr. Folson explained that the RF signal range in December 2013 when the murder occurred would be different than the range in October 2014 when the drive test was conducted because the strength of RF signals fluctuate. Because of this, according to Mr. Folson, a drive test is not representative of the strength of the RF signals on any other date. He also pointed out that drive tests were not peer reviewed, accepted by the scientific community, or used in criminal investigations.
It's almost impossible to find a drive test submitted as evidence in a criminal investigation. Granted, a search for this terminology is bound to miss a few cases, especially those behind the US government's PACER paywall, but the lack of hits suggests this "evidence" is very rarely submitted in criminal trials. What can be found suggests the method used by the FBI agent in this case is completely wrong. Ten months after the fact gives you nothing but garbage.
[T]he coverage area of a cell tower should never be part of an analyst's mapping or court presentations unless that information comes directly from the wireless telephone company in the form of a radio propagation map or in some rare cases, in the form of drive testing that occurred contemporaneous to the date and time of the incident.
Apparently, this "evidence" is a bit more popular in Australia. A paper by a legal aid group discusses several problems with using drive tests/RF signal propagation maps as evidence.
Topography, weather, usage load, broadcast wattage, and overlap of cell coverage entail that to go to point A and make test calls now with the result that some or all of those test calls go through a specified sector of a particular base station does not ‘prove’ that at some other earlier time calls from point A went through that same specified sector. At that other time they may have gone through another sector. When a user places a call, the cell phone connects to the cell site with the strongest signal. Indoor or outdoor use of the phone and cell phone orientation to the user’s head can alter the strength of the signal. These are important considerations when attempting to recreate an alleged past event.
In general it is often easier to be more definitive about the converse proposition, namely that from the Cell ID information it is unlikely that the call was made (or received) outside a specified area. Access from the Telcos to propagation prediction modelling (ie for both ‘dominant’ and ‘possible’ coverage of relevant sectors) is helpful but insufficient to be certain about phone location.
In this context of qualified uncertainty, it is highly misleading to infer positive location with the phrase ‘the Cell ID identified with a call is consistent with the call being made in that location.’
In the Maryland case, the state offered up two witnesses to rebut the "this data doesn't prove anything" defense argument.
Providing a different opinion and testifying for the State, Special Agent Fennern was accepted as an “expert in the field of historical cell site analysis, cellular technology, and  radio frequency drive testing for cell phone mapping.” Agent Fennern opined that factors such as weather only have a “minimal” impact on radio frequency strength. He also testified that, relying on information provided by cell phone companies, the RF signal strength only varied by five or ten percent.
The State also offered the testimony of T-Mobile employee Stephen Willingham, accepted as an expert in radio frequency engineering. He testified that cell phone companies use drive tests for “competitive analysis reasons.” He explained that when a customer complains about a missed call, a cell phone company will use a drive test to attempt to recreate that dropped call to identify a gap in service. Mr. Willingham testified that, over time, radio frequency “[f]ootprints remain consistent as long as nothing major has changed[,]” referring to the physical layout of the cell site, such as antennas and equipment. He stated that the maximum variation he had seen for a footprint was a quarter mile.
Even if all the variables stay the same, the only thing that can truthfully be said is they're possibly accurate within a quarter mile. If that's the case, it's impossible to claim someone was at the scene of a crime using nothing more than an RF propagation map. And, if the arguments made by the defendant are any indication, the state never bothered obtaining or submitting historical cell site location info (the "ping" evidence).
The appeals court agrees with the lower court's opinion: the state can't show anyone has accepted drive tests as a reliable source of evidence in criminal cases.
After determining that the digital forensic science field is the relevant scientific community, the court found that the State’s experts lacked familiarity with that field and were unable to produce studies or peer-reviewed articles in that field supporting the reliability or general acceptance of drive tests for forensic purposes. The court ultimately concluded that the State did not establish that drive tests as used by the FBI are generally accepted in the digital forensic science community. The court then mused that, even if the drive test were considered generally accepted and reliable, the State’s experts were not qualified to testify because they were not members of the digital forensic science community and failed to satisfy the requirement of Maryland Rule 5-702.
This case is exceptionally weird, considering local law enforcement had help from the FBI. Unless the defendant's provider was extremely proactive in scrapping old location data and/or was unresponsive to subpoenas for call records, the state should have had something better than a drive test to place the defendant at the scene. But this is the only evidence the defendant sought to exclude, which suggests other cell records were never introduced. If so, this is a case where law enforcement had several options, but for some reason chose to use the worst one.