Even if they're off, cellphones allow FBI to listen in

It should come as no surprise that cellphone calls may be tapped by law enforcement.

But authorities also can use cellphones to eavesdrop on suspects, even when the devices are off.

The FBI converted the Nextel cellphones of two alleged New York mobsters into "roving bugs," microphones that relayed conversations when the phones seemed to be inactive, according to recent court documents.

Authorities won't reveal how they did this. But a countersurveillance expert said Nextel, Motorola Razr and Samsung 900 series cellphones can be reprogrammed over the air, using methods meant for delivering upgrades and maintenance. It's called "flashing the firmware," said James Atkinson, a consultant for the Granite Island Group in Massachusetts.

"These are very powerful phones, but all that power comes with a price. By allowing ring tones and stock quotes and all this other stuff, you also give someone a way to get into your phones," Atkinson said.

Privacy advocates called such use of roving bugs intrusive and illegal. Webcams and microphones on home computers soon may be fair game for remote-control gumshoes, too, they said.

"This is a kind of surveillance we've never really seen before. The government can and will exploit whatever technology is available to achieve their surveillance goals. This is of particular concern, considering the proliferation of microphones and cameras in the products we own," said Kevin Bankston, a lawyer for the Electronic Frontier Foundation.

Converting cellphones into stealth microphones violates the Fourth Amendment protection against overly broad searches, Bankston said. FBI spokesman James Margolin said the bureau's use of roving bugs is monitored closely by the courts.

"The operative thing for any concerned citizen is, we only do this when we get authorization from the judiciary, when we meet the probable-cause threshold," he said.

Legally, he said, bugging cellphones differs little from placing microphones "in a chair or a wall or behind a picture."

"It's not a situation where we just turn the tape on and we gather everything," Margolin said. "By law, we only listen to what the warrant authorizes us to listen to."

However, hackers probably can pull this off, too, said Lauren Weinstein, who warned of the possibility in 1999 on his online Privacy Forum. "A lot of people know an awful lot about the inner workings of these phones," he said.

The roving bugs came to light last month in an opinion by U.S. District Judge Lewis Kaplan in New York.

Kaplan's opinion, reported online by CNET, upheld FBI bugging of cellphones used by John "Buster" Ardito, allegedly a high-ranking member of the Genovese crime family, and his lawyer and associate, Peter Peluso.

A listening device in Ardito's phone "functioned whether the phone was powered on or off, intercepting conversations within its range wherever it happened to be," Kaplan wrote.

Investigators got permission for the bug from another judge in 2003, after learning that Ardito's associates had discovered FBI bugs planted in restaurants where they gathered.

A spokeswoman for the U.S. Attorney's Office in the Southern District of New York declined to comment.

Margolin declined to say if an eavesdropping device was planted in Ardito's cellphone or if agents remotely programmed the phone for real-time eavesdropping or for recording audio to transmit at specified times.

"For obvious reasons, we don't discuss what we are or are not capable of doing, technologically," Margolin said.

Sprint Nextel spokesman Mark Elliott said the company cooperates with authorities when they have warrants and subpoenas. "In this case, we were not aware of any investigation and were not asked to participate," Elliott said.

Samsung spokesman Jose Cardona said he had not heard of any privacy issues with 900 series phones.

Nextel phones are made by Motorola, which also makes the popular Razr. Motorola spokeswoman Molly Sheehan said the company's phones were not designed or intended to violate privacy rights or laws, "and Motorola neither supports nor condones such use." She referred further questions to the FBI.

While all commercial mobile services can be tapped, Nextel is the easiest because its network uses a technology called TDMA, said the Granite Island Group's Atkinson, who was trained by the government and advises corporations about security.

TDMA conveys a constant audio stream to cell towers. That stream can be monitored surreptitiously with another Nextel phone, Atkinson said.

A walkie-talkie feature has made Nextel popular with businesses. But Atkinson said more convenience can mean less security.

That goes for Nextel-toting FBI agents, too, he said. If they gather in Washington, "I can tell you from a few blocks away where the FBI agents are, and how far apart they're sitting in the building."

Asked if the FBI uses Nextel phones, spokeswoman Cathy Milhoan said, "We use a variety of phones and providers."

Atkinson said the only sure way to shield a mobile phone from the prying ears of police, hackers and jealous spouses is to remove the battery. But don't get cocky.

"A smart eavesdropper will bug the battery," he said.