A federal agent looks through binoculars from the U.S. Immigration and Customs Enforcement building towards protesters before U.S. Department of Homeland Security Secretary Kristi Noem visits to Portland on Tuesday, Oct. 7, 2025.
Eli Imadali / OPB
Protesters at the Immigration and Customs Enforcement facility in Portland may have had their identifiable information from their cellphones surveilled, new reporting from Straight Arrow News found.
An analysis done by the news organization found evidence that suggests a cell-site simulator was used in the area. These devices mimic cell towers and are able to capture a phone’s unique SIM card number known as an International Mobile Subscriber Identity. Mikael Thalen is a tech reporter for Straight Arrow News and used a research tool known as Marlin to report this story. He joined “Think Out Loud” on Wednesday to share more.
Note: The following transcript was transcribed digitally and validated for accuracy, readability and formatting by an OPB volunteer.
Dave Miller: This is Think Out Loud on OPB. I’m Dave Miller. Recent protesters at the Immigration and Customs Enforcement Building in Portland may have had identifiable information from their cell phones surveilled. That is according to recent reporting from Straight Arrow News. Mikael Thalen reported on this, and he joins us now with the details. It’s great to have you on Think Out Loud.
Mikael Thalen: Hey, thanks for having me.
Miller: So in order to understand the analysis you did, that the technology that you used, I think we need to start with a little bit of a grounding in how our cell phones normally interact with the towers where they get their signals. So can you explain how they normally work?
Thalen: Absolutely, yeah. So let’s say your phone’s off and you turn on your phone. The first thing it’s gonna do is look for the strongest tower connection because your phone’s constantly looking for the strongest signal to connect to. And so from there, your phone’s actually going to hand over to the tower something called your I-M-S-I or your IMSI, and this is your international mobile subscriber identity, and it’s a unique 15-digit code tied to your SIM card. And that’s sort of how the network identifies you.
So once the cell tower obtains your IMSI, it will then give you a temporary IMSI that actually rotates and changes as you jump from tower to tower. And the reason they do this is because your IMSI is unique to you and it can be used to track you.
Miller: Okay, and to prevent tracking, the normal state of affairs is a tower assigns us a temporary one. And then does it… Is it then after that saying, ‘wait, are we sure you are who you are’ or after it does that once, it’s good until we turn it off and on again?
Thalen: Yeah, it just continually rotates through these different temporary identifiers. If you were to turn your phone off and then back on again, or there are certain circumstances where maybe you lose coverage and you reach out to a new cell tower and it’ll ask for that IMSI again, but overall it’s fairly rare for your phone to be asked for that. It’s not something that it’s constantly being asked to give up.
Miller: Okay, so what is a cell site simulator?
Thalen: A cell site simulator is a surveillance device that simply put mimics a cell phone tower. It can obtain an assortment of information by forcing phones in its vicinity to connect to it. So as I said before, your phone is constantly looking for the strongest signal. So a cell site simulator will give off a stronger signal than the different cell towers in the area and force your phone to connect to it. And then they can obtain different information from your phone during that. These devices can be handheld. They can be placed in backpacks. They’re often placed in vehicles and they can be affixed to locations such as buildings and they’re even attached to airplanes.
Miller: Would I just as a regular, old, not particularly savvy cell phone user, would I know that my phone has latched on to a simulator, a fake tower.
Thalen: No, it’s very unlikely you’d be able to notice anything. If there was any sort of issue… Yeah, this isn’t something that the average person would be able to pick up.
Miller: Okay. You’re not exactly an average person. You’re a tech reporter who had a special tool which costs thousands of dollars. Can you describe this device that’s called the Marlin that you used for this story? What does it do?
Thalen: Yeah, so I used a software-defined radio, which is basically a device that can read different wireless signals. And I had an antenna on there that can specifically read cellular signals. And there was a team of researchers from the University of Florida and ETH Zürich, who created a software called Marlin. And essentially what they did is they spent 400 hours on two continents scanning cellular signals to see how often does a legitimate tower actually ask for this unique identifier – this IMSI – and they found that over the 400 hours of scans, they had a median of less than 3% of the messages being sent at any time by a cell tower asking for this IMSI. And they would occasionally see spikes, but they never went past 14%. So 14% of messages at any given point or less might ask for this. So that was normal.
But this device I went and I was scanning outside the ICE facility and what I saw were numbers outside that normal range.
Miller: How far outside the normal range?
Thalen: So as I said, over a 24-hour scan, their median was less than 3%, and very, very rare occasional blips as high as 14. In a one-hour period, I saw three spikes to 18% outside of the ICE facility. What’s also interesting is that I was staying at a hotel about 1,500 feet down the street on the same road, and as I walked away, those percentages actually dropped down – still slightly elevated – but they dropped down to what you would expect more normal numbers to give off. And as I walked back to the facility, they increased again. So that sort of gave me an indication that whatever the issue was, it was potentially localized to that area.
Miller: Okay, so just to be clear, not exactly a smoking gun. But very strong, at the very least, circumstantial evidence that a cell site simulator was being used at that location. The closer you got to it, the higher the the hits went in terms of of these requests for this information. That when you went further away, those requests, the percentage went down.
Thalen: Yeah, which could suggest that I was reaching the outside perimeter of this device’s range. And as you said, this device isn’t intended – or really any detection technology isn’t intended – to give you a yes or no answer. There’s more digging you have to do, but it’s definitely meant to show you anomalies and say, ‘hey, this isn’t what you would normally expect in a normal environment’.
And as you said, if we put this in context, we’re outside of an ICE facility that’s been the subject of protests. There’s been clashes with law enforcement. There’s been some vandalism there. We also know that after the shooting in Dallas at an ICE facility, Acting Director Todd Lyons of ICE placed all facilities on high alert. So yeah, if we just look at in the context, there’s there’s smoke there I would say.
Miller: You did ask Immigration and Customs Enforcement and the Department of Homeland Security about your findings. What did you hear?
Thalen: Nothing at all. They did not answer. And I reached out to the police in Portland, and they said ‘we did not deploy any simulator of any type. You’ll have to reach out to the federal government and ask them instead.’
Miller: Okay, so ICE didn’t respond to your requests for comment, but what is already publicly known about the agency’s use of this technology in the past?
Thalen: Yeah, so documents obtained by the ACLU in 2020 showed that ICE used these cell site simulators at least 466 times from 2017 to 2019. So we know they’re used fairly often. There’s also a recently unsealed search warrant that showed ICE using one of these devices in Utah in August to track down a man who was ordered to leave the U.S. back in 2023.
And so we also know that contract records show that ICE just recently purchased $825,000 worth of “cell site simulator vehicles” in May, and they also have an active $4 million contract with a well-known defense contractor who produces these devices. So, yeah, again, taken in the in the context of everything, all the recent events with ICE, the protests, and then clearly purchasing the devices very recently in large amounts. Yeah, it’s just interesting.
Miller: What did your organization find when you took this same tool recently up to Seattle?
Thalen: So, I’ve used this tool quite a bit over the past four months. The only other time I saw an alert was actually outside of an ICE facility in Washington state. And I do plan to take it to some other protests in the future. And just to explain, a cell site simulator, when it’s used at a fixed location, is usually just trying to grab the IMSIs in that area. So if after the fact, police want to investigate who was maybe in that area, they can go look through that.
But these devices are also used in a more targeted way where, let’s say they have your phone number, they want to find you, they don’t know where you are. So they’d reach out to your, let’s say T-Mobile, your cell phone service provider, and they say, ‘Hey, we have this phone number. Give us their information, including their IMSI.’ And once they get that, they’ll actually plug that into their cell site simulator. They’ll get in a vehicle and go to an area where they think you are and drive around until your phone connects to it.
Now that requires a warrant, but the reason it’s so controversial is because when you’re driving around, you’re forcing all the other devices in the area to connect you as well. So you’re obtaining their IMSIs. And so it by default works by grabbing everyone’s information. Now law enforcement will argue, ‘Hey, we’re not keeping those other IMSIs. We’re just sort of filtering through them to look for this one person.’ So yeah, it’s sort of a very controversial thing and very secretive thing. That’s why it’s so hard to learn anything about how the federal government is using these.
Miller: What can federal law enforcement, or any agency, any person do with IMSI data alone? So let’s go back to the South Portland, the ICE building example. Let’s assume that you’re correct and they deployed this technology and they got 200 people’s IMSIs: people in frog costumes, people just biking on the way to work, people dropping their kids off at a ballet class, people protesting, whatever. They had these 15-digit numbers. Is any legally available information tied to those digits?
Thalen: So yeah, first of all, they could just map which phones are commonly in the area. They could just map out outlier information of devices that only showed up once or twice. I don’t have any knowledge that they have some sort of master list of IMSIs, but like I said, you see these devices also commonly deployed at embassies. And so I think it’s more about collecting that information and after the fact, let’s say there’s someone law enforcement arrests at the protest site. They could theoretically find out their phone number and then go and ask T-Mobile, whoever, for some historical data on their movements based on that IMSI. It’s just sort of a way to map people’s movements, map their interactions, map their activity in an area.
Miller: But in this scenario you just identified, unless there’s some kind of backdoor channel, the only way they could actually connect a person to their phone is if they actually got that information from a cell phone provider. If they went to Verizon or T-Mobile and said, ‘Hey, we have this 15-digit number, we have this IMSI. Who is it?’
Thalen: Yeah. Well, so MC catchers, as they’re also called, can do other things. They can grab your IMEI, which is a unique number that will tell them exactly, which you don’t have to look up. You can look up an IMEI online. You don’t need a special access, and it’ll tell you the exact model of the phone.
There’s also cell site simulators that can trick your phone into downgrading to 2G, which is why you should disable 2G connections on your phone if possible. And then they can actually intercept unencrypted text message, unencrypted voice calls. Again, so yeah, it’s hard to say without knowing what model they potentially could be using to know exactly how much data they’re getting, because an MC catcher in its most simplistic form is describing those IMSIs. But there’s also a lot of other capabilities that can be attached onto it.
Miller: And there’d be no way to know if you’re like you’re not using Signal, you’re just using text messages, unencrypted text messages, say, there’d be no way to know if if the feds had been reading or listening to your unencrypted communication.
Thalen: Absolutely, yeah. And that’s important emphasis, that if you’re using something like Signal, they’re not going to be able to see that going over the wire, so to speak.
Miller: You mentioned that people should be disabling 2G. I didn’t even know that was something that could be enabled. I also didn’t know it could be disabled. What do you recommend that people do if they don’t want their phones to to ping fake cell towers or to be susceptible to this kind of digital surveillance? What options do we have?
Thalen: Yeah, so as you noted about 2G, 2G is being phased out. It’s pretty much not available anywhere in the country. But a lot of phones still by default are allowed to read 2G signals because 2G is still used overseas. So phones can still pick up 2G. And if you have an Android or an iPhone, you can look up options on how to tell your phone not to ever connect to 2G so that way you can’t be downgraded.
Miller: What about, is that LTE? I’ve seen that on my phone if it’s not getting 5G, is that the same thing?
Thalen: No, LTE is fine. LTE’s fine. Yeah, you’re good.
Miller: I feel like I called tech support and I’m just an ancient person asking for help.
Thalen: No, you’re fine.
Miller: Okay, but more broadly, what options do we have besides that – besides disabling 2G – to do our best to prevent surveillance?
Thalen: Yeah, so when it comes to cell phones, there’s not much. If you trust putting your phone in airplane mode, theoretically, that will stop, of course, your phone being able to speak with the towers. There’s a lot of people who say, ‘oh, you can buy a Faraday pouch,’ – like a little Faraday bag where you put your phone in and it blocks signals – but they’ve done tests in the past of these things, and a lot of time signals can still get through. So unless you’re buying one that’s been third-party tested by a credited laboratory, then I wouldn’t rely on that.
People talk a lot about burner phones, which is probably not practical for a lot of people. And to be honest, most people don’t really know how to properly use burner phones. So if you wanted, you could have a secondary cell phone that you store very little information on, maybe numbers of people close to you and a lawyer that you bring to protest and you only turn it on when you get to the protest, and you turn it off when you leave. But beyond that, there’s really not much you can do. There are some companies coming out with technology. I actually have a phone right now that’s not available to the public, but it actually rotates the IMSIs, so I can tell my phone every two minutes to rotate to a different IMSI. So, if someone locked onto it and was trying to find me, theoretically they wouldn’t be able to. That is something that could be coming to the public soon though, but again, this is all quite extreme. And I know the average person usually doesn’t want to invest that much time and effort into just going about their lives.Yeah, so unfortunately phones are kind of, it’s almost better to leave them home. I mean, for me, as a journalist, I know I’m gonna be seen, so I’m not gonna necessarily hide my phone when I’m at a protest. But again, it all just depends on the individual, like how far they want to go, how concerned they are about potentially being detected.
Miller: Mikael Thalen, thanks very much.
Thalen: Thank you.
Miller: Mikael Thalen is a tech reporter for Straight Arrow News.
“Think Out Loud®” broadcasts live at noon every weekday and rebroadcasts at 8 p.m.
If you’d like to comment on any of the topics in this show or suggest a topic of your own, please get in touch with us on Facebook, send an email to thinkoutloud@opb.org, or you can leave a voicemail for us at 503-293-1983.
