As Federal authorities offer local police help cracking iPhones, a Maryland judge has ruled that another form of technological surveillance has been used improperly. The Wednesday decision found that the Baltimore City Police Department’s use of a so-called “cell site simulator” without a warrant, and a subsequent search warrant executed based on the simulator’s detection of a suspect’s phone, constituted an unreasonable search under the fourth amendment.
Get Data Sheet, Fortune’s technology newsletter.
The device in question is the Hailstorm, manufactured by the Florida-based Harris Corporation (HRS). It’s the latest version of technology known collectively as “stingrays,” or more formally, IMSI catchers. The devices pretend to be cell phone towers, then track the locations of nearby devices that attempt to connect. The more advanced Hailstorm also reputedly has the ability to intercept calls and even hijack a phone.
The technology has been used by local police departments nationwide for the better part of a decade—often without warrants. In Baltimore, a stingray has been used in nearly 2,000 investigations, again, mostly without a warrant. USA Today reports that following the ruling, the city’s public defender is conducting a review of those cases, and has identified 200 in which defendants were sent to prison based on now-questionable evidence.
Maryland Attorney General Brian E. Frosh has not said whether or not his office will challenge the ruling in a higher court, but in a filing earlier in proceedings, Frosh seemed to defend police rights to track anyone’s cell phone, at any time, for any reason—or none at all.
For more on security and law enforcement, watch our video:
“While cell phones are ubiquitous, they all come with ‘off’ switches,” wrote Frosh. “Because [defendant Kerron] Andrews chose to keep his cell phone on, he was voluntarily sharing the location of his cell phone with third parties.”
Privacy advocates have more to be upset about than stingray technology, or police methods. Harris Corporation also seems to have worked to obscure the tool’s use in investigations through NDAs with client agencies, earning it recognition from Wired as one of the “Most Dangerous People On the Internet” last year.