Corporate Data Brokers Help Law Enforcement Spy on Millions of Law-Abiding People
by Anthony W. Accurso
The shady economy of data brokers vacuums up personal data from hundreds of millions of people — mostly in the U.S. but also in other countries — and this data is sold to anyone willing to pay for it, including law enforcement, intelligence agencies, and the military.
Including games, the Apple app store has around 4.5 million apps, and the Google Play store has around 2.5 million. An unknown number of these apps include tracking software that records user location data and transmits it to one of several data brokers, who then monetize it by selling it to any number of interested parties.
This, of course, includes advertisers and any company that wants to know more about its users. This is just one part of the framework known as surveillance capitalism. But this practice enables regular old surveillance as well, as government agencies are buying this data to spy on Americans (and everyone else).
A company that acts as a data broker obtains user data (often “just location data,” but various methods of analyzing this data can reveal where a person lives, shops, and worships) and then sells it. They obtain it either by collecting it directly from apps installed on user devices or by purchasing it from a company that collects it.
For example, take the following marketing email sent to an app developer by data broker SafeGraph: “SafeGraph can monetize between $1–$4 per user per year on exhaust data (across location, matches, segments, and other strategies) for US mobile users who have strong data records. We already partner with several GPS apps with great success, so I would definitely like to explore if a data partnership indeed makes sense.”
Even a moderately popular app might have tens of thousands of active users, so it is easy to understand why an app developer might sign up for such a lucrative deal.
Companies like SafeGraph enroll developers in “data partnerships,” and companies at this level have an average of a few hundred apps enrolled and collecting data. Other examples of brokers on this level include Complementics, Predicio, Mobilewalla, and X-Mode.
These brokers then sell the data to larger brokerage firms like Gravy Analytics. The larger firms also buy access to location data from advertising monetization companies (like Google). These companies have markets where other companies bid on raw user data for ad purposes, but several brokers record this “bidstream” data for later use.
Venntel, a subsidiary of Gravy Analytics, claims to gather data from “over 80,000” apps. Though Venntel states that it does not gather bidstream data, testimony by government officials before congressional hearings indicates otherwise. Gravy Analytics also claims to collect data from multiple sources, including Venntel, and claims to have access to “over 150 million” devices.
Many of the users from whom this data is collected assume this data will be bought by companies that just try to sell them more junk, food, or junk food. But some of these data brokers have begun specializing in selling this data to government agencies with the power to imprison or kill people or otherwise make their lives extremely unpleasant.
Babel Street and A6 are two such companies, and open records requests have revealed that their customers include the IRS, CBP, ICE, DEA, FBI, Defense Intelligence Agency (“DIA”), Secret Service, Air National Guard, U.S. Special Forces Command (“SOCOM”), and its subdivisions SOCAFRICA and MARSOC. X-Mode doesn’t appear to sell directly to government agencies but instead sells to several defense contractors, including Systems & Technology Research and the Sierra Nevada Corporation.
What these agencies do with the data should come as no surprise. ICE says it uses the data to generate “arrests, seizures, and new leads.” CBP was exposed as having used the data to “look for cellphone activity in unusual places,” which led to the discovery of previously unknown tunnels along the U.S. and Mexico border. But Motherboard has reported that “CBP purchases location data about people all around the United States, not just near the border.”
The Des Moines-based 132d Wing of the Air National Guard disclosed it used a Babel Street product to “support federal mission requirements overseas” — a frightening thought since the unit’s mission involves “long-endurance coverage” and “dynamic execution of targets” with MQ-9 Reaper drones. When translated from government jargon into plain English, they are saying that they buy location data so that they can hunt and kill people overseas.
The DIA has disclosed that it “provides funding to another agency,” which purchases location data from all over the globe, though it claims it “segregates U.S. data points into a separate database as it arrives.” It further claims that it requires a “specific process” to access U.S. location data and has only exercised this process “five times in the previous two and a half years.”
And how much blood money are we talking about? The contract for the Air National Guard cost $35,000 for a one-year license. But Venntel sells “direct access to all of its data from a region, updated daily and uploaded to a government-controlled server,” for $650,000 per year. The latter contract was for “Geographic Marketing Data – Western Hemisphere,” purchased by DHS through HSARPA to obtain data from Central America and Mexico to support its Data Analytics Engine — the software ICE uses to generate new leads.
Many of these data brokers defend the sale of this data by claiming it is “anonymized” or “disaggregated” in such a way that identifying information is not included. But Venntel employees have revealed how one office game involved using the data, in conjunction with other open-records databases, to identify people they know.
To demonstrate the abilities of its location product, A6 “tracked 183 devices that had visited both the NSA and CIA headquarters to show where American intelligence personnel might be deployed” and then “followed one suspected intelligence officer around the United States, to an American airfield in Jordan, and then back to their home.”
You would think that the sheer potential for abuse and breaches of national security would be enough to convince Congress to take swift action to regulate or eliminate the collection and sale of such data. But that would be like expecting a drug addict to quit cold turkey because someone told them drugs are bad.
Not all legislators are so myopic. Senator Ron Wyden (D-OR) has put forward legislation to restrict law-enforcement agencies from buying location data, but that is just the first step. The sale of user location data should be regulated and transparent, so users know who is buying and selling their data and which apps are being used to collect it.
Apple and Google, despite massive ad campaigns touting their privacy-protection measures, created and maintain the advertising ID systems underpinning this lucrative market. However, a coordinated backlash aimed at these companies’ hypocrisy could end this practice.
These companies have pioneered and popularized behavioral advertising, but companies like DuckDuckGo have shown that companies can sell ads and be profitable without collecting data on individual users.
Finally, users can take steps now by disabling location access for apps that don’t need it. Your weather app will function reasonably well with just your zip code. It doesn’t need your GPS coordinates, and neither does your prayer app. And the Electronic Frontier Foundation publishes instructions on how to disable ad ID tracking on iOS and Android.
Allowing companies to continue business as usual means giving any government, company, or malicious actor the power to “look forwards or backwards at the location histories of hundreds of devices at once, learning where their owners live, work, and travel.” Nobody should have this power, and every person has the power to stop it from happening to them.