According to recent reporting, the US government is using aggregated location data from smartphone apps to track people. What does it mean and how do we protect against it?

Howdy! This is the third episode of The Private Citizen and we’re a bit early this time, because I’m taking a few days off and I want to provide you with some episodes beforehand to tide you over the lean times. So expect a second episode to land later this week.

On this one, I’m going to talk about how mobile phone location data can be aggregated across multiple sources to track people and how this data is bought and sold, including to governments. Once again, we have tech companies doing the dirty work for the state.

But before we get into this, let’s revisit episode 1 of the podcast and Clearview AI. A few days after my episode came out, The New York Times (which originally broke the story) also talked about it on their podcast. While it’s something to read a story and then wonder how naïve the reporter seems to be, it’s something entirely else to hear the naivety in the reporter’s voice while talking about the story. No wonder they were so surprise that this technology existed…

How Location Data is Aggregated and Sold

At the beginning of February, The Wall Street Journal published a story titled “Federal Agencies Use Cellphone Location Data for Immigration Enforcement”. In it, the paper reveals how the US government is buying mobile phone location data and what it’s using this data for.

The Trump administration has bought access to a commercial database that maps the movements of millions of cellphones in America and is using it for immigration and border enforcement, according to people familiar with the matter and documents reviewed by The Wall Street Journal. The location data is drawn from ordinary cellphone apps, including those for games, weather and e-commerce, for which the user has granted permission to log the phone’s location.

The Department of Homeland Security has used the information to detect undocumented immigrants and others who may be entering the U.S. unlawfully, according to these people and documents. The federal government’s use of such data for law enforcement purposes hasn’t previously been reported.

Experts say the information amounts to one of the largest known troves of bulk data being deployed by law enforcement in the U.S. – and that the use appears to be on firm legal footing because the government buys access to it from a commercial vendor, just as a private company could, though its use hasn’t been tested in court. “This is a classic situation where creeping commercial surveillance in the private sector is now bleeding directly over into government," said Alan Butler, general counsel of the Electronic Privacy Information Center, a think tank that pushes for stronger privacy laws.

According to federal spending contracts, a division of DHS that creates experimental products began buying location data in 2017 from Venntel Inc. of Herndon, Va., a small company that shares several executives and patents with Gravy Analytics, a major player in the mobile-advertising world. Contracting records show the federal government is buying the location data from Venntel. Venntel, in turn, purchased the information from private marketing companies that sell the location data of millions of cellphones to advertisers, people familiar with the matter say.

The data is pseudonymised – meaning that each cellphone is represented by an alphanumeric advertising identifier that isn’t linked to the name of the cellphone’s owner. Cellphone users can change their identifier in their phone’s settings menu or limit the apps that have access to their location. Marketing data is widely used by the government to gather intelligence abroad, say people familiar with the matter. But those contracts are frequently classified, so the extent to which intelligence agencies are buying such data cannot be determined.

The WSJ story also explains why the US government is buying this data, instead of simply getting it from the network providers (such cell tower data would be more accurate and basically viewable in real time):

In 2018, the Supreme Court issued a landmark ruling in the case Carpenter v. United States saying that geographic location data drawn from cellphones in the U.S. is a specially protected class of information because it reveals so much about Americans. The court put limits on law enforcement’s ability to obtain such data directly from cellphone companies without court supervision.

But the federal government has essentially found a workaround by purchasing location data used by marketing firms rather than going to court on a case-by-case basis. Because location data is available through numerous commercial ad exchanges, government lawyers have approved the programs and concluded that the Carpenter ruling doesn’t apply. “In this case, the government is a commercial purchaser like anybody else. Carpenter is not relevant,” said Paul Rosenzweig, a former DHS official who is a resident senior fellow at the R Street Institute, a conservative and libertarian think tank that promotes free markets. “The government is just buying a widget.”

Of course, experts in the field of IT security and privacy long knew that this was possible. But it’s important that these deals have finally been exposed and documented. Ignoring the obvious and clickbaity Trump/immigrant angle from the WSJ, it is important that we are aware of this stuff happening.

The implications are clear: Tracking data from apps make mobile phone surveillance possible for companies and government agencies from local police forces to intelligence services – the latter of which probably use this data to supplement their more accurate tracking data from phone providers. We should also be aware of the fact that location data, by its very nature, allows people to be identified. This pseudonymisation bullshit usually doesn’t work. You just need to amass enough metadata and you’ll sooner or later be able to identify individuals.

Is Legislation Any Use?

In an opinion piece written on the same day as the WSJ article, The New York Times calls for legislation to solve this problem.

“When the government tracks the location of a cellphone it achieves near perfect surveillance, as if it had attached an ankle monitor to the phone’s user,” wrote John Roberts, the chief justice of the Supreme Court, in a 2018 ruling that prevented the government from obtaining location data from cellphone towers without a warrant. “We decline to grant the state unrestricted access to a wireless carrier’s database of physical location information,” Chief Justice Roberts wrote in the decision, Carpenter v. United States.

The data used by the government comes not from the phone companies but from a location data company, one of many that are quietly and relentlessly collecting the precise movements of all smartphone-owning Americans through their phone apps. Since that data is available for sale, it seems the government believes that no court oversight is necessary.

The use of location data to aid in deportations also demonstrates how out of date the notion of informed consent has become. When users accept the terms and conditions for various digital products, not only are they uninformed about how their data is gathered, they are also consenting to future uses that they could never predict.

Chief Justice Roberts outlined those stakes in his Carpenter ruling. “The retrospective quality of the data here gives police access to a category of information otherwise unknowable. In the past, attempts to reconstruct a person’s movements were limited by a dearth of records and the frailties of recollection. With access to [cellphone location data], the Government can now travel back in time to retrace a person’s whereabouts, subject only to the retention polices of the wireless carriers, which currently maintain records for up to five years. Critically, because location information is continually logged for all of the 400 million devices in the United States — not just those belonging to persons who might happen to come under investigation — this newfound tracking capacity runs against everyone.”

The courts are a ponderous and imperfect venue for protecting Fourth Amendment rights in an age of rapid technological advancement. Exhibit A is the notion that the Carpenter ruling applies only to location data captured by cellphone towers and not to location data streamed from smartphone apps, which can produce nearly identical troves of information.

For far, far too long, lawmakers have neglected their critical role in overseeing how these technologies are used. Surely, Congress has time to hold hearings about a matter of urgent concern to everyone who owns a smartphone or cares about the government using the most invasive corporate surveillance system ever devised against its own people.

At the end of its argument there, the Times explains quite clearly why its own line of thinking is flawed: Courts are reactive and, as this very case clearly shows, can be easily outmanoeuvred with technology these days.

Datensparsamkeit

So what can we do? The only way to act against data collection and evaluation like this is making sure that you produce as little data as possible which can be analysed. The German word for this is Datensparsamkeit, which can be roughly translated as “data thrift”.

  • Be aware of what apps you use and question that you actually need to use them
  • Think about what permissions you give an app and why
  • Turn off features that you don’t actually need (like location tagging)
  • Be aware that this data collection is going on

I’m not saying we don’t also need laws to prevent companies and the government to collect and abuse such data, but my foremost interest is in helping individual people protect themselves. Therefore, I find it important that we try to develop a feeling for the data we create and emit first. As a second step, we can then concentrate on legislation.

Pushing for legislation without understanding what is going on and without adjusting our own behaviour at the same time is pretty dumb, I think.

Feedback

With regards to episode 1, I had a very interesting discussion with Patreon supporter RikyM about the ethics of facial recognition and AI. If you are interested in that topic, I wholeheartedly recommend listening to the talk about three freedoms of AI at FOSDEM 2020. It’s by two researchers who raise good questions and have some ideas that should definitely be developed further.

Patreon supporter Butterbeans references episode 2 and asks:

I think your point about paper ballots is valid, but what are your thoughts on an open source voting platform? Steve Gibson talks about it regularly on Security Now and I know Microsoft has been developing ElectionGuard for this purpose. Do you think it’s realistic that code like this could allow for transparent and auditable electronic voting on a mass scale or should we not even bother trying? Is the risk of undermining the democratic process from poor implementation of a digital voting system (in any form) too high?

Open source software is always held up as being more secure than proprietary, closed systems. And it usually is. But this basically comes down to Linus’s Law:

Given enough eyeballs, all bugs are shallow.

The question there is always do we have enough eyeballs? Or with other words: Open source software might be more secure, but is it secure enough in this case?

Fadi Mansour wrote another nice email, saying he’s looking forward to more episodes.

Steve Hoos says:

My God man, I must love you, you are at least 50% of my patreon spending a month. I try to compare Patreon to Netflix, but to falls down. Any how… I am from the LO days, and I have been missing the morning piss, I mean the the morning stream morning stream… Good to see you’re back at it. I know you just need to pay the bills like normal people do. I hope this goes well for you.

Of course, despite me mentioning on the first episode that I’m working on migrating the site to TLS – and that it isn’t trivial and won’t be done overnight – I had somebody being snarky on social media about the site not being on TLS. If only I had the feeling that these people did it to actually improve other people’s privacy and security. Instead, I feel they do it to feel smug and superior.

If you also have thoughts on the things discussed here, please feel free to contact me.

Toss a Coin to Your Podcaster

I am a freelance journalist and writer, volunteering my free time because I love digging into stories and because I love podcasting. If you want to help keep The Private Citizen on the air, consider becoming one of my Patreon supporters.

This is entirely optional. This show operates under the value-for-value model, meaning I want you to give back only what you feel this show is worth to you. If that comes down to nothing, that’s OK with me, pard. But if you help out, it’s more likely that I’ll be able to keep doing this indefinitely.

Thanks and Credits

I like to credit everyone who’s helped with any aspect of this production and thus became a part of the show.

Aside from the people who have provided feedback and research and are credited as such above, I’m thankful to Raúl Cabezalí, who composed and recorded the show’s theme, a song called Acoustic Routes. I am also thankful to Bytemark, who are providing the hosting for this episode’s audio file.

But above all, I’d like to thank the following people, who have supported this episode through Patreon and thus keep this show on the air: Niall Donegan, Michael Mullan-Jensen, Jonathan M. Hethey, Georges Walther, Dave, Kai Siers, Matt Jelliman, Fadi Mansour, Joe Poser, Mark Holland, Steve Hoos, Butterbeans, Shelby Cruver, Dave Umrysh, RikyM and drivezero.