If you are relying on Apple and Google’s App Store rules to protect your location data from companies that sell it to the government, you might want to rethink this policy. But if you’re relying on the legal system to stop government agencies from buying this data, you might be in luck – maybe.
A new Inspector General of the Treasury report says they don’t believe agencies have a legal right to purchase location data from commercial services without obtaining a warrant. The watchdog had investigated the Internal Revenue Service (IRS) for doing just that, but the IRS is not the only agency who buys location data on the open market. The military, Federal Bureau of Investigation (FBI), Drug Enforcement Administration (DEA), and Department of Homeland Security (DHS) also do this.
The agencies said they were not doing anything illegal since they were simply purchasing commercially available data provided by users who consented to the data being collected. This new report casts doubt on that claim, claiming that a 2018 Supreme Court ruling required law enforcement to obtain a warrant for mobile phone tower data could also be applied to location data.
If the Inspector General is right, this could put an end to the government’s purchase of location data that is obtained through a series of intermediaries, a supply chain that is very difficult to follow and therefore difficult to stop. . App stores have tried to take action, but their bans may be leaked and incomplete. Google recently banned an app tracker from its App Store, but researchers have repeatedly found apps that still contain it. And, with an entire industry dedicated to harvesting and selling location data, even a complete ban on a tracker won’t do much.
The legal gray area exploited by “data laundering” – and that Google will not stop
The source of this data is your mobile phone. More precisely, it is the applications that you put on it, which can send location data to third-party companies that specialize in selling or accessing location data, advertisers, marketers, and data brokers – even other location data providers. It can go through several companies before reaching its end user. The location data supply chain is intentionally opaque, but your data (and that of millions of others) can end up in the hands of any law enforcement agency willing to pay for it.
Sean O’Brien, senior researcher at ExpressVPN’s Digital Security Lab, has a term for it: data laundering.
“There are so many players sharing and selling data that it’s incredibly difficult to follow the trail,” O’Brien told Recode.
Last November, Vice managed to pursue a lead, report that a location data company called X-Mode was selling the data obtained through its software development kit (SDK), which is found in hundreds of apps with millions of users, to defense contractors. These contractors then sold this data to the military. (Senator Ron Wyden (D-OR) had conducted a side quest to investigate data brokers and came to a similar conclusion around the same time.)
As a result of this report, Apple and Google banned the X-Mode SDK from their app stores. But months later, researchers are still discovering this SDK in applications with thousands of users. O’Brien’s digital security lab, with Defense laboratory agency co-founder Esther Onfroy, watched 450 android apps and found the X-Mode SDK in nearly 200 of them, some of which sent data to X-Mode even after the ban. Google removed at least one of those apps after being told it had slipped onto the company’s network. Then ExpressVPN found 25 more apps with the SDK, most of it from a developer called CityMaps2Go. Google removed these apps from the store, admitting that they had passed its filtering process due to an “error in our app process”.
ExpressVPN told Recode that it then found 22 more apps with the X-Mode SDK in the Google Play Store, all developed by CityMaps2Go, indicating that Google’s app process needs some work. Note: Some of these are paid apps, which should dispel the myth that paying for an app guarantees your privacy. Although knowing that some of CityMaps2Go’s applications had the SDK banned, Google did not verify its others. When Recode notified Google of the surveillance, the company removed the apps from the store.
What is happening here? The company behind CityMaps2Go, Ulmon, went bankrupt last year. CityMaps2Go was then bought out by a company called Kulemba. Kulemba told Recode that he is having trouble accessing the code to remove SDKs from Android apps. That leaves it up to Google to find and remove apps that break its rules, and the consumer should just hope they do. With nearly 50 apps slipping through the cracks so far, that hope could be misplaced. O’Brien thinks Google can do better.
“Researchers outside of Google can identify the presence of these prohibited SDKs without having the benefit of owning and operating Google Play,” said O’Brien. “We looked at apps from developers with known links to X-Mode and discovered the offending SDK using well-known methods. Consumers should reasonably expect Google, or the manager of any app store, to protect users from SDKs that have been banned – or there is a serious disconnect between policy and practice. “
But there’s another bigger issue here than a company’s SDK and Google’s apparent difficulty in enforcing its own rules. X-Mode isn’t the only company providing location data to government agencies, and it’s not the only company the government buys it from. Whack-a-mole app store bans won’t be enough to stop the massive, opaque, and labyrinthine, billion-dollar location data industry.
“Location data brokers use many ways to find data from apps,” Wolfie Christl, a researcher who studies the data industry, told Recode. “They can get apps to embed their data collection code, harvest it from the bidstream in digital advertising, get it directly from app vendors or just buy it from other data brokers.
X-Mode did not respond to a request for comment on whether and how it still obtains and uses location data, but even though it is indeed shut down, we already know that there are other companies selling location data to the government: in particular, Babel Street and Venntel. Finding their primary sources of data is difficult – data laundering, again – but recent reports linked Venntel to two SDKs, which sent data to Venntel through a series of intermediaries, including its parent company Gravy Analytics.
One of these SDKs, from a company called Predicio, was banned on the Google Play Store in early February. We will see if Google is able to apply the Predicio ban better than that of X-Mode.
“The mobile app economy has become a data mining cesspool,” Christl told Recode. “The only way to solve this problem is to finally enforce data protection law in the EU and introduce strong legislation in the US and other regions.”
If Google can’t stop location data brokers, maybe a new law can
We may soon have legislation. Wyden, who requested the IRS Inspector General’s report in the first place as part of his investigation into the location data industry and its use by government agencies, told Recode he had the ‘intention to introduce a bill prohibiting law enforcement agencies from purchasing location data.
“Americans need stronger protections for our rights than app stores playing mad with shady data brokers,” Wyden told Recode. “Congress needs to close the loopholes that allow intermediaries to sell our personal data to the government and put it into black letter law, as well as tough consumer privacy law to make it harder to get it right. ‘assembling massive databases where we go, and we read and buy online, and give users back control of our information. “
“That is why I will be bringing forward the Fourth Amendment to the Not for Sale law in the coming weeks, so the government will get a warrant to obtain personal information, instead of just withdrawing a credit card,” a he declared.
There is also a chance, as the Inspector General’s report said, that the location data purchases will be ruled by the courts as a Fourth Amendment violation, which will solve that part of the problem for us.
In all cases, this concerns only one category of location data clients. As Wyden said, consumer privacy laws are also needed. Until (and if) we get them, we have to rely on companies to self-regulate and have confidence that they do. If one of the biggest companies in the world can’t rid their own app store of a single SDK that violates its terms of service, how can we expect them to find and delete the others? When location data companies filter their data sales through multiple middlemen, how are Google and Apple supposed to know who is breaking their rules in the first place?
“Regulations and lawsuits can have a positive effect, but I’m always looking for more solutions at the grassroots,” said O’Brien. “Consumers need to think differently about their relationship with smartphones, social media, and technology in general.”
Open source is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.
Correction: A previous version of this article stated that Writing had acquired Ulmon. Writing acquired only Ulmon’s CityMaps2Go applications.