I’m sure that the security around it is absolutely rock solid and not at all at risk from Chinese state and other hackers.
Consumers have no way of knowing whether software-development kits that can track their locations are embedded in their apps.
By:
Eric De Grasse
Chief Technology Officer
10 August 2020 (Chania, Greece) – As I noted over the weekend in our weekly cyber security “TOP 10 CYBER BITS”, a small U.S. company with ties to the U.S. defense and intelligence communities has embedded its software in numerous mobile apps, allowing it to track the movements of hundreds of millions of mobile phones world-wide. The story was broken by staff members at The Wall Street Journal who did scores of interviews and who had access to a trove of documents provided on a “no names” basis … the only way these stories seem to get out these days.
NOTE: the full story is behind the The Wall Street Journal pay wall but we’ve been given permission to summarise and quote from the quite lengthy piece. Links are to other Wall Street Journal articles which are also behind the pay wall but we’ve put them up on on our Slideshare so you have access.
Anomaly Six LLC is the company (based in Virginia) and was founded by two U.S. military veterans with a background in intelligence. They … and most members of their staff … had worked closely with government agencies for most of their careers so the company was built to cater to these national-security agencies, as revealed in the court records and interviews obtained by the Journal. The company’s marketing material proudly proclaims it is “able to draw location data from more than 500 mobile applications, in part through our own software development kit, or SDK, that is embedded directly in some of the apps”. An SDK allows the company to obtain the phone’s location if consumers have allowed the app containing the software to access the phone’s GPS coordinates.
NOTE: App publishers often allow third-party companies, for a fee, to insert SDKs into their apps. The SDK maker then sells the consumer data harvested from the app, and the app publisher gets a chunk of revenue. But consumers have no way to know whether SDKs are embedded in apps; most privacy policies don’t disclose that information. This was explained in detail in another piece in the Wall Street Journal which you can access here, part of their continuing series of the “death of data privacy”. Anomaly Six says it embeds its own SDK in some apps, and in other cases gets location data from other partners.
So the company has perfected global-location-data products to provide to branches of the U.S. government and private-sector clients.
But here is the thing as we’ve noted in previous pieces addressing the death of data privacy: numerous agencies of the U.S. government have concluded that mobile data acquired by federal agencies from advertising is lawful. Many law-enforcement agencies are using such data for criminal-law enforcement, while numerous U.S. military and intelligence agencies also acquire this kind of data on a regular basis from scores of data brokers. These private-sector companies in the advertising and marketing world buy and sell geolocation data, sometimes reselling it to government agencies or contractors. The direct collection of such data by a business closely linked to U.S. national security agencies should be “unusual” but it’s tossed off with a wink and a nudge.
The firm’s capabilities were described in court documents as well as a “business practices” briefing paper submitted as part of a Congressional probe into the sale of Americans’ location data:
“Anomaly Six is a veteran-owned small business that processes and visualizes location data sourced from mobile devices for analytics and insights. We leverage detailed location data from numerous first-party sources to provide insights into groups, behaviors, and patterns. All the data it works with is commercially available to anybody and we are compliant with all laws.”
Yes. Data “commercially available to anybody”. Which, as we have noted, bemuses us over the current Tik Tok issue, which is just pure Trump political theatre. Just the sort of blunt-tool approach we see in China, India, Turkey, and Russia. It’s the “lets-bash-China-with-whatever-we-have-and-call-it-data-protection-because-that-will-sell”. As we will detail in our forthcoming piece on the Tik Tok imbroglio, if Chinese state hackers want it, they’ll just grab it from data brokers or just access the zillions of unsound web servers out there. Including most U.S. government “see-thru” web servers.
Anomaly Six said it would support regulation to require more disclosure by apps of how data is collected and used. But as far as the exact apps the company embeds … well, it declined to comment, citing “our confidentiality agreements”. But the partnerships between data brokers and app makers are typically closely held trade secrets within the world of commercial-data sales, so no surprise.
NOTE: in the data drawn from apps, each cellphone is typically represented by an alphanumeric identifier that isn’t linked to the name of the cellphone’s owner. But the movement patterns of a phone over time can allow analysts to deduce its ownership—for example, where the phone is located during the evenings and overnight is likely where the phone-owner lives.
Consumers world-wide are often in the dark about governments’ acquisition and use of such data. Despite collecting data from consumer apps, Anomaly Six doesn’t have a privacy policy on its website, nor is it registered as a data broker in California, where a state law passed in 2018 typically requires companies to detail how they are acquiring and using consumer data. The company says it doesn’t meet the definition of a data broker under California law and isn’t required to register. A representative from the California attorney general’s office didn’t respond to a request for comment when asked about the activities of Anomaly Six vis-a-vis the new-kid-on-the-block, the California Consumer Privacy Act other than to say “those activities do not seem to fit in the ambit of the CCPA”.
As we have noted and the Wall Street Journal story confirms, according to scores of interviews with people in the industry, there is little regulation in the U.S. about the buying and selling of location data, leading to what one industry veteran called “the Wild West.” Consumers have come to expect free apps, and app makers have turned to selling user data to pay for the costs of developing and running the software. Anomaly Six’s offerings are similar to those of a company we covered last year, Babel Street, which provides social-media monitoring services to the intelligence community and law-enforcement agencies.
The Journal team uncovered a lawsuit filed by Babel Street two years ago against Anomaly Six and its founders and it offers a window into the competitive and largely secretive market of providing consumer location products to the U.S. government. Just a few points from the lawsuit and the Journal analysis (there is a lot of info so I need to cherry pick):
• The two founders of Anomaly Six formerly worked for Babel Street and left in 2018, according to the lawsuit.
• Brandan Huff, a former Army counterintelligence officer, had managed Babel Street’s relationship with the Defense Department and had also worked for numerous other defense contractors. The other, Jeffrey Heinz, was also previously in the U.S. Army and had managed Babel Street’s relationships with the Justice Department, U.S. Cyber Command, civilian federal agencies and the intelligence community, court records show.
• One of Babel Street’s products, called “Locate X,” includes the location records of millions of cellphones, drawn from consumer apps. The two former employees set out to build a product to compete with it, according to Babel’s lawsuit. Anomaly Six declined to comment on the lawsuit, which was settled out of court last year.
• Babel Street doesn’t publicly advertise Locate X and binds clients and users to secrecy about even its existence, according to contracts and user agreements reviewed by the Journal. Developed with input from U.S. government officials, according to court records, Locate X is widely used by military intelligence units who work on gathering “open source” intelligence, or information taken from publicly available sources. Babel Street also has contracts with the Department of Homeland Security, the Justice Department, and many other civilian agencies, federal contracting data shows. Babel Street didn’t respond to a request for comment.
• Both Babel Street’s and Anomaly Six’s products can be used to combine intelligence gathered in more traditional ways, from clandestine human sources to secret intercepts, with social media data, satellite imagery, and consumer data from the private sector, according to interviews with people familiar with the process and documents reviewed by the Journal.
• The information, gathered into what’s known as a “pattern of life” analysis, can provide a richer understanding of the habits and behaviors of potential intelligence targets, and to possibly predict their future behavior.
The U.S. isn’t alone in attempting to use mobile-location data for strategic advantage. The National Security Agency this month warned military and intelligence community personnel to sharply limit the location-tracking features on their mobile devices, out of concern that the data could be used by adversaries to reveal sensitive national security information about U.S. operations.
And as I noted a few weeks ago in our “TOP 10 CYBER BITS”, a group of academic researchers using Babel Street’s software were able to monitor the movement of devices at Russian military facilities as part of a project for the U.S. Army, as reported in the Journal.
Such revelations showcase the power of even commercial data to reveal sensitive information about some of the most secure facilities in the world – and further showcase the complete blurring of the lines between corporate marketing and government surveillance. Companies like this have years’ worth of location data from all over the world. And the revelations just keep coming. Users have no idea that when they install a weather app, a game, or any other innocuous-seeming app that their private location data is going to be harvested and sold. There is no transparency into the practice.
And these players are tough to investigate. Anomaly Six isn’t listed in any public spending contracts, and many of Babel Street’s sales to government entities aren’t reflected in public documents either. Anomaly Six said its contracts with the U.S. government were unclassified but confidential, and that it couldn’t reveal which agencies it was working with without permission from those agencies. Good luck with that.
For a good overview of this issue, I’ll end with this very informative video from the Wall Street Journal:
[ To read this post on our blog, along with our other articles, consult out archive by clicking here ]
