A secret tool lets police conduct mass surveillance using app data

AppleInsider

Police from around the country have been using data culled from thousands of apps for suspect surveillance, often without search warrants.

Location Services in iPhone settings

The tool, known as "Fog Reveal" uses advertising identifaction numbers from apps such as Starbucks and Waze. It's sold by Fog Data Science LLC to target ads based on a person's location and interests.

Law enforcement agencies from all levels of government have been using Fog Reveal. The report says it's rarely mentioned in court records, and sometimes not at all. Defense attorneys say this makes it difficult to defend their clients in cases that involve the tool.

Fog Data Science

Fog Data Science was formed by two former high-ranking officials in the Deparment of Homeland Security under former President George W. Bush. It purchases raw geolocation data from around 250 million devices collected by tens of thousands of apps, then aggregates it into a searchable database containing "billions of data points."

Fog then provides access into this database to law enforcement as a subscription that can start at $7,500 per year. The company claims the data is anonymized, saying it has no way of linking it back to specific devices or owners.

Analysis can identify individuals

The company often parters with Venntel, Inc., a data broker that also works with law enforcement. Together, they can work to gain further insight into peoples' lives, such as home addresses "and other clues that help detectives figure out people's identities."

Using the data, police can create a geofence around specific areas during an investigation. They can also search a specific device's ad ID number.

Investigators can enter location coordinates into Fog Reveal to see which device IDs were found near a crime scene, going back as far as 180 days. However, emails from a Fog representative reveal the data can go back as far as June 2017.

Even if there is no crime scene, Fog boasts in marketing materials that it can offer police "predictive analytics" that claim to predict future hotspots of crime. The company says that it can provide real-time data on the daily movements of people with their trackable smartphones.

According to the Electronic Frontier Foundation, this mass surveillance is a violation of the Fourth Amendment which protects Americans from unreasonable search and seizures. In one case, Carpenter v. United States, the U.S. Supreme Court ruled that the Fourth Amendment requires police to obtain a warrant before seizing historical location data from phone companies.

Location data and its use

Documents reveal that Fog claims its tool uses data willingly given up by people, even though apps collect data most often without consent. Features such as App Tracking Transparency can be considered consent for advertising.

Data passes through many hands. Users and sometimes even some app makers, have no awareness of their data being sold to law enforcement.

Letter from Fog Data Science

Megan Adams, a Starbucks spokesperson, said the company wasn't aware that its advertising data was used in this manner.

"Starbucks has not approved Ad ID data generated by our app to be used in this way by Fog Data Science LLC," said Adams. "In our review to date, we have no relationship with this company."

A spokesperson from Waze said much the same as Starbucks.

"We have never had a relationship with Fog Data Science, have not worked with them in any capacity, and have not shared information with them," said Waze.

It's reasonable to assume that one's data has been collected inside Fog's database. People can use adblockers and make sure the toggle is off within Settings > Privacy & Security > Tracking on iPhones. Ultimately though, it's up to local, state, and federal governments to limit this and enact -- and enforce -- strong privacy legislation.

Read on AppleInsider

coolfactor

Here we go again.

Police from around the country (snip)

Which country? Why are these articles written as if the US is the only country in the world? Fix your editors! 


Thank goodness that Apple is not in the business of selling data!

stantheman

This is precisely the type of abuse of personal data that Apple has been protecting us from for many years.  Meanwhile Google, Facebook and others have pretended it was not a significant threat at all. 

22july2013

coolfactor said:

Here we go again.

Police from around the country (snip)

Which country? Why are these articles written as if the US is the only country in the world? Fix your editors! 

AppleInsider has the right to ignore the needs of the majority of its readers.

lam92103

stantheman said:

This is precisely the type of abuse of personal data that Apple has been protecting us from for many years.  Meanwhile Google, Facebook and others have pretended it was not a significant threat at all. 

The article says the exact opposite. They are harvesting Location Data from apps on iOS

mr. h

It's as clear as mud to me what exactly this service from Fog Data Science does, or how it does it.

entropys

lam92103 said:

stantheman said:

This is precisely the type of abuse of personal data that Apple has been protecting us from for many years.  Meanwhile Google, Facebook and others have pretended it was not a significant threat at all. 

The article says the exact opposite. They are harvesting Location Data from apps on iOS

Yes,and the granddaddy of them all would be Facebook, messenger apps, and Google ad services in multiple apps.

JFC_PA

Way beyond anonymized traffic data to put those colors on your map roadways.  

Everywhere an ID’d phone has been back to 2017?

citpeks

lam92103 said:

stantheman said:

This is precisely the type of abuse of personal data that Apple has been protecting us from for many years.  Meanwhile Google, Facebook and others have pretended it was not a significant threat at all. 

The article says the exact opposite. They are harvesting Location Data from apps on iOS

Actually, you're both correct.

One of the key pieces of data is the unique advertising ID, which Apple has put limits on in iOS (App Tracking Transparency) and raised a stink from the ad industry when it was introduced.

Third party SDKs that developers use to build apps are leaking and exploiting that data, which is traded in a shadowy industry where different interests buy that information for their own purposes.  In this case, it's law enforcement, to determine location history for a device.  Other buyers may have an interest in the whereabouts of user devices for other purposes, like marketing.

What's of interest here is that law enforcement is purportedly bound by some old document, the U.S. Constitution, which contains a section forbidding unreasonable search or seizure without a warrant.  That pesky 4th Amendment.  And any rational citizen should also recognize that mass surveillance is also counter to the principles of a free society.  Sadly, it's looking like the only difference between us, China, and other despotic countries is that there, it's government sponsored, here it's sponsored by private industry for capital gain.

One of the companies named in this story, Starbucks, may have some plausible deniability, in that it does have an legitimate interest in using the location information a user grants, for its own purposes to help facilitate the sales and marketing of its products, at one of its many outlets.  However, it is troubling that its developers and lawyers, either haven't read, or don't care about the terms under which the leaky SDK in its app, and the company behind it, may also be granted the right to collect that data for itself, and sell it to others, who can then compile and it package it for sale again, like Fog Data is doing for law enforcement.

Starbucks' business is selling coffee.  But there are other companies who have less reliable sources of revenue, arguably less ethics, and may count upon data collection and sale as part of its business, if not the primary business.

Putting one's life on a smartphone has undeniable benefit, and advantages, but it also come with many risks, in that the information stored on them, and how/where they're used can also unintentionally leak a lot of data about the user, which is used in unintended, unknown, and potentially harmful ways.

A cell phone can't practically function without the service provider knowing where the device is located at all times.  And the cell phone companies have been caught selling that information.

A weather, or other app that uses location data to better provide a service also has legitimate and practical use for such data.  But, one app, IBM's Weather Channel app, has been sued for selling that data.

The real issue is that there is a wild west gong on behind the scenes with the data that's captured by our smartphones, whether intentionally and unintentionally, unbeknownst to most users.

And unfortunately, it would be naive to think that Congress has any interest in setting up some rules, or giving the regulators the powers to provide some boundaries, or clamp down on potential abuse of such practices.  Even if one, or more of them, who are as easily tracked as one of us, were to have their information outed, revealing their deeds, naughty or nice.

Anyone who thinks this kind of stuff matters should be proactive, check and re-check your settings, don't instantly click "Agree" on any EULA popups, and don't install an app just because the owner says it will provide a "better experience."

If a company or site can't or won't give you a good experience accessible through a browser on their website, think about the reasons behind that, what they have to gain, and what you have to lose.  Sites such as Yelp and Reddit, which actively cripple their mobile browser experience, should raise eyebrows.

Paul_B

ALL your data goes through your Internet Service Provider (ISP) - They don't need applications, they built the infrastructure - Meaning the cables you are connected on.

appleuseryeah

coolfactor said:

Here we go again.

Police from around the country (snip)

Which country? Why are these articles written as if the US is the only country in the world? Fix your editors! 


Thank goodness that Apple is not in the business of selling data!

It’s a US website. Maybe you should adjust your expectations. When you read a US site, wouldn’t it be logical to think they are talking about the US, rather than naively asking “which country?” and demanding the site fix its editors?

Fix yourself. 

mikethemartian

citpeks said:

lam92103 said:

stantheman said:

This is precisely the type of abuse of personal data that Apple has been protecting us from for many years.  Meanwhile Google, Facebook and others have pretended it was not a significant threat at all. 

The article says the exact opposite. They are harvesting Location Data from apps on iOS

Actually, you're both correct.

One of the key pieces of data is the unique advertising ID, which Apple has put limits on in iOS (App Tracking Transparency) and raised a stink from the ad industry when it was introduced.

Third party SDKs that developers use to build apps are leaking and exploiting that data, which is traded in a shadowy industry where different interests buy that information for their own purposes.  In this case, it's law enforcement, to determine location history for a device.  Other buyers may have an interest in the whereabouts of user devices for other purposes, like marketing.

What's of interest here is that law enforcement is purportedly bound by some old document, the U.S. Constitution, which contains a section forbidding unreasonable search or seizure without a warrant.  That pesky 4th Amendment.  And any rational citizen should also recognize that mass surveillance is also counter to the principles of a free society.  Sadly, it's looking like the only difference between us, China, and other despotic countries is that there, it's government sponsored, here it's sponsored by private industry for capital gain.

One of the companies named in this story, Starbucks, may have some plausible deniability, in that it does have an legitimate interest in using the location information a user grants, for its own purposes to help facilitate the sales and marketing of its products, at one of its many outlets.  However, it is troubling that its developers and lawyers, either haven't read, or don't care about the terms under which the leaky SDK in its app, and the company behind it, may also be granted the right to collect that data for itself, and sell it to others, who can then compile and it package it for sale again, like Fog Data is doing for law enforcement.

Starbucks' business is selling coffee.  But there are other companies who have less reliable sources of revenue, arguably less ethics, and may count upon data collection and sale as part of its business, if not the primary business.

Putting one's life on a smartphone has undeniable benefit, and advantages, but it also come with many risks, in that the information stored on them, and how/where they're used can also unintentionally leak a lot of data about the user, which is used in unintended, unknown, and potentially harmful ways.

A cell phone can't practically function without the service provider knowing where the device is located at all times.  And the cell phone companies have been caught selling that information.

A weather, or other app that uses location data to better provide a service also has legitimate and practical use for such data.  But, one app, IBM's Weather Channel app, has been sued for selling that data.

The real issue is that there is a wild west gong on behind the scenes with the data that's captured by our smartphones, whether intentionally and unintentionally, unbeknownst to most users.

And unfortunately, it would be naive to think that Congress has any interest in setting up some rules, or giving the regulators the powers to provide some boundaries, or clamp down on potential abuse of such practices.  Even if one, or more of them, who are as easily tracked as one of us, were to have their information outed, revealing their deeds, naughty or nice.

Anyone who thinks this kind of stuff matters should be proactive, check and re-check your settings, don't instantly click "Agree" on any EULA popups, and don't install an app just because the owner says it will provide a "better experience."

If a company or site can't or won't give you a good experience accessible through a browser on their website, think about the reasons behind that, what they have to gain, and what you have to lose.  Sites such as Yelp and Reddit, which actively cripple their mobile browser experience, should raise eyebrows.

It has nothing to do with the Fourth Amendment. Law enforcement is entitled to buy information that is made available on the open market just like any private party can.

georgie01

But, but, but … I’ve been told cell phone location tracking data isn’t accurate enough to actually determine where people are and so therefore 2000 Mules is false. But law enforcement is using it, and paying for it?

muthuk_vanalingam

appleuseryeah said:

coolfactor said:

Here we go again.

Police from around the country (snip)

Which country? Why are these articles written as if the US is the only country in the world? Fix your editors! 


Thank goodness that Apple is not in the business of selling data!

It’s a US website. Maybe you should adjust your expectations. When you read a US site, wouldn’t it be logical to think they are talking about the US, rather than naively asking “which country?” and demanding the site fix its editors?

Fix yourself. 

In my view, that would be a very bad assumption to make.

StrangeDays

georgie01 said:

But, but, but … I’ve been told cell phone location tracking data isn’t accurate enough to actually determine where people are and so therefore 2000 Mules is false. But law enforcement is using it, and paying for it?

No, 2000 Mules is false because it’s blathering conspiracy nonsense produced by wingnuts who cannot accept that their preferred candidate lost a free & fair election by 7 million voter, not by shadowy mules of ballot harvesters as claimed. 

StrangeDays

muthuk_vanalingam said:

appleuseryeah said:

coolfactor said:

Here we go again.

Police from around the country (snip)

Which country? Why are these articles written as if the US is the only country in the world? Fix your editors! 


Thank goodness that Apple is not in the business of selling data!

It’s a US website. Maybe you should adjust your expectations. When you read a US site, wouldn’t it be logical to think they are talking about the US, rather than naively asking “which country?” and demanding the site fix its editors?

Fix yourself. 

In my view, that would be a very bad assumption to make.

Not at all. The site editors have said it multiple times, they default things like currency to the country they operate and publish from. As a reader it requires next to no cognitive load to carry that assumption. I do it with the websites I read all over somehow. 

muthuk_vanalingam

StrangeDays said:

muthuk_vanalingam said:

appleuseryeah said:

coolfactor said:

Here we go again.

Police from around the country (snip)

Which country? Why are these articles written as if the US is the only country in the world? Fix your editors! 


Thank goodness that Apple is not in the business of selling data!

It’s a US website. Maybe you should adjust your expectations. When you read a US site, wouldn’t it be logical to think they are talking about the US, rather than naively asking “which country?” and demanding the site fix its editors?

Fix yourself. 

In my view, that would be a very bad assumption to make.

Not at all. The site editors have said it multiple times, they default things like currency to the country they operate and publish from. As a reader it requires next to no cognitive load to carry that assumption. I do it with the websites I read all over somehow. 

Oh, ok. Thanks for the clarification. I must have missed that somehow. Agree with your other points as well. I am from a different country and I do it mostly as you mentioned anyway. But I do get confused when the US seasons (spring, fall etc) are mentioned in the articles.

xyzzy-xxx

I believe it's only relevant if someone allows apps (to ask for) tracking from the iOS Settings and then allows the app to use Ad IDs.

darkvader

mikethemartian said:

citpeks said:

lam92103 said:

stantheman said:

This is precisely the type of abuse of personal data that Apple has been protecting us from for many years.  Meanwhile Google, Facebook and others have pretended it was not a significant threat at all. 

The article says the exact opposite. They are harvesting Location Data from apps on iOS

Actually, you're both correct.

One of the key pieces of data is the unique advertising ID, which Apple has put limits on in iOS (App Tracking Transparency) and raised a stink from the ad industry when it was introduced.

Third party SDKs that developers use to build apps are leaking and exploiting that data, which is traded in a shadowy industry where different interests buy that information for their own purposes.  In this case, it's law enforcement, to determine location history for a device.  Other buyers may have an interest in the whereabouts of user devices for other purposes, like marketing.

What's of interest here is that law enforcement is purportedly bound by some old document, the U.S. Constitution, which contains a section forbidding unreasonable search or seizure without a warrant.  That pesky 4th Amendment.  And any rational citizen should also recognize that mass surveillance is also counter to the principles of a free society.  Sadly, it's looking like the only difference between us, China, and other despotic countries is that there, it's government sponsored, here it's sponsored by private industry for capital gain.

One of the companies named in this story, Starbucks, may have some plausible deniability, in that it does have an legitimate interest in using the location information a user grants, for its own purposes to help facilitate the sales and marketing of its products, at one of its many outlets.  However, it is troubling that its developers and lawyers, either haven't read, or don't care about the terms under which the leaky SDK in its app, and the company behind it, may also be granted the right to collect that data for itself, and sell it to others, who can then compile and it package it for sale again, like Fog Data is doing for law enforcement.

Starbucks' business is selling coffee.  But there are other companies who have less reliable sources of revenue, arguably less ethics, and may count upon data collection and sale as part of its business, if not the primary business.

Putting one's life on a smartphone has undeniable benefit, and advantages, but it also come with many risks, in that the information stored on them, and how/where they're used can also unintentionally leak a lot of data about the user, which is used in unintended, unknown, and potentially harmful ways.

A cell phone can't practically function without the service provider knowing where the device is located at all times.  And the cell phone companies have been caught selling that information.

A weather, or other app that uses location data to better provide a service also has legitimate and practical use for such data.  But, one app, IBM's Weather Channel app, has been sued for selling that data.

The real issue is that there is a wild west gong on behind the scenes with the data that's captured by our smartphones, whether intentionally and unintentionally, unbeknownst to most users.

And unfortunately, it would be naive to think that Congress has any interest in setting up some rules, or giving the regulators the powers to provide some boundaries, or clamp down on potential abuse of such practices.  Even if one, or more of them, who are as easily tracked as one of us, were to have their information outed, revealing their deeds, naughty or nice.

Anyone who thinks this kind of stuff matters should be proactive, check and re-check your settings, don't instantly click "Agree" on any EULA popups, and don't install an app just because the owner says it will provide a "better experience."

If a company or site can't or won't give you a good experience accessible through a browser on their website, think about the reasons behind that, what they have to gain, and what you have to lose.  Sites such as Yelp and Reddit, which actively cripple their mobile browser experience, should raise eyebrows.

It has nothing to do with the Fourth Amendment. Law enforcement is entitled to buy information that is made available on the open market just like any private party can.

That's absolutely not true.  Companies aren't subject to the 4th, the pigs are.  Attempts to bypass the warrant process by buying data are just as unconstitutional as if the pigs collected the data themselves.

michelb76

coolfactor said:

Here we go again.

Police from around the country (snip)

Which country? Why are these articles written as if the US is the only country in the world? Fix your editors! 


Thank goodness that Apple is not in the business of selling data!

If it's about people's privacy invasion or police overstepping, you can safely assume it's the USA.

FileMakerFeller

AppleInsider said:

Fog Data Science

Fog Data Science was formed by two former high-ranking officials in the Deparment of Homeland Security under former President George W. Bush. It purchases raw geolocation data from around 250 million devices collected by tens of thousands of apps, then aggregates it into a searchable database containing "billions of data points."

Fog then provides access into this database to law enforcement as a subscription that can start at $7,500 per year. The company claims the data is anonymized, saying it has no way of linking it back to specific devices or owners.

Then what's the value of the information? That claim is an outright lie; if heretofore unknown visitors to a geofenced location are identified by the tool then it must have some way to distinguish between individual devices - at which point it cannot be credibly argued that it is "anonymized." All they mean is that they have the identifying data but they are not sharing it with their customers (nudge, nudge, wink, wink). And we know that even purportedly anonymised data sets can be used to build profiles of individuals that are accurate enough to identify names, addresses and other private details.

Shady as hell.