The US Military Buys Location Data Generated by Commonly-Used Apps

Today, leveraging data is the standard procedure for most companies, apps, and websites.

Data acquired from consenting users is resold to other parties without users knowing this happens. We now know that telecom companies resell user location data, and scandals like the Cambridge Analytica often reveal dirty secrets.

And recent news exposes yet another damaging privacy intrusion. Instead of requesting search warrants, the US Defense Intelligence Agency is now buying commercially available smartphone location data.

Apps US Military Use to Collect Unwarranted Data

Plenty of mobile apps collect location data and then sell it to data brokers. Some do this without the user’s consent; others bury it deep within their Terms and Conditions or Privacy Policy.

Legally, anyone can buy from data brokers, including the government. And based on The Patriot Act, signed within weeks of the September 11 attacks, the FBI can keep Americans under surveillance without having to notify them.

Data collection, mining, tracking, storage, and analysis have become the cornerstone of US intelligence power. But most users (and sometimes even app developers) have no idea where their information might end up. Plus, the companies that sell user data have little to no safety measures to prevent abuse.

Here are a few recent examples from 2020 that uncover how several US law enforcement agencies have collected people’s data:

How the US Military Gets its Location Data

It looks like the US military is using at least two data flows to access people’s location data:

• • • Locate X, developed by Babel Street, to assist on overseas special forces operations
    • X-Mode, a location broker company, to get data from various apps

Navy Commander Tim Hawkins, a US Special Operations Command spokesperson, confirmed the Locate X purchase. Hawkins also stated:

Our access to the software is used to support Special Operations Forces mission requirements overseas. We strictly adhere to established procedures and policies for protecting the privacy, civil liberties, constitutional and legal rights of American citizens.

A Babel Street document available online states:

“Within the technical specifications of the Locate X Data, Customer’s use of the Locate X Data is not limited by the number of search queries.” The document says the location data may not always be accurate.

Location broker X-Mode collects the app users’ location data through software development kits (SDKs). The company encourages developers to integrate the SDK into their apps, then pays them based on how many users they have.

According to X-Mode CEO Joshua Anton, the company tracks 25 million devices per month inside the United States. But 40 million users outside the US, including in the European Union, Latin America, and the Asia-Pacific region, have an active account for this X-Mode app.

These Are the Targeted Apps

The most popular and used apps for gathering location data are a Muslim prayer and a Quran app, with more than 98 million downloads worldwide.

While it feels like we’re reliving the aftermath of the 9/11 “war on terror” principles, the US military also seems to be interested in location data provided by at least:

• • • A Muslim dating app
    • A Craiglist app
    • An app for following storms
    • A leveling app for installing shelves

At least five more Muslim prayer or similar apps worked with data broker X-Mode, which has sold location data to military contractors and by extension U.S. military intelligence, according to multiple technical analyses. https://t.co/ByH785iiFU

— Motherboard (@motherboard) January 28, 2021

The apps sending data to X-Mode include Muslim Pro. This app reminds users when to pray and what direction Mecca is, based on the user’s current location.

Network analysis research showed that both the Android and iOS versions of the Muslim Pro app sent granular location data to the X-Mode endpoint many times.

In response to the report, Muslim Pro announced it would stop sharing data with X-Mode. Apple and Google said they would ban any apps that use X-Mode’s tracking software from mobile devices that run iOS and Android operating systems.

Another app that sent data to X-Mode was Muslim Mingle, a dating app downloaded more than 100,000 times.

New: Google has banned Predicio from its Play Store after Motherboard investigation. Predicio pays apps (inc. Muslim prayer app) for location data then sells it to clients. Predicio is part of supply chain linked to contractor Venntel; Venntel sells to ICE https://t.co/qNQGHESNWt

— Joseph Cox (@josephfcox) February 9, 2021

The “Third Party Doctrine” Gets a Twist

In 2011, police arrested Timothy Carpenter on suspicion of participating in a series of armed robberies in and around Detroit. During the investigation, FBI agents acquired transactional records from Carpenter’s cell phone carrier. But Carpenter argued that obtaining cellular data without a warrant violated Fourth Amendment rights.

The Fourth Amendment of the US Constitution protects people from unreasonable searches and seizures by the government.

In 2018, the ruling in the Carpenter v. the United States case argued that government entities should get a warrant to access cell site location information from a cell phone company—the detailed geolocation information generated by a cellphone’s communication with cell towers.

Before Carpenter, government entities could have attained cellphone location records by claiming the information is part of an investigation. Despite the ruling in this famous case, US law enforcement and other government agencies keep misusing unwarranted data tracking. Plus, they still rely on cell-site simulators (better known as Stingrays) to intercept phone communications without a warrant.

More Surveillance Towards the American People from the Pentagon

In May 2021, Senator Rob Wyden also revealed that the Pentagon is surveilling American citizens without a warrant.

The senator requested the US Department of Defense (DoD) to release public information about the warrantless surveillance about metadata, including ‘NetFlow'(IP network traffic) and Domain Name System (DNS) records.

In a public letter, Senator Rob Wyden is asked the DoD several questions, such as:

• • • Are these records about “domestic internet communications (where the sender and recipient are both U.S. IP addresses)” and/or international communications (where one side of the communication is a US IP address, and the other side is located abroad”)?
    • “Are any DoD components buying and using without a court order internet metadata, including ‘NetFlow’ and Domain Name System (DNS) records?”
    • Other than DIA, are any DoD components buying and using without a court order location data collected from phones located in the United States? If yes, please identify which components.”
    • “Are any DoD components buying and using without a court order location data collected from automobile telematics systems (i.e. internet-connected cars) from vehicles located in the United States? If yes, please identify which components.”

The DoD replied as follows:

In general, the collection and retention of data by Defense Intelligence Components enable the conduct of authorized intelligence activities (specifically, foreign intelligence and counterintelligence activities), which are subject to applicable law, regulation, and policy, including the Fourth Amendment (as understood through the Carpenter opinion and other relevant case law) and the Attorney General-approved procedures in DoDM 5240.01. We understand that DIA has already provided Senator Wyden’s staff with a document that states DIA’s legal conclusions as regards the DIA activity in question. We have no other analyses to provide in response to this question.

As part of the DoD, the Defense Intelligence Agency (DIA) handles defense and military intelligence. The agency collects and analyzes military-related foreign political, economic, industrial, and geographic intelligence.

DIA’s intelligence operations go beyond combat zones, covering locations and US embassies in 140 countries.

The (DIA) has argued that the rules of surveillance based on a warrant don’t apply to commercial data the government buys.

While senator’s staff received some answers, for now, he is unable to make the information public as some records cover sensitive information.

Here’s Hoping for a Judicial Silver Lining

The intense surveillance activity doesn’t just threaten Americans’ privacy, but any individual’s privacy anywhere in the world.

US Senator Ron Wyden promises a law that will forbid unwarranted data tracking and collection:

I’m drafting legislation to close this loophole and ensure the Fourth Amendment isn’t for sale.

The promised legislation is still a work in progress, but Wyden has an extensive history of introducing legislation supporting people’s right to privacy and condemns illegal surveillance.

Fingers crossed that this new law will be drafted sooner, along with many others that will keep pleading personal data protection, including your digital identity.

However, for these laws to be effective, they should also be respected and applied accordingly.

Let me know in the comments below.