Yet Another Data Broker Found To Give Massive Amounts Of Location Info To Law Enforcement

from the we-can-remember-where-you-were-wholesale dept

The Supreme Court may have extended constitutional protection to historical cell site location info, but that’s not going to stop our public servants — and the private companies that serve them — from finding ways to elude the ramifications of the Carpenter decision.

Over the past couple of years, court documents and public records have exposed this law enforcement-adjacent business. (These brokers also sell data to private companies, but seem to prefer their government contracts.) Bypassing even questionable geofence warrants (ones that perform searches of areas for devices of interest, rather than targeting any specific suspect), government agencies are buying direct access to location data pulled from dozens of apps that collect this information while in use.

The EFF has obtained several documents detailing the offerings of Fog Data Science, yet another entrant in the data broker sweepstakes. Pulling information gleaned from over 100 public records requests, the EFF notes the company has (or has had) contracts with at least 18 law enforcement agencies, including some at the federal level.

Here’s what the company does:

The company, Fog Data Science, has claimed in marketing materials that it has “billions” of data points about “over 250 million” devices and that its data can be used to learn about where its subjects work, live, and associate. Fog sells access to this data via a web application, called Fog Reveal, that lets customers point and click to access detailed histories of regular people’s lives. This panoptic surveillance apparatus is offered to state highway patrolslocal police departments, and county sheriffs across the country for less than $10,000 per year.

And it appears the company (and some of its law enforcement customers) believe obtaining location data through Fog (which the company advertises as being capable of long-term tracking) does not implicate the Fourth Amendment. One of its communications with the California Highway Patrol contains this statement from a Fog representative — one which states it has spoken to other law enforcement customers who believe the Carpenter decision has nothing to do with this particular location data source.

We haven’t done any work on Carpenter. We have had several clients view our solution through the lens of Carpenter, most recently was from a meeting I had with NJ State Police and NJ AG’s Office. The attorneys in the meeting felt that since we are providing non PII [personally identifying info] data, held by third parties, Carpenter doesn’t apply. As you know, in the Carpenter case, the FBI had his cell number and requested specific records pertaining to him. With our data, we have no way of linking signals back to a specific device or owner.

That legal theory can be described most charitably as “untested.” Maybe courts will find that layering third parties (the app sources and the data broker hawking the data) makes it too far removed from the source to make Carpenter applicable. Or maybe some courts will find it’s ultimately close enough to the CSLI-enabled tracking in the Carpenter case (since investigators will use this data to identify suspects and then can go back to the brokers to gather more data on the targeted device/device owner) that warrants are required.

Either way, it shows law enforcement is looking for solutions that don’t require judicial oversight, and Fog Data Science is more than willing to be that solution.

And the company may claim in its Carpenter discussion it doesn’t provide PII and therefore cannot perform location tracking, but it claims otherwise in its marketing for its Fog Reveal product.

Law enforcement can specify one or more devices they’ve identified and a time range, and Fog Reveal will return a list of location signals associated with each device. Fog’s materials describe this capability as providing a person’s “pattern of life,” which allows authorities to identify “bed downs,” presumably meaning where people sleep, and “other locations of interest.” In other words, Fog’s service allows police to track people’s movements over long periods of time. 

Despite all the options the company offers (allegedly up to “15 billion location signals each day” from “250 million devices a month”), Fog Data seems to be having trouble holding onto its law enforcement customers.

Additionally, the records EFF reviewed show that several of the agencies that worked with Fog have since canceled their subscriptions, and at least one said they were not sure if they ever used Fog to successfully solve a case.

That’s not to say that if Fog sucks at its job, that makes it ok. It doesn’t. App users may opt into sharing data with apps, but they’re rarely aware app developers are sending this information on to data brokers, who are now basically forcing app users one step removed from the data broker to share their location data with government agencies.

The first breakdown in responsibility comes from app developers who sell this information to data brokers. The second breakdown comes from Fog’s government customers, who haven’t been exactly open or honest about their frequent use of third-party brokers to obtain bulk data they can’t legally acquire from cell service providers without a warrant.

There’s much, much more in the EFF’s discussion of its findings from its public records haul, including suspected links to Venntel, another data broker with plenty of powerful government clients. And it shows packaging and analyzing app data to track people is still a growth business, one that won’t see any slowdown until it’s either reined in by privacy legislation or courtroom precedent.

Filed Under: , , ,
Companies: fog data science

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Yet Another Data Broker Found To Give Massive Amounts Of Location Info To Law Enforcement”

Subscribe: RSS Leave a comment
7 Comments
Anonymous Coward says:

Simple Privacy Idea

I had an idea just now that I wonder if implemented would be a strong solution to privacy, data collection and children on the internet. Feel free to poke holes….

Make a law stating that to sell or market data the seller must prove the data does not belong to a minor.

Places the burden/cost on the collector, be it Vizio or an app developer. Helps smaller companies not have to comply with some compliance scheme as they can simply not sell (or not collect if unnecessary) said data while still offering their services. Helps children by having FAR less data collected. Helps create awareness of data collection/sales by forcing implementation of some kind of age verification/permission structure. I having seen any downsides yet. Other than obvious corruption elimination/less campaign contributions…..

I may posit this on Mike’s post as well.

Anonymous Coward says:

Re:

Correct me if I’m getting the wrong idea.

I think it’s a bad idea to design a law in such a way that it depends on being inherently hard to comply with rather than on specifying proper practices which a company could reasonably be expected to follow. I have concerns about designing a law whose text is deliberately far removed from the spirit of the law. In other words, such an indirect law is risky.
1. Eventually some smart (cunning, if you will) company will find a way to comply with the text of the law and still violate the privacy of minors and adults.
2. If citizens don’t intend to make a new properly designed privacy law to supersede this one, then the law implicitly will declare that privacy is only for minors. It also implicitly declares that sharing and selling data without consent is ok as long as certain conditions are followed.
3. Without further clarification, it will be very difficult to explain to a court how exactly a company violated the law.

More nebulous concerns of mine:
4. The problem isn’t just selling. It’s also sharing. And even wrt selling right now data brokers and companies such as Google are safe to make money off of data because technically under the law they aren’t “selling” or “marketing” data. (Extra reading about Google: https://www.eff.org/deeplinks/2020/03/google-says-it-doesnt-sell-your-data-heres-how-company-shares-monetizes-and)
5. If the law remains too vague then an understaffed, overextended agency such as the FTC won’t be able to meaningfully enforce the law. (Proving a violation seems too difficult for a private right of action to work.)
6. It may be unethical for a law to have a textual design so far removed from its spirit. Rudimentary analogy: A law seeking to ban graffiti on playgrounds prohibits being in a playground while carrying a spraypaint can.

Partisan Popycock says:

Who didn’t see this coming? Like censorship-by-proxy, we now have full-on warrants by proxy.

And other rights under the two tiered society (that started most recently with the Violence Against Women Act) as yet enumerated?

The VAWA was an assault on common sense, and a harbinger of what has come since–Roe overturned, the 1st, 2nd, 4th, et al. under assault–who couldn’t have predicted that by allowing the false narrative of women’s violence as precipitated by male something-or-other-as-yet-unspecified would result in this?

Patriarchy be damned–but that hidden matriarchy that was instituted should have been called what it is: a negotiable whore that preys upon all of our rights.

Oh, and the Kween died recently-that seems important, especially for the special snowflakes amongst us.

Ku Klux Klan Kamelia’s, “good men” projects, and the “white knights” of journalism like Simon Jenkins are a scourge chewing against structural equality.

Now watch as AC-Holes try to flag me of this forum for saying that–this is what they all do, in practice.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...