If you’re relying on Apple’s and Google’s app store rules to keep your location data safe from companies that sell it to the government, you might want to rethink that policy. But if you’re relying on the legal system to stop government agencies from buying that data, you might be in luck — maybe.
A new Treasury Department inspector general report says that it doesn’t believe agencies have the legal right to buy location data from commercial services without obtaining a warrant. The watchdog had been investigating the Internal Revenue Service (IRS) for doing just that, but the IRS isn’t the only agency that buys location data on the open market. The military, the Federal Bureau of Investigation (FBI), the Drug Enforcement Administration (DEA), and the Department of Homeland Security (DHS) do it, too.
Agencies have said that they aren’t doing anything illegal since they’re simply buying commercially available data supplied by users who consented for that data to be collected. This new report casts doubt on that claim, saying a 2018 Supreme Court ruling that required law enforcement to get a warrant for cellphone tower data could be applied to location data, too.
If the inspector general is correct, this could put a stop to the government purchase of location data that is procured through a series of intermediaries, a supply chain that is very difficult to follow and therefore difficult to stop. App stores have tried to take action, but their bans can be leaky and incomplete. Google recently banned one tracker from apps in its app store, but researchers have repeatedly found apps that still contain it. And, with an entire industry dedicated to harvesting and selling location data, even a complete ban of one tracker won’t make much of a dent.
The legal gray area that “data laundering” exploits — and that Google won’t stop
The source of that data is your mobile phone. More specifically, it’s the apps you put on it, which may send location data back to third-party companies that specialize in selling location data, or access to it, to advertisers, marketers, and data brokers — even other location data providers. It may go through several companies before it reaches its end user. The location data supply chain is intentionally opaque, but eventually your data (and that of millions of others) may wind up in the hands of whatever law enforcement body is willing to pay for it.
Sean O’Brien, principal researcher of ExpressVPN’s Digital Security Lab, has a term for this: data laundering.
“There are so many actors sharing and selling data that it’s incredibly difficult to chase the trail,” O’Brien told Recode.
Last November, Vice managed to chase one trail, reporting that a location data company called X-Mode was selling the data obtained through its software development kit (SDK), which is in hundreds of apps with millions of users, to defense contractors. Those contractors then sold that data to the military. (Sen. Ron Wyden (D-OR) had been on a parallel quest to investigate data brokers, and reached a similar conclusion around the same time.)
Following that report, Apple and Google banned X-Mode’s SDK from their app stores. But months later, researchers are still finding that SDK in apps with thousands of users. O’Brien’s Digital Security Lab, along with Defense Lab Agency co-founder Esther Onfroy, looked at 450 Android apps and found X-Mode’s SDK in nearly 200 of them, some of which were sending data to X-Mode even after the ban. Google removed at least one of those apps after being informed it had slipped through the company’s net. Then ExpressVPN found 25 more apps with the SDK, most from a developer called CityMaps2Go. Google removed those apps from the store, admitting that they got through its screening process due to an “oversight in our enforcement process.”
ExpressVPN told Recode that it then found 22 more apps with the X-Mode SDK in the Google Play Store, all of which were developed by CityMaps2Go, indicating that Google’s enforcement process needs some work. Worth noting: Some of these are paid apps, which should dispel the myth that paying for an app guarantees your privacy. Despite knowing that some of CityMaps2Go’s apps had the banned SDK, Google didn’t check its others. When Recode told Google about the oversight, the company removed the apps from the store.
What’s going on here? The company behind CityMaps2Go, Ulmon, went bankrupt last year. CityMaps2Go was then acquired by a company called Kulemba. Kulemba told Recode that it’s having trouble accessing the code to remove the SDKs from Android apps. That leaves it up to Google to find and remove apps that break its rules, and the consumer just has to hope that it does. With nearly 50 apps slipping through the cracks so far, that hope might be misplaced. O’Brien thinks Google can do better.
“Researchers outside of Google can identify the presence of these banned SDKs without the benefit of owning and operating Google Play,” O’Brien said. “We looked at apps by developers with known links to X-Mode and discovered the offending SDK using well-known methods. Consumers should reasonably expect that Google, or the steward of any app store, protects users from SDKs that have been banned — or there’s a serious disconnect between policy and practice.”
But there’s another, bigger issue here than one company’s SDK and Google’s apparent difficulties enforcing its own rules. X-Mode isn’t the only company that provides location data to government agencies, and it’s not the only company the government is buying it from. Whack-a-mole app store bans will not be enough to stop the massive, opaque, and labyrinthine location data industry that is worth billions.
“Location data brokers use many ways to source data from apps,” Wolfie Christl, a researcher who investigates the data industry, told Recode. “They can make apps embed their data collection code, harvest it from the bidstream in digital advertising, source it directly from app vendors, or just buy it from other data brokers.”
X-Mode did not respond to request for comment on if and how it is still obtaining and using location data, but even if it is well and truly cut off, we already know there are other companies selling location data to the government: specifically, Babel Street and Venntel. Finding their primary data sources is difficult — the data laundering, again — but recent reports linked Venntel to two SDKs, which sent data to Venntel through a series of intermediaries, including its parent company Gravy Analytics.
One of those SDKs, from a company called Predicio, was banned from Google’s Play Store in early February. We’ll see if Google is able to enforce the Predicio ban better than it did X-Mode’s.
“The mobile app economy became a cesspool of data exploitation,” Christl told Recode. “The only way to fix this is to finally enforce data protection law in the EU, and to introduce strong legislation in the US and in other regions.”
If Google can’t stop location data brokers, maybe a new law can
We might have some legislation soon. Wyden, who requested the IRS inspector general’s report in the first place as part of his investigation into the location data industry and government agencies’ use of it, told Recode that he intends to introduce a bill that will forbid law enforcement from purchasing location data.
“Americans need stronger protections for our rights than app stores playing whack-a-mole with shady data brokers,” Wyden told Recode. “Congress needs to close the loopholes that let middlemen sell our personal data to the government, and put it into black-letter law, along with a strong consumer privacy law to make it harder to assemble the massive databases of where we go, and what we read and buy online, and put users back in control of our information.”
“That’s why I will introduce the Fourth Amendment Is Not For Sale Act in the coming weeks, to make the government get a warrant for personal information, instead of just pulling out a credit card,” he said.
There’s also a chance, as the inspector general report said, that location data purchases will be found by the courts to violate the Fourth Amendment, which will solve that part of the problem for us.
Either way, this only addresses one category of location data customers. As Wyden said, consumer privacy laws are also needed. Until (and if) we get those, we have to rely on companies to regulate themselves and trust that they’re doing it. If one of the biggest companies in the world can’t rid its own app store of just one SDK that violates its terms of service, how can we expect it to find and remove the others? When location data companies filter their data sales through multiple intermediaries, how are Google and Apple supposed to know who is breaking their rules in the first place?
“Regulation and legal action can have a positive effect, but I always look for more grassroots solutions,” O’Brien said. “Consumers need to think differently about their relationship with smartphones, social networks, and tech in general.”
Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.
Correction: A previous version of this article said that Kulemba acquired Ulmon. Kulemba only acquired Ulmon’s CityMaps2Go apps.