If you rely on Apple's and Google's app store rules to protect your location data from companies that sell it to the government, you may want to reconsider that reliance. But if you rely on the legal system to stop government agencies from buying that data, you might be in luck – maybe.
A new report from a Treasury Department inspector general says it does not believe agencies have the legal right to purchase location data from commercial services without obtaining a warrant. The watchdog had investigated the Internal Revenue Service (IRS) for doing just that, but the IRS isn't the only agency buying location data on the open market. The military, the Federal Bureau of Investigation (FBI), the Drug Enforcement Administration (DEA), and the Department of Homeland Security (DHS) are doing it too.
Agencies have said they are not doing anything illegal because they are simply purchasing commercially available data provided by users who consented to that data being collected. The new report casts doubt on that claim, saying that a 2018 Supreme Court ruling requiring law enforcement to get a warrant for cell tower location data could also apply to commercially purchased location data.
If the inspector general is right, this could end the government's purchase of location data obtained through a chain of intermediaries, a supply chain that is very difficult to follow and therefore difficult to stop. App stores have tried to take action, but their bans can be leaky and incomplete. Google recently banned a tracker's SDK from apps in its app store, but researchers have repeatedly found apps that still contain it. And with an entire industry dedicated to collecting and selling location data, even a complete ban on one tracker isn't going to make much difference.
The legal gray area that "data laundering" exploits – and that Google won't stop
The source of that data is your mobile phone. More specifically, it is the apps you install on it, which can send location data back to third-party companies that specialize in selling, or providing access to, location data to advertisers, marketers, and data brokers – even other location data providers. The data can pass through several companies before it reaches the final buyer. The location data supply chain is intentionally opaque, but eventually your data (and that of millions of others) could end up in the hands of a law enforcement agency willing to pay for it.
Sean O'Brien, Principal Investigator at ExpressVPN's Digital Security Lab, has a term for this: data laundering.
"There are so many actors sharing and selling data that it is incredibly difficult to follow the trail," O'Brien told Recode.
Last November, Vice managed to follow one trail, reporting that a location data company called X-Mode sold data collected through its software development kit (SDK), which is embedded in hundreds of apps with millions of users, to defense contractors. Those contractors then sold that data to the military. (Sen. Ron Wyden (D-OR) had been on a parallel quest to investigate data brokers, and came to a similar conclusion around the same time.)
Following that report, Apple and Google banned the X-Mode SDK from their app stores. But months later, researchers are still finding that SDK in apps with thousands of users. O'Brien's Digital Security Lab, along with Defensive Lab Agency co-founder Esther Onfroy, reviewed 450 Android apps and found X-Mode's SDK in nearly 200 of them, some of which sent data to X-Mode even after the ban. Google removed at least one of those apps after being told it had slipped through the company's net. ExpressVPN then found 25 more apps with the SDK, most from a developer called CityMaps2Go. Google has removed those apps from its store and admitted that they got through the screening process due to an "oversight in our enforcement process."
ExpressVPN told Recode it then found 22 additional apps with the X-Mode SDK in the Google Play Store, all of them developed by CityMaps2Go, indicating that Google's enforcement process needs some work. Worth noting: some of these are paid apps, which should dispel the myth that paying for an app guarantees your privacy. Although Google knew that some of CityMaps2Go's apps contained the banned SDK, it did not check the others. When Recode told Google about the oversight, the company removed the apps from the store.
What is going on here? The company behind CityMaps2Go, Ulmon, was taken over by another company, Kulemba, last year. Kulemba told Recode that it is having trouble accessing the code needed to remove the SDK from its Android apps. That leaves it up to Google to find and remove apps that break its rules, and consumers can only hope it does. With nearly 50 apps having slipped through the cracks so far, that hope may be misplaced. O'Brien thinks Google can do better.
"Researchers outside of Google can identify the presence of these banned SDKs without owning and using the benefit of Google Play," said O'Brien. "We looked at developer apps with known links to X-Mode and discovered the offending SDK using known methods. Consumers should reasonably expect Google, or an app store operator, to protect users from SDKs that have been banned; otherwise there is a serious rift between policy and practice."
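Added example, not code from the article or from the researchers it quotes: one static check of the kind outside researchers can run. Android apps ship their Dalvik bytecode in classes.dex files whose string table lists every class descriptor, so a known SDK package prefix can be looked up there without any special access to the store. The prefixes and the constructed DEX used for the self-test are placeholders; the article does not give the banned SDKs' package names, so an analyst supplies the real ones.

```python
import struct
import zipfile

BANNED_PREFIXES = ("Lcom/example/bannedsdk/", "Lio/example/tracker/")  # hypothetical placeholders

def read_uleb128(data, pos):
    """Decode an unsigned LEB128 integer at pos; return (value, next_pos)."""
    result, shift = 0, 0
    while True:
        byte = data[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7

def dex_strings(dex):
    """Yield every entry of a DEX string table (string_ids_size/off live at 0x38/0x3C)."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    count, table_off = struct.unpack_from("<II", dex, 0x38)
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        _utf16_len, start = read_uleb128(dex, data_off)  # uleb128 length, then MUTF-8 data
        end = dex.index(b"\x00", start)                  # string data is NUL-terminated
        yield dex[start:end].decode("utf-8", errors="replace")

def find_banned_sdks(dex, prefixes=BANNED_PREFIXES):
    """Return the sorted banned prefixes whose class descriptors occur in this DEX."""
    return sorted({p for s in dex_strings(dex) for p in prefixes if s.startswith(p)})

def scan_apk(path, prefixes=BANNED_PREFIXES):
    """An APK is a zip; check classes.dex, classes2.dex, ... (multidex) inside it."""
    with zipfile.ZipFile(path) as apk:
        dexes = [apk.read(n) for n in apk.namelist()
                 if n.startswith("classes") and n.endswith(".dex")]
    return sorted({p for d in dexes for p in find_banned_sdks(d, prefixes)})

def build_test_dex(strings):
    """Constructed minimal DEX (header + string table only); ASCII strings under 128 bytes."""
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    offsets, data, data_base = [], bytearray(), 0x70 + 4 * len(strings)
    for s in strings:
        offsets.append(data_base + len(data))
        enc = s.encode("ascii")
        data += bytes([len(enc)]) + enc + b"\x00"  # one-byte uleb128 size, MUTF-8, NUL
    struct.pack_into("<II", header, 0x38, len(strings), 0x70)
    return bytes(header) + b"".join(struct.pack("<I", o) for o in offsets) + bytes(data)
```

A string-table match shows only that the SDK's classes are packaged in the app; whether the code still runs and sends data, as some of the apps above did, needs a dynamic check as well.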
But there's a bigger problem here than one company's SDK and Google's apparent difficulty in enforcing its own rules. X-Mode isn't the only company providing location data to government agencies, and it's not the only company the government buys it from. An app store ban is not enough to stop the vast, opaque, and labyrinthine location data industry, which is worth billions of dollars.
"Location data brokers use many ways to extract data from apps," Wolfie Christl, a researcher who studies the data industry, told Recode. "They can have apps embed their data collection code, harvest it from the bidstream in digital advertising, buy it directly from app suppliers, or just buy it from other data brokers."
X-Mode did not respond to a request for comment on whether and how it still obtains and uses location data, but even if it has truly been cut off, we already know there are other companies selling location data to the government: specifically, Babel Street and Venntel. Finding their primary data sources is difficult – data laundering, again – but recent reports linked Venntel with two SDKs that sent data to Venntel through a chain of intermediaries, including its parent company, Gravy Analytics.
One of those SDKs, from a company called Predicio, was banned from the Google Play Store in early February. We'll see if Google is able to enforce the Predicio ban better than X-Mode's.
"The mobile app economy became a cesspool of data exploitation," Christl told Recode. "The only way to fix this is to finally enforce data protection law in the EU and put in place strong laws in the US and other regions."
If Google can't stop location data brokers, maybe a new law can
We may have some legislation soon. Wyden, who had originally requested the IRS inspector general's report as part of his investigation into the location data industry and its use by government agencies, told Recode that he plans to introduce a bill banning law enforcement from buying location data.
"Americans need stronger protections for our rights than app stores slapping with shady data brokers," Wyden told Recode. "Congress needs to close the loopholes that allow middlemen to sell our personal data to the government, and turn it into black-letter law, along with a strong consumer privacy law, to make it more difficult to compile the massive databases of where we go and what we read and buy online, and put users back in control of our information."
"That's why in the next few weeks I will introduce the Fourth Amendment Is Not For Sale bill, to make sure the government gets a warrant for personal information, rather than just taking out a credit card," he said.
There is also a chance, as the inspector general's report said, that the courts will find the purchase of location data to be a violation of the Fourth Amendment, which would solve that part of the problem for us.
Regardless, this only targets one category of location data customers. As Wyden said, consumer privacy laws are also needed. Until (and unless) we get them, we have to trust companies to regulate themselves, and trust that they will actually do it. If one of the largest companies in the world can't rid its own app store of just one SDK that violates its terms of service, how can we expect it to find and remove the others? When location data companies filter their data sales through multiple intermediaries, how are Google and Apple supposed to know who is breaking their rules?
"Regulations and legal action can have a positive effect, but I am always looking for more basic solutions," said O'Brien. "Consumers need to rethink their relationship with smartphones, social networks and technology in general."
Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.