The Wild West of Smartphone Data and Surveillance

Maya Villasenor is a former Digital and Cyberspace Policy program intern at the Council on Foreign Relations and an engineering student at Columbia University.

Last November, Motherboard reported that data brokerage startups X-Mode and Babel Street sold location data derived from ordinary, seemingly innocuous smartphone apps to the U.S. military. Although it is not yet clear how the military leveraged commercial location data, smartphone data has previously been used to inform drone strikes overseas. The Department of Homeland Security (DHS) also recently faced scrutiny for using smartphone app location data to track suspected undocumented immigrants. In January, an unclassified memo from the Defense Intelligence Agency described [PDF] using commercial mobile phone data in at least five investigations. While it is clear why the U.S. government desires location data gathered by the commercial sector, addressing the resulting legal and policy questions is much more difficult.

X-Mode, first founded as an app to track inebriated college students, illustrates the complexities of the market. The company promises in their publicity material to provide “accuracy and transparency in the location data industry” by selling privacy-conscious, consent-based data compliant with Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). App developers hoping to monetize their user base without tackling the complexities of the regulatory hurdles surrounding location data install X-Mode’s software in exchange for a small commission. After ostensibly stripping the data of personally identifiable information, X-Mode then licenses datasets derived from these apps to interested contractors, including retailers, insurers, cybersecurity firms, scientists (including researchers tracking the spread of COVID-19), and urban planners. According to their website, data belonging to over 25 percent of the adult American population passes through X-Mode every month.

Users can opt out of in-app data collection, and as a result, government agencies assert [PDF] that a Supreme Court precedent blocking law enforcement from obtaining mobile phone location data without a warrant, Carpenter v. United States (2018), does not apply. Without the privacy protections afforded by Carpenter, a pair of outdated precedents from the pre-digital era, United States v. Miller (1976) and Smith v. Maryland (1979), suggest that mobile phone users do not have a “reasonable expectation of privacy” regarding data they voluntarily allow smartphone apps to collect. However, opting out of smartphone data collection is exceedingly difficult, and most smartphone users do not understand the complex net of data collection tied to apps. Users who do not opt out, whether by choice or naivete, are also often unaware of the ultimate destination of their data.

Government agencies furthermore insist that the purchased location data does not contain individual identities, rendering Fourth Amendment concerns irrelevant. Although X-Mode, Babel Street, and their peers emphasize the anonymity of their datasets, data inherently is not private. In 2019, researchers at the Imperial College London and the Université Catholique de Louvain demonstrated that anonymized datasets with merely fifteen attributes could be used to re-identify individuals with a 99.98 percent accuracy. (Their re-identification software was ultimately published online for public use.) Moreover, former employees at Babel Street bragged that they could—and would, for fun—“absolutely deanonymize a person.”

In December, Apple and Google compelled developers to remove X-Mode’s software from their apps and threatened that noncompliance would result in removal from app marketplaces, and the Office of the Inspector General announced an investigation into DHS for its warrantless use of smartphone app location data. The U.S. House Committee on Oversight and Reform is also currently investigating [PDF] the data trade, yet the innumerable applications of location data—at times malicious but often benign—will render bright-line distinctions elusive.

While domestic scrutiny is necessary and overdue, it will likely do little to address the burgeoning transnational trade of data and surveillance technology, an underappreciated threat to privacy. NSO Group, which has a reputation for selling spyware to governments with poor human rights records, recently debuted a contact tracing system for health ministries, known as Fleming, that was purportedly developed using cell phone location information purchased from data brokers. When deployed, Fleming requires governments to continuously input large volumes of cell phone location data to gain insight into the spread of COVID-19, thus incentivizing them to either purchase vast troves of location data or collect it through other means. Consequently, people’s data from their mobile phones could be used in NSO Group’s contact tracing product without their knowledge.

In the current data landscape, where there is often little distinction between commercial and government action, and where vendors, buyers, and targets of surveillance exist in various countries, regulation is insufficient, and redress is challenging. The dialogue on digital location information largely focuses on the visible, superficial aspects of data collection, yet the complex interlinkages involving behind-the-scenes vendors of data and software will likely pose a greater threat to privacy in the coming decade.