DEA Ditches Location Data Vendor Currently Being Investigated By Congress

/in /by

By Tim Cushing – Tech Dirt | Fri. Dec. 18, 2020 |

The Supreme Court ruled that law enforcement agencies needed a warrant to obtain cell site location info. The ability to turn third parties (like telcos) into proxy long-term tracking devices concerned the court, which decided this wasn’t permissible under the Fourth Amendment. Every American carries a cellphone. But just because they do doesn’t mean they agree the government should be able to track their movements with them.

No problem, said federal law enforcement agencies. We’ll just get the same data from new sources — ones not specifically mentioned in the Carpenter decision. Data brokers harvesting location data from phone apps sell access to government agencies, allowing them to bypass the warrant requirement.

This new source of data location has become a concern for some legislators, which have demanded answers from agencies like the IRS and CBP about their acquisition and use of this data. One company — Venntel — is currently facing a Congressional investigation of its data selling practices. This hasn’t stopped CBP from buying data to track immigrants. But it has perhaps led to one agency — one with a long history of bulk collection violations — to ditch its contract with Venntell. Joseph Cox fills in the details at Motherboard.

The Drug Enforcement Administration abruptly cancelled its contract with Venntel, a U.S. contractor that sells location data harvested from ordinary apps installed on people’s phones around the world.

The news signals that although Venntel’s smartphone location data may be popular with some federal agencies, including Customs and Border Protection (CBP) which Motherboard found spent nearly half a million dollars to access the data, other law enforcement bodies may have less use for such technology.

As Cox’s report suggests, this may not be an indicator of reluctance to engage with a vendor currently under investigation. Instead, it may indicate some agencies find the harvested data less useful than others. The data CBP accesses allows it to track people’s movements on both sides of the border, which is far more useful than scattershot data that may not deliver anything of value to DEA agents seeking to make a drug bust.

The DEA’s cancellation was rather abrupt, suggesting it didn’t feel like paying for something it didn’t see itself using.

Keith Chu, communications director for the office of Senator Ron Wyden, described to Motherboard a conversation that his office had with the DEA.

“On DEA, they told our office: ‘[The Venntel contract was] terminated on our end before the first 30 days of the one year period of performance after determining it would not fit our needs,'” Chu said.

Then again, the DEA may have just cancelled this contract temporarily. The company is being investigated by Wyden and the senator has asked a lot of questions agencies may not feel like answering. Perhaps the DEA may re-engage when the heat dies down. Or it may seek to obtain this data from a different broker — one not currently targeted by a Congressional investigation. Given the restraints on collecting location data from service providers, any parallel source of data is still preferable to seeking a warrant.

If it’s not useful now, there’s a chance it will be in the future. That’s why Congress needs to act. And if it doesn’t, the courts need to examine this data collection under the constraints of the Carpenter decision and decide whether it’s ok for law enforcement to dodge warrant requirements that would seem to apply to ANY tracking of individuals, even if the data is sourced from third party data brokers.

Read the original article HERE.

Exclusive: Israeli Surveillance Companies Are Siphoning Masses Of Location Data From Smartphone Apps

/in /by

By Thomas Brewster – Forbes | Fri. Dec. 11, 2020 |

This year has seen a rush amongst government snoops for a new and sometimes contentious data set: location data grabbed by smartphone popular apps. Customs and Border, the FBI, the U.S. military and other federal agencies have been keen buyers, though it’s caused a furor amongst privacy and human rights watchdogs. The outcry this week led Apple and Google to kick apps containing location-grabbing code from Reston, Virginia-based provider X-Mode out of their respective app stores.

But Israeli surveillance vendors are also getting in on the act, Forbes has learned. One of the players, a highly secretive startup called Bsightful, is part-owned and backed by one of the biggest surveillance vendors in the world, the Nasdaq-listed, $4 billion market cap company Verint, three industry sources told Forbes. The other is an established player in the Israeli surveillance industry, Rayzone, whose Echo product promises “mass collection of all internet users in a country.” The GPS location data is accurate, as close as within one meter of the target, but will be a little behind in real time, due to the nature of the surveillance.

How do they do it?

To provide this service, the surveillance dealers are targeting the mobile advertising ecosystem. According to three sources speaking on the condition of anonymity, the highly secretive Bsightful is one of a handful involved in the business. Two said that Bsightful is hoovering up app location data by running what’s known as a Demand Side Platform (DSP). In the automated world of mobile advertising, apps looking for advertisers will go to a DSP to show off what kind of advertising space they can offer: what devices they’re installed on and where they’re based. Advertisers and their agencies will then choose where to place ads.

If a surveillance company runs a DSP, they don’t even need to provide the ads. They can simply collect the location and other phone data the app developers are willfully providing, the data passing through what’s commonly called the “bidstream.” But they do have to send back ads “from time to time” to keep the DSP active, according to one industry source. They also need to get as many app developers as possible to include the code pointing to their DSP, so they have maximum possible coverage. Setting up a “white label DSP” lets surveillance companies hoover up data that was solely meant to help marketing campaigns and advertisers.

The information is then packaged up into a software tool for government customers, allowing them to search whole areas or for individuals. For instance, if they have a phone number of a target, that should be enough to get their last known location, as long as they have the relevant app on their device.

Venntel, one of the U.S. government’s suppliers for mobile location data, has used the bidstream to acquire information, according to a disclosure by Customs and Border Protection to Senator Wyden’s office, according to Vice. CBP didn’t disclose just how Venntel had access to the bidstream. It also declined to say how it was using the data.

Sights on Bsightful

It’s unclear to whom Bsightful sells its location data. Its website says nothing about what the company does and it has no social media profiles. The company has four cofounders and executives—Avraham Bahron, Guy Gildor, Guy Amir and Asher Elazar—though none were reachable at the time of publication. Messages sent to another employee and via the company website received no response.

Forbes reviewed an Israeli corporate filing for the company, written in Hebrew, that shows a company called Cognyte Technologies was the sole seed investor, with four company directors also holding stock in the company. Cognyte has 16% of shares listed. Sources said Cognyte was a Verint business and online corporate filings show Verint is the only shareholder in the business, which has offices just two streets over from Bsightful in the Tel Aviv suburb of Herzliya. This week, Verint announced it would be renaming its “cyber intelligence” business, which scored $320 million in revenue in the first three quarters of 2020, to Cognyte Software.

Verint, which has not responded to requests for comment, has contracts in countries across the globe, including the U.S., where it’s previously been a reported supplier for the NSA intelligence agency’s phone-tapping initiatives. It sells all manner of spy tools, including one that can locate any individual to the nearest cell tower with just their telephone number. Combining that with advertising data, which provides more specific coordinates of a device’s whereabouts, would likely yield the location of many individuals.

‘Mass collection of all internet users in a country’

Another company, Rayzone, has been ahead of the curve when it comes to collecting information on smartphone users. The business sells police and governments devices to intercept mobile data, but also, for the last two years, has been selling a tool called Echo that’s built on masses of data collected from mobile apps. Rayzone describes Echo as a “Global Virtual Sigint” system, “Sigint” meaning “signals intelligence.” It promises to provide intelligence and law enforcement agencies with “wide, diverse and in-depth information on global internet users.”

Though it hasn’t publicly disclosed that Echo uses location data collected from smartphone ads, and wouldn’t tell Forbes just how it was acquiring the information, Rayzone’s website notes that the tool uses “a fully stealth method of collection on any internet user, without the need for cooperation from either the target or from any tech or commercial entity.” Rayzone says it’s useful for either targeting a specific individual or for “mass collection of all internet users in a country.” Rayzone didn’t respond to requests for comment.

Multiple sources in the Israeli intelligence industry, who spoke on the condition of anonymity, said the practice is becoming much more common in their market. The promise of being able to provide police and intelligence analysts with a mountain of worldwide location data will likely lure governments hungry to keep tabs on people of interest, or entire populations.

But it’s concerning privacy and human rights activists who worry there’s little oversight of the surveillance vendors, their customers or the data being collected by advertisers, and that people’s privacy is being invaded in ways consumers would never have expected. “I have long suspected that surveillance firms and governments buy commercial location data secretly gathered from ordinary smartphone apps, and of course, it’s happening,” said Wolfie Christl, a digital rights activist who has been looking into surveillance industry practices.

“It’s disastrous that commercial location data that has originally been collected in the context of digital marketing and consumer apps is used for completely different purposes.

“Unfortunately, I am sure this is pretty common and there are more companies and contracts in this space than we currently know of. Today’s commercial data economy is broken.”

Read the original article HERE.

 

Supreme Judicial Court of MA upholds guilty verdict in Trudie Hall murder

/in /by

By Ethan Genter – Cape Cod Times | Mon. Nov. 30, 2020 |

On Monday, Nov. 30, 2020, the Supreme Judicial Court (MA) declined to grant Wilson a new trial or reduce the jury’s guilty verdict on the charge of first-degree murder. The court found that trial judge Gary Nickerson did not err in his decision to allow cellphone location data into evidence and didn’t abuse his discretion in denying Wilson a new trial.

In 2015, Wilson, of Centerville, was convicted of murder, assault and battery with a dangerous weapon and improper disposal of a body in the 2010 death of Hall, 23, of Nantucket.

The prosecution presented evidence that Wilson shot Hall, who was pregnant with his child, several times and then dumped her body in Falmouth.

In July 2010, Hall and her husband, Ram Rimal, came to the Cape from Nantucket and planned to stay the night at a West Yarmouth hotel. Hall went missing the day before the pair, who were in an arranged marriage, planned to meet with immigration officials in Boston about Rimal’s status.

Wilson told police that he had gone to Hall’s hotel room that night, but denied meeting with her later in the evening. Hall was having an affair with Wilson, who was also married, and was four months pregnant at the time.

Police found Hall’s bloodstained rental car a couple days after her disappearance at the Route 6 Exit 6 commuter lot, but her body was not recovered until almost two years later by a man walking his dog in East Falmouth. Police also found seven bullets from a .38 caliber gun and the skeleton of her fetus at the site.

Cell site location information, commonly referred to as CSLI, was used extensively in the trial and helped pinpoint where Wilson was the night of the murder. Cell information is collected by cellphone companies and shows the approximate location of a phone in relation to nearby cell towers.

The location information placed Wilson at the hotel, the commuter lot and where Hall’s body was found on the night of her murder. Data also showed that Hall and Wilson’s phones traveled together throughout the evening.

At the time, a warrant was not needed to get the cellphone data, but a U.S. Supreme Court ruling after the trial found that police need search warrants to obtain more than two weeks worth of cell site location information — a decision that does apply retroactively.

Wilson’s attorney, Janet Pumphrey, argued that without the CSLI, which police did not originally get or need a warrant for, Wilson wouldn’t have been found guilty. She also contended that the information should have been suppressed and when police did get a search warrant for it in 2014, it was tainted by the initial warrantless search.

The Supreme Judicial Court found that the cellphone data did not need to be suppressed if the prosecution could show that it could lawfully obtain the evidence independently without the initial tainted evidence.

“The defendant’s sole argument in this regard is that, when stripped of information gleaned from the prior illegal search, the 2014 warrant affidavit lacked probable cause,” the court wrote.

The Supreme Judicial Court disagreed, concluding that ample probable cause was gained by untainted facts known to police prior to the acquisition of Wilson’s cellphone information in 2010.

Police had information that Wilson had a registered pistol, that he was the likely father of Hall’s unborn child, that Hall had told a friend that Wilson had asked her to get an abortion and that Wilson and Hall communicated by cellphone extensively the day she had gone missing. Police also knew that Hall was killed by a gun that Wilson had publicly implied he carried.

“For all of these reasons, the trial judge did not err in denying the defendant’s motion to suppress the defendant’s CSLI, and the motion judge did not abuse his discretion in denying the defendant’s motion for a new trial and for an evidentiary hearing on this issue,” the court wrote.

The high court also rejected Wilson’s argument that his attorney during the trial provided ineffective counsel by failing to make a motion to suppress evidence of the initial warrantless search of his data, saying that the other evidence against Wilson meant that there wasn’t a substantial miscarriage of justice.

The cellphone data played a crucial role in the case and the court’s decision “has important precedential value in the ever-developing area of cellphone case law,” the Cape and Islands District Attorney’s office wrote in a statement.

District Attorney Michael O’Keefe hoped that the ruling would bring some peace of mind to Hall’s mother.

“She has been a courageous woman throughout this terrible ordeal,” he said. “I also want to commend the prosecution team for their hard work on a difficult case.”

Read the original article HERE.

 

AT&T Wins $92M Contract to Expand FBI Wireless Services; Stacy Schwartz Quoted

/in /by

By Nichols Martin | December 9, 2020 |

AT&T (NYSE: T) has won a potential $92M contract to provide the FBI additional mobility services and increase the bureau’s utilization of a nationwide broadband network the company built with the First Responder Network Authority.

The company said Tuesday it will offer FirstNet services to help the federal law enforcement agency access voice and data communications across multiple frequency bands via wireless devices such as smartphones, modems and air cards.

FirstNet will support daily operations, including emergencies, at the bureau under the agreement AT&T describes as the largest commitment by an agency to the national public safety communications program.

The Drug Enforcement Administration, U.S. Marshals Service and the Bureau of Alcohol, Tobacco, Firearms and Explosives can also expand network use as part of the deal.

Stacy Schwartz, vice president of AT&T’s FirstNet program, said the award serves as a testament to the law enforcement attributes of the system.

“We’re enormously proud to help the FBI and other DOJ agencies expand their FirstNet usage in support of their critical work to keep us safe and protect our democracy,” Schwartz added.

Read the original article at GOVCONWire.com HERE.

Apple and Google to Stop X-Mode From Collecting Location Data From Users’ Phones

/in /by

By Byron Tau – The Wall Street Journal | Wed. Dec. 9, 2020 |

Apple Inc. and Alphabet Inc.’s Google will ban the data broker X-Mode Social Inc. from collecting any location information drawn from mobile devices running their operating systems in the wake of revelations about the company’s national-security work.

The two largest mobile-phone platforms told developers this week that they must remove X-Mode’s tracking software from any app present in their app stores or risk losing access to any phones running Apple’s or Google’s mobile operating systems.

Both Apple and Google disclosed their decision to ban X-Mode to investigators working for Sen. Ron Wyden (D., Ore.), who has been conducting an investigation into the sale of location data to government entities.

In a statement provided by a spokesman, Google said developers had seven days to remove X-Mode or face a ban from Google’s Play store, adding that some developers could ask for an extension of up to 30 days. An Apple representative confirmed that the company had given developers notice that they had two weeks to remove X-Mode’s trackers.

Google said developers had seven days to remove X-Mode or face a ban from Google’s Play store.  Together, the two tech companies have an overwhelming market share of mobile phones globally, and their actions to restrict X-Mode represent one of the first times a location broker has been targeted so directly.

X-Mode has been the subject of several media reports, including from The Wall Street Journal, about its defense work. The company has provided data to several U.S. government contractors for national security, counterterrorism and pandemic response, according to its privacy policy and public-spending records.

Dozens of other companies like X-Mode obtain, buy and resell detailed location information about the movement of mobile devices in what has become a billion-dollar industry in which the data is used for targeted advertising, understanding consumer behavior and planning real-estate and investment decisions. Many location brokers, including X-Mode, also have sought to help federal, state and local officials with their Covid-19 pandemic response.

Consumers technically opt-in to such tracking by granting apps permission to record their devices’ location and accepting the terms of service. X-Mode collects the data using a tiny bit of computer code called a software development kit, or SDK, which it pays to embed into other developers’ apps in exchange for the data collected. Other brokers simply buy the data directly from app developers—a tactic that Apple and Google have less ability to police.

Most of X-Mode’s work is in the commercial sector, where investors and corporate clients use its data to guide planning and decision-making. But it also is one of the players in the growing market for government technology—a cottage industry of companies that have sprung up to service the national security establishment’s demand for data.

The Journal reported last month that X-Mode was collecting data from phones running its software about nearby “Internet of Things” devices such as fitness trackers and automobiles. That data was being made available to a company called SignalFrame that had received a small grant from the military and had been trying to win other national security-related contracts.

In addition, Vice News reported last month that X-Mode drew some of its location information from apps with a predominantly Muslim user base, such as a dating app called Muslim Mingle and a prayer app called Muslim Pro, though the company also has software embedded in many other kinds of apps.

In response to questions from the Journal, X-Mode said it was re-evaluating its government work and that its contracts prevent anyone from linking a device to personal information such as a name, address or email address.

The Reston, Va.-based company also suggested it was being unfairly singled out. “A ban on X-Mode’s SDK would have broader ecosystem implications considering X-Mode collects similar mobile app data as most advertising SDKs, and Apple and Google would be setting the precedent that they can determine private enterprises’ ability to collect and use mobile app data,” the company said.

Several developers that work with X-Mode have told the company they plan to ask Apple to reconsider the decision, the data broker said.

Investigators working for Mr. Wyden have been probing the commercial data market in the wake of revelations that such data is being bought by U.S. government entities for surveillance and law enforcement. He said he is drafting legislation to ban the practice.

“Americans are sick of learning about apps selling their location information and other sensitive data to anyone with a checkbook, including to the government,” Mr. Wyden said. “Apple and Google deserve credit for doing the right thing and exiling X-Mode Social, the most high-profile tracking company, from their app stores. But there’s still far more work to be done to protect Americans’ privacy, including rooting out the many other data brokers that are siphoning data from Americans’ phones.”

A review by Apple found 100 apps made by 30 developers contained X-Mode’s software, according to a briefing given to Mr. Wyden’s office and described to the Journal. Apple cited potential violations of its rules around data use and sharing and gave developers two weeks to remove X-Mode’s SDK. Apple told developers that it appeared X-Mode “surreptitiously builds user profiles based on collected user data,” in violation of its terms of service.

The crackdown on X-Mode comes as Apple is preparing to better highlight to users of its iPhones how their data is being tracked. Next year, Apple has said, it will roll out software updates that will prevent advertisers from being able to collect a person’s advertising identifier without the user’s permission. Some companies, such as Facebook Inc., have said the change will hurt their ability to target personalized ads at people using Apple devices.

 

Craig Federighi, Apple’s head of software engineering, this week reiterated Apple’s position that users should have control over their data, especially when it comes to tracking their location. Among changes made to limit such tracking, he noted that a recent software change allows users to enable a feature that allows for approximate location rather than precise location.

“Where you go says a lot about who you are. Like whether you go to a particular place of worship,” Mr. Federighi said Tuesday during the European Data Protection and Privacy Conference. “There is an enormous potential for this kind of data to be misused. And the way some apps are designed, users may have no idea that they’re giving it away.”

Read the original article at The Wall Street Journal HERE.