Cops can buy large amounts of location data for less than $10,000 • The Register

For less than $10,000 and without a warrant, cops can buy large amounts of location data on individuals and track people’s movements over long periods of time.

Fog Data Science is a data broker that claims to collect [PDF] 15 billion sets of data points per day from 250 million US devices each month from “tens of thousands” of mobile apps with tracking code included. An investigation by the Electronic Frontier Foundation (EFF) showed that Fog had past or current contracts with at least 18 local, state and federal law enforcement agencies in the United States.

In post-Roe America, that means law enforcement can, for example, circumvent those pesky warrants for Google Maps queries to build a case against someone seeking an abortion in a state where the procedure is now illegal.

The EFF investigation, which spanned several months and more than 100 public records [PDF] requests, uncovered a massive surveillance operation by which Fog sells phone location data to state highway patrols, police departments and county sheriffs across America.

A county was able to purchase the data it wanted under a one-year license for $9,000. Fog prices, we are told, start from a few thousand dollars a year.

“We were aware that Venntel and other data brokers were being used by federal agencies,” said EFF researcher Beryl Lipton. The register.

“We began using public records requests to determine if state and local police also purchased location data information. In one of the responses we received, we found marketing materials describing a service, Fog Data Science, which seemed to be doing exactly the kind of sleuthing, collecting individual-specific location data that we suspected.

Fog, according to EFF’s deep dive, sells subscriptions to its Fog Reveal search engine and law enforcement does not need to obtain a warrant or subpoena before searching and buying information from it. This gives police an easy way to extract a device’s location records, and track and identify the device’s owner from their home address and place of work – or, really, from anywhere else he visited with his cell phone.

We’re told that a basic annual subscription allows 100 searches per month for device data, and more queries can be purchased. Queries can return timestamped movements of a particular device or return all available information about phones in an area drawn on a map for a given time period.

“Police departments of all sizes use a system that stores and makes searchable the historical locations of individuals,” Lipton said.

“This means they could identify phones – and, by extension, people – who have been to a protest, a reproductive health center, a place of worship or other places and follow them to the places where they live. It violates our constitutional rights, especially when the police do it without a warrant.”

Despite claims by Fog and other data brokers that the information they sell does not contain personally identifiable information, as it is limited to timestamps, location coordinates, and random unique identifiers, such as device or advertising IDs, it doesn’t take too much police work. to link this supposedly anonymized data to real people.

As EFF technologist Will Greenberg wrote, referring to a St Louis cop talking about Fog’s database: “There is no PI [personal information] linked to the [device ID]. But, if we’re good at what we do, we should be able to find the owner.”

That is, you just need the unique device ID and know where and when it has been. Suddenly, it doesn’t seem so impossible to determine who owns the device from the addresses they’ve visited and where they’ve stayed frequently – home, office, etc. – and when.

The EFF investigation comes just days after the US Federal Trade Commission sued another data broker, Kochava, for selling the “precise” location of hundreds of millions of mobile devices in violation of FTC law.

In its lawsuit, the watchdog alleged that Kochava’s data feeds, which are sold through publicly accessible marketplaces, reveal individuals’ visits to reproductive health clinics, places of worship, shelters for homeless and victims of domestic violence, drug treatment centers and other sensitive places. Selling this type of personal information could cause “substantial harm to consumers,” such as harassment, discrimination, job loss, and physical abuse, the FTC says.

According to Lipton: “Fog’s practices raise similar concerns.”

The data broker did not respond to a request for comment. The company told AP that it buys its data legitimately from apps in accordance with the software’s privacy policies and user agreements. In other words: if you’re using an app that’s agreed to put a tracker in it, and the fine print says that app can constantly share your location data, that tracker code collects and sells your data, which end up in the hands of Fog, who resells it again.

And many apps integrate these trackers to sell targeted ads, monitor user behavior, and more. ®