A Virginia-based software company founded by two US military veterans with backgrounds in intelligence has been tracking hundreds of millions of mobile phones across the world, according to documents reviewed by the Wall Street Journal.
The company, Anomaly Six LLC, draws location data from over 500 apps – partly through their proprietary software development kit (SDK) which they’ve paid to embed directly in some of the apps, while the company gets location data from partner providers. The SDK allows the company to obtain a user’s location if they have allowed the apps in question to access the phone’s GPS coordinates.
App publishers often allow third-party companies, for a fee, to insert SDKs into their apps. The SDK maker then sells the consumer data harvested from the app, and the app publisher gets a chunk of revenue. But consumers have no way to know whether SDKs are embedded in apps; most privacy policies don’t disclose that information. Anomaly Six says it embeds its own SDK in some apps, and in other cases gets location data from other partners. –Wall Street Journal
Anomaly Six holds contracts with several branches of the US Government – although they told the Journal that they ‘restrict the sale of US mobile phone movement data to nongovernmental, private sector clients,’ according to the report. Private sector clients – typically marketing companies or others in the advertising space – buy and sell geolocation data, sometimes ‘reselling it to government agencies or contractors‘ according to the report.
And as the Journal notes, in the case of Anomaly Six, “the direct collection of such data by a business closely linked to US national security agencies is unusual.”
Founded by defense-contracting veterans who spent most of their careers in close contact with government agencies, tailored their operation to interface with national-security, according to interviews and court records.
“Anomaly Six is a veteran-owned small business that processes and visualizes location data sourced from mobile devices for analytics and insights,” the company told The Journal in response to questions for the article. “We leverage detailed location data from numerous first-party sources to provide insights into groups, behaviors, and patterns.”
The company acknowledges the “intense scrutiny” surrounding government access to private location data – but insists they aren’t breaking any laws, and that the data it peddles is ‘commercially available.’
Anomaly Six said it would support regulation to require more disclosure by apps of how data is collected and used. The exact apps the company partners with couldn’t be determined and the company declined to comment, citing confidentiality agreements. The partnerships between data brokers and app makers are typically closely held trade secrets within the world of commercial-data sales. -WSJ
Calls for greater transparency
Marketing expert and founder of the Location Based Marketing Association, Asif Khan, says government access to harvested consumer location data has been a longstanding problem for the industry – and has insisted that app-makers provide greater transparency with consumers regarding how their data is used once collected.
“You could argue that the government has the right, just like any commercial entity, to buy the data, if the data is available from a commercial supplier,” said Khan, adding “But you also need to be able to clearly say ‘this data could be used by government.’”
“I think the average consumer doesn’t have a clue,” he added.
That said, the data harvested from apps typically doesn’t link to the name of the cellphone owner. Instead, devices are typically identified using an alphanumeric code. Still, the movement patterns of a specific phone over time (such as where it is every night) can allow analysts to deduce who owns it.
According to interviews with numerous people in the industry, there is little regulation in the U.S. about the buying and selling of location data, leading to what one industry veteran called “the Wild West.” Consumers have come to expect free apps, and app makers have turned to selling user data to pay for the costs of developing and running the software, people familiar with the industry. -WSJ
Anomaly Six and its founders been sued by a competitor, Babel Street, which provides social-media monitoring services to the intelligence community and law-enforcement agencies. Of note, two founders of Anomaly Six are former Babel Street employees who left in 2018, according to the lawsuit.
The lawsuit, filed two years ago, offers insight into the secretive world of location harvesting products used by the US government.
Anomaly Six founder Brandan Huff had managed Babel Street’s relationship with the Defense Department. His co-founder, former Army contractor Jeffrey Heinz, also manage Babel Street’s relationships with the DOJ, US Cyber Command, civilian federal agencies and the intelligence community according to court records.
For example, one of Babel Street’s products, “Locate X,” provides access to the location records of millions of cell phones harvested from consumer apps. Babel claims their two ex-employees sought to build a competing product.
Babel Street doesn’t publicly advertise Locate X and binds clients and users to secrecy about even its existence, according to contracts and user agreements reviewed by the Journal. Developed with input from U.S. government officials, according to court records, Locate X is widely used by military intelligence units who work on gathering “open source” intelligence, or information taken from publicly available sources. Babel Street also has contracts with the Department of Homeland Security, the Justice Department, and many other civilian agencies, federal contracting data shows. Babel Street didn’t respond to a request for comment. -WSJ
What’s more, both Babel Street and Anomaly Six products can be used to combine traditionally gathered intelligence – such as social media data, satellite imagery, confidential human sources, consumer data from the private sector and intercepted communications, according to interviews with people familiar with the process as well as documents reviewed by the Journal.
The data is combined into what’s known as a “pattern of life” analysis, which allows for a deeper understanding of a potential intelligence target’s habits which can possibly be used to predict future behavior.
“It’s really alarming to learn about companies like this that claim to have years’ worth of location data from all over the world. Revelations like this just keep coming,” said Georgetown University law professor Laura Moy, who directs the school’s Communications & Technology Law Clinic.
“Users have no idea that when they install a weather app, a game, or any other innocuous-seeming app that their private location data is going to be harvested and sold. Apparently that’s what’s happening here, and we have no transparency into the practice.”