A deep dive on smartphone location data
We use the NYT's opinion piece analyzing the Capitol Hill intrusions using leaked smartphone location data as a springboard to wax slightly philosophical on the nature of corporate surveillance.
The NYT recently published a piece highlighting the use of smartphone location data to track individuals involved in the Capitol Hill intrusions. While the temptation to engage in political commentary surrounding this specific event certainly exists, our intent is to focus on the underlying theme of corporate surveillance that emerges from the use of smartphone location data and its threat to individual privacy and digital security.
We have been fascinated with smartphone location data for quite some time. Contrary to what occasional abuses or mishandling of data by government agencies may suggest, it is our view that the U.S. Government poses here little-to-no privacy threat to the average law-abiding American citizen (barring any active attempts to join, support, or participate in acts of terrorism).
The more insidious, potent, and — dare we say — competent threat to individual privacy emerges rather from the vast digital advertising ecosystem highlighted by the NYT. This “dizzyingly complex” ecosystem is what amounts to commercialized, largely unregulated, and omnipresent surveillance that specializes in gathering, processing, analyzing, and exploiting — for profit — the personal location data of millions.
Intelligence oversight for 500 please
Let’s first explore how the boogeyman of U.S. Government surveillance differs from its more sneaky — and domestically pervasive — corporate relative.
As is covered extensively at all levels of the U.S. intelligence apparatus, there are official oversight mechanisms[1] in place designed to safeguard the civil liberties of its citizens. While these mechanisms are not perfect, they exist and are constantly being trained on, exercised, and adhered to throughout the conduct of complex intelligence operations. And rightfully so.
Despite having no inclination, time, capacity, reason, or access to personally interact with data involving U.S. persons, we still suffered through countless briefings, online courses *shudders*, and meetings ensuring the integrity of American civil liberties in the context of properly handling, interacting with, and understanding the necessity of Intelligence Oversight. Mess up, and you get yourself (and everyone all the way up the chain) in trouble whilst fielding calls from righteously indignant permanent staff members who report to Congressional committees. This is, thankfully, the norm.
Contrast such restrictions on the use (and even the basic access let alone viewing or querying) of U.S. persons data by those in the intelligence ecosystem with the absolutely unregulated relative holding the umbrella of corporate surveillance. If the U.S. Government is a smart albeit mildly incompetent bureaucrat almost hamstrung by over-regulation, corporate surveillance is the wheeling and dealing cowboy cousin with the cunning, agility, and motivation to innovate its way through today’s digital landscape in search of the bottom line.
And while we would be remiss not to mention the convenience and clear benefit yielded from the technologies that we voluntarily choose to use in our daily lives, the cost to our privacy and digital security has never been as apparent as it could be. We are thus placed in an inopportune bind: having grown accustomed to the convenience, instant gratification, and hyperconnectivity found through our devices, we step increasingly further towards the intersection of technology dependency and the accompanying degradation of individual privacy. Sign me up.
Cui bono?
You probably gather by now that oversight is not an oft-used tool in the corporate surveillance saddlebag. But before Steve the general counsel from Corporate sends us a sternly worded letter seeking restitution, we must note that, while unregulated, certain corporations do have policies prohibiting attempts to de-anonymize location data. It is a fact that customers relying on location data typically must undergo third-party audits and agree to manage the data in a responsible manner. We’ve partially explored these processes and can attest to this vetting process with data brokers such as LexisNexis.
However, as Mr. Warzel and Mr. Thompson identify in their piece, such nominal treatment of user data still lacks significant transparency and an impactful manner in which users can control their data once it has entered the corporate data aggregation ecosystem. The appearance of oversight is present, but power does not lie in the users’ hands.
Smartphone users will never know if they are included in the data or whether their precise movements were sold. There are no laws forcing companies to disclose what the data is used for or for how long. There are no legal requirements to ever delete the data. Even if anyone could figure out where records of their locations were sold, in most states, you can’t request that the data be deleted. Their movements could be bought and sold to innumerable parties for years. And the threat that those movements could be tied back to their identity will never go away.[2]
As the cookie currently crumbles, it is possible to remove certain personal information from appearing online by submitting suppression requests, opt-outs, and other similar actions. This is usually limited to keeping one’s name, home address, phone number, relatives, and whatever else has been aggregated from appearing in databases.
Shameless plug, we do that for clients and can assist you in that department. It certainly isn’t glamorous, but it keeps the lights on.
While certain personal information can be removed from individual company databases, this process is arduous and involves navigating deliberately labyrinthine processes with individual data brokers who have aggregated one’s data. Unfortunately, the amount of personal data publicly available online often outpaces one’s ability to contain it. And this information is just the tip of the iceberg. So long as we continue to value the convenience offered by our devices, and as the NYT demonstrates, users can only do so much to manage their digital footprint (or “signature”, as we like to call it).
As it were, we would again be remiss not to mention that it is this very same publicly available data that can be harnessed offensively during online investigations, using common Open Source Intelligence techniques. So we are presented with a double-edged sword: one edge cuts through the center of both privacy and digital security, and the other takes the form of data analysis and exploitation.
The tip of the surveillance iceberg
Now onto the specific identifiers and means by which this often-nebulous corporate surveillance occurs. Conceptually, the notion of smartphone location data is easy to grasp; technically, users may struggle to fully comprehend the quantity of data being generated by our devices and how it can be used to benefit someone else’s bottom line. We will introduce some technicality but won’t go into significant detail here, as the principles of privacy and individual user responsibility are where the true emphasis lies.
Let’s start with a typical smartphone. At all times, unless placed in a Faraday bag[3], our devices are connected to several cell phone towers or panels or wireless networks, searching for a remembered Bluetooth connection, or otherwise transmitting or receiving some form of radio frequency propagation somewhere along the electromagnetic spectrum. As has been previously demonstrated[4], if a device possesses a battery that cannot be removed, simply turning off a device is no guarantee it cannot be somehow tracked.
Our devices do these things so that we, the users, remain hyperconnected, informed, and “in control” of the typically wide variety of functions smartphones offer us: GPS navigation, social media, weather, news updates, messaging and video calls with friends and family, and countless more. So how does corporate surveillance capitalize on this data while we remain suckers for our own walking digital security and privacy nightmares?
The NYT notes one identifier — among many others only nominally discussed here[5] — that is particularly useful in feeding the corporate data aggregation machine, and which provides key insights to users’ profiles in a way that offers location data customers the prime effect they seek in the play-to-the-margins game of targeted advertising: a device’s unique mobile advertising identifier.
The IDs, called mobile advertising identifiers, allow companies to track people across the internet and on apps. They are supposed to be anonymous, and smartphone owners can reset them or disable them entirely. Our findings show the promise of anonymity is a farce. Several companies offer tools to allow anyone with data to match the IDs with other databases.[6]
Image above: the NYT demonstrates this power by matching the supposedly anonymous advertising IDs with other databases, allowing them to add true names, addresses, phone numbers, email addresses, and other information about smartphone owners in seconds.
It is here we begin to see the power of data aggregation in today’s digital landscape. For while a single identifier (similar to what we could call “single source” in the intelligence business) is typically insufficient to draw meaningful insights, the right identifier can unlock many more doors when analyzed, corroborated, and cross-referenced with other existing data. This is a traditionally analytical function thrown into hyper-drive with the power of data aggregation, or “big data”. And when our devices are spewing countless other unique identifiers at all times, the iceberg of surveillance we’re trying to avoid only grows larger.
David, meet Goliath
The way in which unique advertising IDs are used by location data companies to offer their customers smartphone users’ location insights is but one facet of a large, shapeshifting industry. That is to say, location-based marketing is only one form of the corporate surveillance industry.
Below are several tables derived from the Electronic Frontier Foundation’s outstanding deep dive on corporate surveillance, where they identify a representative sample of identifiers available to third parties (anyone you don’t intend to interact with directly). As the EFF identifies, this list is not exhaustive and continues to grow with technological advances. Digest the tables below, broken down by web, phone, and other identifiers, and get a sense for other ways our data can work against us.
Images above: the EFF offers a sample of identifiers available to third parties that seek to capitalize on user data. These tables are not exhaustive and grow over time with technological advances.
While companies such as Adobe, Google, Facebook, and others are quick to draw fire for their exploitation of user data, law enforcement and foreign nations are also among the consumers seeking to capitalize — for a different profit — from the exponentially increasing quantity of data. Not coincidentally, many also express fears of China’s assessed ability to aggregate and transform global data in a similar way to inform its own endstates in geopolitics, espionage, and elsewhere.[7]
The truth shall make you free
If you weren’t expecting to be summoned to the murky battle of individual privacy that wages largely unseen behind the veil of technological convenience, neither were we. But keep your eyes fixed on the horizon, for hope remains in the form of knowledge and individual action. As is memorialized at CIA headquarters in Langley, “And ye shall know the truth, and the truth shall make you free.”
Which brings us to the present moment. We daresay things appear quite bleak given the crossroads we rapidly approach: the seemingly convenient, instantly gratifying, and hyperconnected promises of our ever-present devices collapsing under the monstrously quick degradation of individual privacy and thus, security.
We believe that empowering individual users to better understand digital security and privacy builds the strongest foundation upon which to gird our proverbial loins and enable meaningful change — a small rock in our slingshot against the behemoth of corporate surveillance, as it were. And as there is no such thing as coincidence, we researched, wrote, published, and shared our guide for digital security as an accessible bank of techniques from which to gain your own foothold starting today (it’s free, because privacy is fundamental).
Go forth in privacy and digital security.
[1] https://www.dni.gov/index.php/how-we-work/accountability
[2] https://www.nytimes.com/2021/02/05/opinion/capitol-attack-cellphone-data.html
[3] We are not affiliates but heartily endorse Silent Pocket’s line of Faraday products: https://silent-pocket.com/
[4] https://www.usatoday.com/story/tech/columnist/komando/2014/06/20/smartphones-nsa-spying/10548601/
[5] We strongly recommend for additional context and education the Electronic Frontier Foundation’s excellent report on corporate surveillance available here.
[6] https://www.nytimes.com/2021/02/05/opinion/capitol-attack-cellphone-data.html
[7] https://foreignpolicy.com/2020/12/22/china-us-data-intelligence-cybersecurity-xi-jinping/
Great article. I have a question though. The data that was used to track users at the Capitol appears to primarily be from the Parler hack initiated by "Donk", where he grabbed posts of users, and farmed the EXIF data from their posts. But, I also heard but cannot confirm, that this occurred at the same time Maetz (?) the CEO at the time turned over the data to the FBI. So not sure on if that was a government request, or Donk was the one that published the data, and that is how we ended up with the activity (in one form) of Parler users at the Capitol. So I guess I am wondering how much of the anonymous tracking animations we see of the Capitol insurrection are from government inquiries or the Donk hack?
I work as a security guy at a manufacturing firm (I use that term loosely) and since we are global we have both NA and EU privacy policies to contend with. The EU policies are arguably tougher, and it is easier for people to opt out; also, EU users can anonymize their user ID. Since I am that guy that can see every mouse click, web URL visited, email (if legally asked to do so) etc. etc., having an anonymized ID is a nice perk for the end user . . . but, as an administrator, if HR gets involved, we can always tie that ID to the actual user ID. I guess my point being, I think the corporate entities you are discussing are more in the retail and social media arena? Here in the glamorous manufacturing sector we are striving to take user privacy pretty seriously, albeit it is driven by legal developments and requirements.