Why bother with warrants when cops can buy location data for under $10k?
How Fog Data Science sells records of your whereabouts, according to the EFF
For less than $10,000, and without a warrant, cops can buy large amounts of location data on private citizens and track people's movements over long periods of time.
Fog Data Science is a data broker that claims it collects [PDF] 15 billion sets of data points daily from 250 million US devices every month sourced from "tens of thousands" of mobile apps with tracking code included. An investigation by the Electronic Frontier Foundation (EFF) has shown Fog has past or ongoing contracts with at least 18 local, state and federal law enforcement agencies in the United States.
In post-Roe America, this means that law enforcement can, for example, bypass those pesky warrants for Google Maps queries to build a case against an individual seeking an abortion in a state where the procedure is now illegal.
The EFF investigation, which took several months and more than 100 public records [PDF] requests, uncovered a massive surveillance operation by which Fog sells people's phone location data to state highway patrols, police departments, and county sheriffs across America.
One county was able to buy the data it wanted under a one-year license for $9,000. Fog's prices, we're told, start from a few thousand dollars a year.
"We knew that Venntel and other data brokers were in use by federal agencies," EFF investigative researcher Beryl Lipton told The Register.
"We began using public records requests to investigate whether state and local police had also been buying location data information. In one of the responses we received, we found marketing materials describing a service, Fog Data Science, that seemed to do just the kind of dragnet, individually-specific location data collection that we suspected. We went from there."
Fog, according to EFF's deep dive, sells subscriptions to its Fog Reveal search engine and it does not require law enforcement to obtain a warrant or subpoena before searching for and buying information from it. This gives police an easy way to pull up location records for a device, and track and identify the device owner from their home address and place of work — or, really, anywhere else they have visited with their cellphone.
We're told that a basic annual subscription allows for 100 searches a month for device data, and more queries can be bought. The queries can return the timestamped movements of a particular device, or return all the available information about the phones within an area drawn on a map for a given timeframe.
"Police departments of all sizes have been using a system that stores and makes searchable the historical locations of individuals," Lipton said.
"This means that they could identify the phones — and, by extension, the people — that have been at a protest, a reproductive health center, a place of worship, or other locations and track them to the places they live. This violates our constitutional rights, especially when police do it without a warrant."
Despite claims by Fog and other data brokers that the information they sell doesn't contain personally identifiable information because it's limited to timestamps, location coordinates, and random unique identifiers, such as device or advertising IDs, it doesn't take too much police work to link this supposedly anonymized data to actual people.
- FTC sues data broker for selling millions of people's 'precise' location info
- Sephora to pay $1.2m to settle Cali privacy law claims – and why this is a big deal
- Data brokers amass profiles of pregnant women – and, of course, it's all up for sale
- Need baby formula? Buy a pregnancy test at Walgreens
As EFF technologist Will Greenberg wrote, referencing a St Louis cop talking about Fog's database: "There is no PI [personal information] linked to the [device ID]. But, if we are good at what we do, we should be able to figure out the owner."
That is to say, you just need the unique ID for the device and know where and when it's been. Suddenly, it doesn't sound so impossible figuring out who owns the device from the addresses they've visited and stayed at frequently – home, the office, and so on – and when.
The EFF investigation comes just days after the US Federal Trade Commission sued another data broker, Kochava, for selling the "precise" whereabouts of hundreds of millions of mobile devices in violation of the FTC Act.
In its lawsuit, the watchdog agency alleged that Kochava's data feeds, which are sold via publicly accessible marketplaces, reveal individuals' visits to reproductive health clinics, places of worship, homeless and domestic violence shelters, addiction recovery facilities, and other sensitive places. Selling this type of personal information could cause "substantial injury to consumers" such as stalking, discrimination, job loss, and physical violence, the FTC argues.
According to Lipton: "Fog's practices raise similar concerns."
The data broker did not reply to a request for comment. The biz told AP it buys its data legitimately from apps as per the software's privacy policies and user agreements. In other words: if you use an app that's agreed to put a tracker in it, and the fine-print says this app may constantly share your location data, that tracker code is collecting and selling your data, which ends up in the hands of Fog, which resells it again.
And so many apps embed these trackers to sell targeted advertising, monitor user behavior, and more. ®