New documents reveal the extent of the US government’s tracking of cellphone location data

According to new documents released by the American Civil Liberties Union (ACLU), the Department of Homeland Security (DHS) purchased location data from third parties to circumvent the traditional court order process.

These documents show that agencies such as Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE) were able to purchase large amounts of location data without any legal review and use it to track the movements of millions of cellphones.

In a newly released report, Digital Shadows’ Photon Research team reveals that there are currently approximately 24.6 billion full sets of usernames and passwords in circulation on the dark web. That’s four full sets of credentials for every person on Earth, but also a 65% increase since this survey was last conducted in 2020. Internet users and organizations to properly protect their identifiers and their passwords for the various platforms they use.

The report titled Account takeover in 2022, provides an overview of leaks of personal data, leaked usernames and passwords that have occurred over the past two years. The analysis found that more than half of the 24.6 billion pairs of stolen credentials available for sale on the dark web have been exposed in the past year. Across all dark web credentials, approximately 6.7 billion offers had a unique username and password combination, indicating that the combination was not duplicated in databases. .

In December 2020, the ACLU and the NYCLU filed a lawsuit under the Freedom of Information Act to obtain documents from Customs and Border Protection, Immigration and Customs and other Departments of Homeland Security regarding this practice of purchasing cell phone location data collected from smartphone apps.

Unbeknownst to users, app makers routinely sell users’ location information to other third-party companies, such as Venntel and Babel Street, who use it for marketing and other purposes. These third-party companies then compile this data and market it to government agencies.

Generally, obtaining national communications data directly from providers (ie, telecommunications companies) requires a warrant, which must be approved by a judge. But purchasing data from intermediary organizations is not subject to the same restrictions and effectively gives law enforcement carte blanche to collect personal data they would not otherwise have access to.

The amount of location data revealed in the newly released documents is huge and heralds an even higher level of data collection by the agencies involved. The documents were obtained by the ACLU under freedom of information laws after a lawsuit was filed in 2020 following a Wall Street Journal report that revealed data buying commercial sites by government agencies.

Some of the documents released to the ACLU included a set of spreadsheets containing a subset of location data purchased by CBP from data broker Venntel. According to the ACLU’s analysis, the recordings in a three-day period in 2018 contain approximately 113,654 location points – which corresponds to more than 26 location points recorded per minute. But even this data is limited to a geographic area in the Southwest, suggesting that it is only a fraction of the total amount of location data obtained by federal agencies.

As Politico reports, in emails exchanged between Venntel and ICE, the data broker claims to collect location data from more than 250 million mobile devices and process more than 15 billion location data points daily.

Another data broker identified in the documents is Babel Street. Like Venntel, Babel Street obtains location data by paying developers to include snippets of its code in other mobile apps, which – largely unknown to users – transmit the data to the company’s servers. In 2021, Motherboard reported that Venntel had a contract with the Florida Department of Corrections to provide information on all cell phones that were near state prisons.

In a statement, Nathan Freed Wessler, deputy director of the ACLU’s Speech, Privacy, and Technology Project, said that data brokers are a new threat to privacy and as such must be regulated by the government.

The Supreme Court has made clear that because the location history of our cell phones reveals so many “life details,” it deserves full Fourth Amendment protection, Wessler said. Yet here we see data brokers and government agencies wrangling their brushes and trying to explain how people can have no expectation of privacy for such obviously personal and sensitive location information. Because the potential for abuse is so high, Congress must act to end the practice for good.

In fact, Congress will soon have the opportunity to intervene. On Tuesday, the House Judiciary Committee will hold a hearing on “digital networks” and the government’s access to sensitive data. Late. Elizabeth Warren (D-MA) previously proposed a bill to completely ban data brokers from selling location or health data.

For some analysts, it would not be fair to cast a negative light on the US government’s tracking of cell phone location data. In fact, virtually all mobile applications would sell some portion of users’ data.

The FOIA lawsuit seeks information about how the government justifies its circumvention of the Supreme Court ruling on the Fourth Amendment, how it uses location records and what controls are in place to protect lives.

In 2018, the Supreme Court ruled in Carpenter v. United States that the government needs a warrant to obtain cellphone location information from people’s cellular carriers because of the near-perfect surveillance that information allows.

Source: ACLU

And you?

What is your opinion on the subject?

Also see:

There are 24.6 billion pairs of credentials for sale on the dark web, some of which could be cracked in less than a second, the report says

A major effort to eliminate the need for passwords worldwide, the FIDO Alliance claims to have found the missing piece on the road to a password-free future

Passwords stored on Google Chrome are not immune to cyberattacks, the platform may be behind the latest increase in cyberattacks, according to ESET

Microsoft, Apple and Google step up efforts to eliminate passwords on major platforms, tech giants want to roll out FIDO’s “passkey” standard next year

Leave a Comment