Secret Service Paid To Get Americans' Location Data Without a Warrant, Documents Show (gizmodo.com) 68
An anonymous reader quotes a report from Gizmodo: A newly released document shows the U.S. Secret Service went through a controversial social media surveillance company to purchase the location information on American's movements, no warrant necessary. Babel Street is a shadowy organization that offers a product called Locate X that is reportedly used to gather anonymized location data from a host of popular apps that users have unwittingly installed on their phones. When we say "unwittingly," we mean that not everyone is aware that random innocuous apps are often bundling and anonymizing their data to be sold off to the highest bidder.
Back in March, Protocol reported that U.S. Customs and Border Protection had a contract to use Locate X and that sources inside the secretive company described the system's capabilities as allowing a user "to draw a digital fence around an address or area, pinpoint mobile devices that were within that area, and see where else those devices have traveled, going back months." Protocol's sources also said that the Secret Service had used the Locate X system in the course of investigating a large credit card skimming operation. On Monday, Motherboard confirmed the investigation when it published an internal Secret Service document it acquired through a Freedom of Information Act (FOIA) request. (You can view the full document here.) The document covers a relationship between Secret Service and Babel Street from September 28, 2017, to September 27, 2018. In the past, the Secret Service has reportedly used a separate social media surveillance product from Babel Street, and the newly-released document totals fees paid after the addition of the Locate X license as $1,999,394.
Back in March, Protocol reported that U.S. Customs and Border Protection had a contract to use Locate X and that sources inside the secretive company described the system's capabilities as allowing a user "to draw a digital fence around an address or area, pinpoint mobile devices that were within that area, and see where else those devices have traveled, going back months." Protocol's sources also said that the Secret Service had used the Locate X system in the course of investigating a large credit card skimming operation. On Monday, Motherboard confirmed the investigation when it published an internal Secret Service document it acquired through a Freedom of Information Act (FOIA) request. (You can view the full document here.) The document covers a relationship between Secret Service and Babel Street from September 28, 2017, to September 27, 2018. In the past, the Secret Service has reportedly used a separate social media surveillance product from Babel Street, and the newly-released document totals fees paid after the addition of the Locate X license as $1,999,394.
If you don't know me by now... (Score:3)
C'mon. Cell phones have been popular for a decade, and all apps do this. I really doubt that anybody doesn't know they're spying devices by now. That seems really far-fetched.
Re:If you don't know me by now... (Score:5, Informative)
Re: If you don't know me by now... (Score:1)
And who's fault is that?
Re: If you don't know me by now... (Score:5, Insightful)
Probably ours as the IT community. We should do more arm-waving, like how we (should) recommend Firefox over Chrome for avoiding the most egregious spying. But frankly, most users don't give a shit, kind of like how error dialog boxes pop up in Windows saying "Something Really Bad(TM) is about to happen, is that OK? <Yes> <No>" may as well just have a single <Whatever> button, because users are simply not going to read (or think or care about) what that message means; they just simply want to get on with whatever they think they're doing, consequences be damned.
Re: If you don't know me by now... (Score:4, Interesting)
...like how we (should) recommend Firefox over Chrome for avoiding the most egregious spying....
I just ordered myself a Pine64 phone. As a developer, it has piqued my interest. As an end-user who values my privacy, it ticked all the right boxes. When I told my wife (who is solely an end-user) about it, she immediately wanted one, too.
When I told her it was not going to have most of the apps she's used to, she said she didn't care. When I showed her the specifications for the phone, and explained that it meant the phone was going to be slower, perhaps significantly, than her current phone, she didn't bat an eye. When I told her that the current release is targeted at developers, and that end users may be carrying around a paper-weight, she said that we should just get one for me and see how it goes.
End users want privacy. They just think that it's not an option. They think that they have to choose between convenience and security. With the current crop of phones, they're right. However, options are appearing that could start tilting the balance of freedom. I'm willing to surrender some, "ooh, shiny!" in order to build back some lost freedoms.
Andbox (and other LXC). (Score:4, Informative)
When I told her it was not going to have most of the apps she's used to, she said she didn't care.
And yet, Anbox [anbox.io] is apparently now available on multple of the OSes, according to the latest Pine64 Blog post [pine64.org] (i.e.: running AOSP in an LXC container, similar to the latest AlienDalvik 8 on Sailfish OS).
Collabra's SPURV is another such "Android in a container" solution.
In my experience (AlienDalvik on Sailfish OS) using such LXC-based solutions:
- a surprising amount of apps actually work on straight AOSP.
- this includes "must haves" (due to networking effect) such as WhatsApp.
- several app developer who target extremely wide audience try to make their app independent of the closed source parts of Android: e.g. Android, Skype, WhatsApp, several popular games, etc.
- And unless you want to be able always reachable on WhatsApp, this gives you the possibility to just shut down the container when no android app is in use and forget about any app tracking.
- Some apps are *completely addicted* to the proprietary google blob (Google Play Service) and won't run on a naked AOSP build.
- Even there, it's possible to avoid the privacy raping: MicroG [microg.org] is an opensource re-implementation of significant portion of the com.google.android.gms APIs, and can work for application which require those (e.g.: for location).
- They also have dummy for com.android.store class (FakeStore), because some apps insist on checking for Play Store's presence (?!)
- And you can also temporarily install the genuine Play Store if you need to access paid content or pay in-App.
- In my experience [jolla.com] (Sailfish OS, but except for the exact sequence to turn on signature spoofing, or the location in menus to access the settings, it shouldn't be any different) microG covers the need of large swaths of applications.
- microG is very good at also limiting what application get started in the background (e.g.: when receiving Cloud push notifications) in my experience [jolla.com] (and an application which isn't running cannot track you).
- in my everyday situation, I only have WhatsApp and a couple of opensource android application running in the background. Everything else is shut off (including abusers like AliExpress are prevented in running in the background).
- Saddly some App still insist on the genuine Google Play Services blob, mostly because they need APIs not yet implemented inside microG and don't fail gracefully.
- You can also install the original blobs [opengapps.org] for those situations.
- This enables even more apps to run.
- Though you might still be failing some security test and a few banking app might complain and refuse to work.
(I haven't tried running multiple container yet to have the Google Play Service isolated in a separate container).
When I showed her the specifications for the phone, and explained that it meant the phone was going to be slower, perhaps significantly, than her current phone, she didn't bat an eye.
For people who are more concerned by specs, some manufacturer still make phone whose firmware is unlockable by design and on which you can install alternative OSes.
Sony Opendevices program is an example of such smartphones.
Saddly, to to hardware designs, you usually are still stuck at using the official blob pack (closed source proprietary firmware and drivers, running atop some old kernel version) by the chipset manufacturer.
But at least, thanks to lib
Re: (Score:3)
The specs for the Pine phone [pine64.org] list actual hardware switches for the radios, camera and mic. Though it isn't clear where they are located based on the images. Very interesting.
Hardware switches are a must, and I'm glad this developer realizes it. It's not secure unless I can unplug it.
Re: (Score:1)
Yo Grark
Re: If you don't know me by now... (Score:4, Insightful)
You can tell people about these risks and 99% of them will respond with "But I'm not a terrorist" or whatever. They don't understand that tools that can be used in ways they approve of can also be used to hurt them later, or they have convinced themselves that day will never come.
Re: (Score:2)
And still, I say, so what.
If I'm having an affair I worry more about my neighbours than google. If I'm passing secrets or doing stuff my government doesn't like, yea, different story.
Funny though how that second metric measures up. In my country, if I protest against guns or climate change, or how shit the ginger one is, I'm ok. In the USA, I would have to hide that. Glad I live in a free country.
Like what? (Score:2)
Yes, these tools can be used against someone, but apart from diabolical conspiracies, big government and big corporations have never needed electronic spying to oppress the public at large. Union busting was done long before electronic surveillance, and gaps in government knowledge were filled by armed police breaking down doors with a search warrant. Oppression has never been a problem of technology, and always a problem of human nature. The will to power has never been frustrated by a lack of technolo
Re: If you don't know me by now... (Score:2)
Convincing people to be uoset about something they don't understand is always difficult.
I watched an old South Park episode the other night, and in it Cartman was blogging and posting his every action on social media, and most of his posts were about fears that the NSA was tracking him.
To drive home the irony he was also constantly on his phone, using speakerphone, having 'private' conversations. He accused anyone that was near him of trying to listen in on his calls, when in fact it was quite the opposite
Re: (Score:2)
Whose. Probably ours as the IT community...
Maybe that was true 20 years ago. Today, it's a pathetic excuse. Computer UIs are literally designed for children to operate and understand. Why are we still holding hands for grown-ass adults who have literally been exposed to this technology their entire lives?
The Top 10 Worst Passwords lists. Look at them. Now look at that same list from 20 years ago. No matter the risk, no matter the danger, people don't ever change. They're just as ignorant about bad passwords today as they were 20 years ago. O
Re: If you don't know me by now... (Score:2)
I should note that they don't just sell to the highest bidder. They are promiscuous. They will sell to anyone for any price and do it as many times as they can.
Public info (Score:2)
That cellphone users don't know what they agree to because they didn't read the Terms of Service, or what it means to allow a game to track their location does not entitle them protection from their bad decisions/choices.
It sounds like the govt can not supply vendor with a phone number or name, it goes by location at a point in time. For example, police hire the service and draw a circle around a violent protest, asking for historical data on the phones that freely offered up their location during the prote
Re: (Score:2)
That cellphone users don't know what they agree to because they didn't read the Terms of Service, or what it means to allow a game to track their location does not entitle them protection from their bad decisions/choices.
IMO, there are a few bad assumptions here. First off, just being in a ToS doesn't inherently mean it is either legal, or ethical. Second, ToSes being very verbose and thus difficult to want to plod through is another issue that IMO purely would be beyond idiotic to pile on to the consumer.
Allow location "Only when using" (Score:4, Informative)
Re: (Score:2)
A user may not realize an app can still collect data unless you physically close it.
Isnt this the fault of the OS, that provides easy "minimize," convoluted "close," and a back page listing of opened applications?
Re: (Score:2)
Re: (Score:3)
A user may not realize an app can still collect data unless you physically close it.
Isnt this the fault of the OS, that provides easy "minimize," convoluted "close," and a back page listing of opened applications?
I agree. It’s a poor human factors design since it gives the appearance of quitting without actually quitting. It may make the device be more responsive but at the cost of user awareness of tracking.
Re: (Score:3)
End users don't have a chance until the OS stops this kind of thing from being allowed. As an end user I'm quite ok to share data when i'm running an app, and the recent(?) permissions which only allow it to collect such info "when running" on android is a step in the right direction, but the fact that the app still runs when I close it needs to be addressed unless it's a system app (and even then!) or I explicitly
Anonymizing? (Score:2)
> When we say "unwittingly," we mean that not everyone is aware that random innocuous apps are often bundling and anonymizing their data to be sold off to the highest bidder.
If the location data was anonymized, then it couldn't be traced back to people. Since that's exactly what's going on, how is this 'anonymized'?
Re: (Score:2)
cops knew where people were at a certain time. even the company selling the data had no way to know that, you don't get that from the data. you get that by surveillance. It's like I put a camera in your home to record when you took the anonymous survey for your employer but without seeing your screen, and the HR department doesn't know who filled out what form but they know what time the submit button was hit because they get email notice when someone finishes yet another form. Me with my camera know
Re: (Score:2)
If the location data was anonymized, then it couldn't be traced back to people. Since that's exactly what's going on, how is this 'anonymized'?
'Anonymized' isn't what it used to be. From TFS:
allowing a user "to draw a digital fence around an address or area, pinpoint mobile devices that were within that area, and see where else those devices have traveled, going back months."
I'd bet that they can make a reasonable guess as to your identity with this.
Is anyone else able to tag stories? (Score:2)
OT comment, but trying to figure out - is it just me, or is anyone else no longer able to add tags to stories on the main feed?
I've been having too much fun adding sardonic tags, like "enoughtiktokalready" to the many and varied TikTok stories, not to mention judicious use of "clickbait" as a tag ... so I wouldn't be surprised if TPTB have put me in story-tag time out. :-)
Re: (Score:2)
Re: (Score:2)
I mean, don't blame the idiots that were spamming 'vote for trump', slurs, etc. in the tags or anything. Or slashdot admins' inability to block simple shit like the swastika spamwalls. Surely it's "the regime".
The Slashdot admins *are* "the regime" I meant.
Re: (Score:2)
You must be the only person who ever used them. What was the point of 99% of the things posted here having the story tag?
No warrant necessary? (Score:5, Insightful)
So what I want to know is, why was no warrant necessary? The requirement for a warrant is a limitation on police activity to limit abuse, not a technical measure. There's no technical reason cops have to get a warrant before installing a GPS tracker on your car, or a surveillance feed into your living room. They need a warrant because they're not legally allowed to conduct that surveillance without it. So what difference does it make if it's a third party doing the spying? Either they get a warrant first, or they should be brought up on charges for illegal surveillance.
Re: (Score:2)
So what I want to know is, why was no warrant necessary? The requirement for a warrant is a limitation on police activity to limit abuse, not a technical measure. There's no technical reason cops have to get a warrant before installing a GPS tracker on your car, or a surveillance feed into your living room. They need a warrant because they're not legally allowed to conduct that surveillance without it. So what difference does it make if it's a third party doing the spying? Either they get a warrant first, or they should be brought up on charges for illegal surveillance.
There was no law enforcement surveillance happening. Law enforcement bought information from someone else. It's not illegal to use a snitch.
If you have a problem with this development in law enforcement I suggest you go to the root, the gathering and collation of information on private citizens in general. As long as that is happening, everyone in the world with money will have access to it for whatever purpose. This is basically the same argument as for "national security and only national security should
Re: (Score:3)
By that argument, what's to stop someone from opening a business "Snoops-R-Us" that cops can hire to do all their desired surveillance without worrying about getting those annoying warrants?
Re: (Score:2)
Not that I disagree with the rest of your post - it's just the question of what is permissible for our employees is much narrower than what is permissible for independent citizens.
Re: (Score:1)
By that argument, what's to stop someone from opening a business "Snoops-R-Us" that cops can hire to do all their desired surveillance without worrying about getting those annoying warrants?
Absolutely nothing, in fact I dare say that is what TFA is all about. As long as the business is not specifically (i.e. openly) intended to snoop information for law enforcement there is pretty much no way to prevent such behavior today. The only way to get rid of law enforcement using commercially available information is to put severe restrictions or even outlaw such information gathering in the first place. Sadly, that is unlikely to happen since the business sector focused on social media information ga
Re: (Score:1)
Sorry, I think I did not clearly state a part of my reply there:
When I talk about information in my post, I mean specifically online information and anything that can be snooped from the internet. I am not including traditional snooping such as a P.I. in this context, as I think existing law is fairly clear in prohibiting law enforcement from hiring private contractors to bypass regulations. The key here is that online information is considered public, freely given, and commercial in nature, which translate
Re: (Score:2)
> The only way to get rid of law enforcement using commercially available information is to put severe restrictions or even outlaw such information gathering in the first place.
Or, to explicitly prohibit police from using it without a warrant to gain information that would otherwise require illegal surveillance.
What's wrong? (Score:1)
Why are you saddened by this? Police — our employees — are able to do their work (work for which we pay them) better, thanks to tools and information available from competing private companies.
What's wrong?
Re: (Score:2)
I assume, because in practice police are mostly NOT our employees - they're employees of the government, and as the founding fathers recognized government is a necessary evil that always trends towards tyranny. To say nothing of the multitude of independent abuses that are perpetrated by police officers and their managers for personal reasons.
Re: (Score:1)
The entire government are our employees... If we have police at all — because there remains crime — shouldn't they have the best tools in existence available to them? Especially, when the tools are non-violent and their abuse — (almost) non-impacting?
And, when I say non-impacting, what's wrong about police knowing, you were in a certain area at a certain time? The inconvenience of having to answer investigators' questions? Please...
It
Re: (Score:1)
Not if those crimes were invented to justify enslaving 7 million people for cheap labor.
Re: (Score:3)
That does not mean, we need to outlaw these tools...
Certainly not! OTOH, most of us would not give a chainsaw to our 5 year old so he can familiarize himself with power tools. We create and maintain strong restrictions regulating how these tools are used to be certain they aren't misused (scaled by how immediately dangerous they are). Is this case, there are almost no controls / limits in place to protect against misuse by anyone who has this data. Remember, the police aren't there to determine innocence or guilt, their job is to turn over a suspect for pros
Re: (Score:3)
>The entire government are our employees...
Right... I suppose that's why statistical analysis shows almost zero correlation between widespread public support (or condemnation) of policies, and the likelihood of congressional support for them at the federal level.
Granted things get a bit better as you get more local, but at the end of the day our collective desires are still mostly irrelevant to government actions. They do NOT work for us.
Re: (Score:2)
By that argument, what's to stop someone from opening a business "Snoops-R-Us" that cops can hire to do all their desired surveillance without worrying about getting those annoying warrants?
That's the wrong business model. If the cops hire you to do their surveillance, then you are acting as their agent, and you are, in fact, subject to the Fourth Amendment as if you were a cop.
Your business model needs to be, "I'll collect everything I can and sell it to ANYONE for a large amount of money." Then, since the cops are merely purchasing something that any member of the public can buy, it's legal for them.
So you don't hire yourself out to the cops, you just sell to anyone.
Re: (Score:2)
Re: (Score:3)
Well, "Snoops-R-Us" would have to obey the laws regarding trespass, computer misuse, intrusion of privacy and whatever other laws are there.
The police don't. The warrant system is the check and authorisation to sidestep the legal constraints that apply to everybody else.
If the data supplier is acting legally then the law is not being broken, and no warrant is required. If the data supplier is contravening the law, the police should be arresting them, not buying their data.
Re: (Score:3)
In theory, yes. In practice - who exactly is going to enforce those laws? The police who are requesting that they be broken? The judiciary and public prosecutors whose jobs are made much easier by police cooperation and already usually decline to hold police accountable for murder and other abuses?
The law is just words on paper unless the people responsible for enforcing it actually choose to do so.
Re: (Score:2)
Well, this is why the US needs the ability to launch a private criminal prosecution.
In the UK if someone's breaking the law then anybody can bring a prosecution against them. It's tried by a proper judge in a proper court with the full range of judicial sanctions available. So someone breaching the law to gather data illegally for the police could be taken the court and jailed even if the police chose not to investigate.
Re: (Score:2)
There's certainly much to be said for such an option - but it doesn't actually solve much if the court is not interested in enforcing the law.
As a common ongoing example - in (parts of?) the U.S. individuals convicted of domestic abuse are not allowed to own firearms, as domestic abuse is a good predictor of future violence. However, when police are found guilty of domestic abuse, courts will often convict them of battery instead - which allows them to continue to possess firearms, and thus keep their jobs
Re: (Score:2)
1) The cops weren't surveilling. Private companies were.
2) Any evidence outside ones person or personal domicile (or other private locations as defined by law) is permissible for law enforcement to seize sans warrant in the investigation of a crime.
3) Until this behavior is challenged in court, and until enough Supreme Court justices recognize that this constitutes abuse by law enforcement, this behavior will continue.
Re:No warrant necessary? (Score:4, Informative)
Where there is no explicit Constitutional right involved, technicalities matter, because the legality of any government actions is going to be judged on those technicalities.
The US Constitution has no explicit right to privacy, so the courts over the years have used the 9th Amendment to cobble together a sort of half-assed version out of bits and pieces. And because the courts have done the framing, it's *based* on technicalities. That means there's loopholes.
Here's big one: US case law leans heavily on prohibiting government actions. But once the data has been collected by someone else, the Constitution doesn't explicitly recognize any individual rights of the subject to control or track that data. This leaves the government free to amass databases of information it is not allowed to collect itself. The only legal limitations on this, such as they are, are statutory.
The framers lived in a time when nobody had the ability to amass much data, or do very much surveillance. So they didn't say anything to protect information itself. They just set up a a barrier between the government and the things (papers) and places (homes) that contain information. Today the Bill of Rights would be written in terms of the things being protected rather than the means of threatening them.
Re: (Score:3)
Not just the highest bidder. (Score:2)
" random innocuous apps are often bundling and anonymizing their data to be sold off to the highest bidder. "
The great thing about information is that you still have it after you sold it the first time, so you can sell it to everyone who wants it. Even after it is obsolete you very well might be able to sell it to a historian.
Get A Warrant (Score:2)
They absolutely should have obtained a warrant, if for no other reason than to make sure that the defense can't bring the issue up and possibly have the evidence excluded. Judges sign off on those as a near rubber stamp anyway.
Re: (Score:3)
Evidence has been ruled inadmissable before now because the signed warrant to gather it was deemed overly broad.
By omitting the warrant they avoid the risk of that happening, and by buying publicly available data they don't need a warrant anyway.
Tax data at rest. (Score:2)
End mass collection now!
This should be covered under the 4th Amendment. (Score:3)
This really should be covered under the Fourth Amendment.
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Although our Constitutional Rights don't limit corporations they do limit what the government can do. Just because the data is held in corporate databases doesn't mean it should be up for grabs by the government without a warrant and, if they aren't already, this is something the ACLU needs to get involved in. Where and when I am, is part of my "person", no matter who holds or claims to own that data. The government should not be able to just use our tax dollars to skirt around the Constitution by purchasing things that are clearly protected data.
Re: (Score:1)
The ACLU no longer gives a fuck about American's rights. They've become hard-left-activists that view our Bill of Rights as subjective. Look into the recent declassification from the DNI, it really shows how corrupt our government has become. The Obama admin used the FBI and D
If the data is for sale to the public (Score:3)
There's no reason that the government cannot buy it. It's not like they seized the data.
I'm not a fan of the government surveillance, but don't see any Constitutional violation here.
Pretty clear precedents that stuff you abandon (through out in the trash) or do in public (e.g., government can access your public facebook without a warrant, same as anyone else) is fair game. And anything you have told/given to third parties, those third parties can tell government if they want to, as they have no requirement
Re: (Score:3)
It's not so simple as, "that's data about me, you need a warrant". It is data that users agreed (technically) to allow someone to collect, analyze and/or sell. So, is it still "your" data, or does it now belong to the company that bought it?
There's an exemption to the 4th that allows law enforcement to use information provided by a 3rd party not bound by the 4th. If a PI working a di
Credit card skimming? (Score:2)
Why is the secret service investigating credit card skimming operations? Isn't that the FBI's job?
Re: (Score:2)
Secret service have long had a remit to protect the currency. Mostly they used to deal with forged backnotes and the like but they do credit cards as well.