Fog Reveal and the Data Brokers
- August 31, 2022
- Clayton Rice, K.C.
The buying and selling of information is the staple of the data brokering industry. Information about income, education, ethnicity, religious beliefs, political views and geolocation data are peeled from publicly available sources that may include census records, social media sites and commercial transactions. A mass surveillance technology developed by an obscure company specializing in the marketing of geolocation data collected by the applications people use on their electronic devices was revealed earlier today by the Electronic Frontier Foundation. It provides law enforcement with a powerful investigative tool to sift through datasets of smartphone location history and give investigators a window into the past.
The terms mobile device tracking and mobile device surveillance are often used interchangeably but actually mean different things in the digital ecosystem. Mobile device tracking may be described as a process for locating a mobile phone. The location of a specific device may be determined in a variety of ways, including the use of the service provider’s network or the software installed on the device. Mobile device surveillance is a broader term that includes the interception and recording of private communications, including text messages. It would also include spyware surreptitiously downloaded on a device to monitor conversations in real time that may also provide stalking capability from a remote location. The global scandal involving Pegasus software developed by NSO Group is an example of mobile device surveillance because its capabilities are more invasive than device tracking. (here)
2. Fog Data Science
On August 31, 2022, the Electronic Frontier Foundation (EFF), the renowned digital rights organization based in San Francisco, California, released an investigation of public records acquired from law enforcement agencies that uncovered a previously unknown mass surveillance technology. (here) According to a series of posts to the EFF web site, Fog Data Science LLC provides state and local law enforcement agencies in the United States with warrantless access to continuous geolocation data of millions of Americans that is collected through their smartphone apps and then aggregated by technology developed by Fog Science. The tool created by Fog Science for aggregating the data is called Fog Reveal. (here) The technology appears to fall into the category of mobile device tracking as EFF did not identify other capabilities. The results of the investigation have literally emerged out of the fog that shrouds the data market.
3. The Fog Database
Fog Data Science LLC was founded by two former officials in the U.S. Department of Homeland Security under former President George W. Bush. According to documents created by the company, reported by EFF, it purchases “billions of data points” from approximately “250 million devices” throughout the United States, originally sourced from “tens of thousands” of mobile apps, and then aggregates it into a searchable database. Fog Science provides law enforcement agencies with access to the database for an annual fee between $6,000 and $9,000. The basic service includes 100 queries a month although Fog Science sells more query allocations for an additional monthly fee. The technique, then, involves using the data to create a geofence around a specific area during an investigation similar to the techniques authorized by geofence warrants that I discussed in a previous post to On The Wire. (here) However, according to EFF, Fog Science does not require the police to obtain a warrant authorizing access to its database.
Fog Science has stated in materials provided to law enforcement that it has access to “near real-time” databases of billions of geolocation signals derived from smartphones. It can access historical data going back to 2017. The signals include latitude, longitude, timestamp and device ID. According to the EFF investigation, Fog Science’s materials describe how users can run two different queries:
- “Area searches”: This feature allows law enforcement to draw one or more shapes on a map and specify a time range they would like to search. The service will show a list of all cellphone location signals (including location, time, and device ID) within the specific area(s) during that time. The records EFF obtained do not say how large an area Fog’s area searches are capable of covering with a single query.
- “Device searches”: Law enforcement can specify one or more devices they’ve identified and a time range, and Fog Reveal will return a list of location signals associated with each device. Fog’s materials describe this capability as providing a person’s “pattern of life”, which allows authorities to identify “bed downs,” presumably meaning where people sleep, and “other locations of interest.” In other words, Fog’s service allows police to track people’s movements over long periods of time.
Fog Reveal is distinct from other mobile device location technologies in that it follows a device through its advertising ID, which is a unique number assigned to each device. The ad ID number does not reveal the name of a device’s user but it can be traced to a residence or employment location, which helps police to establish a “pattern of life” analysis. The acquisition of the data is distinguishable from a geofence warrant in that the data is obtained directly from a data broker such as Fog Science. A geofence warrant, on the other hand, taps into GPS and other sources and accesses data from tech companies like Apple and Google.
Although Fog Science insists that it does not collect personally identifying information, the location data tracked over time allows law enforcement to draw inferences about the habits and lifestyle choices of a particular device’s user. This can tie an anonymous device to a specific individual and enable Fog Science to promote its services for “pattern of life” analyses. In a post in the series titled Inside Fog Data Science, the Secretive Company Selling Mass Surveillance to Local Police, EFF staff technologist Bennett Cyphers characterized the “area search” and “device search” functions as allowing surveillance that is both broad and specific. “An area search can be used to gather device IDs for everyone in an area, and device searches can be used to learn where those people live and work,” he wrote. “As a result, using Fog Reveal, police can execute searches that are functionally equivalent to the geofence warrants that are commonly served to Google.” (here)
A similar point was made in a post titled How Ad Tech Became Cop Spy Tech where EFF staff technologist Will Greenberg described the claim of data brokers that they don’t sell personally identifiable information as bogus. (here) Ad IDs allow disparate data points to be grouped into a pattern that can make it “trivially easy” to identify where a person lives, works, attends school or church, and where they go for medical services. In the documents reviewed by EFF, a police officer in St. Louis, Missouri, said this about Fog Reveal: “There is no PI [personal information] linked to the [device ID]. (But, if we are good at what we do, we should be able to figure out the owner).”
4. The Dangers of Fog Reveal
Fog Reveal was described as a “major blow to civil liberties in the United States” in another concurrent post titled What is Fog Data Science? Why is the Surveillance Company so Dangerous? by Matthew Guariglia, an Affiliated Scholar with the Institute of Criminal Justice at the University of California, Hastings School of Law, and an EFF policy analyst. Here are three key extracts:
- With a click and drag of a mouse, police can see the devices of every person who attended a protest, follow them home to where they sleep, and open up people exercising their constitutionally-protected right to protest to more surveillance, harassment, and retribution. Police can also, for instance, track people whose devices have been inside an immigration attorney’s office, a women’s health clinic, or a mental health facility. Police could easily, with almost no oversight, use this tool to watch secret rendezvous between a journalist and their whistleblowing source.
- Fog claims that their product is made of data willingly given by people. But people did not hand their geolocation data over to Fog or the police, willingly or even knowingly. Rather, they gave it over, for example, to a weather app so that they could see if it will rain in their town today. When they downloaded the app, they may have clicked a box purporting to grant various so-called “consents,” but no reasonable person expects this will result in the app tracking all their movements, the app developer selling this sensitive information to a data broker, and police ultimately buying it.
- Fog also claims that their product is privacy conscious, because it does not contain personally identifying information like a person’s name or phone number. Not so. The police looking at a dot representing you on a map may not know your phone number or your name – but when they follow that dot to the place where you sleep at night, suddenly they have your address. A decade ago, researchers found that four spatio-temporal points were enough to identify 95% of the 1.5 million people whose movements were tracked in a 15-month set of phone mobility data. Claims that location data has supposedly been “anonymized” are highly dubious.
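The re-identification risk described in the last extract can be measured on any location dataset as its unicity: how often a handful of known points match exactly one device. The following is an added example, not code from EFF, Fog Data Science or the researchers mentioned; the ad IDs, coordinates, timestamps and coarsening parameters are constructed for illustration.

```python
import random

def coarsen(lat, lon, ts, cell_deg=0.01, window_s=3600):
    """Reduce a raw signal to a (grid cell, hour) bucket, as a coarsened release would."""
    return (round(lat / cell_deg), round(lon / cell_deg), ts // window_s)

def build_traces(signals, **kw):
    """Group (device_id, lat, lon, ts) signals into one set of buckets per device."""
    traces = {}
    for dev, lat, lon, ts in signals:
        traces.setdefault(dev, set()).add(coarsen(lat, lon, ts, **kw))
    return traces

def unicity(traces, k, trials=50, seed=0):
    """Fraction of draws in which k points known about one device match no other device."""
    rng = random.Random(seed)
    unique = total = 0
    for points in traces.values():
        if len(points) < k:
            continue  # not enough observations to draw k points
        pool = sorted(points)
        for _ in range(trials):
            known = set(rng.sample(pool, k))
            matches = sum(1 for other in traces.values() if known <= other)
            unique += (matches == 1)
            total += 1
    return unique / total if total else 0.0

# Constructed sample: three ad IDs with no name attached. Each sleeps at a
# different place (hours 0-3) and all share one workplace (hours 9-12).
BASE = 1_660_000_000  # constructed epoch seconds
HOMES = {"ad-id-A": (10.60, 20.25), "ad-id-B": (10.65, 20.30), "ad-id-C": (10.70, 20.15)}
WORK = (10.627, 20.199)
SIGNALS = [(d, *HOMES[d], BASE + h * 3600) for d in HOMES for h in range(4)]
SIGNALS += [(d, *WORK, BASE + h * 3600) for d in HOMES for h in range(9, 13)]
TRACES = build_traces(SIGNALS)

if __name__ == "__main__":
    for k in (1, 2, 4, 5):
        print(f"k={k}: unicity={unicity(TRACES, k):.2f}")
```

Because each constructed device has only four buckets in common with the others, any five known points must include one that belongs to a single ad ID, so unicity reaches 1.0. Widening `cell_deg` or `window_s` lowers the figure only to the extent that traces actually collide.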
Fog Data Science frequently partners with Venntel, Inc., a data broker that works with law enforcement. (here) The collaboration can provide additional clues that help identify specific individuals. Fog Reveal, then, has the capacity to provide law enforcement with the ability to track the precise movements of hundreds of millions of mobile devices and their users back in time as they went about their daily lives. EFF called it mass surveillance.
Although there is a hungry market for app-derived location data, Fog Data Science is the only company identified by EFF that sells individualized geolocation data to state and local law enforcement in the United States. And there is no evidence that Facebook, Apple or Google Maps provide data to Fog Science. Nonetheless, EFF concluded that Fog Reveal represents a “direct and uniquely modern threat to our privacy.” The threat is intensified by an evolving legal environment where the warrantless seizure of this kind of app-based data by the police has not been tested in the courts. There is, however, a parallel with “cell site location information” that is subject to scrutiny under the Fourth Amendment to the Constitution of the United States and s. 8 of the Canadian Charter of Rights and Freedoms.
What, then, can you do about it? Fog Reveal relies on data gathered by code embedded in third party apps. You can slow down the data hose by doing two things. First, disable ad tracking and the mobile ad identifier on your devices; the identifier is what allows data brokers to tie geolocation data to your individual device. (here) Second, delete applications you don’t need and limit the number of others that have permission to collect your geolocation data. Apple’s App Tracking Transparency initiative, which now allows users to opt out of ad tracking, has resulted in a decrease in the number of devices sharing that data, thus making companies like Fog Science less useful to law enforcement. If you use Apple devices, and haven’t already opted out, go to Settings > Privacy > Tracking and toggle off “Allow Apps to Request to Track”.