How the U.S. Military Buys Location Data from Ordinary Apps
November 19, 2020 3:26 PM

How the U.S. Military Buys Location Data from Ordinary Apps: "Through public records, interviews with developers, and technical analysis, Motherboard uncovered two separate, parallel data streams that the U.S. military uses, or has used, to obtain location data. One relies on a company called Babel Street, which creates a product called Locate X. U.S. Special Operations Command (USSOCOM), a branch of the military tasked with counterterrorism, counterinsurgency, and special reconnaissance, bought access to Locate X to assist on overseas special forces operations. The other stream is through a company called X-Mode, which obtains location data directly from apps, then sells that data to contractors, and by extension, the military."
posted by 922257033c4a0f3cecdbd819a46d626999d1af4a (13 comments total) 14 users marked this as a favorite
Is there a list of the apps somewhere, or what? These articles are important and informative, but how the hell am I supposed to know what to delete, or at least lock down from accessing my location data?
posted by SansPoint at 3:55 PM on November 19 [2 favorites]

I doubt the military even knows what apps they're coming from. The app developer, in an attempt to make a few bucks, puts some code into their app from another company (not the military) that displays ads. But "displaying ads" means that they're grabbing every single possible data point on you (because that's where the money is) including location, phone model/cost, unique advertising identifier, the app that it's getting the information from - and then selling that data to some other data aggregator. That aggregator can then sell that data to others, including other aggregators but also government and other ad companies, in order to form a "complete profile" on you.

If you're using an app for Muslim dating, or making ghost guns or whatever, there might be a lot of people interested in you and not just for displaying ads.
posted by meowzilla at 4:17 PM on November 19 [6 favorites]

I think it’s not exactly right to assert the US military specifically bought the location data of users of the prayer app; that’s not how it is really aggregated and packaged. It is also unfair to say the developers specifically, intentionally, sold that information in that context. They just wanted to have an ad-supported app.
posted by floam at 4:26 PM on November 19 [2 favorites]

Is there a list of the apps somewhere, or what? These articles are important and informative, but how the hell am I supposed to know what to delete, or at least lock down from accessing my location data?
posted by SansPoint
I remember having been told at one point that the reason why weather apps are free is because they make a lot of money selling user location data, because everyone wants precise location tracking for weather forecasts.

Basically I feel like maybe it would just generally be a safer assumption to just assume every developer is selling your location data unless they are known to have a reason not to.
posted by DoctorFedora at 6:42 PM on November 19 [5 favorites]

If you want to avoid being tracked by corporations and governments, and you are reading this statement, you have already made a grave error.
posted by Mr.Encyclopedia at 7:02 PM on November 19 [4 favorites]

Does the smart in smartphone refer to how we were connived into giving up all of our personal information by corporations and governments?
posted by neon909 at 8:04 PM on November 19

It isn't clear to me from reading the article if the location data acquired through third-party SDKs would only be from apps that display ads.

Is there any reason to think the SDK that X-Mode pays developers to use wouldn't also potentially be incorporated into apps that don't display ads?
posted by theory at 8:43 PM on November 19 [1 favorite]

neon909: no, smartphones have hardware and operating systems enabling rich general computing features with Internet connectivity, compared to simpler devices which have set limited features oriented mostly towards telephone calling and network SMS texting.

A smartphone is a mobile computer with built-in telephony.
posted by floam at 10:00 PM on November 19

$1,500 per month for an app with 50,000 users is $.03 per user per month, $.36 per year. That's not nothing, but the aggregated data from every user of every cooperating app must be insanely valuable.
posted by Joe in Australia at 11:16 PM on November 19

According to Jacob Silverman, this isn't a problem that can be solved by individual action; it requires new laws that protect user data.
posted by subdee at 7:12 AM on November 20 [2 favorites]

Is there any reason to think the SDK that X-Mode pays developers to use wouldn't also potentially be incorporated into apps that don't display ads?

If I were an app developer and some company emailed me to say "hey put our totally-legit code in your app and it doesn't do anything, but we'll pay you $1,000 a month", my internal alarm bells would be ringing and I would refuse. Who are these people? What does the code do? It's not normal to be paid for doing "nothing".

But ad-supported apps are totally normal, so partnering with an ad agency that pays you to display ads wouldn't trip off any alarm signals, because you know where that money comes from.

I think the big picture is the banality of evil and the unregulated collection of data. There would be concerns about the United States military directly writing weather apps to steal people's private information. If app developers directly stole people's information, then they would be classified as spyware authors and shunned. If government agents directly contacted app developers, they would not get a lot of acceptance.

But if you're an app developer and you're partnering with a 2 billion dollar company called UserClick that's listed on NASDAQ, it all seems completely above board. But you're not really sure who else gets that information if it's shared with UserClick's "partners".
posted by meowzilla at 11:21 AM on November 20 [1 favorite]

In previous jobs I've used X-Mode and several other device tracking providers, sometimes for good (COVID mobility tracking for state health orgs) sometimes for less good (industrial activity for traders and big corporations). The appeal to an app developer to use services like X-Mode is that you (the developer) also get access to the location data without having to develop your own geospatial blahdeblah, and you even get paid for it.

With these services, you'd get a delivery every day in some place in the cloud of device pings. The columns were what you expect: anonymized device id, timestamp, latitude, longitude, and a bunch of extra columns that were generally useless because they weren't reliably filled. You throw that into a database and do your work. It's easy to work with and not that large a volume of data, all things considered. It also isn't as expensive as you might think.

None of the companies would tell us what specific apps are giving the data (the apps mentioned in the article are not surprising to me; we had surprisingly good success in Indonesia, for instance), just that some fraction were iOS and some Android. This actually made the data much harder to use, because it was pretty obvious that the apps were changing quite a lot. You could never be sure of your coverage ("I see N% of all devices / people."), just that it changed in geography and time, that it was never a large number (think 1-10%), and that the majority of devices only showed up a few times (makes it hard to use census blocks to turn devices into estimates of people).

It was a constant conversation internally about what guidelines we could set up to Not Be Creepy and still Make Money. There were also a lot of legal issues about what countries you could use: they wouldn't (easily) give us European data because of GDPR, for example.

The data was useful from a demo perspective: it's easy to take the data, draw a box, and get hourly activity. It's also easy to do creepier things (heatmaps of activity, tracing devices from one place to another). It looks flashy and sexy. But, we had difficulty making it useful, because the data just wasn't good enough. You can tell big changes in activity (e.g. Caltrain going down was easy to algorithmically detect), but (i) you got that information a few days later (too late!); (ii) you couldn't reliably quantify the changes because you couldn't guarantee that a large change was due to people and not due to a new app providing data (which did happen and we could clearly see in the data).

Google and Apple have more devices and more information per device. Apps like Google Maps can tell you when it's busy at a restaurant, because they saw when you were there whether you knew it or not.
posted by getao at 11:01 PM on November 20 [1 favorite]

Presumably X-Mode could correlate devices across apps if it chose to, and possibly provide enough granularity to identify individual users. I have to think that if they're not being paid for supplying that information, it's because companies higher up the food chain have cornered the market.
posted by Joe in Australia at 10:45 PM on November 21
