Officials inside the Secret Service clashed over whether they needed a warrant to use location data harvested from ordinary apps installed on smartphones, with some arguing that citizens have agreed to be tracked with such data by accepting app terms of service, despite those apps often not saying their data may end up with the authorities, according to hundreds of pages of internal Secret Service emails obtained by 404 Media:
The emails provide deeper insight into the agency's use of Locate X, a powerful surveillance capability that allows law enforcement officials to follow a phone, and person's, precise movements over time at the click of a mouse. In 2023, a government oversight body found that the Secret Service, Customs and Border Protection, and Immigration and Customs Enforcement all used their access to such location data illegally. The Secret Service told 404 Media in an email last week it is no longer using the tool.
"If USSS [U.S. Secret Service] is using Locate X, that is most concerning to us," one of the internal emails said. 404 Media obtained them and other documents through a Freedom of Information Act (FOIA) request with the Secret Service.
Locate X is made by a company called Babel Street. In October 404 Media, NOTUS, Haaretz, and Krebs on Security published articles based on videos that showed the Locate X tool in action. In one example, it was possible to follow the visitors to a specific abortion clinic across state lines and to their likely place of residence.
Tools similar to Locate X often use data that has been collected from ordinary smartphone apps. Apps on both iOS and Android devices collect location data and then sell or transfer that to members of the data broker industry. Eventually, that data can end up in tools like Locate X.
Originally spotted on Schneier on Security
Previously: Secret Service Bought Location Data Pulled From Common Apps
« China's Moon Rock Samples Suggest Durable Lunar Volcanoes | New Supercomputer Simulation Explains How Mars Got its Moons »
Related Stories
Secret Service bought location data pulled from common apps:
The Secret Service paid a private company for access to location data generated by common smartphone apps, Motherboard reports. Internal documents obtained through a Freedom of Information Act (FOIA) request show that the agency spent $35,844 for a one-year subscription to Babel Street's product Locate X, which tracks the location of devices via data harvested from popular apps.
As Motherboard notes, the glaring issue with this contract is that it allows the law enforcement agency to buy information that it would normally need a warrant or a court order to obtain.
[...] In March, Protocol reported that US Customs and Border Protection purchased Locate X, and a former Babel Street employee told Protocol that the Secret Service and US Immigration and Customs Enforcement (ICE) were using the location-tracking tech. But Motherboard has the first confirmation that the Secret Service did in fact purchase Locate X.
[...] Senator Ron Wyden is reportedly planning legislation to block law enforcement from purchasing products like Locate X.
"It is clear that multiple federal agencies have turned to purchasing Americans' data to buy their way around Americans' Fourth Amendment Rights. I'm drafting legislation to close this loophole, and ensure the Fourth Amendment isn't for sale," Wyden said in a statement provided to Motherboard.
(Score: 4, Insightful) by looorg on Sunday November 24, @03:10PM (13 children)
I'm not some fancy Secret Service lawyer. But I'm still fairly sure that this is not what people agreed to. The intended usage. So if one wants to be all technical and fancy about it, and that is a mighty big IF, those people might have agreed to be tracked by location data for commercial reasons by Google, Advertisers or whomever. They did not agreed to be tracked by the Secret Service or any LEO. I don't recall them being part of any EULA or whatever. That is unless the Secret Service are now trying to sell some merch. It's was tracking for commercial reasons, not to be tracked into compliance by Big Brother.
If the claim is that they do not need a warrant due to them technically buying a service. What other overreach can they do, if it can be purchased as a service as or instead of being part of an actual investigation. Perhaps they should just stop investigating all together and just buy investigations from someone that doesn't need to or have to follow any kind of rules.
If they need to get a warrant to get information from a telephone company, why would they not need a warrant to get information from Locate X / Babel Street. In some regard this seems like a setup to just make bypass around the entire legal system.
(Score: 5, Insightful) by JoeMerchant on Sunday November 24, @03:30PM (3 children)
It's not what people agreed to, which is why lawyers are arguing over it.
You see, the uneducated masses need lawyers to translate and navigate the legal world for them to serve their best interests, for a fee of course.
For instance, TFS implies that crossing out of your state to another to visit an abortion clinic might be something a pregnant woman needs to be concerned about the secret service knowing? That's contrary to every US legal principle I thought I knew... Better consult a lawyer instead of me...
🌻🌻 [google.com]
(Score: 3, Touché) by DadaDoofy on Sunday November 24, @06:28PM (2 children)
"It's not what people agreed to"
Oh, but it was. What would lead someone to believe a "third party" somehow excludes law enforcement?
(Score: 0) by Anonymous Coward on Sunday November 24, @07:28PM (1 child)
Oh, but it's not. Contract law is a very interesting topic that is worth looking into sometime.
(Score: 3, Funny) by Anonymous Coward on Sunday November 24, @08:51PM
Fear not! Now the Freedom(tm) loving party is back in power, all these evil government overreaches will be ended. Praise Jesus!
(Score: 5, Informative) by Unixnut on Sunday November 24, @03:46PM (4 children)
I don't know, pretty much every EULA I've bothered to read (and they do seem to make it a real drag to actually read and understand them) seem to have buried in the small print wording similar to: "data may be shared locally or internationally with third parties and authorities in order to facilitate processing, provide end-user service and/or comply with legal and regulatory obligations".
While I am no lawyer, the whole "facilitate processing, provide end-user service and/or comply with legal and regulatory obligations" type of stuff they put in there is so broad that it basically grants them the right to share your data with whoever they want for whatever reason.
As such I always assumed that anything they record, collect and capture about me is basically public information. Which is why I try to avoid it as much as possible, hard as it is nowadays to do it 100% without basically moving to a wood shack in the middle of nowhere and living like a hermit.
Thing is, even if they violate the agreement, they are so much more powerful than an individual that any legal action is bound to destroy said individual long before the conclusion of the case. So as far as I'm concerned there is no real way of dealing with this short of not giving them your information in the first place. That is the only way to be sure the information won't be (ab)used against you or others.
(Score: 2, Interesting) by Anonymous Coward on Sunday November 24, @06:23PM (3 children)
IMO this is a cover-ass provision. They feel they can't deny cops, so they put it into the EULA that you allow them to provide what they can't refuse to pass up. Remove the requirement that they comply, and a lot of them most likely wouldn't - compliance is a cost, after all. But of course, in the United Police-States of America, "law" (and technicalities) trumps all - even corporate profits (amazingly).
Of course, click-through EULA's are not contracts, and were not negotiated, and saying that any of this is valid is highly questionable.
(Score: 3, Insightful) by aafcac on Monday November 25, @12:02AM (2 children)
With the existence of National Security Letters, it's hard for them to not put that into their ToS as they don't have the option to refuse in most cases and can't disclose that they've been ordered to provide data.
(Score: 5, Insightful) by NotSanguine on Monday November 25, @01:10AM (1 child)
Except that's not what's happening here. Locate X/Babel Street aren't "just responding to Law enforcement requests," they're actively marketing and selling the data they collect to those LEOs.
Which is much, much different than responding to a NSL, subpoena or polite request, IMNSHO.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by aafcac on Monday November 25, @05:28PM
It would have to be in there either way. Neither situation should be permissible.
(Score: 4, Informative) by Thexalon on Monday November 25, @03:52AM (3 children)
Shortly after the opening of the Internet to general public traffic during the Clinton administration, the FBI began developing methods of tracking specifically targeted individuals' activity. This was supposed to have similar requirements to phone wiretaps: There had to be evidence that their target committed a crime and was using the Internet to commit it.
But the way cops and national security types think, there's never too much information available for them, so as early as 1996 they were starting to organize online information gathering projects. They made some arguments that amounted to pointing out that if you weren't monitoring somebody, and later it turned out they were involved in a crime, you wouldn't automatically know who else was involved in that crime, so therefor they needed some basic continuous monitoring of everybody, By May 2003, this had morphed into a project called "Total Information Awareness", led by Iran-Contra felon John Poindexter, which aimed to track everybody's online everything as thoroughly as possible. As you might imagine, some folks had some Fourth Amendment concerns about all of this, and Congress officially voted to defund the effort about 6 months after it had officially started.
And a few years later, it cropped up that they'd simply moved all these efforts to a different department, increased the classification level, and kept going, with some hints that it's been going pretty much continuously over the last couple of decades. And more recently, the NSA built a giant data center in Utah [wikipedia.org] that does, well, nobody knows, but there are a lot of suspicions. And they generally claim that it's targeted at terrorists and/or foreigners, but again nobody really knows who is allowed to tell the public, and some hints that the overall system is being used to among other things track down agents' ex-lovers for harassment.
Buying phone location data would definitely fit into those overall plans, particularly since it would help with the development of a graph of who is likely gathering in-person with whom.
"Think of how stupid the average person is. Then realize half of 'em are stupider than that." - George Carlin
(Score: 2) by PiMuNu on Monday November 25, @03:03PM (2 children)
> terrorists and/or foreigners
Is there a difference between the two?
(Score: 2) by Thexalon on Monday November 25, @07:01PM (1 child)
Yes: Some people the government considers terrorists are US citizens. There have been cases of US citizens locked up in Gitmo, US citizens hit by anti-terrorism drone strikes (arguments persist on whether those were accidental), and US citizens charged with domestic terrorism for alleged involvement in activities like throwing rocks and bottles at cops.
Just in case you thought government activities were OK because they were targeting Them rather than Us.
"Think of how stupid the average person is. Then realize half of 'em are stupider than that." - George Carlin
(Score: 2) by PiMuNu on Tuesday November 26, @12:38PM
Thanks for the clarification
Mod +1 Sad but also Funny
(Score: 2) by Spamalope on Sunday November 24, @03:33PM (1 child)
The industry is highly regulated, which means regulators hold life or death control over the businesses.
A request 'coordinate to facilitate location tracking' can't be refused. Any action in that direction is barred as a 1st, 4th, 5th breach at least because they can't be separated from impermissible action/influence/blackmail.
The usual technique - 'muh cutout company' where an 'aggregator' is created to launder the impermissible activity is the current go to, with 'no expectation of privacy' the contrived excuse when caught. The catch is, it starts with an impermissible breach via coercive power.
The location info collection + agreements surrounding it are subject to regulatory directives. (i.e. get the info, arrange for us to get it and hide the fact that you are or that we require it or your licenses will have 'difficulties' until you do)
(Score: 2) by mcgrew on Sunday November 24, @09:34PM
The industry is highly regulated
I see you're not American. Not all countries can be as civilized as yours.
Our nation is in deep shit, but it's illegal to say that on TV.
(Score: 4, Interesting) by pTamok on Sunday November 24, @03:40PM (13 children)
Once you agree to provide your location to a corporation, it becomes a business record owned by the corporation (it is different in GDPR-land, where 'data subjects' own their personal data and give permission to others to process it for specific purposes, unless an applicable exception - for specific purposes, one of which is government, of which national security is a part - applies). Business records are 'fair game'.
The big question is not if location data can be used for National Security purposes, but whether is can be used by others, such as police departments and other national and local government departments.
Image if you can get a speeding ticket because your phone was shown to be moving down a highway at greater than the posted speed limit.
(Score: 2) by JoeMerchant on Sunday November 24, @04:13PM (12 children)
As for my life: track away. They will know I'm up to no good, or dead, when the phone stops moving, the CC stops charging, and the non-connected vehicle's license plate stops showing up on traffic cameras.
I'll probably never need to "go dark", but if I do my distinctive hair will go generic buzz cut, my distinctive dressing patterns will shift mainstream while I am in transit, and I will wear MAGA swag - to blend in.
🌻🌻 [google.com]
(Score: 5, Funny) by Anonymous Coward on Sunday November 24, @04:23PM (1 child)
Commonly known as Florida casual?
(Score: 1, Funny) by Anonymous Coward on Sunday November 24, @09:34PM
I think the hairstyle is wrong for Florida casual. It should be a mullet.
(Score: 5, Insightful) by bzipitidoo on Sunday November 24, @06:08PM (9 children)
Let's all keep in mind why privacy is valuable. It's not a matter of hiding crimes. Saying that innocent people have nothing to hide is part of the propaganda to justify all the spying. Innocent people have plenty to hide, and not for nefarious reasons.
It's that you never want enemies and opportunists to know whether and how you are vulnerable. Hiding that you suffer from some grave illness is very common, and so greatly wanted that medical records are subject to higher legal protection. HIPAA, you know. Aging is another weakening many go to considerable lengths to conceal. Scam artists who prey upon the elderly are legion. Even if you are young and healthy, they're still trying to find weaknesses, the better to exploit you. Blackmail you. Having an affair is not illegal, but it sure is info that can be used to hurt you. If you're in a closet, so to speak, being forced out rather than coming out is another use of your private info against you.
Mostly though, what they do is manipulate you, try to persuade you to part with your money in exchange for goods or services that might on the surface seem a fair deal, but which really aren't. The discovery that many people can be suckered into paying monthly for services that can be had in perpetuity for a one time expense is one of the biggest scams that have been pulled on the public. Microsoft 365, for instance. I continue to be amazed that the great majority of people go for commercial tech's deep propagandizing that amounts to "you get what you pay for", and let themselves be scared away from the free software world. FUD worked.
Whether and how you voted is another piece of info we as a society go to some lengths to help you keep private. We know that if that info is not private, it takes your freedom of choice. What do you do if your employer wants all employees to vote for the candidates they prefer, and can find out if you voted as they wish, and also can fire and blackball you if you didn't?
Whistleblowing is a particularly fraught breach of privacy. These are instances in which secrecy is being abused to cover up fraud and dangerously reckless activities, and exposure is in the public interest. We try to protect most whistleblowers. (We sure fell down on protecting Edward Snowden, Reality Winner, and Chelsea Manning.) Many of the powerful are always pushing the boundaries, pushing in ways that are very much harmful and grossly unfair, and whistleblowing helps tamp that down.
(Score: 4, Informative) by JoeMerchant on Sunday November 24, @07:13PM (6 children)
>medical records are subject to higher legal protection. HIPAA
And that is a good thing, except the actual implementation of HIPAA in my experience has been 95%+ as an excuse to hide malpractice and abuse, actual patient information is little more protected than it was before HIPAA - though, for those few systems implementors who follow best practices HIPAA is a signpost to point at as for why the project is going to take an extra 6 to 18 months for security implementation and validation.
>Aging is another weakening many go to considerable lengths to conceal. Scam artists who prey upon the elderly are legion.
And they all fail miserably. Give me an address in the United States and odds are that within 5 minutes or less I can tell you the name, mailing address and accurate age of the owner, along with the appraised and fair market value of the property and when they bought it and what they paid... Five more minutes should get you all the current mortgage holders' info as well.
>If you're in a closet, so to speak, being forced out rather than coming out is another use of your private info against you.
Nothing is 100%, but there does seem to be a correlation between political party and skeleton keepers in their closets: https://www.snopes.com/fact-check/greene-democrats-supermajority-gaetz/ [snopes.com] Satire?
>The discovery that many people can be suckered into paying monthly for services that can be had in perpetuity for a one time expense is one of the biggest scams that have been pulled on the public.
Give away the shiny razor, sell the disposable blades for obscene profit margins is a tried and truly highly profitable business model in most industries. Signing people up for automatically renewing subscriptions is another. I just paid $5 extra for a product rather than activate my fourth free Amazon Prime trial month, I hope someone is paying attention and continuing to provide competitive pricing without membership dues...
>Whether and how you voted is another piece of info we as a society go to some lengths to help you keep private.
Bzzzt. Whether you voted is very public, and your party registration is too. How you voted is becoming easier and easier to guess with social media and other easily learned clues. Your reasoning why that privacy is important is entirely valid, but when the majority of people who vote are transparent about who they vote for, simply not being transparent makes you an outlier, a small minority, and discrimination against small minorities is all too easy, and often socially profitable.
>We try to protect most whistleblowers.
Do we, really, or is that a comforting fiction we tell ourselves? https://kkc.com/media/two-dead-a-third-boeing-whistleblower-lives-in-terror/ [kkc.com]
🌻🌻 [google.com]
(Score: 2) by bzipitidoo on Sunday November 24, @08:36PM (3 children)
> Signing people up for automatically renewing subscriptions is another. I just paid $5 extra for a product rather than activate my fourth free Amazon Prime trial
I burned down an entire web of magazine and newspaper subscriptions when they started doing the automatic renewal. I ended subscriptions with all of them, whether or not they were trying the automatic renewal. Too many of them were. In the neighborhood I'm in now, I have never seen a newspaper in anyone's yard.
And, I learned that all the magazines my family had stored, decades worth of National Geographic, Scientific American, Science News, Natural History, Smithsonian, Time, US News and World Report, Reader's Digest, and so forth, were all worthless. No one wanted them, even for free. Nat Geo was supposed to be collectable, but have to get back to the 1950s for them to start to be worth anything. I wouldn't pay for them in any case, not with digital scans of them all readily available. Into the recycling they all went.
> Give me an address in the United States and odds are that within 5 minutes or less I can tell you the name, mailing address and accurate age of the owner
Yes, if you pay. Commercial peddlers of such info have had considerable success in SEOing the websites with the freely available info way down the search results. Takes a bit longer if you try to avoid those commercial sites. Ironic if you use the commercial sites, and you fall for their lies that they need your info in order to provide the info on your target.
> Bzzzt. Whether you voted is very public
Well, that's true. Have to record that to prevent people from voting multiple times. However, I think we could do better. Should be possible to prevent the casting of more than one ballot per voter, without plaintext recording that they voted. Store a secure digital hash of each voter's info, much like passwords are stored. Then, if a voter tries to vote again, the hash of their info will match one of the stored hashes, and they will be denied a second ballot.
Yes, it's pretty clear that protecting whistleblowers is one of those idealistic things that we say we do but too often fail to accomplish.
(Score: 2) by JoeMerchant on Sunday November 24, @09:52PM (2 children)
>>Give me an address in the United States and odds are that within 5 minutes or less I can tell you the name, mailing address and accurate age of the owner
>Yes, if you pay
That would take two minutes. First look up the name of the county the address is in, then go to that county's property appraiser website, you can almost always search by address or owner name, often by map - always free, 24-7-365.
>Store a secure digital hash of each voter's info, much like passwords are stored.
Bzzzt. Anybody who can check if you voted twice can check if you voted once. Better to leave that information public than attempt to obfuscate it for non election officers.
🌻🌻 [google.com]
(Score: 2) by bzipitidoo on Monday November 25, @06:11AM (1 child)
> Bzzzt. Anybody who can check if you voted twice can check if you voted once.
Bzzzt yourself. Okay, so hashing the voter info isn't enough, that's true. But it still can be done. Assign a unique passcode to each voter. Then add that (hashed and salted) to the data to be hashed. Only those who know the passcode (ideally only the voter), can produce a hash that will match, and it will match if they are trying to vote a 2nd time. They can't vote unless they use their passcode. More cumbersome, but that does conceal whether a voter voted, as well as how they voted. If we are ever to move voting online, we'll have to do something of that sort anyway.
(Score: 2) by JoeMerchant on Monday November 25, @12:57PM
>Assign a unique passcode to each voter.
Technology, I agree. Practically, voters are mostly incapable of managing their own secrets securely.
Also: Bzzzt.
>a unique passcode to each voter. Then add that (hashed and salted) to the data to be hashed. Only those who know the passcode (ideally only the voter), can produce a hash that will match, and it will match if they are trying to vote a 2nd time.
Again >>Anybody who can check if you voted twice can check if you voted once
>If we are ever to move voting online, we'll have to do something of that sort anyway.
Agreed, but I don't think we are ever moving to online voting, at least not before 2060. We already have idiots using their dementiaed out (and dead) parents' mail in ballots, to trust online voting we will need to have the voters manage their own personal secrets securely (which dementiaed out nonagenarians can't, but they sure do have the right to vote - another issue for another discussion.)
One solution: UBI. Every citizen gets one (and only one at a time) credit card that provides their UBI. Using multiples will happen, but will also have a strong interdiction program, not just biannual volunteer nonagenarians putting ballots in secrecy sleeves for you. The secure private key for UBI payment control can be used to obtain a digital ballot from a polling authority. The polling authority needs to record that the voter obtained a ballot, and provide a certified but anonymized ballot. The voter may then "mark" the ballot and submit it, or not. Double voting is controlled during the obtaining of the ballot. Anonymity depends on the ballot issues not tracking which ID obtained which ballot.
🌻🌻 [google.com]
(Score: 2) by bzipitidoo on Tuesday November 26, @01:11AM (1 child)
> except the actual implementation of HIPAA in my experience has been 95%+ as an excuse to hide malpractice and abuse
In my experience, HIPAA has been abused to justify refusing to tell anyone anything. If a loved one is injured and sent to the emergency, good luck trying to find out anything by calling around. Have to visit in person, if you can find out where. I got into it with the nursing home where my aunt lived. When I visited, I could at once see her, but if I called, they would refuse to divulge anything whatever about her, like that she was still there, still alive, and doing okay. They blamed HIPAA for why they couldn't tell me anything. I checked, and found they were lying. HIPAA does not forbid them answering questions of that sort. Further, they don't have to verify my identity, they can take me at my word that I am who I say I am. I kept calling and arguing, and they got very hostile. Shifted to another excuse, that they could only tell relatives. I reminded them that I was in fact a relative. They still wouldn't talk. So I called the police and asked them to do a welfare check, and they did. Assured me my aunt was fine. In part, the welfare check was to send that nursing home a message. I was genuinely worried that they might retaliate for those phone calls by harming her. I went up the chain, called their corporate headquarters, got them to admit it was not HIPAA, it was their policy, and they said they would instruct their staff to quit blaming HIPAA. I don't know if they followed through on that, but I wouldn't be surprised if they didn't.
(Score: 2) by JoeMerchant on Tuesday November 26, @01:31AM
Sorry for your experience.
Nursing homes have a lot to hide, the only way to cut the crap is to show up in person. If they give you problems in person immediately call the police and Department of Children and Families Adult protection services, or whatever your local equivalent is. In my experience that escalation has never been necessary, if you are there in person.
The worst part is: you are basically stuck working with the place, it's unlikely that moving to another would improve the situation.
🌻🌻 [google.com]
(Score: 3, Insightful) by NotSanguine on Monday November 25, @01:14AM (1 child)
You make a bunch of really good points, all of which are completely valid.
But you missed the most important: My business is my business and no one else's. Full stop.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 4, Insightful) by RS3 on Monday November 25, @03:04AM
Absolutely agree. On the simplest level, and please forgive me if this is a bit course, but I liken the spying to voyeurism. Someone watching you while you're in your bathroom (lew) is not causing you any tangible harm. Yet most people will agree it's a crime.
(Score: 2) by Nuke on Sunday November 24, @04:47PM (1 child)
It is to enrich your experience.
(Score: 0) by Anonymous Coward on Sunday November 24, @05:04PM
They're doing their *best* to keep you "safe"!
(Score: 2) by Frosty Piss on Sunday November 24, @10:36PM
...getting their pantaloons in a twist like the FBI wants their files anyway. Lol to the extreme!
(Score: 4, Interesting) by gnuman on Sunday November 24, @11:09PM (2 children)
In Soviet Union, sometimes the government would try to install "wired" radios that could listen to what was happening inside. People didn't like that. If only they invented the modern cell phone and realized that people would sell all their data for convenience.
The GNU list of all surveillance that's happening seems fitting here,
https://www.gnu.org/proprietary/proprietary-surveillance.en.html [gnu.org]
You don't need a warrant if the data is flowing anyway. You only need a warrant for legal reasons. Those can be invented later and warrants acquired. Or via "random" search that just happens at the right place and right time.
(Score: 2) by DannyB on Monday November 25, @03:02PM (1 child)
It is amazing how slippery the slope is.
Get everyone to "agree" to allow their personal information to be collected, including a continuous stream of location data, in exchange for essential necessities to participate in modern society.
Let's not forget, cameras everywhere.
Santa maintains a database and does double verification of it.
(Score: 3, Interesting) by gnuman on Tuesday November 26, @06:47PM
To be honest, you do not really need cameras these days. Cameras help to see what is actually happening, but you basically have total surveillance built-in to the cell network. Ability for many devices to be accessed via baseband vulnerabilities, makes the cameras even less important. And do not forget, that whenever something is happening, it's probably live streamed on TikTok or whatever. CCTV-like cameras are mostly obsolete from the point of population surveillance.
Remember when during COVID in China, if someone didn't have a phone, they were considered troublemakers and suspects.
Though I'm not sure how much of the surveillance mechanism is actually implemented... that's probably secret info we are not allowed to know.