Last fall, reports revealed the location data broker X-Mode’s ties to several U.S. defense contractors. Shortly after, both Apple and Google banned the X-Mode SDK from their app stores, essentially shutting off X-Mode’s pipeline of location data. In February, Google kicked another location data broker, Predicio, from its stores.
We’ve written about the problems with app-store monopolies: companies shouldn’t have control over what software users can choose to run on their devices. But that doesn’t mean app stores shouldn’t moderate. On the contrary, Apple and Google have a responsibility to make sure the apps they sell, and profit from, do not put their users at risk of harms like unwarranted surveillance. Kicking out two data brokers helps to protect users, but it’s just a first step.
X-Mode and Predicio have each been the subject of reports over the past year that reveal how U.S. government agencies—including the Department of Defense and ICE—try to work around the 4th Amendment by buying location data on the private market. In 2018, the Supreme Court handed down U.S. v. Carpenter, a landmark decision which ruled that location data collected from cell phone towers is protected by the 4th Amendment. This means law enforcement can’t get your location from your cell carrier without a warrant.
But dozens of companies are still collecting the same location from a different source—mobile apps—and making it available to law enforcement, defense, intelligence, immigration, and other government agencies. Data brokers entice app developers to install pieces of third-party code, called SDKs, which collect raw GPS data and feed it directly to the brokers. These data brokers then resell the location feeds to advertisers, hedge funds, other data brokers, and governments all around the world.
The apps that source the data run the gamut from prayer apps to weather services. X-Mode collected data from thousands of apps including Muslim Pro, one of the most popular Muslim prayer apps in the U.S. X-Mode allegedly sold that data to several Pentagon contractors. Another broker, Predicio, collected data from hundreds of apps including Fu*** Weather and Salaat First. It then sold data to Gravy Analytics, whose subsidiary Venntel has provided location data to the IRS, CBP, and ICE.
It took many months of investigative journalism by Vice, the Wall Street Journal, Protocol, NRK Beta, and others to piece together the flow of location data from particular apps to the U.S. government. These reporters deserve our gratitude. But it’s not good enough for app stores to wait for specific data brokers to come into the public spotlight before banning them.
We know brokers continue to mine location data from our apps and sell it to military and law enforcement—we just don’t know which apps. For example, we know that Babel Street sells its secretive Locate X product, which comprises real-time location data about untold numbers of users, to the Department of Homeland Security, the Department of Defense, and the Secret Service. This data reportedly comes from thousands of different mobile apps.
But figuring out which apps are responsible is difficult. Laws in the U.S. generally do not require companies to disclose exactly where they sell personal data, so it’s easy for data brokers to mask their behavior. Journalists often must rely on technical analysis (which requires expertise and lots of time) and government records requests (which may take years and be heavily redacted) to piece together data flows. When investigators do discover proof of unwanted data sharing, the apps and brokers involved can just change their tactics. Even the app developers involved often don’t know where the data they share will end up. Users can’t make educated choices without knowing where or how their data will be shared.
Google Play and the Apple App Store shouldn’t wait on journalists to establish end-to-end data flows before taking steps to protect users.
The ecosystem of phone app location data should be better regulated. Local CCOPS (community control of police surveillance) laws can ban police and other local government agencies from acquiring surveillance tech, including data broker deals, without legislative permission and community input. We support these laws, but most cities do not have them. Also, they do not address the problem of federal agencies buying our location data on the open market. We will continue pushing for legislation and judicial decisions that, as required by the Fourth Amendment, prevent the government at all levels from buying this kind of data without first getting a warrant. But in the meantime, many government agencies will continue buying location data as long as they believe they can.
App stores are in a unique position to protect tech users from app-powered surveillance. We applaud Apple and Google for taking action against X-Mode and Predicio. But this is only the tip of the iceberg. Now the app stores should take the next step: ban SDKs from any data brokers that collect and sell our location information.
There is no good reason for apps to collect and sell location data, especially when users have no way of knowing how that data will be used. We implore Apple and Google to end this seedy industry, and make it clear that location data brokers are not welcome on their app stores.