You are here

You are here

App SDKs sell location data to US military in ‘war on terror’

Richi Jennings Your humble blogwatcher, dba RJA

Several apps popular among Muslims are sending users’ locations to the US Special Operations Command and other military units, via shadowy data brokers and military contractors. And, wouldn’t you know it, sources say the “anonymized” data is trivial to de-anonymize.

Yes, it’s all in the name of counterterrorism. But brokers such as X-Mode and Babel Street appear unaccountable and opaque when it comes to user privacy preferences.

Are you happy this is being done in your name? In this week’s Security Blogwatch, we fear fear itself.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: TS4 honesty.

Your tax dollars at work

What’s the craic? Across two articles, Joseph Cox reports—U.S. Military Buys Location Data:

The U.S. military is buying the granular movement data of people around the world, harvested from innocuous-seeming apps. … The most popular app … is a Muslim prayer and Quran app that has more than 98 million downloads worldwide. Others include a Muslim dating app, a popular Craigslist app, an app for following storms, and a "level" app that can be used to help, for example, install shelves in a bedroom.

[There are] two separate, parallel data streams that the U.S. military uses, or has used, to obtain location data. One relies on a company called Babel Street, which creates a product called Locate X. … The other stream is through a company called X-Mode, which obtains location data directly from apps, then sells that data to contractors, and by extension, the military.

Many of the users of apps involved in the data supply chain are Muslim. … The apps sending data to X-Mode include Muslim Pro [and] Muslim Mingle.

USSOCOM bought access to Locate X, a location data product from a company called Babel Street. … A former Babel Street employee … said "we could absolutely deanonymize a person." … Location data firm X-Mode … encourages app developers to incorporate its SDK. … The SDK then collects the app users' location data and sends it to X-Mode; in return, X-Mode pays the app developers a fee.

"In respect of the trust millions of prayers puts in Muslim Pro every day, we are immediately terminating our relationships with our data partners," [said] Muslim Pro. … "As one of the most trusted Muslim app over the last 10 years, we adhere to the most stringent privacy standards and data protection regulations, and never share any personal identifiable information."

And Aaron Holmes adds—The US military reportedly … track users for 'counterterrorism':

Muslim Pro is one of hundreds of smartphone apps that make money by selling users' location data to third-party brokers. … In past years, the US has used location data harvested from smartphones to plan and carry out drone strikes.

Navy Cmdr. Tim Hawkins, a US Special Operations Command spokesman, said in a statement … that the command bought the data … "to support Special Operations Forces mission requirements overseas. … We strictly adhere to established procedures and policies for protecting the privacy, civil liberties, constitutional and legal rights of American citizens."

The practice has raised the ire of privacy advocates, but location-data firms and their partners insist that people's movements are anonymized and not directly tied to their identities. Some studies have shown, however, that it's easy to de-anonymize the location data and tie it back to individual people.

tl;dr? Tom Maxwell breaks it down—Muslim apps with hundreds of millions of users are paid to send precise location data to military contractors:

The U.S. military has waged a long war against … terror groups in the Middle East, and targeted drone strikes have left hundreds of thousands of civilians dead as collateral damage. Drone strikes are controversial because they're often anything but precise.

The problem with using this type of smartphone data to select targets for strikes is that it can be incredibly unreliable. You might think you're following a target, only to realize later it was the target's mother.

The terms and conditions of these apps don't help anything, as in most cases they are incredibly vague as to how the data is being used, and don't mention any relationship to X-Mode or Locate X. … Meaningful privacy legislation could target all apps for this type of quiet data harvesting and require them to clearly note when data is trading hands or being used for anything but the express functions of the app.

Is there a snappy hook we can use? organgtool obliges:

It's Fascism 2.0.

"We the people" use tons of apps that harvest our data so that it can be sold to third-parties and the government is quickly becoming a huge consumer of this data to sidestep the Fourth Amendment. And it's all being paid for with our tax dollars.

Lest we forget, some of those "we" practice the Muslim faith. Marium Nur Vahed—@mariumvahed—is lost for words:

I can’t even begin to express how hurtful (and terrifying) this is. Muslims should have the right to access prayer times and the Quran without being subject to military surveillance fueled by an Islamophobic understanding of Muslims as a threat.

Similarly, daniaal takes offense:

As a Muslim, I feel like I have been violated. I have this app and … how much more insidious can data surveillance get? Especially using it for counter-terrorism.

I am not one to get easily offended, but this definitely does pull a few strings. [It] also makes me want to start reading Terms and Conditions—probably should have in this instance.

What can people do? Brian Bixby begs that question:

Actual terrorists already knew this and turn location services off as soon as they acquire any new phone. It honestly surprises me that not everyone does this as a matter of course, except that an awful lot of people are too stupid to know how to read a map.

As does ahurmazda:

One can lock out an app from ever using the GPS—that’s been my default posture as long as I can remember. In addition, I regularly look up to see which of the apps are trying to access location information (they usually quickly get the boot).

Until the US legislates, we’ll always have California. Dustin Gardiner and Shwanika Narayan note news we might have missed in the election furor—California’s Proposition 24 on consumer privacy passes:

The initiative prohibits legislators from weakening the California Consumer Privacy Act, creates a state agency to enforce privacy protections, and gives people more control over how tech companies use their personal information. … The measure would … expand the types of information that consumers can block businesses from sharing, including data about their health, genetics, race, ethnicity, sexual orientation, sex life, union membership, religion, philosophical beliefs and precise location.

[But it] was opposed by some privacy advocates [including the ACLU], who said it … would make it harder for low-income people to exercise their privacy rights. … Critics said the initiative would do nothing to change the existing law’s “pay for privacy” provision, under which consumers who opt out of having their data sold can be charged more to make up for the value of the information that a company must forfeit.

Meanwhile, neveryoumind nevermindme:

It's data people gave away in exchange for "free" app. Welcome to the world, or should I say goodbye?

The moral of the story?

Dev: Don’t use third-party SDKs unless you’re sure what data is collected.
IT: Help your users choose the best privacy settings on their devices.

And finally

New merch

Previously in “And finally”

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE. 30.

This week’s zomgsauce: Bicanski (cc:0)

Keep learning

Read more articles about: SecurityData Security