New York Times reporters working on an investigation into the sprawling location data business—in which the paper obtained a three-year-old file containing 50 billion location pings for over 12 million Americans—were able to track the movements of a member of Donald Trump’s Secret Service security detail. And thus, the Times reporters were able to track the movements of the President of the United States.
According to the Times, this agent’s particular vulnerability was an app collecting and sharing his data, though it’s unclear which one became a security hole that was giving live updates on the president’s location (it could be a “weather services, maps, perhaps even something as mundane as a coupon saver,” the Times wrote). Following his movements provided a highly accurate map of where the president’s entourage was at all times. Beyond that, the Times was able to track the movements of cell phones “in nearly every major government building and facility in Washington.” In many cases, the data then led them straight to the owners’ homes and other places they’ve visited, making it trivial to find their real-life identities.
According to the Times, in addition to two Secret Service agents, they were able to track a Supreme Court technology staffer, a Department of Defence official, a House committee director, and a national security adviser to a senator. While the CIA headquarters in Langley didn’t register any pings from inside the building due to a no-mobile phones policy, the devices continued to transmit data from parking lots and as they followed workers home. Based on movements, the Times “surmised the job title of a commander in the U.S. Air Force Reserve.”
“From those very detailed documents, they may gather a good deal of information about a person,” Culper Partners co-founder and former Department of Justice national security official David S. Kris, who was also in the trove of data, told the paper. “The more you can combine location-based data into a mosaic with other information, the more likely you are to gain real insight into an adversary.”
“... I’m wary of breathless, pearl-clutching, speculative, sensationalistic counterintelligence concerns,” Kris added. “This doesn’t strike me as falling into that category. I think there is a legitimate concern here.”
The security implications are obvious: It’s a trove of data on when and where many government officials and other VIPs like electoral candidates are at any moment, as well as who they’re with. Potential uses including identifying people in the public eye or with access to privileged information whose private lives might leave them susceptible to blackmail or embarrassment.
As the Times noted, the data could also simply be used to figure out the identities and habits of “people in prominent and sensitive posts,” providing insights into “security practices, contacts, [and] schedules.” (One person tracked entering the Pentagon during workdays visited a “mental health and substance abuse facility multiple times,” according to the paper.)
It also has military implications; last year, the fitness app Strava released trillions of location data points that flagged the locations of hundreds of bases belonging to the U.S., Russian, and Taiwanese militaries. Anyone with access to such location data could potentially identify personnel stationed at a known facility and then follow them to a secret one. Martijn Rasser, a former CIA officer, told the Times that following a soldier’s movements could hint at where specific facilities are located within a base.
Virtually any app installed on a mobile device that has access to location data could be transmitting that information to market analysis firms, which in turn sell it to everyone from ad companies to regular businesses. Developers aren’t always forthright about the data they’re collecting, either, often asking permission to collect it with a single prompt and burying that they can share it with whoever they want in lengthy terms of service (and sometimes use workarounds to collect it without consent).
Carriers have recklessly sold off large amounts of real-time location data on their own customers to location aggregators, who in turn went ahead and resold it to everyone from landlords and credit agencies to bounty hunters. Republicans in Congress and Trump’s Federal Communications Commission helped enable these unauthorised and possibly illegal sales by overturning landmark privacy rules, weakening the FCC’s ability to respond.
FCC chairman Ajit Pai promised that the agency would investigate how that location data ended up being resold to a host of shady characters, but he has seemingly stonewalled that inquiry. (As of earlier this month, Pai said that the investigation is nearly done and will be released by the end of January 2020.) In the meantime, the major carriers claimed that they have mostly stopped reselling live location data to the aggregators in the wake of the bad publicity.
Lawmakers from both parties, including Republican Senator Josh Hawley and Democratic Senator Elizabeth Warren, expressed anger to the paper about how easy it was to gain access to this kind of data. The location tracking business, of course, remains essentially unregulated on the federal level, with no restrictions on the exchange of tracking data between private entities or how they use it.
“We want our people to understand,” a senior Defence Department official told the Times. “They should make no assumptions about anonymity. You are not anonymous on this planet at this point in our existence. Everyone is trackable, traceable, discoverable to some degree.”