Power

Through apps, not warrants, ‘Locate X’ allows federal law enforcement to track phones

Federal agencies have big contracts with Virginia-based Babel Street. Depending on where you've traveled, your movements may be in the company's data.

An illustration of tracking

With Locate X, investigators can pinpoint app-using phones that passed through one location and see where else those devices traveled, sources said.

Illustration: Rob Dobi

U.S. law enforcement agencies signed millions of dollars worth of contracts with a Virginia company after it rolled out a powerful tool that uses data from popular mobile apps to track the movement of people's cell phones, according to federal contracting records and six people familiar with the software.

The product, called Locate X and sold by Babel Street, allows investigators to draw a digital fence around an address or area, pinpoint mobile devices that were within that area, and see where else those devices have traveled, going back months, the sources told Protocol.

They said the tool tracks the location of devices anonymously, using data that popular cell phone apps collect to enable features like mapping or targeted ads, or simply to sell it on to data brokers.

Get what matters in tech, in your inbox every morning. Sign up for Source Code.

Babel Street has kept Locate X a secret, not mentioning it in public-facing marketing materials and stipulating in federal contracts that even the existence of the data is "confidential information." Locate X must be "used for internal research purposes only," according to terms of use distributed to agencies, and law enforcement authorities are forbidden from using the technology as evidence — or mentioning it at all — in legal proceedings.

Federal records show that U.S. Customs and Border Protection purchased Locate X, and the Secret Service and U.S. Immigration and Customs Enforcement also use the location-tracking technology, according to a former Babel Street employee. Numerous other government agencies have active contracts with Reston-based Babel Street, records show, but publicly available contract information does not specify whether other agencies besides CBP bought Locate X or other products and services offered by the company.

None of the federal agencies, including CBP, would confirm whether they used the location-tracking software when contacted by Protocol. Babel Street's other products include an analytics tool it has widely marketed that sifts through streams of social media to "chart sentiment" about topics and brands.

A former government official familiar with Locate X provided an example of how it could be used, referring to the aftermath of a car bombing or kidnapping. Investigators could draw what is known as a geo-fence around the site, identify mobile devices that were in the vicinity in the days before the attack, and see where else those devices had traveled in the days, weeks or months leading up to the attack, or where they traveled afterward.

"If you see a device that a month ago was in Saudi Arabia, then you know maybe Saudis were involved," this person said. "It's a lead generator. You get a data point, and from there you use your other resources to figure out if it's valid."

A former Babel Street employee said the technology was deployed in a crackdown on credit card skimming, in which thieves install illegal card readers on gas station pumps, capturing customers' card data to use or sell online. The Secret Service was the lead agency in those investigations, which, according to published reports, led to arrests and the seizure of devices.

A spokesperson for the Secret Service declined to comment on its work with Babel Street, saying the agency does not reveal methods used to carry out missions.

While federal records show that CBP purchased Locate X and last year upgraded, paying for "premium" licenses, the records neither describe what Locate X does nor define the difference between a basic and premium license. A CBP spokesperson would not comment in detail about the use of the tool, but said the agency follows the law when deploying "open-source information."

Told of Protocol's reporting on Babel Street, Sen. Ron Wyden, a Democrat from Oregon who has pushed for tougher privacy legislation, questioned whether uses of the technology might violate the Fourth Amendment ban on unreasonable searches.

The Supreme Court, in the landmark case Carpenter v. United States, ruled in June 2018 that the government must obtain a search warrant to access cell-tower location data for individual phone accounts. The court "recognized that the government needs a warrant to get someone's location data," Wyden said. "Now the government is using its checkbook to try to get around Carpenter. Americans won't stand for that kind of loophole when it comes to our Fourth Amendment rights."

A spokesperson for Babel Street, Lacy Talton, declined to answer specific questions about the company's government sales or its Locate X technology, but said the firm handles data carefully to comply with both the law and internet terms of service. There is no indication Babel Street is doing anything illegal.

Senator Ron Wyden Sen. Ron Wyden said the U.S. Supreme Court has "recognized that the government needs a warrant to get someone's location data." Photo: Sarah Silbiger via Getty Images

"Although data content is freely available without restriction from thousands of vendors and suppliers, Babel Street employs a variety of measures to ensure appropriate use of the data," Talton said in a statement to Protocol. "This is not required by most vendors but stems from Babel Street's ethos of proper data compliance. The company regularly ensures that the data accessed through its software is in compliance with ever-changing global privacy regulations, data use rights, and terms of service."

The details of Babel Street's location-tracking technology and its contracts with the federal government have not been reported before. Last month, The Wall Street Journal reported that border and immigration agents were tracking the location of cell phones, and looking for activity in suspicious places near the border, after buying data from Venntel Inc. of Herndon, Virginia.

Venntell is a subsidiary of location-based marketing company Gravy Analytics of Dulles, Virginia. Gravy Analytics has provided location data to Babel Street, according to former employees of both firms.

Taken together, the revelations suggest that the sale of personal location data from commercial firms to the government is more widespread and has been going on longer than previously known. The emergence of the technology comes amid growing, broader concern over the tracking of people's movements, whether through facial recognition, their license plates or the phones in their pockets.

While consumers enable location-based services on their cell phone apps, privacy advocates said people are generally unaware of how far their personal information could travel — and in particular that it could be piped to law enforcement.

The sources who spoke to Protocol, who independently described the location-tracking technology, were three former Babel Street employees, a former government official with firsthand knowledge of the company's products, and two former employees of Gravy Analytics. They requested anonymity because the information is sensitive, and some feared retribution from employers for speaking to the media.

A spokesperson for Gravy Analytics declined to comment on the company's relationship with Babel Street. She said Venntel is a "wholly owned subsidiary of Gravy Analytics that supports public sector initiatives."

She pointed to the company's privacy policy on its Web site: "We take consumer privacy seriously and ensure that our data platform remains fully transparent and compliant with industry and legal requirements," the policy reads. "Gravy ensures that 100% of our data complies with all local privacy laws, including required consumer consent and opt-out provisions."

From brand to threat management

While there is little public information about Locate X, government contracting records provide a picture of Babel Street's growth and increasing popularity in federal law enforcement circles. The company registered Locate X with the U.S. Patent and Trademark Office in May 2017, and sales to federal agencies shot up afterward — from $64,000 in fresh contracts in 2016 to more than $2.1 million in 2017 to nearly $5.3 million in 2018.

Babel Street's sales spike was fueled in large part by four new customers: CBP, which signed $3.2 million in contracts, ICE ($1.1 million), the State Department's Bureau of Diplomatic Security ($710,000), and the Secret Service's Criminal Investigations Division ($313,858), the records show.

CBP signed a first contract worth $981,000 for "Babel software" in September 2017. The Targeting and Analysis Systems Directorate, the CBP branch that purchased the software, apparently liked what it received. A year later, the agency signed a fresh contract worth $2.2 million for "Babel software licenses." In March 2019, CBP filed an amended contract, worth an extra $130,000, to "upgrade the current Babel Street Locate X licensing from basic to premium licenses as well as add an additional 10 licenses."

Asked about its use of Locate X, a CBP spokesperson told Protocol the agency uses a "variety of tools" that "may include tools to facilitate access to open-source data relevant to its border security mission. All CBP operations in which open-source information may be used are undertaken in furtherance of CBP's responsibility to enforce U.S. law at the border and in accordance with relevant legal, policy and privacy requirements."

In September 2018, ICE officials signed a one-year, $1.1 million contract with Babel Street. The deal included Locate X, according to a former Babel Street employee. Last August, ICE signed a fresh five-year deal worth up to $6.5 million with Babel Street for "data subscription services," records show.

A spokesperson for ICE said, "We do not discuss specific law enforcement tactics or techniques, or discuss the existence or absence of specific law-enforcement-sensitive capabilities." She also said, referring to cell phone location data, "ICE does not generally use this type of information for routine enforcement operations."

Other agencies with active Babel Street contracts include the Department of Justice, the U.S. Marshals Service, the Army, the Coast Guard, the Drug Enforcement Administration and the Department of Transportation's Office of Intelligence, Security and Emergency Response. The contract records are from USAspending.gov, the official source for U.S. government spending.

A spokesperson for the Department of Transportation, which signed a yearlong contract with Babel Street last May, said the Office of Intelligence, Security and Emergency Response "utilizes Babel Street software features depending on the nature of particular incidents."

Spokespeople for the Army, the Bureau of Diplomatic Security, the DEA and the Marshals Service declined to comment on the contracts with Babel Street. The Department of Justice and the Coast Guard did not respond to requests for comment.

A spokesperson for a regional DEA office in El Paso, Texas, which signed a separate $12,978 contract for a one-year Babel Street software license last September, denied that the agency had purchased the location-tracking data tool.

The technology was controversial enough that some agencies, including the FBI and the ATF, declined to purchase Locate X after those agencies' lawyers nixed it, a former Babel Street employee said.

A spokesperson for the FBI declined to comment. A spokesperson for the ATF, April Langwell, declined to comment on ATF procurement decisions. "ATF always works within DOJ guidelines with regard to the investigative techniques that we use and ensure that they are consistent with federal law and subject to court approval," Langwell said.

The former Babel Street employees and the former government official said Babel Street was careful about its clients for location data technology. For example, they said, it did not sell to commercial clients, local law enforcement agencies or foreign governments.

The software included pop-ups that reminded users it was to be used only in the investigation of serious crimes and matters of national security, one former employee said. However, after users complained that the pop-ups were annoying, the company removed them, the employee said. Babel Street did not respond to emailed questions about the pop-ups.

Secrecy to the extreme

Despite the apparent power of the tool, Protocol could not find a single instance in which a federal agency had publicly described using Locate X, in an investigation or in any other capacity. And Babel Street appears to have taken a number of steps to keep the technology secret. The company advertises other products on its website and in press releases, but makes no mention of Locate X or the tracking of mobile devices.

Locate X's terms of use, spelled out in a single document published online by the General Services Administration, require government clients to agree that the product "will be used for internal research purposes only. Locate X data may not be used as the basis for any legal process in any country, including as the basis for a warrant or subpoena, or any other legal or administrative action." The terms state that Locate X data may not be "cited in any court/investigation-related document."

Tear-out Terms of use for Babel Street's Locate X product state that the data "may not be used as the basis for any legal process."Illustration: 615 Productions

Protocol shared the terms of use in the Locate X contract with Nathan Wessler, a lawyer with the ACLU's Speech, Privacy, and Technology Project who argued the Carpenter v. United States case before the Supreme Court. He called the secrecy provisions "tremendously disturbing," raising the possibility that a criminal defendant might not know the tool had factored into a case — and therefore wouldn't be able to challenge its legality.

"These secrecy provisions prevent the courts from providing oversight," Wessler said. "That is really corrosive to our system of checks and balances."

In the past, Wessler noted, courts have been critical of nondisclosure agreements with law enforcement that are designed to protect sensitive surveillance technologies, notably in cases involving devices that mimic cell towers in order to capture phone information, often referred to by the brand name StingRays.

Scores of U.S. law enforcement agencies deployed the devices for years in secret without judicial scrutiny or public transparency. When use of the technology began to be exposed in criminal trials, the courts did not take a favorable view of the secrecy agreements. One of the more pointed opinions came in a 2016 ruling by a Maryland state appeals court judge, involving Baltimore police and an attempted murder suspect.

The use of a nondisclosure agreement to protect the technology is "inimical to the constitutional principles we revere," Judge Andrea M. Leahy wrote for the three-member court panel.

In 2015, both the Department of Justice and Homeland Security updated their policies to require law enforcement to disclose the use of cell site simulator technologies to the courts when used as part of an investigation. "In all circumstances, candor to the court is of paramount importance," the Homeland Security policy reads. "Applications for the use of a cell site simulator must include sufficient information to ensure that the courts are aware that the technology may be used."

The limits of anonymity

One of the former Babel Street employees who spoke to Protocol cited another example of how Locate X could be used to protect U.S. national security. Investigators, this person said, could identify mobile devices carried near popular border crossing points into the U.S. and pull up the historical location data for those devices, viewing where they've been in the preceding months.

"If you are thinking about attack planning, and you know these devices were just at a Hezbollah or ISIS training camp, and now they're sitting in Juarez, maybe that matters," the former employee said.

Still, privacy experts told of Protocol's reporting on Locate X asserted that law enforcement officials' practice of buying data they would otherwise need a warrant to access amounts to a form of data laundering.

"That consumers can have data being collected that tracks their location, and the government, instead of getting a warrant, which they would normally need to do, can just go to a private company and buy it directly, that's hugely concerning," said Serge Egelman, a computer science professor at UC Berkeley who works on privacy issues.

In the Supreme Court's Carpenter v. United States case, the court held that investigators violated the Fourth Amendment by obtaining cell tower records without a warrant that placed a robbery suspect near the crimes. Chief Justice John Roberts wrote, in the majority opinion, that authorities in that case had failed "to contend with the seismic shifts in digital technology that made possible the tracking of not only Carpenter's location but also everyone else's, not for a short period but for years and years."

But whether courts would hold anonymous location data culled from mobile apps to the same standard is an open question.

A spokesperson for Wyden said the senator's aides had a phone call with Venntel attorneys on Feb. 20, in response to The Wall Street Journal article, to discuss the company's sale of location data to the government. A Wyden aide said Venntel's counsel declined to answer most questions, would not identify the company's government clients, and would not reveal the source of the data.

Babel Street's sale of location data to the government could also raise potential liability issues for app developers under the Stored Communications Act, said Wessler, the ACLU lawyer. The 1986 law prohibits providers of computing services or electronic communication to the public from knowingly divulging customer information to any government entity.

"The question for the app companies themselves is whether, now that they know that Babel Street is taking their customers' location data and providing it to law enforcement, are those companies themselves now liable under the Stored Communications Act," Wessler said.

Location data culled from mobile apps is said to be anonymized, with each device masked behind a nameless ID number. But experts say data can be traced back to individual users, based on their particular movements.

The New York Times reviewed a database of location data and reported in December 2018 that it was able to identify a woman as she traveled to her dermatologist's office, hiked with her dog and stayed over at her ex-boyfriend's home. Babel Street did not respond to an emailed question about whether Locate X data can be de-anonymized.

Big sales, big hires

Babel Street was founded in 2009 as Agincourt Solutions by former U.S. Navy Officer Jeff Chapman, and became Babel Street in 2014. On its website and in marketing materials, it describes itself as "the world's data-to-knowledge company," focusing on a service that analyzes streams of social media activity in multiple languages, often for brand management and sometimes linked to locations such as sports arenas.

Early on, the promise of gleaning meaningful intelligence from Twitter feeds and other social media applications drew clients to Babel Street, according to government records, published reports and the former employees. The NFL has used Babel Street's analytics software. So, too, have at least 10 local law enforcement agencies around the country, according to the Brennan Center for Justice at New York University Law School.

Motherboard and The Washington Post wrote about the company's social media analytics software in 2017, noting heavy interest from police agencies overseeing major events like Super Bowls. On the government side, the FBI and the Army were among Babel Street's early customers. Michael Flynn, who served briefly as President Trump's national security adviser and later pleaded guilty to lying to the FBI, was once an adviser to the firm, according to Flynn's financial disclosure forms.

Just before the rollout of Locate X, the company hired a veteran Department of Justice privacy lawyer, Jill Maze, to be the company's chief privacy officer, according to former employees and Maze's LinkedIn account.

Subsequent hires suggest the company viewed location data as a growth area. In February 2019, Babel Street hired retired Maj. Gen. Mark Quantock, a former director of intelligence for U.S. Central Command, which includes the Middle East and Central Asia, and the former director of operations for the National Geospatial Intelligence Agency, essentially the government's headquarters for location data intelligence.

Three months later, the company hired a 20-year Pentagon veteran, Dave Dillow, who since 2003 has worked with special operations forces focused on integrating "publicly available information," or PAI, into the intelligence pipeline for those forces. Commercial location data is one type of PAI.

Get in touch with us: Share information securely with Protocol via encrypted Signal or WhatsApp message, at 415-214-4715 or through our anonymous SecureDrop.

The data used by Babel Street, said the former employees of Babel Street and Gravy Analytics, comes largely from third-party data aggregators who broker deals with mobile app developers, offering revenue in return and sometimes detailed analysis about how users are engaging with the app. Data aggregators who spoke to Protocol said they enable services like mapping and marketing, and comply with privacy regulations, which include requiring all app users to give their consent to sharing their data.

Privacy advocates say such consumer opt-ins are often buried in small print or otherwise clouded in vague or bureaucratic language, and that users have little visibility into how their data is used.

"That's the fundamental problem," said Egelman, the UC Berkeley professor. "The trafficking in this data is totally opaque to everyone who isn't a party to these transactions."

Protocol | Workplace

Instacart workers are on strike. How far can it get them?

Instacart activists want a nationwide strike to start today, but many workers are too afraid of the company and feel they can't afford a day off of work.

Gig workers protest in front of an Amazon facility in 2020.

Photo: Michael Nagle/Bloomberg via Getty Images

Starting today, an Instacart organizing group is asking the app's gig workers to go on a nationwide strike to demand better payment structures, benefits and other changes to the way the company treats its workers — but if past strikes are any indication, most Instacart users probably won't even notice.

The majority of Instacart workers on forums like Reddit and Facebook appear either unaware of the planned strike or don't plan to participate because they are skeptical of its power, afraid of retaliation from the company or are too reliant on what they do make from the app to be able to afford to take even one day off of the platform. "Not unless someone is going to pay my bills," "It will never work, you will never be able to get every shopper to organize" and "Last time there was a 'strike' Instacart took away our quality bonus pay," are just a few of the comments Instacart shoppers have left in response to news of the strike.

Keep Reading Show less
Anna Kramer

Anna Kramer is a reporter at Protocol (Twitter: @ anna_c_kramer, email: akramer@protocol.com), where she writes about labor and workplace issues. Prior to joining the team, she covered tech and small business for the San Francisco Chronicle and privacy for Bloomberg Law. She is a recent graduate of Brown University, where she studied International Relations and Arabic and wrote her senior thesis about surveillance tools and technological development in the Middle East.

The way we work has fundamentally changed. COVID-19 upended business dealings and office work processes, putting into hyperdrive a move towards digital collaboration platforms that allow teams to streamline processes and communicate from anywhere. According to the International Data Corporation, the revenue for worldwide collaboration applications increased 32.9 percent from 2019 to 2020, reaching $22.6 billion; it's expected to become a $50.7 billion industry by 2025.

"While consumers and early adopter businesses had widely embraced collaborative applications prior to the pandemic, the market saw five years' worth of new users in the first six months of 2020," said Wayne Kurtzman, research director of social and collaboration at IDC. "This has cemented collaboration, at least to some extent, for every business, large and small."

Keep Reading Show less
Kate Silver

Kate Silver is an award-winning reporter and editor with 15-plus years of journalism experience. Based in Chicago, she specializes in feature and business reporting. Kate's reporting has appeared in the Washington Post, The Chicago Tribune, The Atlantic's CityLab, Atlas Obscura, The Telegraph and many other outlets.

Protocol | China

WeChat promises to stop accessing users’ photo albums amid public outcry

A tech blogger claimed that popular Chinese apps snoop around users' photo libraries, provoking heightened public concerns over privacy.

A survey launched by Sina Tech shows 94% of the some 30,000 responding users said they are not comfortable with apps reading their photo libraries just to allow them to share images faster in chats.

Photo: S3studio via Getty Images

A Chinese tech blogger dropped a bombshell last Friday, claiming on Chinese media that he found that several popular Chinese apps, including the Tencent-owned chat apps WeChat and QQ, as well as the Alibaba-owned ecommerce app Taobao, frequently access iPhone users' photo albums in the background even when those apps are not in use.

The original Weibo post from the tech blogger, using the handle of @Hackl0us, provoked intense debates about user privacy on the Chinese internet and consequently prompted WeChat to announce that it would stop fetching users' photo album data in the background.

Keep Reading Show less
Shen Lu

Shen Lu is a reporter with Protocol | China. Her writing has appeared in Foreign Policy, The New York Times and POLITICO, among other publications. She can be reached at shenlu@protocol.com.

Protocol | Enterprise

As businesses struggle with data, enterprise tech is cleaning up

Enterprise tech's vision of "big data" largely fell flat inside silos. But now, an army of providers think they've figured out the problems. And customers and investors are taking note.

Corporate data tends to settle in silos that makes it harder to understand the bigger picture. Enterprise tech vendors smell a lucrative opportunity.

Photo: Jim Witkowski/Unsplash

Data isn't the new oil; it's the new gold. And in any gold rush, the ones who make the most money in the long run are the tool makers and suppliers.

Enterprise tech vendors have long peddled a vision of corporate America centered around so-called "big data." But there was a big problem: Many of those projects failed to produce a return. An army of new providers think they've finally figured out the problem, and investors and customers are taking note.

Keep Reading Show less
Joe Williams

Joe Williams is a senior reporter at Protocol covering enterprise software, including industry giants like Salesforce, Microsoft, IBM and Oracle. He previously covered emerging technology for Business Insider. Joe can be reached at JWilliams@Protocol.com. To share information confidentially, he can also be contacted on a non-work device via Signal (+1-309-265-6120) or JPW53189@protonmail.com.

Protocol | Policy

What Frances Haugen’s SEC complaint means for the rest of tech

Haugen argues Facebook misled investors by failing to disclose its platforms' harms. If the SEC bites, the rest of tech could be next.

The question is whether the SEC will find the contents of Haugen's complaint relevant to investors' interests.

Photo: Matt McClain-Pool/Getty Images

Whistleblowers like former Facebook staffer Frances Haugen have pretty limited options when it comes to actually seeking redress for the harms they've observed and documented. There's no federal privacy law in the U.S. to speak of, Section 230 protects platforms for online speech and companies like Facebook are under no obligation to share any information with lawmakers, or anyone else, about what's happening on their sites.

But there is one agency that not only governs all publicly-traded companies, including in tech, but also offers whistleblowers like Haugen the opportunity for a payout: the Securities and Exchange Commission.

Keep Reading Show less
Issie Lapowsky

Issie Lapowsky ( @issielapowsky) is Protocol's chief correspondent, covering the intersection of technology, politics, and national affairs. She also oversees Protocol's fellowship program. Previously, she was a senior writer at Wired, where she covered the 2016 election and the Facebook beat in its aftermath. Prior to that, Issie worked as a staff writer for Inc. magazine, writing about small business and entrepreneurship. She has also worked as an on-air contributor for CBS News and taught a graduate-level course at New York University's Center for Publishing on how tech giants have affected publishing.

Latest Stories