Power

Through apps, not warrants, ‘Locate X’ allows federal law enforcement to track phones

Federal agencies have big contracts with Virginia-based Babel Street. Depending on where you've traveled, your movements may be in the company's data.

An illustration of tracking

With Locate X, investigators can pinpoint app-using phones that passed through one location and see where else those devices traveled, sources said.

Illustration: Rob Dobi

U.S. law enforcement agencies signed millions of dollars worth of contracts with a Virginia company after it rolled out a powerful tool that uses data from popular mobile apps to track the movement of people's cell phones, according to federal contracting records and six people familiar with the software.

The product, called Locate X and sold by Babel Street, allows investigators to draw a digital fence around an address or area, pinpoint mobile devices that were within that area, and see where else those devices have traveled, going back months, the sources told Protocol.

They said the tool tracks the location of devices anonymously, using data that popular cell phone apps collect to enable features like mapping or targeted ads, or simply to sell it on to data brokers.

Get what matters in tech, in your inbox every morning. Sign up for Source Code.

Babel Street has kept Locate X a secret, not mentioning it in public-facing marketing materials and stipulating in federal contracts that even the existence of the data is "confidential information." Locate X must be "used for internal research purposes only," according to terms of use distributed to agencies, and law enforcement authorities are forbidden from using the technology as evidence — or mentioning it at all — in legal proceedings.

Federal records show that U.S. Customs and Border Protection purchased Locate X, and the Secret Service and U.S. Immigration and Customs Enforcement also use the location-tracking technology, according to a former Babel Street employee. Numerous other government agencies have active contracts with Reston-based Babel Street, records show, but publicly available contract information does not specify whether other agencies besides CBP bought Locate X or other products and services offered by the company.

None of the federal agencies, including CBP, would confirm whether they used the location-tracking software when contacted by Protocol. Babel Street's other products include an analytics tool it has widely marketed that sifts through streams of social media to "chart sentiment" about topics and brands.

A former government official familiar with Locate X provided an example of how it could be used, referring to the aftermath of a car bombing or kidnapping. Investigators could draw what is known as a geo-fence around the site, identify mobile devices that were in the vicinity in the days before the attack, and see where else those devices had traveled in the days, weeks or months leading up to the attack, or where they traveled afterward.

"If you see a device that a month ago was in Saudi Arabia, then you know maybe Saudis were involved," this person said. "It's a lead generator. You get a data point, and from there you use your other resources to figure out if it's valid."

A former Babel Street employee said the technology was deployed in a crackdown on credit card skimming, in which thieves install illegal card readers on gas station pumps, capturing customers' card data to use or sell online. The Secret Service was the lead agency in those investigations, which, according to published reports, led to arrests and the seizure of devices.

A spokesperson for the Secret Service declined to comment on its work with Babel Street, saying the agency does not reveal methods used to carry out missions.

While federal records show that CBP purchased Locate X and last year upgraded, paying for "premium" licenses, the records neither describe what Locate X does nor define the difference between a basic and premium license. A CBP spokesperson would not comment in detail about the use of the tool, but said the agency follows the law when deploying "open-source information."

Told of Protocol's reporting on Babel Street, Sen. Ron Wyden, a Democrat from Oregon who has pushed for tougher privacy legislation, questioned whether uses of the technology might violate the Fourth Amendment ban on unreasonable searches.

The Supreme Court, in the landmark case Carpenter v. United States, ruled in June 2018 that the government must obtain a search warrant to access cell-tower location data for individual phone accounts. The court "recognized that the government needs a warrant to get someone's location data," Wyden said. "Now the government is using its checkbook to try to get around Carpenter. Americans won't stand for that kind of loophole when it comes to our Fourth Amendment rights."

A spokesperson for Babel Street, Lacy Talton, declined to answer specific questions about the company's government sales or its Locate X technology, but said the firm handles data carefully to comply with both the law and internet terms of service. There is no indication Babel Street is doing anything illegal.

Senator Ron Wyden Sen. Ron Wyden said the U.S. Supreme Court has "recognized that the government needs a warrant to get someone's location data." Photo: Sarah Silbiger via Getty Images

"Although data content is freely available without restriction from thousands of vendors and suppliers, Babel Street employs a variety of measures to ensure appropriate use of the data," Talton said in a statement to Protocol. "This is not required by most vendors but stems from Babel Street's ethos of proper data compliance. The company regularly ensures that the data accessed through its software is in compliance with ever-changing global privacy regulations, data use rights, and terms of service."

The details of Babel Street's location-tracking technology and its contracts with the federal government have not been reported before. Last month, The Wall Street Journal reported that border and immigration agents were tracking the location of cell phones, and looking for activity in suspicious places near the border, after buying data from Venntel Inc. of Herndon, Virginia.

Venntell is a subsidiary of location-based marketing company Gravy Analytics of Dulles, Virginia. Gravy Analytics has provided location data to Babel Street, according to former employees of both firms.

Taken together, the revelations suggest that the sale of personal location data from commercial firms to the government is more widespread and has been going on longer than previously known. The emergence of the technology comes amid growing, broader concern over the tracking of people's movements, whether through facial recognition, their license plates or the phones in their pockets.

While consumers enable location-based services on their cell phone apps, privacy advocates said people are generally unaware of how far their personal information could travel — and in particular that it could be piped to law enforcement.

The sources who spoke to Protocol, who independently described the location-tracking technology, were three former Babel Street employees, a former government official with firsthand knowledge of the company's products, and two former employees of Gravy Analytics. They requested anonymity because the information is sensitive, and some feared retribution from employers for speaking to the media.

A spokesperson for Gravy Analytics declined to comment on the company's relationship with Babel Street. She said Venntel is a "wholly owned subsidiary of Gravy Analytics that supports public sector initiatives."

She pointed to the company's privacy policy on its Web site: "We take consumer privacy seriously and ensure that our data platform remains fully transparent and compliant with industry and legal requirements," the policy reads. "Gravy ensures that 100% of our data complies with all local privacy laws, including required consumer consent and opt-out provisions."

From brand to threat management

While there is little public information about Locate X, government contracting records provide a picture of Babel Street's growth and increasing popularity in federal law enforcement circles. The company registered Locate X with the U.S. Patent and Trademark Office in May 2017, and sales to federal agencies shot up afterward — from $64,000 in fresh contracts in 2016 to more than $2.1 million in 2017 to nearly $5.3 million in 2018.

Babel Street's sales spike was fueled in large part by four new customers: CBP, which signed $3.2 million in contracts, ICE ($1.1 million), the State Department's Bureau of Diplomatic Security ($710,000), and the Secret Service's Criminal Investigations Division ($313,858), the records show.

CBP signed a first contract worth $981,000 for "Babel software" in September 2017. The Targeting and Analysis Systems Directorate, the CBP branch that purchased the software, apparently liked what it received. A year later, the agency signed a fresh contract worth $2.2 million for "Babel software licenses." In March 2019, CBP filed an amended contract, worth an extra $130,000, to "upgrade the current Babel Street Locate X licensing from basic to premium licenses as well as add an additional 10 licenses."

Asked about its use of Locate X, a CBP spokesperson told Protocol the agency uses a "variety of tools" that "may include tools to facilitate access to open-source data relevant to its border security mission. All CBP operations in which open-source information may be used are undertaken in furtherance of CBP's responsibility to enforce U.S. law at the border and in accordance with relevant legal, policy and privacy requirements."

In September 2018, ICE officials signed a one-year, $1.1 million contract with Babel Street. The deal included Locate X, according to a former Babel Street employee. Last August, ICE signed a fresh five-year deal worth up to $6.5 million with Babel Street for "data subscription services," records show.

A spokesperson for ICE said, "We do not discuss specific law enforcement tactics or techniques, or discuss the existence or absence of specific law-enforcement-sensitive capabilities." She also said, referring to cell phone location data, "ICE does not generally use this type of information for routine enforcement operations."

Other agencies with active Babel Street contracts include the Department of Justice, the U.S. Marshals Service, the Army, the Coast Guard, the Drug Enforcement Administration and the Department of Transportation's Office of Intelligence, Security and Emergency Response. The contract records are from USAspending.gov, the official source for U.S. government spending.

A spokesperson for the Department of Transportation, which signed a yearlong contract with Babel Street last May, said the Office of Intelligence, Security and Emergency Response "utilizes Babel Street software features depending on the nature of particular incidents."

Spokespeople for the Army, the Bureau of Diplomatic Security, the DEA and the Marshals Service declined to comment on the contracts with Babel Street. The Department of Justice and the Coast Guard did not respond to requests for comment.

A spokesperson for a regional DEA office in El Paso, Texas, which signed a separate $12,978 contract for a one-year Babel Street software license last September, denied that the agency had purchased the location-tracking data tool.

The technology was controversial enough that some agencies, including the FBI and the ATF, declined to purchase Locate X after those agencies' lawyers nixed it, a former Babel Street employee said.

A spokesperson for the FBI declined to comment. A spokesperson for the ATF, April Langwell, declined to comment on ATF procurement decisions. "ATF always works within DOJ guidelines with regard to the investigative techniques that we use and ensure that they are consistent with federal law and subject to court approval," Langwell said.

The former Babel Street employees and the former government official said Babel Street was careful about its clients for location data technology. For example, they said, it did not sell to commercial clients, local law enforcement agencies or foreign governments.

The software included pop-ups that reminded users it was to be used only in the investigation of serious crimes and matters of national security, one former employee said. However, after users complained that the pop-ups were annoying, the company removed them, the employee said. Babel Street did not respond to emailed questions about the pop-ups.

Secrecy to the extreme

Despite the apparent power of the tool, Protocol could not find a single instance in which a federal agency had publicly described using Locate X, in an investigation or in any other capacity. And Babel Street appears to have taken a number of steps to keep the technology secret. The company advertises other products on its website and in press releases, but makes no mention of Locate X or the tracking of mobile devices.

Locate X's terms of use, spelled out in a single document published online by the General Services Administration, require government clients to agree that the product "will be used for internal research purposes only. Locate X data may not be used as the basis for any legal process in any country, including as the basis for a warrant or subpoena, or any other legal or administrative action." The terms state that Locate X data may not be "cited in any court/investigation-related document."

Tear-out Terms of use for Babel Street's Locate X product state that the data "may not be used as the basis for any legal process."Illustration: 615 Productions

Protocol shared the terms of use in the Locate X contract with Nathan Wessler, a lawyer with the ACLU's Speech, Privacy, and Technology Project who argued the Carpenter v. United States case before the Supreme Court. He called the secrecy provisions "tremendously disturbing," raising the possibility that a criminal defendant might not know the tool had factored into a case — and therefore wouldn't be able to challenge its legality.

"These secrecy provisions prevent the courts from providing oversight," Wessler said. "That is really corrosive to our system of checks and balances."

In the past, Wessler noted, courts have been critical of nondisclosure agreements with law enforcement that are designed to protect sensitive surveillance technologies, notably in cases involving devices that mimic cell towers in order to capture phone information, often referred to by the brand name StingRays.

Scores of U.S. law enforcement agencies deployed the devices for years in secret without judicial scrutiny or public transparency. When use of the technology began to be exposed in criminal trials, the courts did not take a favorable view of the secrecy agreements. One of the more pointed opinions came in a 2016 ruling by a Maryland state appeals court judge, involving Baltimore police and an attempted murder suspect.

The use of a nondisclosure agreement to protect the technology is "inimical to the constitutional principles we revere," Judge Andrea M. Leahy wrote for the three-member court panel.

In 2015, both the Department of Justice and Homeland Security updated their policies to require law enforcement to disclose the use of cell site simulator technologies to the courts when used as part of an investigation. "In all circumstances, candor to the court is of paramount importance," the Homeland Security policy reads. "Applications for the use of a cell site simulator must include sufficient information to ensure that the courts are aware that the technology may be used."

The limits of anonymity

One of the former Babel Street employees who spoke to Protocol cited another example of how Locate X could be used to protect U.S. national security. Investigators, this person said, could identify mobile devices carried near popular border crossing points into the U.S. and pull up the historical location data for those devices, viewing where they've been in the preceding months.

"If you are thinking about attack planning, and you know these devices were just at a Hezbollah or ISIS training camp, and now they're sitting in Juarez, maybe that matters," the former employee said.

Still, privacy experts told of Protocol's reporting on Locate X asserted that law enforcement officials' practice of buying data they would otherwise need a warrant to access amounts to a form of data laundering.

"That consumers can have data being collected that tracks their location, and the government, instead of getting a warrant, which they would normally need to do, can just go to a private company and buy it directly, that's hugely concerning," said Serge Egelman, a computer science professor at UC Berkeley who works on privacy issues.

In the Supreme Court's Carpenter v. United States case, the court held that investigators violated the Fourth Amendment by obtaining cell tower records without a warrant that placed a robbery suspect near the crimes. Chief Justice John Roberts wrote, in the majority opinion, that authorities in that case had failed "to contend with the seismic shifts in digital technology that made possible the tracking of not only Carpenter's location but also everyone else's, not for a short period but for years and years."

But whether courts would hold anonymous location data culled from mobile apps to the same standard is an open question.

A spokesperson for Wyden said the senator's aides had a phone call with Venntel attorneys on Feb. 20, in response to The Wall Street Journal article, to discuss the company's sale of location data to the government. A Wyden aide said Venntel's counsel declined to answer most questions, would not identify the company's government clients, and would not reveal the source of the data.

Babel Street's sale of location data to the government could also raise potential liability issues for app developers under the Stored Communications Act, said Wessler, the ACLU lawyer. The 1986 law prohibits providers of computing services or electronic communication to the public from knowingly divulging customer information to any government entity.

"The question for the app companies themselves is whether, now that they know that Babel Street is taking their customers' location data and providing it to law enforcement, are those companies themselves now liable under the Stored Communications Act," Wessler said.

Location data culled from mobile apps is said to be anonymized, with each device masked behind a nameless ID number. But experts say data can be traced back to individual users, based on their particular movements.

The New York Times reviewed a database of location data and reported in December 2018 that it was able to identify a woman as she traveled to her dermatologist's office, hiked with her dog and stayed over at her ex-boyfriend's home. Babel Street did not respond to an emailed question about whether Locate X data can be de-anonymized.

Big sales, big hires

Babel Street was founded in 2009 as Agincourt Solutions by former U.S. Navy Officer Jeff Chapman, and became Babel Street in 2014. On its website and in marketing materials, it describes itself as "the world's data-to-knowledge company," focusing on a service that analyzes streams of social media activity in multiple languages, often for brand management and sometimes linked to locations such as sports arenas.

Early on, the promise of gleaning meaningful intelligence from Twitter feeds and other social media applications drew clients to Babel Street, according to government records, published reports and the former employees. The NFL has used Babel Street's analytics software. So, too, have at least 10 local law enforcement agencies around the country, according to the Brennan Center for Justice at New York University Law School.

Motherboard and The Washington Post wrote about the company's social media analytics software in 2017, noting heavy interest from police agencies overseeing major events like Super Bowls. On the government side, the FBI and the Army were among Babel Street's early customers. Michael Flynn, who served briefly as President Trump's national security adviser and later pleaded guilty to lying to the FBI, was once an adviser to the firm, according to Flynn's financial disclosure forms.

Just before the rollout of Locate X, the company hired a veteran Department of Justice privacy lawyer, Jill Maze, to be the company's chief privacy officer, according to former employees and Maze's LinkedIn account.

Subsequent hires suggest the company viewed location data as a growth area. In February 2019, Babel Street hired retired Maj. Gen. Mark Quantock, a former director of intelligence for U.S. Central Command, which includes the Middle East and Central Asia, and the former director of operations for the National Geospatial Intelligence Agency, essentially the government's headquarters for location data intelligence.

Three months later, the company hired a 20-year Pentagon veteran, Dave Dillow, who since 2003 has worked with special operations forces focused on integrating "publicly available information," or PAI, into the intelligence pipeline for those forces. Commercial location data is one type of PAI.

Get in touch with us: Share information securely with Protocol via encrypted Signal or WhatsApp message, at 415-214-4715 or through our anonymous SecureDrop.

The data used by Babel Street, said the former employees of Babel Street and Gravy Analytics, comes largely from third-party data aggregators who broker deals with mobile app developers, offering revenue in return and sometimes detailed analysis about how users are engaging with the app. Data aggregators who spoke to Protocol said they enable services like mapping and marketing, and comply with privacy regulations, which include requiring all app users to give their consent to sharing their data.

Privacy advocates say such consumer opt-ins are often buried in small print or otherwise clouded in vague or bureaucratic language, and that users have little visibility into how their data is used.

"That's the fundamental problem," said Egelman, the UC Berkeley professor. "The trafficking in this data is totally opaque to everyone who isn't a party to these transactions."

Fintech

Gensler: Bitcoin may be a commodity

The SEC has been vague about crypto. But Gensler said bitcoin is a commodity, “maybe.” It’s the clearest glimpse of his views on digital assets yet.

“Bitcoin — maybe that’s a commodity token. That has a big market value, but that goes over there,” Gensler said, referring to another regulator, the CFTC.

Photoillustration: Al Drago/Bloomberg via Getty Images; Protocol

SEC Chair Gary Gensler has long argued that many cryptocurrencies are subject to regulation as securities.

But he recently clarified that this view wouldn’t apply to the best-known cryptocurrency, bitcoin.

Keep Reading Show less
Benjamin Pimentel

Benjamin Pimentel ( @benpimentel) covers crypto and fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at bpimentel@protocol.com or via Google Voice at (925) 307-9342.

Sponsored Content

Why the digital transformation of industries is creating a more sustainable future

Qualcomm’s chief sustainability officer Angela Baker on how companies can view going “digital” as a way not only toward growth, as laid out in a recent report, but also toward establishing and meeting environmental, social and governance goals.

Three letters dominate business practice at present: ESG, or environmental, social and governance goals. The number of mentions of the environment in financial earnings has doubled in the last five years, according to GlobalData: 600,000 companies mentioned the term in their annual or quarterly results last year.

But meeting those ESG goals can be a challenge — one that businesses can’t and shouldn’t take lightly. Ahead of an exclusive fireside chat at Davos, Angela Baker, chief sustainability officer at Qualcomm, sat down with Protocol to speak about how best to achieve those targets and how Qualcomm thinks about its own sustainability strategy, net zero commitment, other ESG targets and more.

Keep Reading Show less
Chris Stokel-Walker

Chris Stokel-Walker is a freelance technology and culture journalist and author of "YouTubers: How YouTube Shook Up TV and Created a New Generation of Stars." His work has been published in The New York Times, The Guardian and Wired.

Workplace

What the economic downturn means for pay packages

The war for talent rages on, but dynamics are shifting back to the employers.

Compensation packages could start to look different as companies reshuffle the balance of cash and equity.

Illustration: Nuthawut Somsuk/Getty Images

The market is turning. Tech stocks are slumping — which is bad news for employees — and even industry powerhouses are slowing hiring and laying people off. Tech talent is still in high demand, but compensation packages could start to look different as companies recruit.

“It’s a little bit like whiplash,” compensation consultant Ashish Raina said of the downturn. Raina, who mainly works with startups that have 200 to 800 employees, previously worked as the director of Talent at Index Ventures and head of Compensation and Talent Analytics at Box. “I do think there’s going to be an interesting reckoning in terms of pay increases going forward, how that pay is delivered.”

Keep Reading Show less
Allison Levitsky
Allison Levitsky is a reporter at Protocol covering workplace issues in tech. She previously covered big tech companies and the tech workforce for the Silicon Valley Business Journal. Allison grew up in the Bay Area and graduated from UC Berkeley.
Policy

How 'Zuck Bucks' saved the 2020 election — and fueled the Big Lie

The true story of how Mark Zuckerberg and Priscilla Chan’s $419 million donation became the 2020 election’s most enduring conspiracy theory.

Mark Zuckerberg is smack in the center of one of the 2020 election’s multitudinous conspiracies.

Illustration: Mike McQuade; Photos: Getty Images

If Mark Zuckerberg could have imagined the worst possible outcome of his decision to insert himself into the 2020 election, it might have looked something like the scene that unfolded inside Mar-a-Lago on a steamy evening in early April.

There in a gilded ballroom-turned-theater, MAGA world icons including Kellyanne Conway, Corey Lewandowski, Hope Hicks and former president Donald Trump himself were gathered for the premiere of “Rigged: The Zuckerberg Funded Plot to Defeat Donald Trump.”

Keep Reading Show less
Issie Lapowsky

Issie Lapowsky ( @issielapowsky) is Protocol's chief correspondent, covering the intersection of technology, politics, and national affairs. She also oversees Protocol's fellowship program. Previously, she was a senior writer at Wired, where she covered the 2016 election and the Facebook beat in its aftermath. Prior to that, Issie worked as a staff writer for Inc. magazine, writing about small business and entrepreneurship. She has also worked as an on-air contributor for CBS News and taught a graduate-level course at New York University's Center for Publishing on how tech giants have affected publishing.

Fintech

From frenzy to fear: Trading apps grapple with anxious investors

After riding the stock-trading wave last year, trading apps like Robinhood have disenchanted customers and jittery investors.

Retail stock trading is still an attractive business, as shown by the news that crypto exchange FTX is dipping its toes in the market by letting some U.S. customers trade stocks.

Photo: Lam Yik/Bloomberg via Getty Images

For a brief moment, last year’s GameStop craze made buying and selling stocks cool, even exciting, for a new generation of young investors. Now, that frenzy has turned to fear.

Robinhood CEO Vlad Tenev pointed to “a challenging macro environment” marked by rising prices and interest rates and a slumping market in a call with analysts explaining his company’s lackluster results. The downturn, he said, was something “most of our customers have never experienced in their lifetimes.”

Keep Reading Show less
Benjamin Pimentel

Benjamin Pimentel ( @benpimentel) covers crypto and fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at bpimentel@protocol.com or via Google Voice at (925) 307-9342.

Latest Stories
Bulletins