My Phone Was Spying on Me, so I Tracked Down the Surveillants
THREAD on the location data industry and how European personal data ended up at a U.S. government contractor.
There are 160 apps on my phone. What they’re actually doing, I don’t know. So I decided to figure it out by using the power of the GDPR - or the more lame name of subject access requests (SAR).
Long story short – I got a lot of data on my movements. Actually more than 75.000 data points on my precise location.
Home and work:
How: I designed an experiment where I installed a lot of apps on an Android phone. I then consented to sharing my location data. Then I turned the tables: By using SARs I stitched together the data flows from me to different companies. (Better graphics in article.)
The app Funny Weather appeared in the metadata provided by Venntel and Gravy Analytics. The data might have been shared through Predicio, but the company did not respond to any requests for an interview.
Complementics and Predicio sent my personal data to Gravy Analytics, a major data broker in the marketing business. This is according to the SAR from Gravy. Gravy did not respond to a request for comment.
Venntel is a subsidiary of Gravy Analytics. Venntel has a lot of government contracts – CBP, ICE, IRS, FBI, DEA. What these agencies actually use the data for, @ByronTau (WSJ) and @josephfcox (Motherboard) have a lot of good reporting on.
Venntel told me in a subject access request that my data was shared, but they did not provide to whom. When contacted later - they told me in a short statement that the data was not shared with ICE or CBP.
ENGLISH ARTICLE: https://nrkbeta.no/2020/12/03/my-phone-was-spying-on-me-so-i-tracked-down-the-surveillants/
We cooperated with @josephfcox, who made this article with a US focus https://www.vice.com/en/article/epdpdm/ice-dhs-fbi-location-data-venntel-apps
In the article you will find statements from U.S. agencies and apps / companies.
Reaction to the reporting by @josephfcox https://twitter.com/aclu/status/1334531537799409664
Some have asked about easy steps to better protect themselves or someone who is less technical: https://twitter.com/martingund/status/1334825574821453826?s=20
Reactions: Slovak DPA opens an investigation after my reporting. Will likely focus on the app provider Sygic as the company is based in Slovakia. https://twitter.com/martingund/status/1337338804273901569
App provider breaks partnerships https://twitter.com/martingund/status/1337427140850147328