CBP Bought 'Global' Location Data from Weather and Game Apps

Oct 6, 2020

U.S. Customs and Border Protection (CBP) bought access to "global" location data harvested from ordinary apps installed on people's phones, meaning it could track devices even outside of U.S. borders, according to a document obtained by Motherboard.

The news provides more insight on what sort of broad data U.S. government agencies are purchasing, and highlights the scale at which location firms are gathering information on largely unsuspecting smartphone users to then sell to clients.

"I know I could find signals in non-U.S. territory but they may have been U.S. users/devices," a former worker for Venntel, the company that CBP bought the location data from, told Motherboard.

"A pioneer in mobile analytics, Venntel provides security and risk management solutions through technological innovation, data reliability, and proven results," Venntel's website reads. The company obtains the granular location data from games, weather, and other innocuous-looking apps, and then sells access to those cellphone movements to multiple government agencies, The Wall Street Journal reported in February.

In August, Motherboard reported that CBP paid Venntel nearly half a million dollars in a recent deal. At the time, Congresswoman Carolyn Maloney, Chairwoman of the House Committee on Oversight and Reform, which is investigating Venntel, told Motherboard, "This new contract raises even more concerns about the cozy and ongoing relationship between the federal government and these data brokers, which operate in the shadows and can amass mountains of sensitive personal data without any restrictions."

The newly obtained document relates to this $475,944.49 deal.

"Capability: Access to Venntel global mobile location database via the portal," the document reads. Motherboard obtained the document through a Freedom of Information Act (FOIA) request with CBP.

"U.S. Customs and Border Protection (CBP) requires the purchase of Venntel software. This software is in support of mission critical decision making by providing access to commercially available, multi-sourced, validated, location marketing data via custom geolocation data research requests," the document adds.

Another new document specifies that the Venntel data purchase is for the Targeting and Analysis Systems Program Directorate (TASPD).

The former Venntel worker previously told Motherboard that customers can use the company's product to search by an area to look for devices, or search for a specific device's identifier to see a history of where that phone has been. The identifiers themselves are randomly created codes Venntel assigned to the phones, the person added.

"If you search a certain house, you're only going to get three or four different signals out of there. I think from that standpoint, you could definitely try and identify specific people," the person said. A second source who previously worked with Venntel said that identifying someone would be laborious, though.

The IRS tried to do something similar and identify particular criminal suspects but failed, the agency previously told the office of Senator Ron Wyden.

The Wall Street Journal previously reported that some agencies have used Venntel's data to pinpoint border crossings and then arrest people.

A CBP spokesperson reiterated a statement previously provided to Motherboard.

"CBP officers, agents, and analysts are provided with access to the vendor’s interface on a case-by-case basis, and are only able to view a limited sample of anonymized data consistent with existing border security or law enforcement operations. All CBP operations in which commercially available telemetry data may be used are undertaken in furtherance of CBP’s responsibility to enforce U.S. law at the border and in accordance with relevant legal, policy, and privacy requirements," the statement read. The spokesperson did not directly answer a question on whether the agency uses location data beyond the Mexican and Canadian borders.

Venntel did not respond to a request for comment on whether it collects information on European users.