
Why the Movement to Ban TikTok is Full of Hypocrisies

Sure, TikTok could be used against Americans — in the exact ways the U.S. uses technology against others.

A few years prior to the outbreak of the war with Russia, a number of Ukrainians began downloading an app onto their phones, hoping to earn a little money. The app, called Premise Data, was a global gig-working platform not all that different from TaskRabbit or Handy.

Founded in 2012, Premise had been originally designed as a way for organizations to collect good-quality data on the prices of consumer goods in the developing world. The app, based in San Francisco, had a globally distributed workforce of hundreds of thousands of freelance contributors, all using their smartphones to collect data — usually examining the price of food or other goods, answering surveys and taking photographs.

Premise’s website touted its work with international development organizations like USAID or the Gates Foundation, and corporate clients like Bloomberg and Google. However, everything was not as it seemed. Premise did have corporate and nongovernmental organizations as clients, but in recent years, it had pivoted toward taking on more work from the intelligence and defense agencies of the U.S. government.

Dating to 2019, it had a network of more than 1,000 gig workers in Ukraine who were being asked to do tasks that they believed were innocuous market research or corporate data collection — but some of which were actually intelligence-gathering projects for American and other Western governments or their contractors, according to a review of Premise documents created to win government contracts as well as interviews with more than 20 former Premise employees plus two government officials.

Ukraine’s status as a geopolitical hot spot meant that intelligence agencies around the world — including U.S. intelligence — wanted information about it. And so, Premise contributors’ phones were running software in the background that secretly mapped Ukraine’s telecommunications system and its Wi-Fi access points. Those contributors were also being asked to photograph crops as part of experiments to hone American satellite imagery capabilities.

Some of those contributors were most likely Ukrainian service members carrying their devices into and out of a base in a conflict zone, according to a slide deck I reviewed. “Guilty by Geography,” one slide read, boasting of how easy it was to make a guess about the person’s occupation thanks to their real-world movements. They were inadvertently gathering intelligence for a foreign power because of an app they put on their phones.

(Premise describes its activities differently: “Characterizations of Premise as a covert tool for intelligence agencies are rooted in fantasy, not reality,” a company spokesperson told me in a statement. “Premise provides insights and data so that its customers, including private companies, nonprofits and government departments, can better understand the world.”)

If all this sounds familiar — a popular app harvests data from unsuspecting users and a government uses that data for its own ends — then it might be because this is precisely the scenario that has caused many U.S. politicians to call for banning TikTok. For the past few years, Washington has been grappling with the reality that one of the most popular social networks in our country is controlled by a Chinese company regulated under Chinese national security laws that give the state power to access pretty much anything.

In an appearance before the House Energy and Commerce Committee last year, TikTok’s CEO, Shou Chew, promised that the company “will firewall protected U.S. user data from unauthorized foreign access” and “will remain a platform for free expression and will not be manipulated by any government.” Still, at least in theory, TikTok offers numerous ways for an adversary like China to cause trouble. It could collect immense amounts of behavioral data on Americans, understanding their likes, dislikes, preferences, habits and routines. The friend networks and social circles of Americans could be collected through TikTok by mapping out who follows and interacts with whom. What’s more, Americans are uploading a great deal of biometric information — their faces, for example — to services like TikTok, information that could potentially be valuable to Chinese intelligence. Finally, it could be a vector for propaganda. A tweak of the algorithm during a key geopolitical crisis could alter U.S. public opinion without anyone being aware.

“If Americans woke up tomorrow to stories in The Wall Street Journal or Washington Post that China had put 100 million sensors all over America, there would be alarm. But that’s exactly what’s happening with TikTok,” Klon Kitchen, a former CIA officer and technologist, told me.

And yet, rarely acknowledged during our national reckoning over TikTok is that, when it comes to ethically dubious uses of technology, so many of the scariest possibilities we ascribe to China and other adversaries are, in fact, things that our own government already does.

***

Most people are bewildered that their phones and apps might be a vector for data collection. “Why would any government care about me?” they might ask. But beyond facilitating commerce or harmless time-wasting, apps are a backdoor portal for mass data. Beneath software code running on millions or even billions of mobile devices is a world that the ordinary person can’t possibly begin to unravel.

To understand the potential value of innocuous-seeming data, consider what happened in 2018, when the fitness app Strava published a global “heatmap” showing all of the popular running and cycling routes of its 27 million users. Inside that data were the internal layouts of a number of unannounced military and intelligence facilities.

“This is where I politely remind @Strava that it is sitting on a ton of data that most intelligence entities would literally kill to acquire,” one well-known professor tweeted. In July 2023, Strava’s potential use as an intelligence tool to understand the habits and routines of an adversary would come to light again after a Russian submarine commander who regularly posted his running routes on the app was killed in broad daylight on a morning run. (Strava did not respond to a request for comment.)

Or consider a set of security lapses — revealed by the open-source intelligence collective Bellingcat — that involved a beer-rating app called Untappd. Untappd allows users to upload photos or log where they are when they sample a new brew. On this social network, one U.S. Defense Department official took a picture of his beer with classified papers in the photo’s background. Another user kept logging his location at “the Farm,” the CIA facility where clandestine service officers are trained. (Untappd did not respond to a request for comment.)


With so much data out there to be harvested and analyzed — and more generally, with information technology offering so many possibilities for countries to gain an edge over adversaries — it would probably be surprising if the U.S. government hadn’t moved aggressively into this space. And, as it turns out, the story of Premise is just the tip of the iceberg.

The U.S. government first made forays into corporate data collection shortly after Sept. 11, when the Pentagon stood up a program called Total Information Awareness. The initiative was a research program that aspired to weave the government’s classified data with unclassified corporate information like travel history, medical records and consumer purchases — with the goal of looking for behavioral outliers or anomalies that could indicate the planning of a terrorist attack.

TIA wound down after a bipartisan outcry on Capitol Hill about the privacy implications of such a program directed at Americans. It never actually got to the step of ingesting any real data, but research on this kind of data mining of corporate records didn’t stop. After TIA, future projects would be incubated in the anonymous office parks of suburban Washington by faceless, nameless bureaucrats and low-profile contractors. They would be cloaked in nondisclosure agreements or hidden in classified contracts.

As social media became popular, Washington’s national security and law enforcement grew hungry to acquire bulk data about the conversations on popular sites or in web forums and to map out people’s connections to one another. As mobile phones became important to commerce and everyday life, government agencies began buying up huge amounts of mobile phone data showing the movements of hundreds of millions or even billions of people. And as everything became digitized and trackable, spies and law enforcement agencies were there, wallets open, waiting to buy whatever data sets became available.




Washington’s data acquisitions have taken many forms. Three people familiar with intelligence programs have described to me how the U.S. government, for all intents and purposes, buys foreign telecommunication data — sometimes an entire country’s worth at a time. Basically, an American company with hidden ties to the intelligence community offers a service to a foreign telecommunications entity: to improve network reliability or fight fraud or spam calls — something like that. As part of the arrangement, it gets commercial access to telecommunications networks and sells that data to the U.S. government for tens of millions of dollars.

In some cases, this isn’t just the metadata of who called whom; it can include the content of calls, text messages and other data transiting the network, according to two of the sources. This is exactly why U.S. officials are so concerned about telecommunications equipment from Chinese companies like Huawei and ZTE in U.S. networks. American intelligence has spent more than a decade collecting data through commercial arrangements, with its antennas pointed at geopolitical hot spots like the Middle East and Eastern Europe.

***

Until 2022, a company called Measurement Systems was going around the world offering app developers large sums of money to insert a strange bit of code into their apps. In some instances, it was targeting Islamic-themed apps, but in other cases, it was trying to get its software into generic apps with large foreign-user bases.

Measurement Systems’ code could collect an exceedingly large amount of data about its users’ phones. First, when a user connected to a Wi-Fi network, the code could see every other phone, tablet, router, smart TV and smart speaker connected to that network, as well as the special unique digital identifiers that belong to those devices. This could enable whoever was receiving the data to map out the social network of the phones’ owners. Second, it could copy the material on a phone’s clipboard — which often included sensitive information like passwords — and the email address of the owner of the phone as well as the phone number assigned to the phone.

Most bizarrely, it had the capability to scan the WhatsApp downloads folder of any phone on which it was installed. It couldn’t necessarily read the contents of the files, but it seemed to take an inventory of the file names stored there. This could be a remarkably valuable intelligence-gathering tool — since WhatsApp is encrypted and, in theory, cannot see the content of messages exchanged between users.

The Measurement Systems software code was discovered in 2021 by two computer scientists, Joel Reardon and Serge Egelman, who work together to study vulnerabilities in the mobile app ecosystem. They hold academic appointments at the University of Calgary and the University of California, Berkeley, respectively, and have also started a company called AppCensus that helps audit mobile apps for security vulnerabilities. They brought their findings to me when I was a Wall Street Journal reporter in 2022.

And what exactly was Measurement Systems? Together with Reardon and Egelman, I traced its ownership back through a network of shell companies and cutouts and found it was linked to a U.S. government contractor with deep ties to the U.S. intelligence community. Measurement Systems’ web domain registration also linked back to the same contractor. (Measurement Systems denies any ties to the contractor or the U.S. government. “The allegations you make about the company’s activities are false,” it said in a 2022 statement to me. “Further, we are not aware of any connections between our company and U.S. defense contractors.” It declined to answer follow-up questions.)

Given all this, perhaps it’s no surprise that data, not nukes, are the new game of tit for tat: In 2021, China ordered its officials in sensitive positions to stop driving Tesla cars over concerns that the vehicles could exfiltrate data to the U.S. — and the U.S. is now considering new rules about Chinese-made connected vehicles on American roadways.

Meanwhile, though data collection may be the most troubling way for the U.S. government to mirror its adversaries in using information technology, there are other ways too. Remember how Washington blasted Russia for using “troll farms” to boost Donald Trump during the 2016 election? We’ve done very similar things: A 2020 U.S. special forces contracting document that I’ve seen solicited a vendor who could create and maintain 200 fictitious social media personas with the capability to disseminate messages on behalf of the U.S.-led task force fighting ISIS. The personas “should appear to be based in Iraq, Syria, Jordan or regional diaspora.” The aim was to spread covert propaganda messages to 10,000 to 20,000 people daily, without links back to the U.S. government.


***

America is, of course, a democratic nation that differs in important ways from China and Russia. Beijing and Moscow quell domestic dissent to remain in power; Russia is a belligerent state that has attacked its neighbors without provocation and whose political leadership is willing to assassinate domestic opponents; China’s repression of Uyghurs has been credibly called a genocide.

And yet, while there are major distinctions between our countries — and while those differences matter — we can’t have an honest debate about privacy and data collection if Americans are left with the impression that this is something only other governments do. The missions of U.S. military and intelligence agencies are important, but so is the global public’s understanding of what people are really signing up for when they use modern information technology.

__
Byron Tau is a NOTUS reporter and the author of “Means of Control: How the Hidden Alliance of Tech and Government Is Creating a New American Surveillance State,” from which this article is, in part, adapted.