On a day this past June, researchers were able to track a cell phone as it went from a residential address in Alabama to Tallahassee, Florida, where it remained for about two hours before going to another house in Mississippi.
The address in Tallahassee was an abortion clinic that explicitly advertises its services to out-of-state visitors.
Earlier this year, start-up company Atlas Privacy got access to a mobile phone-tracking tool used by law enforcement and U.S. government agencies across the country. The tracking tool, sold by Virginia-based company Babel Street, pulls commercially available data that phones beam out through apps. Atlas researchers were looking for privacy and security vulnerabilities in the data for sale.
Data brokers claim the information is fully anonymized. But in reality, it can easily expose someone’s identity, and it can potentially reveal some of the most private moments of a person’s life — like crossing state lines to go to an abortion clinic.
NOTUS, along with journalists from The New York Times, 404 Media, Haaretz and independent cybersecurity reporter Brian Krebs, was given access to nearly two hours of footage of Atlas Privacy using Babel Street’s tracking tool, Locate X. Our investigation found that this fine-grained data is being sold in an unregulated market. There’s little to no vetting over who gets access to it or how they use it. Paired with people-search platforms, the ability to freely mine through data like this can pose serious privacy concerns.
Atlas used Locate X to search for phones at locations like abortion clinics, courthouses and the homes of law enforcement officers and prosecutors. Atlas’ researchers also confirmed that such data was available internationally — conducting searches in Israel and Germany as test cases.
The United States is one of the few industrialized democracies without a comprehensive national privacy law regulating the sale and handling of personal data. Data brokers remain lightly regulated, leaving Americans at the mercy of little-known private companies buying and selling vast quantities of data.
The implications of being able to easily and extensively search personal information are substantial, privacy advocates say, especially as hate crimes rise in the U.S. and some states fight in the courts to put restrictions on traveling across state lines to seek an abortion. Platforms like Locate X could be used to track and potentially identify people doing just that.
“Whether location data is being used to identify and expose closeted gay Americans or to track people as they cross state lines to seek reproductive health care, data brokers are selling Americans’ deepest secrets and exposing them to serious harm, all for a few bucks,” said Oregon Democratic Sen. Ron Wyden, a longtime proponent of requiring a judicial order to access data on Americans.
“Congress’ failure to regulate data brokers and the administration’s continued opposition to bipartisan legislation that would limit data sales to law enforcement have created this current privacy crisis,” Wyden said.
***
Using Babel Street’s platform, Atlas Privacy looked for devices that were at a single north Florida abortion clinic that may have traveled from nearby states where the procedure is largely outlawed. Abortion remains legal in Florida through the first six weeks of pregnancy.
In total, Atlas identified more than 700 unique devices at the clinic over the last three years using Babel’s platform. The data can sometimes be spotty. And there are privacy features built into Apple devices, meaning far more Google Android users appear in the data set than Apple users.
Routine travel to the clinic might indicate medical staff, but Atlas was looking for devices that visited only a small number of times. Locate X allows users to sort by the number of signals observed at a particular location — meaning it could easily filter out and eliminate people who were at the clinic every day as likely staff members.
In another query, Atlas narrowed its search to devices that had been at both the Florida clinic and in Mobile, Alabama, where abortions are almost entirely illegal, in the last three years.
The platform can be so precise that researchers could follow one device that fits the behavioral template of a likely patient as it traveled along the highway from Alabama to the Florida clinic and then back east to a house in Mississippi. The device they homed in on for demonstration purposes was observed at the clinic only a single time in the three years of location data they could access through Locate X. There were likely many others that fit that pattern as well.
The demonstration offers a rare look into how easily identifiable people are in these location-based data sets, which brokers claim are “anonymized.”
Such claims do not hold up to scrutiny. The tools in the hands of capable researchers, including law enforcement, can be used to identify specific individuals in many cases. Babel’s tool is explicitly marketed to intelligence analysts and law enforcement officers as a commercially available phone-tracking capability — a way to do a kind of surveillance that once required a search warrant inside the U.S. or was conducted by spy agencies when done outside the U.S.
Babel Street did not respond to multiple requests for comment.
It wasn’t clear from the demo alone whether the device’s owner lived in Mississippi and picked up a passenger or visited an acquaintance in Alabama or vice versa — but Babel Street’s platform could easily have been used to do a deeper investigation and find what is sometimes called the “beddown” location of the device. In other words, a person’s home.
From Atlas’ screenshots alone, NOTUS was able to make at least a guess at the potential identity of the owner of the mobile phone that traveled to the clinic using free people-search websites and other online information by running searches on both addresses. We are withholding any additional details for privacy and safety purposes.
Atlas also tried to find devices that appeared at a synagogue in Los Angeles, a courthouse and prosecutor’s office in New Jersey, a mosque in Dearborn, Michigan, and a high school in suburban Philadelphia. In each instance, the searches brought up detailed information that could be traced back to individuals, including travel history and daily patterns. They could see 8,000 devices at the mosque in Michigan over the past few years — and that many had traveled extensively in the Middle East. One device that frequented the Pennsylvania high school seemed to have a travel pattern that showed visits to college towns around the country — possibly a student or parent touring colleges.
In theory, Babel sells its location-tracking capability only to federal government agencies and their contractors. But Atlas said that their experience shows Babel is doing minimal due diligence on its customers.
They gained access to the tool through a private investigator who works for them. The investigator was offered a trial of the location-tracking product but told it was only offered to government agencies or contractors of the government. The investigator told Babel Street that he was contemplating becoming a federal contractor in the future — and the Babel Street sales representative said “that’s good enough” and that “they don’t actually check,” presumably referring to his employer.
Atlas’ private investigator was then given a free trial. He was never contacted by Babel to raise concerns about any of the searches he ran in its platform despite geofencing health care facilities, religious institutions and even a high school, where thousands of minors are present daily.
***
On the one hand, the explosion of commercial services has offered law enforcement new crime-solving and tracking capabilities. On the other hand, law enforcement officers, prosecutors and judges often deal with dangerous people — and their information is also easily accessible online, raising new safety concerns.
Atlas Privacy straddles this debate. A large part of its work is helping law enforcement officers scrub their data from brokers and bring lawsuits to enforce their demands. The company primarily works in New Jersey, where a landmark law permits judges, prosecutors, law enforcement officers and certain eligible family members to remove their data from commercial databases for their own safety. The law, called Daniel’s Law, was passed in response to an attempted assassination of U.S. District Court Judge Esther Salas at her home in New Jersey in 2020. The judge’s son, Daniel Anderl, was killed in the attack. Subsequent investigations found that the gunman, who was a disgruntled litigant, had compiled a dossier on the judge by accessing commercial data brokers.
Atlas is part of a wave of private sector actors taking action against data brokers. They mainly help law enforcement officials remove their information from the web — a bespoke version of a service that companies like DeleteMe and Optery offer to the general public. Atlas also engages in litigation against data brokers who do not comply with Daniel’s Law, suing Babel Street and other data brokers who they allege have failed to exercise due diligence in removing the personal information of people protected by Daniel’s Law from their data sets.
Atlas Privacy said they provided footage of their research to journalists in the hopes of helping the public better understand the shadowy world of data brokers.
Babel Street is a government contractor which sells social media-monitoring and phone-tracking software to the military, intelligence agencies and law enforcement for public safety and national security purposes. It buys its mobile phone data from brokers who obtain it from advertising companies or app makers.
Police need a court order to access movement data from cell phone carriers like Verizon and AT&T. But because companies like Babel Street buy the data from brokers and aggregators, there are fewer legal restrictions on tracking phones through its tool.
Lawmakers of both parties have been critical of what’s sometimes called the “data broker loophole,” which allows government agencies to track devices warrantlessly if they buy the data from brokers.
The Federal Trade Commission and other regulatory agencies in recent years have tried to crack down on the resale of consumer-location data — but huge amounts of mobile phone data remain available for sale in opaque marketplaces. The FTC Act gives the agency the power to investigate unfair and deceptive trade practices.
“Speaking generally, the FTC has made it clear, through our recent law enforcement work, that companies that share consumers’ sensitive location data may violate the FTC Act, and we won’t hesitate to take action,” an FTC spokesperson said. The FTC would not comment on Babel Street’s platform specifically.
For years, major players in the advertising technology ecosystem have justified the collection and resale of this data on the theory that it is “anonymized” or “de-identified” — stripped of any personal information that could link it to an individual. They also argue that consumers have opted in, accepting the tracking by downloading the app and agreeing to the terms of service.
But NOTUS spoke with several people whose phones appeared in the data, who said they had no idea how much personal information was being shared and did not feel that they had consented to this kind of intimate tracking.
“It is really a jaw-dropping revelation that they knew where I was the last few years,” said Patrick Colligan, a former police officer in New Jersey who also headed the state police union until this year and is a client of Atlas’. Colligan had worked to scrub his name and home address from people-search websites and other data brokers that sell names and addresses — but he had no idea that his phone was broadcasting his location so frequently to a whole different set of location data brokers.
“I think they should do a better job notifying people they’re going to be tracked,” Colligan said of companies like Babel Street. “It should be easier for the average consumer — which I would say I am — to understand what is happening and opt out.”
Some of Atlas’ clients, who are law enforcement officers themselves, say that warrantless access to such intimate data poses a danger to everyone.
“As a law enforcement officer, in order for me to track someone, I need a judge to sign a warrant — and that’s for a criminal investigation after we’ve developed probable cause,” Scott Maloney, a police officer in New Jersey and an Atlas client, said in an interview. Maloney and his wife, Justyna, say they were subject to an online harassment campaign after a video of a police encounter between Justyna and a citizen activist was posted online. “Data brokers tracking me and my family just to sell that information for profit, without our consent, and even after we’ve explicitly asked them not to, is deeply disturbing.”
Atlas was able to identify devices belonging to other clients in the data set. They were able to identify the device of one of the daughters of a client in New Jersey, including which university she attended, which sports team she played on and where she hung out.
Under New Jersey’s Daniel’s Law, the immediate family of covered officials are also eligible to have their data removed from data broker websites. However, the statute only extends to name and phone number. Data brokers selling location data sets do not appear to be covered by the statute as the data sets they broker contain no phone numbers or residential addresses. Atlas’ lawsuit against Babel Street and other brokers is over the names and addresses of law enforcement officials in people-search products, not geolocation tools like Locate X.
Companies like Babel Street have made it easy to deanonymize location data and derive insights from it, including built-in tools that illustrate links between people in this supposedly anonymized data.
One tool lets you pick a specific mobile device and then run a “signal proximity search” — basically showing other devices that appear frequently in proximity to a device of interest. It also makes it easy to show where a device spends time and pick out a home or workplace from a device’s behavioral pattern.
“Real-time or near real-time geolocation tracking is a capability known to exist in the national security arena. But the idea that any company or individual wanting to purchase access to this data could conceivably do so was alarming. Babel Street did not attempt to verify any information about the investigator or perform any Know-Your-Customer (KYC) type background checks. There were effectively no gates or guardrails in place prior to accessing this data,” Atlas said in a statement.
—
Byron Tau is a reporter at NOTUS.
NOTUS shared notes and conducted joint interviews with reporters from The New York Times, 404 Media, Haaretz and KrebsOnSecurity.com.