Another story broken by 404 Media:
It’s a lengthy article, but a very good read. Below are a few highlights from the article from a digital privacy angle.
Babel Street’s Locate X software, loosely sold to law enforcement and government agencies, can track individuals’ movements, including those to abortion clinics. The tool’s data, obtained through mobile advertising, can be used to identify and prosecute abortion clinic visitors, raising concerns about reproductive freedom and privacy. The tool’s capabilities extend beyond abortion clinics, potentially exposing sensitive locations like places of worship and schools.
Through a complex data supply chain involving apps or ads on a phone, peoples’ movements are included in Locate X as a side-product of the mobile advertising system.
The Locate X data also includes devices’ mobile advertising identifiers (MAIDs), which are unique codes assigned to each phone by its operating system. An industry exists which sells the potential real name of a person using a MAID, shattering their presumed anonymity.
The data ultimately powering tools like Babel Street’s Locate X can come from two main sources. The first are ordinary apps installed on peoples’ phones, whose developers sell their users’ location data to a broker, who then in turn sells it either directly or through a series of middlemen to a company like Babel Street. The other is through a process called real-time bidding, in which members of the online ad industry try to outbid one another to have their advert be delivered to a certain demographic of users. A side effect is that some companies listen in on that process, and harvest location data on unsuspecting swaths of the public.
This sort of surveillance is only possible because of the mobile advertising ecosystem. Location data is sometimes used to build profiles on device users and better target advertisements to them. Much of that advertising relies on a MAID, the unique advertising ID, on a phone. The MAID acts as the digital glue between a device and its associated data.
But that same underlying system, of Google and Apple linking a unique identifier on the phone to a user’s activity, allows Babel Street and others to build their mass monitoring products.
“Both Google and Apple can’t keep pretending like the mobile advertising IDs broadcasting into the bidstream from hundreds of millions of American devices aren’t join keys for tracking people,” Zach Edwards, senior threat analyst at cybersecurity firm SilentPush who has followed the location data industry closely, said. “The privacy risks here will remain until Apple and Google permanently turn off their mobile advertising ID schemes and admit to the American public that this is the technology that has been supporting the global data broker ecosystem.”
When it comes to the MAID, the Apple option to turn off the ability for apps to request to track users appears in a prominent pop-up on the device. Apple said that if a user does this, their MAID (called an IDFA by Apple) is not provided to the requesting app. On Google devices, users have to go deeper into their settings to delete or reset the MAID. Google said once a user does delete it, no MAID is then available to Google or third parties.
The severity and tangibility of this story makes it one to definitely share with friends and family. It concretely shows that concerns are not mere hypotheticals, but reality.
Again, be sure to read the full article if you’re interested. I tried my best to highlight the parts that are most relevant to the forum, but it ultimately lacks some context.