"Mum, they’re bombing me!"
Mobile applications for family security share information about the exact location of tens of millions of users around the world, including children. Among those who can use this data are the US Centres for Disease Control and Prevention (CDC), responsible for vaccinating the population, and the Pentagon Intelligence Agency (DIA).
These are the results of a December investigation carried out by the American non-profit organisation The Markup, specialising in data protection, regarding the popular family geotracker Life360, which was downloaded by over 50 million users from the Google Play store alone.
The business model of other similar programs is not much different from Life360 and involves the same transfer of information to third parties. As a result, the final buyers of this information receive an invaluable resource for surveillance - up to the possibility of conducting special operations anywhere in the world.
What is especially cynical is that smartphone owners install such applications precisely for the safety of their own families. In reality, they voluntarily agree to the surveillance of relatives and friends.
"Who is interested in you!"
Who among us does not worry about the children while they are alone on the street? Controlling them is not easy. A call or a "tweet" on a messenger often does not help: our kids love to put their phones on silent mode or simply do not answer their parents. It's the same with the elderly: many of them also need supervision.
Therefore, millions of Russian families breathed a sigh of relief when family geolocators appeared in mobile app stores - programs that track the location of people on the map in real time. Nothing complicated: you install the application on your own phone and on a relative's, tap a few buttons to grant permissions, and you're done: your loved one is in the palm of your hand.
However, if you take 10 minutes to read the user agreement, it turns out that such programs, as a rule, assume the right to "transfer your personal information to third-party business partners, suppliers and consultants". And by downloading the app to our phones, we give permission for this.
At this point, an objection usually follows: "Who is interested in you! If your information is transmitted to someone, it is in an impersonal form!" But, first of all, as is now clear, someone is very interested in us, otherwise Life360 would not have earned $16 million in 2020 by selling user data to third parties. And, secondly, cybersecurity experts have repeatedly demonstrated how easily "anonymous" location information can be linked to real users.
For example, in an article published in the scientific journal Cell in March 2021, the authors prove that the trajectories of people in space remain unique on the scale of a population of tens of millions of people. And in the journal Nature back in 2013 it was shown that four space-time points are enough to uniquely identify 95% of people whose location is recorded at least hourly.
There is no need for a full name or phone number to do this. Moreover, our unique mobile advertising identifier identifies us better than a first name and last name. In addition, applications can access protected data even without the user's consent, using both hidden and side channels. And this is a proven fact.
To whom do family geolocators sell the inside story about our relatives? To so-called geolocation data brokers, who then resell it to "interested parties". There are at least several dozen such brokers, and each is interesting in its own way. This industry is estimated at $12 billion annually, and the brokers themselves like to boast about other figures: "We know about 1.6 billion people in 44 countries!", "We cover 1.9 billion devices and 50 billion mobile signals per day!", "We get data on 25% of the US adult population per month!", etc.
And then the most interesting thing begins.
"The Pentagon is in touch!.."
One of the brokers with whom Life360 still shares data is Cuebiq. It turned out that in the very first days of the COVID-19 pandemic, Cuebiq began cooperating with the US Centres for Disease Control and Prevention. This organisation, responsible for quarantine and vaccination, began to receive real-time data on the movements, whereabouts and contacts of American (and not only American) citizens.
Following the link, it is possible to see one of the contracts between Cuebiq and CDC. Another large company in the field of geolocation data, SafeGraph, also collaborated with the Centres. It's funny that even the ex-head of Saudi intelligence, Prince Turki bin Faisal Al Saud, wormed his way into the ranks of the curators of this company. Is that really out of purely commercial interest?
But these are all details. Another similar broker is the company Outlogic. Prior to its acquisition in August by Digital Envoy, an IP intelligence firm, it was known by another name - X-Mode. This X-Mode acquired information about the location of Life360 users and sold it... directly to the US Department of Defence. Last year and the year before, the amounts of their contracts were estimated at hundreds of thousands of dollars.
The same X-Mode, as it turned out, sold data from several mobile applications for Muslims to military contractors, including Muslim Pro (96 million users) and Qibla Compass, which determines the direction to Mecca. And it is not the only one.
Another geodata broker, Babel Street, cooperates with a whole range of American departments: the Department of Defence, the Department of Homeland Security, the Defence Threat Reduction Agency (DTRA), the Department of Justice, the Treasury, etc. The broker Venntel and others have similar contacts.
Other enthusiasts for private individuals' geolocation data, it turned out not so long ago, are the criminal investigation subunit of the US Internal Revenue Service (IRS CI) and the US Border Protection and Customs Service (CBP). Their interest was not at all limited to the territory of the US, and the mobile applications that provided them with information were extremely diverse: from games and weather forecasts to applications like "level", which use a smartphone to hang a shelf or a picture straight.
However, a mere mortal can also buy information about the per-second location of millions of people. Outlogic offers a complete set of geolocation data for 50 million people per month in 240 countries of the world, including Russia, for just $240,000. It turns out to be inexpensive — a thousand dollars per country…
By the way, about Russia
Today, American researchers are extremely concerned about the fact that due to the activities of brokers, confidential information about US citizens, including military personnel and civil servants, may fall into the hands of Moscow. Well, we, in turn, are worried about something else entirely — that the creators of similar domestic programs for mobile phones may well turn out to be ... American companies.
For example, Life360's main competitor, the seemingly Russian application "Find my Kids" (more than 10 million downloads), says the following about itself in its "Privacy Policy":
"In this document, ‘Company', ‘we’, ‘our’ and ‘our’ refer to Geo Track Technologies Inc, registered as a legal entity under the laws of the State of Delaware (USA) on December 26, 2018 with tax identification number 83-2987714, location: 8 The Green, STE A, Dover, DE, 19901."
...Of course, all of this does not mean that the US law enforcement agencies are monitoring our children day and night through applications. However, it should now be clear to everyone: should the occasion arise, you and your family will be tracked down instantly. And anything can be such an occasion: from a business trip of the head of the family to Syria or work in a defence design bureau to the tax problems of a beloved uncle who messed with dollars. For families from troubled regions of the Russian Federation, this is all the more relevant.
This is hardly a military secret: our mobile phones have long been "transparent" through and through. It's just that in the case of family geolocators, we ourselves agree to transfer data about our own children - up to their usual routes and surrounding sounds. So isn't it time to practise elementary network hygiene in this matter?