Trapped in a fog —

Cops wanted to keep mass surveillance app secret; privacy advocates refused

Fog Reveal is "almost invisible" when attempting to search for it online.

Much is known about how the federal government leverages location data by serving warrants to major tech companies like Google or Facebook to investigate crime in America. However, much less is known about how location data influences state and local law enforcement investigations. It turns out that's because many local police agencies intentionally avoid mentioning the under-the-radar tech they use—sometimes without warrants—to monitor private citizens.

As one Maryland-based sergeant wrote in a department email, touting the benefit of "no court paperwork" before purchasing the software, "The success lies in the secrecy."

This week, an investigation from the Electronic Frontier Foundation and Associated Press—supported by the Pulitzer Center for Crisis Reporting—has made public what could be considered local police's best-kept secret. Their reporting revealed the potentially extreme extent of data surveillance of ordinary people being tracked and made vulnerable just for moving about small-town America.

Reports showed how police in nearly two dozen agencies—one record shows the total figure could possibly be up to 60—use Google Maps-like tech called Fog Reveal. Licensed by Fog Data Science, Fog Reveal gives state and local police power to surveil what the company's marketing materials claimed in 2019 amounts to "hundreds of billions of records from 250 million mobile devices."

EFF found that Fog Reveal draws its data from Venntel, the same data source the feds use. Although neither company disclosed the nature of their business relationship to AP or EFF, it appears that because of their partnership with Venntel, Fog Reveal provides location data services to local police at a steep discount. This makes it more affordable for smaller police agencies and private security companies to access broad swaths of data and trace devices across months or even years.

Venntel provided Ars with the same statement it gave AP: "The confidential nature of our business relationships" prevents the company from responding to questions.

Typically, EFF found that police agencies have licensed the software annually for costs as low as $6,000 to $9,000. Some agencies were willing to spend more on the tech, though. Ars reviewed one annual contract in Anaheim, California, that was for more than $40,000.

It took the Electronic Frontier Foundation months and more than 100 public records requests to gather thousands of pages of evidence to compile a clear picture that shows how local law enforcement increasingly mines location data. Records showed Fog Reveal has been used in criminal investigations, including, as AP reports, "tracing the movements of a potential participant in the Jan. 6 insurrection at the Capitol."

Fog Data Science managing partner Matthew Broderick told AP that Fog Reveal has been critical in helping police save time and money on investigations, suggesting police were under-resourced and investigations suffered from reliance on outdated tech. (Bloomberg reported that most cities increased local police budgets last year.)

"Local law enforcement is at the front lines of trafficking and missing persons cases, yet these departments are often behind in technology adoption," Broderick told AP. "We fill a gap for underfunded and understaffed departments."

EFF found that some agencies stopped using Fog Reveal because it wasn't providing enough information on its own to aid investigations. It also found at least one instance of a sergeant questioning the legality of using Fog Reveal due to Carpenter v. United States. In that case, it was found that wireless carriers couldn't share location data with the Federal Bureau of Investigation because doing so violated the suspect's reasonable expectation of privacy.

AP reported that Broderick said "that the company does not have access to people's personal information," instead drawing from "commercially available data without restrictions to use." Broderick defended Fog Reveal's legality by saying all location data came from data brokers "that legitimately purchase data from apps in accordance with their legal agreements." This essentially asserts that privacy agreements between apps and their users elicit broad consent for third-party data brokers to then buy the data and share it with police.

The head of EFF's investigation into Fog Reveal, Bennett Cyphers, wrote that this is an old argument that "rests on a legal fiction of consent that EFF, courts, and members of Congress have repeatedly criticized because it fails to adequately protect people's privacy." He told AP that one risk of lawmakers ignoring this new report was increasing surveillance of people in smaller towns going unnoticed, posing a bigger threat than federal agencies. These are the law enforcement agencies that Americans interact with most often, and now there's evidence they'll be monitoring Americans more frequently.

"We're seeing counties with less than 100,000 people where the sheriff is using this extremely high-tech, extremely invasive, secretive surveillance tool to chase down local crime," Cyphers told AP.

A Fog Data Science spokesperson told Ars that the company plans to clarify some aspects of AP's and EFF's reporting. Ars will update the story with any new information when it becomes available.