For Sale: Millions of Back Doors

There is a remarkable series of stories that Joseph Cox of Motherboard has been reporting over the past couple of months, describing the ways location data, IP addresses, and other private information is being sold to vendors and, eventually, law enforcement. I think these articles are best presented together, for the fullest context.

Here’s the first — police are purchasing illegally-obtained website data through intermediaries:

Hackers break into websites, steal information, and then publish that data all the time, with other hackers or scammers then using it for their own ends. But breached data now has another customer: law enforcement.

Some companies are selling government agencies access to data stolen from websites in the hope that it can generate investigative leads, with the data including passwords, email addresses, IP addresses, and more.

Motherboard obtained webinar slides by a company called SpyCloud presented to prospective customers. In that webinar, the company claimed to “empower investigators from law enforcement agencies and enterprises around the world to more quickly and efficiently bring malicious actors to justice.” The slides were shared by a source who was concerned about law enforcement agencies buying access to hacked data. SpyCloud confirmed the slides were authentic to Motherboard.

Here’s another — the United States Secret Service purchased a license to Babel Street’s Locate X. You may remember that name from a story that appeared in the Wall Street Journal last month, which I covered, that showed multiple U.S. government agencies had contracts with private location tracking companies. Cox:

The Secret Service paid for a product that gives the agency access to location data generated by ordinary apps installed on people’s smartphones, an internal Secret Service document confirms.

The sale highlights the issue of law enforcement agencies buying information, and in particular location data, that they would ordinarily need a warrant or court order to obtain. This contract relates to the sale of Locate X, a product from a company called Babel Street.

Finally, published yesterday, a story about a private spy company that buys location data:

A threat intelligence firm called HYAS, a private company that tries to prevent or investigate hacks against its clients, is buying location data harvested from ordinary apps installed on people’s phones around the world, and using it to unmask hackers. The company is a business, not a law enforcement agency, and claims to be able to track people to their “doorstep.”

[…]

Motherboard found several location data companies that list HYAS in their privacy policies. One of those is X-Mode, a company that plants its own code into ordinary smartphone apps to then harvest location information. An X-Mode spokesperson told Motherboard in an email that the company’s data collecting code, or software development kit (SDK), is in over 400 apps and gathers information on 60 million global monthly users on average. X-Mode also develops some of its own apps which use location data, including parental monitoring app PlanC and fitness tracker Burn App.

Many of these apps are distributed by a developer called Launch LLC. So you think you’re downloading a simple app from some no-name developer, and it’s actually from this X-Mode data brokerage company that sells your data to HYAS which, in turn, distributes it to law enforcement and intelligence agencies to mine without a warrant.

The fact that these marketplaces are even possible is absurd and outrageous. A lack of strict regulations for the collection and use of personal data — particularly in the United States, given the number of tech companies based there — puts everyone at risk.

Just a couple of months ago, a massive Oracle BlueKai database was found to be leaking data from an estimated 1% of all traffic on the web. A report released last week indicated that just a handful of often-visited websites are needed to reliably “fingerprint” someone, and dozens of companies have the potential to do so.

We constantly generate so much private data on the smartphones we carry everywhere. Yet the collection, use, and resale of that data are basically unregulated. The scale of it is unknown, since many of the organizations responsible go out of their way to hide their activities. I am sure that all of this has the potential to catch criminals, but at what cost?

Yesterday, the U.S. Court of Appeals for the Ninth Circuit unanimously confirmed that the NSA’s bulk collection of Americans’ phone records was illegal, and found no evidence that it ever caught or convicted a single terrorist. But, even if it had helped, the program would still have been illegal, because bulk surveillance is antithetical to a healthy democracy. If anything, this decision demonstrated that federal agencies are more constrained than private companies in their ability to collect information like this. That makes sense — the state should not be spying on citizens — but Cox’s reporting shows that the private sector has provided a convenient workaround.

Perhaps it is possible to update the law to require a warrant for surveillance by proxy, and for it to be more targeted, but it is highly unethical to be collecting this much information in the first place for the purposes of stockpiling and bulk sales. This circumstance should not be possible — even in theory. That is not for the purposes of making legitimate investigations harder, but to ensure privacy and security for everyone. The software we use should not be snitching our location to some two-bit private intelligence firm for resale to whomever they determine to be an agreeable customer. You might be comfortable with the U.S. Secret Service buying access to your location; maybe you’re fine with other law enforcement agencies and private companies that may have similar contracts. But, sooner or later, I am certain we will find out that some disagreeable entity — maybe a company that behaves unethically, or maybe some authoritarian state — also tracks people around the world. Then what? Stopping this data brokerage industry is not paranoia, it is pragmatic.