An Investigation of Fog Data Science, Which Provides Device Locating Services to U.S. Police eff.org

Bennett Cyphers, Electronic Frontier Foundation:

The company, Fog Data Science, has claimed in marketing materials that it has “billions” of data points about “over 250 million” devices and that its data can be used to learn about where its subjects work, live, and associate. Fog sells access to this data via a web application, called Fog Reveal, that lets customers point and click to access detailed histories of regular people’s lives. This panoptic surveillance apparatus is offered to state highway patrols, local police departments, and county sheriffs across the country for less than $10,000 per year.

The records received by EFF indicate that Fog has past or ongoing contractual relationships with at least 18 local, state, and federal law enforcement clients; several other agencies took advantage of free trials of Fog’s service. EFF learned about Fog after filing more than 100 public records requests over several months for documents pertaining to government relationships with location data brokers. EFF also shared these records with The Associated Press.

Cyphers found several connections between Fog Data Science and a data broker called Venntel. While Fog Data focuses on smaller police departments, Venntel works mostly with national agencies and, according to Cyphers’ reporting, also provides data to other law enforcement-connected location companies like Babel Street and X-Mode. Venntel is well-connected in Washington. The Department of Homeland Security is a current user of its software; in the past, it has also held contracts with the FBI, DEA, ICE, and IRS, according to a search of USAspending.gov.

Cyphers:

Together, the “area search” and the “device search” functions allow surveillance that is both broad and specific. An area search can be used to gather device IDs for everyone in an area, and device searches can be used to learn where those people live and work. As a result, using Fog Reveal, police can execute searches that are functionally equivalent to the geofence warrants that are commonly served to Google.

The EFF says Fog Reveal will display a proprietary hash of the advertiser ID for devices within a geofence instead of the actual ID. But that may not be the case for all users.

Will Greenberg, EFF:

Federal users have access to an interface for converting between Fog’s internal device IDs (“FOG IDs”) and the device’s actual Advertiser ID:

This is eyebrow raising for a couple reasons. First, if this feature is operational, it would contradict assurances made in a sample State search warrant Fog sends to customers that FOG IDs can’t be converted back into Advertiser IDs. Second, if users could retrieve the Advertiser IDs of all devices in a query’s results, it would make Reveal far more capable of unmasking the identities of those devices’ owners. This is due to the fact that if you have access to a device, you can read its Advertiser ID, and thus law enforcement would be able to verify if a specific person’s device was part of a query’s results.

To be clear, the EFF does not know if this extra level of federal functionality is available to end users. The U.S. Marshals had a two-year contract with Fog Data, which ended in 2020. It is the only national-level contract the EFF could find, and there is no evidence the Marshals or any Fog Data customer has access to unhashed advertiser IDs.

Even so, the presence of this functionality is worrisome. Last year, Joseph Cox of Vice explained how “identity resolution” companies like BIGDBM and FullContact brag about their ability to tie advertising identifiers to individual profiles of people: their names, physical addresses, IP addresses, property records, and more. If a law enforcement agency has contracts with a device location aggregator like Fog Data and an identity resolution company, and has access to this feature, officers could create full named profiles of people’s movements without a warrant.

Even if an agency does not have access to an unhashed device identifier, the repeated presence of a device at an address is a strong indicator that its owner lives there. It is hard to overstate how easy it is to link an address back to a name and phone number with free and publicly accessible web tools. That is, even though Fog Data may not collect what it deems to be personally identifiable information — which, somehow, does not include device advertising identifiers — it is trivial to tie what it does show back to a specific person. And, again, police somehow do not need a warrant for this because the location data is bought from data brokers that harvest it from apps instead of cell towers.