California Congresswoman Anna Eshoo is urging the Federal Trade Commission (FTC) to investigate a Virginia-based company revealed by the Associated Press to provide law enforcement agencies across the U.S. with access to cellphone tracking technology capable of mapping people’s movements “months back in time.”
In a letter this week, Eshoo called on Lina Khan, the commission’s chair, to “immediately investigate” the company, Fog Data Science LLC, “to ensure that surveillance advertising becomes a prohibited business practice.”
On Sept. 2, an Associated Press report described the company’s product as an “obscure cellphone tracking tool” capable of searching “hundreds of billions of records from 250 million mobile devices.” The software, known as Fog Reveal, operates on location data culled from hundreds of consumer apps, purportedly for advertising purposes.
Fog Data Science reportedly purchases this data, which can be used to track the movements of an individual mobile device over a period of months, and repackages it in a platform used by at least two dozen agencies for investigative purposes. (The company has previously declined to reveal how many police contracts it holds.)
The software’s existence first came to light in documents obtained by the Electronic Frontier Foundation, whose special advisor, Bennett Cyphers, called Fog Reveal “a mass surveillance program on a budget.” Records show the software can be had for as low as $7,500 a year.
Fog Reveal is one of several services exploiting what some constitutional experts have come to call a Fourth Amendment “loophole.” While a Supreme Court opinion in 2018 held that the government cannot acquire sensitive location data without a warrant, many government agencies have chosen to interpret the ruling narrowly, applicable only to demands for such data. Because the Fourth Amendment does not regulate commercial transactions, and no court has yet ruled on whether the opinion applies to the government’s ability to simply purchase the same data instead, a host of federal, state, and local law enforcement agencies have begun literally buying their way around the need to obtain a warrant.
“In a post-Roe v. Wade world, it’s more important than ever to be highly mindful of how tools like Fog Reveal may present new threats as states across the country pass increasingly draconian bills restricting people’s access to abortion services and targeting people seeking reproductive healthcare,” Eshoo said.
“The use of Fog Reveal is also seemingly incompatible with protections against unlawful search and seizure guaranteed by the Fourth Amendment,” she continued. “Consumers do not realize that they are potentially nullifying their Fourth Amendment rights when they download and use free apps on their phones. It would be hard to imagine consumers consenting to this if actually given the option, yet this is functionally what occurs.”
Fog Data Science could not be immediately reached for comment. One of the company’s managing partners, Matthew Broderick, a former U.S. Marine brigadier general and senior official at the Department of Homeland Security, told the Associated Press: “Search warrants are not required for the use of the public data.”
Broderick went on to describe the company as filling a technological “gap” necessary “at the front lines of trafficking and missing persons cases,” adding that he was “confident” that law enforcement would use the product responsibly and “in accordance with the laws in their respective jurisdictions.”
Aside from a few ordinances passed in cities located largely along the West Coast, most jurisdictions have no applicable laws governing the use of commercial surveillance technology. Only in a handful of places, such as Oakland and San Diego, are city leaders even required to weigh the benefits of surveillance tech ahead of its deployment.
What’s more, misuse of police databases has been widely reported across the country. In 2016, the Associated Press unearthed hundreds of documented cases in which officers had been fired, suspended, or forced to resign after accessing confidential databases to gather information on “romantic partners, business associates, neighbors, journalists and others for reasons that have nothing to do with daily police work.”
An FTC spokesperson acknowledged receipt of Eshoo’s letter, but they declined to comment further.
Last month, the agency initiated a rulemaking process to address “commercial surveillance and data security,” writing that it had become “concerned that companies collect vast troves of consumer information,” often through “secret surveillance practices.” The notice for this process broadly defines the issue, encompassing virtually all forms of data collected commercially. It remains unclear, however, how the agency will act on its findings, or whether it even currently believes new rules for data collection are necessary. And while the notice references accounts of location data being purchased by the government — namely, the military — its references to “surreptitious” location tracking do not specifically call out law enforcement partnerships.
Jessica Rich, the former director of the FTC’s consumer protection bureau, has joined others, meanwhile, in questioning whether the rulemaking is a “serious effort,” or merely an “attempt to push Congress to move forward” and pass a comprehensive privacy bill known as the American Data Privacy and Prevention Act (reported on in-depth by Gizmodo last month).
Notably, the restrictions against the collection or sale of data under that bill do not apply to any company working on behalf of the government, which includes federal, state, and local law enforcement. The passage of the American Data Privacy and Prevention Act (ADPPA) would do nothing to halt police use of the Fog Reveal software.
Like the ADPPA, which is the first major privacy bill to be passed out of committee on Capitol Hill in two decades, other bills that would actually ban the practice of selling location data — such as the Geolocation Privacy and Surveillance Act or the Fourth Amendment Is Not For Sale Act — have received no legitimate support from bicameral leadership in Congress. The clock on the ADPPA itself is rapidly ticking away as we approach the election of a new House of Representatives in November.
On that matter, the New York Times reported three years ago that the U.S. was “virtually the only developed nation without a comprehensive consumer data protection law and an independent agency to enforce it,” adding, optimistically: “But that could be changing.”
Yet virtually nothing has changed. Democrats and Republicans remain entrenched over competing ideas of what a national privacy law should accomplish. Years of backroom negotiating have helped whittled their list of policy disagreements down to a final vexing few, but the issues remaining embody starkly clashing visions of how a federal law should work. For example: Should the government empower victims of privacy crimes to seek relief directly from the courts? Or, conversely, should they be made to rely on the government itself to get justice on their behalf? (And ultimately, does it even matter?)
In addition to a private right of action, areas of dispute such as preemption (a debate over whether federal law should be a floor upon which states can create new privacy rights, versus a ceiling, which would prevent them from doing so) and appeals to introduce a “duty of loyalty” (obligating data collectors to “act in the best interests of people exposing their data”) remain major impediments in brokering a consensus between two factions of policymakers: those genuinely in pursuit of the strongest possible privacy rights, and those negotiating on behalf of corporations, whose bottom lines could be hurt if forced to respect them.
Regardless, neither side appears, at least at this time, interested in tackling the problem at hand — that law enforcement officers around the country are being handed the incredible power to track the movements of ordinary Americans using tools that can fit on a cellphone, without even a wisp of oversight.