By now, most Americans are used to hearing about how the NSA, the CIA, and the FBI collect massive amounts of personal information on millions of people, American or otherwise. Those are all Federal agencies. But what happens at the local or state level?

As it turns out, a recent EFF investigation has shown that a shady company called Fog Data Science provides state and local law enforcement with precise location data of hundreds of millions of Americans – often without a warrant. The data is collected through thousands of smartphone apps and aggregated by data brokers without any oversight or public disclosure.

In this post, we’re going to look at who Fog Data Science is, what they’re doing, and, to a limited degree, what you can do about it.

Fog Data Science explained

Fog Data Science is a data broker that purchases raw location data collected by popular (and less popular) smartphone and tablet applications. These apps continuously gather your device’s location information and sell that data to data brokers – like Fog Data Science. In most cases, that data is used to sell you stuff. It is most often sold to advertisers and marketing companies that will serve you location-based ads.

But Fog Data Science’s business model is somewhat different. According to some of the company’s internal documents obtained by EFF, Fog Data Science buys billions of data points sourced from tens of thousands of mobile applications from roughly 250 million devices across the United States. It then makes the data available to local and state law enforcement agencies for a subscription fee. That fee is typically between $6000 and $9000 and provides for 100 queries per month – with more queries available for additional fees.

The subscription service is called “Fog Reveal.” It provides a slick website to law enforcement, where they can perform lookups using latitude, longitude, timestamp, and device ID. Police can also access a device’s historical location data going back to 2017.

So what can local and state police do with a “Fog Reveal” subscription?

The documents obtained by EFF show that Fog Reveal subscribers can run two kinds of queries:

  • Area searches
  • Device searches

Area searches enable law enforcement to simply draw one or more boxes on the website’s map and display the location, time, and device ID of every device present in the geographical area within the selected timeframe. The documents remain silent on how large the selected geographical area for a given search can be.

Device searches, for their part, allow law enforcement to specify one or more devices they’re interested in along with a timeframe, and Fog Reveal displays a list of all the device(s)’ location signals and the associated time. Police can track a specific device’s location history over months and even years. And, as mentioned above, there’s no warrant or court order requirement for police to get their hands on this data trove.

In EFF’s words, “This means that police, sometimes without a warrant, have the ability to track the precise movements of hundreds of millions of Americans as they go about their day. This is mass surveillance, often with no judicial oversight.”

No need to worry, Fog Data Science claims it’s privacy-friendly…

Fog Data Science claims to respect user privacy(!) and that it never collects any personally identifiable information (PII), such as names, phone numbers, or email addresses). But it does enable law enforcement to access historical location data for a given device. And by “historical,” I mean years’ worth of location data.

This allows for – and Fog Data Science explicitly mentions this in its marketing – “pattern of life” analysis. Pattern of life analysis tracks a device over time to reveal where its owner sleeps, studies, works, worships and otherwise associates with others. And yes, you guessed it, pattern of life analysis allows law enforcement to obtain the identity of the device owners – and quite trivially at that.

As the EFF states, having police look at a dot representing your phone on a map may not reveal your name and phone number, but when they follow that dot to where you sleep at night, they suddenly have your address. Not only that, over a decade ago, a study using a 15-month set of data culled from mobile phones found that they needed just four spatio-temporal points to identify 95% of the 1.5 million people in the data set.

So its privacy claims are dubious at best. That it would make such a claim despite being a surveillance company somewhat reminds me of that time in 2019 when Mark Zuckerberg tried to brand Facebook as a privacy champ. It was analogous to oil companies talking about their commitment to the environment or armament companies waxing about world peace – not exactly convincing.

What’s the harm?

We’ve all heard the misguided adages of those who favor giving up our privacy in the modern world. There’s the “They’re only doing it to sell me stuff” and its more philosophical counterpart, “I don’t care. I have nothing to hide”. Brilliant. Now let’s look at the actual harms that become possible when this kind of surveillance is left unchecked.

Allowing police to subscribe to Fog Data Science flies in the face of civil liberties. It’s illegal for police to demand location data from mobile service providers without a warrant, but this, apparently, enables law enforcement to bypass that requirement.

With a Google Maps-like user interface, police can select an area with their mouse and display all of the devices that were present during a protest, for example. They can then follow these people home and subject them to more “surveillance, harassment, and retribution.” For example, police can track devices that have been to a union meeting, a women’s health clinic, a rehab center, an immigration lawyer’s office, etc.

Then there are what I refer to as the circumstantial harms that come with such practices. Let’s say you randomly found yourself near a shop that got robbed or any event likely to come under police scrutiny. In those cases, police would easily be able to see your device was located in the crime’s vicinity and sign you up for more surveillance (without your knowledge or consent, of course).

What can we do to mitigate this?

Unfortunately, there isn’t much we can do because we have limited control of our mobile phones (compared to the control we have over desktop computers and laptops). Although that doesn’t mean we can’t do anything.

Here’s a short list of measures you can take to enhance your resilience against these kinds of practices:

  • You should disable ad tracking and its associated mobile ad identifier, which enables data brokers to link all the collected data to your specific device.
  • Try and limit the number of applications you install on your phone. Many apps collect as much data as possible despite the fact the collected information is not required for the app to function. Think of a puzzle game that requires your location.
  • Disable location services globally on your phone. Instructions on how to do this are found below.
  • If disabling location service globally is not feasible for you (i.e., you know some of the apps that you use require access to location services), it may be worth disabling location services for specific apps that don’t actually need location services to function correctly (though they may still collect it). Instructions on how to do this are also found below.

How to disable location services on iOS

Disabling location services globally

Here’s how to disable location services globally on iOS:

  • Open the Settings app.
  • Scroll down and select Privacy.
  • Select Location Services.
  • Toggle the Location Services switch to Off.

Disabling location services for a specific app

Here’s how to disable location services for a specific app on iOS:

  • Open the Settings app.
  • Scroll down and select Privacy.
  • Select Location Services. Under Share My Location is a list of apps that currently have access to location services. Select the app you want to disable.
  • Select the Never option to make sure the app won’t be able to access your location even with location services (the general option) enabled.

How to disable location services on Android

Here’s how to disable location services globally on Android:

  • Open the Settings app.
  • Select Location.
  • Toggle the Location switch to Off.

Here’s how to disable location services for a specific app on Android:

  • Open the Settings app.
  • Select Location.
  • Select App permissions. A list of apps that currently have access to location services is displayed. Select the app you want to disable.
  • Select the Deny option to make sure the app won’t be able to access your location even with location services (the general option) enabled.

Disabling Google location services

On all Android phones, Google-specific location services are continually running in the background. You’ll want to disable those too.

  • Open the Settings app.
  • Select Location. Towards the bottom of the page, you’ll see a list of Google location services.
  • Select each one of them and toggle the switch to Off.

Wrapping Up

So that’s Fog Data Science, and you certainly want to feed it as little data as possible. But indiscriminate surveillance is difficult to avoid because it’s ubiquitous. So while the above measures will help, the internet will remain a hostile place regarding user privacy. We’ve been aware of the issue for a long time, but we don’t appear to be making much headway.

While we can provide tips and tricks to mitigate this kind of data collection all day long, it’s unlikely to change much. What we need is legislation. We’re going to need governments to step in and put forth laws that bar government agencies from purchasing location data in the first place if we want meaningful protection from these harms.

We would also need consumer data privacy legislation that actually has teeth and is enforceable. And, while we’re at it, how about a ban on online behavioral advertising? That would have the benefit of significantly limiting the amount of location data made available to data brokers.

Until then, we have little choice but to rummage through our device’s settings to turn off as many data faucets as possible and hope for the best. But hey, at least we can’t say we weren’t born in interesting times, right?

Stay (as) safe (as possible).