The tool, known as “Fog Reveal,” allows law enforcement to create location analyses of users by accessing hundreds of billions of records from 250 million mobile devices. This data-gathering practice was revealed as lawmakers scrutinized data brokers for various privacy-related concerns.
“[Fog Reveal] represents a direct and uniquely modern threat to our privacy. Its business is only possible because of a cascade of decisions by tech platforms, app developers, lawmakers, and judges, all of whom have failed to adequately protect regular users,” wrote Electronic Frontier Foundation staff technologist Bennett Cyphers in a review of the technology’s uses. Cyphers noted a number of failures by lawmakers and tech companies to enforce stronger privacy protections, as well as courts failing to clarify that a person’s Fourth Amendment rights “aren’t diminished just because they’re carrying a smartphone that can transmit their location to apps and data brokers.”
Fog Reveal’s owner, Fog Data Science, promotes itself by claiming that it has “billions” of data points about “over 250 million devices” and that law enforcement can use the data to determine where a subject works, lives, and hangs around. Fog has had contracts with at least 18 local, state, and federal law enforcement agencies, according to data reviewed by EFF. Several other agencies have used a test version of the software.
Fog’s software allows agencies to run two specific kinds of data searches. The first is an area search, which allows an agency to draw one or more shapes on a map and specify a time range. The search then returns a list of cellular signals that may have been present in that area during that time range. The second search allows law enforcement to specify one or more identified devices and a time range. Fog Reveal will then provide them with a list of location signals that can be used to identify a target’s “pattern of life.”
While Fog states that it does not collect identifying information, it does allow law enforcement extended access to users’ data, which police can use for “pattern of life” analysis, including insights into sleep patterns, work habits, and other elements of a person’s life. The data used by Fog originate from third-party apps, which often have permission to share that data with brokers like Fog for additional revenue without getting the consent of the people being tracked. Fog’s Senior Vice President for Sales and Analysis Mark Massop has said that the data do not come from Big Tech firms like Facebook and Twitter but rather from “lots of smaller apps.”
While Fog has worked with several agencies in the past, some have canceled their subscriptions to Fog Reveal, with at least one claiming that the service never helped them solve a case. “Those potential shortcomings are not a reason to underestimate Fog’s invasiveness, or its capability for unfettered dragnet monitoring. But it’s important to understand its limits,” Cyphers notes.
While Fog claims that it only provides its services to law enforcement, promotional material also notes that it provides “out-sourced analytic services” to non-law enforcement agencies, including “private sector security clients.”
Law enforcement data practices have been a focus for lawmakers in recent months. Multiple civil liberties groups and lawmakers have objected to agencies like the FBI and ICE having access to user data without seeking a warrant. The Department of Homeland Security and ICE have purchased mass quantities of location data from Fog’s competitors in the past, creating concern about what sorts of details that data may provide on citizens.
The Federal Trade Commission filed a suit against a data broker on Monday for its data gathering process, including selling data connected to abortion clinics, places of worship, and homeless shelters.