The Florida Department of Corrections (FDC), which runs state-owned prisons in the state and is the third largest state prison system in the country, bought access to a tool that lets users track the location of smartphones via data harvested from ordinary apps, Motherboard has found. The tool, called Locate X, allows users to draw a geofence around a particular area, see which phones were at that location, and then follow them onwards or back in time to other places.
Previous coverage has shown how border authorities, federal law enforcement agencies, and various branches of the military have bought the same tool or other similar products. This is the first time a state agency has been found buying the technology, however.
"This is exactly the dynamic that civil liberties advocates worry about when it comes to new, invasive surveillance technologies," Nate Wessler, deputy project director of the Speech, Privacy, and Technology Project at the American Civil Liberties Union (ACLU), told Motherboard in a phone call. "First intelligence agencies and the military adopt it, then the FBI and the DEA, and then other parts of the federal government, and then at some point, we can presume, state and local law enforcement agencies realize this is an option and they go for it too."
Are you a government user of location data? Or do you work at a location data company selling to the government? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
The news also calls attention to the broader question of cell phones in prisons. Inmates are generally banned from possessing cell phones while incarcerated, but prison reform advocates say that phone calls from prison can be exorbitantly expensive, sometimes costing several dollars per minute, and that efforts to cap the price of prison phone calls have failed. Meanwhile, and especially during a pandemic that has disproportionately affected incarcerated people, cell phones have given inmates the ability to document their living conditions for the outside world.
Motherboard asked the FDC for comment on its Locate X purchase; after over a week, the agency had acknowledged the request but not provided a statement.
Jack Poulson, executive director of Tech Inquiry, first alerted Motherboard to a February contract between the FDC and Babel Street, the company that makes Locate X and other products including a social media monitoring tool. Motherboard then identified another contract with Babel Street from the year prior, and also confirmed that both included purchases of Locate X. The 2020 contract was for the Bureau of Security Operations, and the 2021 contract concerned the Office of Intelligence, according to the procurement records. Both purchases totalled at just over $34,000 each.
"Locate X provides access to a Data Feed enabling access to historical digital device location data. The results are obtained from geo-enabled advertising sources and are not derived from cell site location information," a Babel Street document Motherboard found in a separate United Kingdom procurement database reads.
On top of Locate X itself, the FDC's purchase also included an additional product called "Locate X Premium." A description of this premium version of the product is included in the United Kingdom database.
"Babel Street also offers select Locate X customers, pending approved use cases, an opportunity to subscribe to Locate X Premium. Locate X Premium offers access to additional metadata and is an add-on purchase to Locate X," the document reads.
Babel Street did not respond to a request for comment on what that additional metadata contains.
Motherboard also found a Locate X price list in the UK procurement database. The product costs £11,740 (around $16,230) per user for between one and ten users, decreasing in price if the client purchases more licenses. The Locate X Premium add-on costs £7,200 per user (around $8,578), according to the document.
Wessler said multiple court cases have found that when prison authorities are engaged in legitimate activities, such as ensuring order in the facility, they can invade an incarcerated person's privacy in ways that they never could with a free person.
"Even if they're just tracking people who are within a hundred yards of the outside of a facility, a lot of municipal jails and some prisons are in residential areas," Wessler added. "There's a really important question of whether that technology is actually stopping at the prison walls."
Law enforcement officials have previously abused other similar phone location data products that are specifically used by prisons. In 2018, The New York Times reported how Cory Hutcheson, a sheriff, leveraged a system from tech company Securus Technologies meant to be used for monitoring inmates' calls and who they were calling outside of the facility. Hutcheson abused it to spy on a judge and members of the State High Patrol. Securus bought the cell phone location data from a middleman company that sourced it from the carriers.
An internal Department of Homeland Security (DHS) document previously obtained by Motherboard said that Babel Street "re-hosts" data obtained by Venntel, another contractor that obtains location data from apps installed on peoples' smartphones and then also sells that data to government agencies. Apps that are part of the supply chain to Venntel can include weather and other innocuous seeming apps.
The Locate X data is anonymous, but a former Venntel worker previously told Motherboard it can be possible to deanonymize people from the dataset. (The IRS tried and failed to identify individual criminal suspects with the Venntel product).
BuzzFeed News obtained a DHS memo arguing that agency does not require a warrant to access commercial location data. The watchdog for the Treasury Department recently said, in a review of the IRS' warrantless use of such data, that agencies may not be on firm legal footing, The Wall Street Journal reported. In Carpenter v. United States, the Supreme Court laid down a landmark ruling saying that agencies generally need to obtain a warrant to collect caches of location data from telecom companies.
Protocol first reported last year that Locate X customers include Immigration and Customs Enforcement (ICE), Customs and Border Protection (CBP), and the Secret Service. Motherboard then obtained a Secret Service document confirming the purchase, and also reported that Special Operations Command (SOCOM) and a part of the Iowa Air National Guard that conducts drone strikes also bought the tool.
Senator Ron Wyden told Motherboard in a statement that "Shady data brokers have been running wild for years—selling data collected from millions of peoples’ phones to anyone with a credit card, including to government agencies. Congress has got to bring these shady data brokers to heel."
Subscribe to our cybersecurity podcast CYBER, here.