Last weekend, the New Yorker reported that the Trump campaign has spent $4 million buying voter information—including location data—from a data broker called Phunware. But it is hard, and perhaps impossible, for an ordinary user to know whether or not your physical movements and personal data are being tracked and sold to the Trump campaign (or other political campaigns), because of the opaque nature in which the data industry operates.
The Trump campaign’s work with Phunware, a company that helps “Fortune 5000 brands engage, manage, and monetize their mobile audiences,” have been widely reported. Among other things, the company makes a software development kit (SDK) that allows app manufacturers to easily collect real-time location data from users. That data can then, in some cases, be collected by Phunware and resold to other customers, who can analyze and use the data. According to the New Yorker, the Trump campaign, through a company called American Made Media Consultants, has paid roughly $4 million to Phunware in the last year for app development and data.
“They are paying for data. They are paying for targeted advertising services,” a former business partner of Phunware told the New Yorker. “Imagine if every time I open my phone I see a campaign message that Joe Biden’s America means we’re going to have war in the streets. That’s the service the Trump campaign and Brad Parscale (the Trump campaign's senior advisor for data and digital operations) have bought from Phunware. An app is just part of the package.”
Do you work at a location SDK company? Did you used to? Do you know anything else about the sale of location data, or Phunware in particular? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
Phunware’s SDK is embedded in hundreds of apps, some of which collect and sell their users’ data, others of which do not. Independent security researchers from hacking collective LaBac identified a collection of apps that connect to Phunware domains and provided a list to Motherboard, including a horoscope app, and another for a hospital in Los Angeles. But it is essentially impossible for an ordinary user to know whether the inclusion of a Phunware SDK in an app they use means their data is eventually making their way to advertisers or political campaigns. We only learn about how this data is actually traded because of whistleblowers within the industry who sometimes leak to journalists. And sometimes, we learn about the use of this data through political campaign disclosure rules.
This is because Phunware does not disclose its specific deals with app developers. Phunware declined to speak to the New Yorker for its story, but several months ago, Motherboard emailed with Randall Crowder, Phunware's chief operating officer, about how Phunware’s data is used.
When asked if location data gathered by Phunware's SDK is used for all types of the company's clients, be those political, health-focused, or any other subset, Crowder said, "Absolutely not. Some data is contained only within an application's sandbox. Other applications allow us to use their data, but only anonymously and in the aggregate." Crowder declined to comment on any specific app's data collection.
When Motherboard learned, for example, that a Los Angeles hospital’s app had a Phunware SDK installed, we reached out to the hospital, Cedars-Sinai, to learn more. The hospital explained that it needed location data to help patients navigate its campus, but that Phunware does not then provide this data to other clients.
"The Cedars-Sinai mobile app contains a feature developed by Phunware that allows visitors and patients to find their way around our main medical campus. Data is collected only if it is necessary to drive the on-campus wayfinding functionality and for no other purpose. Furthermore, Phunware has certified in writing to us that the data utilized to drive this functionality is de-identified, kept private, confidential, and segregated from all of its other business lines and customers. Any personal health information is always separate and secure, ensuring patient privacy," a Cedars-Sinai spokesperson told Motherboard in an email.
The average user—and even sophisticated security researchers—are unable to vet each and every client of each and every firm collecting and selling location data. They are also often unable to then track who those data brokers sell the data they collect to, creating a chain of data custody that is complicated, opaque, and largely out of the average user’s control. Some, but not all, data brokers explain exactly what data they collect and how they collect it, but often that information is buried in long terms of service agreements or privacy policies, and the nested structure of apps—Phunware, for example, makes an SDK that goes into apps, but is not the actual maker of most of those apps—means that it is time consuming and difficult to understand specifically what companies you are giving your data to, and what they are then doing with it.
Instead, the crucial part of the data supply chain—what happens to location data after it is collected—is not clear from the apps itself, and often is a closely-guarded secret within a data broker itself.
One alternative to having location data collected and sold to unknown parties, which is not feasible for most people, is to turn off location services on all apps, all the time. Another alternative is to not use any apps at all. But some location data, as Motherboard has shown, has historically come directly from phone companies themselves. And so, if you are using a phone at all, it is possible for your general location to be tracked, and for that data to be monetized and potentially used to advertise to you and perhaps influence your vote.
This sort of location-based voter targeting, when paired with other data, can become quite granular and is potentially very powerful and invasive.
The CEO of a location data-tracking company called Mobilewalla said on the Top Entrepreneurs podcast that, in the 2016 election, it worked with Republicans to track people's locations near Evangelical churches over the course of a six-month period, and then also tracked their locations on election day.
“We were telling the ground team who showed up to vote and who hadn’t yet,” Mobilewalla CEO Anindya Datta said in a 2017 podcast. Campaigns were then able to send alerts to presumed Evangelicals (who overwhelmingly vote Republican), reminding them to go vote.