Earlier this month U.S. Customs and Border Protection (CBP) paid nearly half a million dollars to a company that sells a product based on location data harvested from ordinary apps installed on peoples' phones, according to public procurement records reviewed by Motherboard.
The news highlights how law enforcement agencies continue to buy data that may in some cases require a warrant or court order to obtain. This latest contract, which went to data broker Venntel and has not been previously reported, came after a government oversight committee already announced it was investigating such companies for their sale of sensitive data to agencies.
"This new contract raises even more concerns about the cozy and ongoing relationship between the federal government and these data brokers, which operate in the shadows and can amass mountains of sensitive personal data without any restrictions," Congresswoman Carolyn Maloney, and Chairwoman of the House Committee on Oversight and Reform which is investigating Venntel, told Motherboard in a statement.
Do you work at Venntel or Babel Street? Did you used to? Do you know anything else about the sale of location data? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
CBP paid just under $476,000 for "Venntel Software" on August 5, according to the public procurement record.
"Innovative big data analytics for the world's most challenging problems," Venntel's website reads, adding that it supports critical infrastructure, security and risk management, and supply chain industries as well as governments. Venntel obtains location data that comes from various types of apps such as games, weather, and e-commerce, and then sells access to a database of cellphone movements to various government agencies, The Wall Street Journal reported in February.
One person who worked with Venntel told Motherboard that a user can search by an area to look for devices in that particular place, or by looking up an identifier of a specific device to get the history of where that device has been. The identifiers are randomly generated codes Venntel assigned to devices, the source added. Motherboard granted two people who have worked with Venntel anonymity as they weren't authorized to speak to the press.
"If you search a certain house, you're only going to get three or four different signals out of there. I think from that standpoint, you could definitely try and identify specific people," the first source said. "I think that was part of the goal in using it for government customers and things like that, is that you're able to identify devices, and then you can do device searches to see where else they might have been," they added. A second person who has worked with the company said the data in a geofenced area is not going to contain 100 percent of devices in that location, and that identifying someone would be laborious.
The office of Senator Ron Wyden found that the criminal investigation unit of the Internal Revenue Service (IRS) tried to use Venntel data to identify and track potential criminal suspects. The IRS failed to locate any targets of interest during the year-long contract.
The Venntel data is more useful for tracking "herds of people," the second former worker told Motherboard. The Wall Street Journal's February report mentioned agencies have used Venntel data to identify border crossings and then arrest people.
The second person who worked with Venntel told Motherboard that the company was "ethical" in the clients it works with, and would not sell to local or state police, and that the company does not want its capability to be abused. Venntel did not respond to a request for comment.
The August procurement record doesn't say what specific Venntel product CBP purchased. But when asked for comment, a CBP spokesperson told Motherboard in a statement that, "Consistent with its border security and law enforcement authorities, CBP has acquired limited access to commercial telemetry data through the procurement of a limited number of licenses to a vendor provided interface."
"If you search a certain house, you're only going to get three or four different signals out of there. I think from that standpoint, you could definitely try and identify specific people."
"CBP officers, agents, and analysts are provided with access to the vendor’s interface on a case-by-case basis, and are only able to view a limited sample of anonymized data consistent with existing border security or law enforcement operations. All CBP operations in which commercially available telemetry data may be used are undertaken in furtherance of CBP’s responsibility to enforce U.S. law at the border and in accordance with relevant legal, policy, and privacy requirements," the statement added.
Notably, the statement mentions that CBP workers are able to view the data not only in line with border security issues, but also other existing "law enforcement operations." CBP is known to take technology used to surveill border crossings and apply it to other instances. In May, CBP flew an unarmed Predator drone over Minneapolis during the early stages of anti-police brutality protests after a police officer killed Black man George Floyd. Motherboard then found that CBP regularly flew such drones over American cities, including in some cases farther than 100 miles from the border (The U.S. border region legally ends 100 miles beyond the literal border).
"Shady location data brokers like Venntel are scooping up people’s location history with no restrictions on how they can use the data—and then turning around and selling it to the government to use for law and immigration enforcement," Senator Elizabeth Warren, who is part of the investigation into Venntel, told Motherboard in an statement when presented with news of the recent contract. "This is unacceptable, and it’s why my colleagues and I have opened an investigation into the government contracts held by location data brokers."
Last week Motherboard published a contract that confirmed the Secret Service had bought access to location data from another firm called Babel Street.
Senator Ron Wyden is planning legislation that would stop law enforcement and intelligence agencies from buying data that would ordinarily require a warrant or court order. This can include location data.
"Senator Wyden is pursing a multi-year inquiry into the sale of Americans' location data. That includes an investigation into Venntel, which the House Oversight Committee is leading, with Senator Wyden’s participation," Keith Chu, communications director for Wyden's office, told Motherboard in a statement. "Senator Wyden's office has reached out to several federal agencies that have purchased subscriptions to Venntel's surveillance database. Of particular interest to Senator Wyden is whether federal agencies have used commercial surveillance databases, like Venntel's, to go around the 4th Amendment. He will continue to perform vigorous oversight to protect Americans’ Constitutional rights."
"There are very practical applications for it," one of the sources that previously worked for Venntel said, referring to the company's location data. "It's just a question of, one, is it ethical, and two, does that open up the information to being released elsewhere?"
Correction: This piece has been updated to attribute a quote to Congresswoman Carolyn Maloney, rather than a spokesperson for the House Committee on Oversight and Reform.