One user travelled through a park a few blocks south of an Islamic cultural center. Roughly every two minutes, their phone reported their physical location. Another was next to a bank two streets over from a different mosque. A third person was at a train station, again near a mosque.
Perhaps unbeknownst to these people, Salaat First (Prayer Times), an app that reminds Muslims when to pray, was recording and selling their granular location information to a data broker, which in turn sells location data to other clients. Motherboard has obtained a large dataset of those raw, precise movements of users of the app from a source. The source who provided the dataset was concerned that such sensitive information, which could potentially track Muslims going about their day including visiting places of worship, could be abused by those who buy and make use of the data. The company collecting the location data, a French firm called Predicio, has previously been linked to a supply chain of data involving a U.S. government contractor that worked with ICE, Customs and Border Protection, and the FBI.
The news about Salaat First, which has been downloaded more than 10 million times on Android, highlights not only the use of religious apps to harvest location data, but also the ease at which this sensitive information is traded in the location data industry. Motherboard is withholding some specifics about the dataset such as its exact size in order to protect the source, but the significance is clear: users of a Muslim-focused app are being tracked likely without their informed consent.
"Being tracked all day provides a lot of information, and it shouldn't be usable against you, especially if you are unaware of it," the source said. Motherboard granted them anonymity to avoid repercussions from their employer.
Do you work at Predicio or any other location data company? Did you used to? Do you know anything else about the sale of location data? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
Motherboard previously reported how a separate app, Muslim Pro, was selling its users' location data to a company called X-Mode Social which sells products to the U.S. military via contractors. In the wake of our report on Muslim Pro, both Apple and Google banned X-Mode from their respective app stores, putting the future of the location firm into question. This new Motherboard investigation is based on a second, previously unreported data transfer with a different app.
Salaat First is also available on iOS, but that version does not send data to Predicio. The app sends notifications reminding users when to pray, shows them which direction to pray while pointing towards Mecca, and displays nearby mosques to users based on their current location.
The leaked data itself contains precise latitude and longitude of app users, their phone model, operating system, IP address, and a timestamp. The data also includes the user's unique advertising ID—a particularly powerful piece of data that allowed Motherboard to filter the cache to specific users and then follow that person's movements through time. The dataset is not limited to just Salaat First, and includes data generated by other apps that have sent information to Predicio.
Hicham Boushaba, the developer behind Salaat First, confirmed to Motherboard that his app sent users' location data to Predicio. He said that he implemented Predicio's software development kit (SDK)—a bundle of code, in this case to collect location data—after the company approached him in March 2020. Boushaba said that, per his agreement with Predicio, that the data collection only initialized if the user downloaded the app in the UK, Germany, France, or Italy.
With that in mind, it is unlikely many Salaat First users provided informed consent for the app to sell their location data.
"I don’t know that," one Salaat First user told Motherboard over Twitter Direct Message when told about the location data harvesting.
The dataset Motherboard obtained is not the full extent of what Predicio collected from Salaat First or other apps, and is only a snapshot. The total amount of collected data is likely much larger than what was included in the sample we obtained. Predicio did not respond to multiple requests for comment, including questions asking which third parties the company sold data from Salaat First users to, and how the company ensures that clients receiving location data do not abuse it.
Last month, Motherboard and Norwegian broadcaster NRK reported how Predicio was part of a complex data supply chain connected to Venntel, a U.S. government contractor that sells location data to law enforcement agencies, including Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP). That investigation found that Gravy Analytics, the parent company of Venntel, has obtained data from Predicio. Gravy then provides location data to Venntel, according to documents shared by NRK with Motherboard.
That article named some apps that provide location data to Predicio, including Fu*** Weather, a weather app with more than one million downloads. After that report, Costin Raiu, director of the Global Research and Analysis Team at cybersecurity firm Kaspersky, analyzed the Fu*** Weather app and provided Motherboard with what appeared to be a Predicio domain embedded into apps that may be part of the Predicio network: "sdk.predic.io".
From there, Motherboard compiled a list of apps that contain code related to Predicio's SDK by reverse engineering individual apps. Motherboard found multiple apps that contained the Predicio domain, including Weawow, a weather app with over one million downloads, as well as Salaat First. Not all apps that contain the domain necessarily send data to Predicio—some may have tested the SDK but not fully implemented it—but in some cases developers of the apps confirmed to Motherboard that they did send data to Predicio, and many of the apps included in the leaked dataset match those Motherboard identified as being linked to Predicio through the app analysis.
"Only users who like the Weawow app very much and want to help me in any way financially will permit the providing location data," Kei Shinohara, the CEO of Weawow, told Motherboard in an email, adding that the location data sharing is turned off in the app by default.
Predicio's location data SDK is called "Telescope," according to Motherboard's analysis of apps containing the code and since deleted Predicio documentation Motherboard found online.
"We build the most accurate mobile data products available," one part of that documentation, written by Predicio's VP of Business Development Adam Esjmont, reads. The documentation also mentions that Predicio's SDK may collect hashed emails of users and a list of what other apps are installed on the device. This particular data was not included in the cache that Motherboard obtained.
"Being tracked all day provides a lot of information, and it shouldn't be usable against you, especially if you are unaware of it."
It is unclear—and difficult to know—whether any specific Salaat First data collected by Predicio was subsequently sent to Gravy and Venntel. Jolene Wiggins, chief marketing officer at Gravy Analytics, told Motherboard in an email that "Gravy Analytics does not license app information—including the name of the app—from any of our location data suppliers," suggesting that the company is not aware of which apps ultimately provide it with data. "All of our suppliers contractually represent and warrant to us that the collection and sharing of the data they license us complies with all applicable laws," she added. (A document previously obtained by NRK and shared with Motherboard showed that Gravy can sometimes receive the name of the apps from suppliers accidentally, but Gravy does not ask for this information).
After Motherboard's and NRK's earlier coverage, Predicio briefly took its website offline. When it returned, it included a new message, trying to distance itself from the tracking of ethnic and religious groups.
"Predicio does not support any governmental, commercial, or private use cases that aim to use business intelligence data to identify ethnic, religious, or political groups for human tracking or people identification of any sort. We do not tolerate the abuse of our solutions for the use cases that do not follow our global moral, social, and ethical code of conduct," the message on the company's website read. Despite saying it does not support use cases to identify religious groups, the statement does not mention that Predicio was collecting granular location data from an explicitly Muslim-focused app.
Nihad Awad, the national executive director of the Council on American-Islamic Relations, told Motherboard in a statement, "In light of these latest revelations, the owners of all major Muslim applications should thoroughly investigate how their companies handle user data. The companies should publicly acknowledge any identified sale of user data that could have been obtained by government entities, and then take transparent steps to ensure that it never happens again."
"Government agencies must immediately stop acquiring user data from popular Muslim digital applications to surveil, spy on or otherwise target the Muslim community in the United States, Europe and elsewhere. Congress should also launch a public inquiry in order to fully account for the past use of such data," he added.
Cori Crider, founding director of UK-based activist organization Foxglove, and which has threatened legal action against Muslim Pro, the previous Muslim-focused app Motherboard found selling location data, said in a statement, "Companies who persist in this shadiness will start shedding users—and could wind up at the sharp end of a lawsuit. Apple and Google have also got to do a better job of booting untrustworthy apps out of their app stores."
Multiple app developers declined to say how much Predicio paid them for the location data because they had signed confidentiality agreements with the company. Regardless, app developers selling personal or sensitive user data collected through Play Store apps is against Google's policies. Google told Motherboard that this would include location data.
A Google spokesperson told Motherboard in a statement "The Play Store prohibits the sale of personal or sensitive data collected through Play apps. We investigate all claims related to apps violating our policies, and if we confirm a violation, we take action."
Predicio, however, has been harvesting location data from Android apps and paying developers for years, raising questions about Google's lackluster enforcement of its own policies.
Boushaba, the Salaat First developer, told Motherboard he suspended the Predicio data collection in October 2020 because the SDK was causing high battery usage on phones that had the app installed. Then after reading reports about X-Mode's and Venntel's use of location data, Boushaba said he decided as a precaution to stop his agreement with Predicio on December 6th.
"When I accepted collaborating with Predicio, the agreement and the idea I had was that the collected data will be totally anonymized, and will be used for ads personalization and/or products improvement, same as any other data company does," Boushaba said in an email. "But when I read the report about X-Mode, I was afraid the data may be misused by either Predicio or its partners, so decided to terminate the agreement." Boushaba said he doesn't earn profit from running the app, and instead donates generated revenue to "some local charitable organizations."
After Motherboard approached Weawow, Shinohara, the company's CEO, said that he has cut off the data transfer to Predicio and will update the app removing the SDK entirely within a few days.
Lawiusz Fras, the developer behind Fu*** Weather, said that he has since stopped working with Predicio.
"Unfortunately, I can't share any details," he wrote in an email when asked why he cut off Predicio.
Senator Ron Wyden, whose office has been conducting its own investigation into the broader location data industry, told Motherboard in a statement that "Google and Apple took a good first step protecting Americans’ privacy when they banned the data broker X-Mode Social last year. But banning one company at a time will be an endless game of whack-a-mole. Google and Apple need to ban every one of these shady, deceptive data brokers from their app stores."
Subscribe to our cybersecurity podcast CYBER, here.