A section of U.S. Special Operations Command (SOCOM), a part of the military tasked with counterterrorism, counterinsurgency, and special reconnaissance, paid half a million dollars to a company that sells access to location data harvested from ordinary apps installed on peoples' phones, Motherboard has learned. Specifically, SOCOM paid Anomaly 6, a secretive contractor run by ex-military and location industry veterans.
The news shows that military interest in app-based location data may be wider than previously known. Motherboard previously found that both SOCOM and a division of the Iowa Air National Guard that carries out drone strikes bought access to a similar product called Locate X. The new Anomaly 6 purchase unearthed by Motherboard is the first reported contract Anomaly 6 has with the U.S. government.
"The purpose of the contract was to evaluate the technical feasibility of using Anomaly 6 telemetry services in an overseas operating environment," Tim Hawkins, a SOCOM spokesperson, told Motherboard in an email. "The evaluation period has ended, and we are not currently executing the contract."
Are you a government user of location data? Or do you work at a location data company? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
SOCAFRICA, an operational unit under SOCOM with a focus on the continent, paid Anomaly 6 $589,500 in September 2020, according to public procurement records viewed by Motherboard. The payment was for a "Commercial Telemetry Feed," the records add.
Brendan Huff, co-founder of Anomaly 6, told Motherboard in an email that "We don't comment on current or former clients both from contractual obligation and as a course of doing business with our partners."
Anomaly 6 offers clients a tool that can track the movements of hundreds of millions of mobile phones worldwide, The Wall Street Journal reported last August. The company has access to location data from more than 500 mobile apps, and sells products to both government and private clients, it added.
The company is particularly secretive, with its website only displaying a blue sky background, the company's name, a contact email address, and its location as "Alexandria, VA."
The original Wall Street Journal article said that Anomaly 6 embeds its own software development kit (SDK)—a bundle of code that transmits the location data—into apps. The report was based on documents reviewed by the publication and what Anomaly 6 told the office of Senator Ron Wyden at the time, which has been conducting its own investigation into the location data market.
But it appears Anomaly 6 was misleading in its claims. In a subsequent email to Wyden's staff, Anomaly 6’s Huff said the company has "strategic partnerships that are confidential and a competitive advantage for us. These arrangements allow us to claim the SDK as our code but deployed by partners who are CCPA compliant per our contractual agreements," referring to the California Consumer Protection Act.
"A6 [Anomaly 6] does not have an SDK deployed commercially," he added. Wyden’s office shared sections of the email with Motherboard.
That new context shows some companies in the location industry which sell to governments use data obtained by other sources. Motherboard previously reported how Babel Street, an established vendor in the space, actually "re-hosts" data obtained by Venntel, another contractor, according to a Department of Homeland Security document.
Huff and second co-founder Jeffrey Heinz previously used to work for Babel Street. Babel Street sued Anomaly 6 and its founders and the case settled out of court, The Wall Street Journal first reported. That lawsuit said Huff and Heinz left Babel Street in 2018 to make their own competing company. Huff previously managed Babel Street's relationship with the Defense Department, while Heinz managed Babel Street's relationships with the intelligence community, U.S. Cyber Command, the Justice Department, and other federal agencies, the report added.
Motherboard previously reported how a wide range of apps, including a Muslim prayer app, sent location data without users' informed consent to a firm called X-Mode, whose clients included U.S. military contractors.