Private Intel Firm Buys Location Data to Track People to their 'Doorstep'

A threat intelligence firm called HYAS, a private company that tries to prevent or investigates hacks against its clients, is buying location data harvested from ordinary apps installed on peoples' phones around the world, and using it to unmask hackers. The company is a business, not a law enforcement agency, and claims to be able to track people to their "doorstep."

The news highlights the complex supply chain and sale of location data, traveling from apps whose users are in some cases unaware that the software is selling their location, through to data brokers, and finally to end clients who use the data itself. The news also shows that while some location firms repeatedly reassure the public that their data is focused on the high level, aggregated, pseudonymous tracking of groups of people, some companies do buy and use location data from a largely unregulated market explicitly for the purpose of identifying specific individuals.

HYAS' location data comes from X-Mode, a company that started with an app named "Drunk Mode," designed to prevent college students from making drunk phone calls and has since pivoted to selling user data from a wide swath of apps. Apps that mention X-Mode in their privacy policies include Perfect365, a beauty app, and other innocuous looking apps such as an MP3 file converter.

"As a TI [threat intelligence] tool it's incredible, but ethically it stinks," a source in the threat intelligence industry who received a demo of HYAS' product told Motherboard. Motherboard granted the source anonymity as they weren't authorized by their company to speak to the press.

HYAS puts a particular emphasis on identifying the people behind attacks, or "attributing" them, although the actual effectiveness of its products is unclear and may be exaggerated by the firm in marketing material.

"We track threat actors and other bad guys down to their physical doorstep for customers and clients," the LinkedIn profile for HYAS CEO David Ratner reads. HYAS' "Insight" product provides clients with a Google Maps-style interface to interact with the company's datasets, according to HYAS' website. Insight provides access to the firm's "exclusive data sources" and "non-traditional collection mechanisms," the website reads.

A wide range of industries often buy location data to track the movements of crowds of people. Retailers can source the data to see how much foot traffic their store, or maybe one of their competitors, is getting. Real estate companies could use the information to see if a piece of land has the potential to be popular. Marketing firms use location data to identify and target groups with specific commercial or political adverts.

HYAS differs in that it provides a concrete example of a company deliberately sourcing mobile phone location data with the intention of identifying and pinpointing particular people and providing that service to its own clients. Independently of Motherboard, the office of Senator Ron Wyden, which has been investigating the location data market, also discovered HYAS was using mobile location data. A Wyden aide said they had spoken with HYAS about the use of the data. HYAS said the mobile location data is used to unmask people who may be using a Virtual Private Network (VPN) to hide their identity, according to the Wyden aide.

In a webinar uploaded to HYAS' website, Todd Thiemann, VP of marketing at the company, describes how HYAS used location data to track a suspected hacker.

"We found out it was the city of Abuja, and on a city block in an apartment building that you can see down there below," he says during the webinar. "We found the command and control domain used for the compromised employees, and used this threat actor's login into the registrar, along with our geolocation granular mobile data to confirm right down to his house. We also got his first and last name, and verified his cellphone with a Nigerian mobile operator."

On its website, HYAS claims to have some Fortune 25 companies, large tech firms, as well as law enforcement and intelligence agencies as clients.

Threat intelligence firms generally gather data from a wide range of sources, including hacker forums, private chat rooms, and internet infrastructure such as where websites are hosted, and sell products based on that data and their own analysis to clients. Customers can include banks who want to get a heads-up on whether a freshly dumped cache of stolen credit card data belongs to them; a retailer trying to protect themselves from hackers; or a business checking if any of their employees' login details are being traded by cybercriminals.

Some threat intelligence companies also sell services to government agencies, including the FBI, DHS, and Secret Service. The Department of Justice oftens acknowledges the work of particular threat intelligence companies in the department's announcement of charges or indictments against hackers and other types of criminals.

But some other members of the threat intelligence industry criticized HYAS' use of mobile app location data. The CEO of another threat intelligence firm told Motherboard that their company does not use the same sort of information that HYAS does.

The threat intelligence source who originally alerted Motherboard to HYAS recalled "being super shook at how they collected it," referring to the location data.

A senior employee of a third threat intelligence firm said that location data is not hard to buy.

A blog post on HYAS' website said that "HYAS Insight 1.1 provides telemetry gleaned from advertising and mobile application location data."

When Motherboard emailed HYAS, it removed the mention of advertising and mobile application location data from its blog post. The blog post added that the Insight product also lets customers determine what other devices or wireless networks are near a device. The post now reads that HYAS "provides precise geolocation telemetry."

"HYAS is in the business of supporting our clients in cyber-criminal investigations. Our business is focused on helping our clients detect and prevent cyber crime," Ratner told Motherboard in an email. The company did not reply when asked why it removed the mention of mobile application location data from its website.

Motherboard found several location data companies that list HYAS in their privacy policies. One of those is X-Mode, a company that plants its own code into ordinary smartphone apps to then harvest location information. An X-Mode spokesperson told Motherboard in an email that the company's data collecting code, or software development kit (SDK), is in over 400 apps and gathers information on 60 million global monthly users on average. X-Mode also develops some of its own apps which use location data, including parental monitoring app PlanC and fitness tracker Burn App.

"Whatever your need, the XDK Visualizer is here to show you that our signature SDK is too legit to quit (literally, it’s always on)," the description for another of X-Code's own apps, which visualizes the company's data collection to attract clients, reads.

"They’re like many location trackers but seem more aggressive to be honest," Will Strafach, founder of the app Guardian, which alerts users to other apps accessing their location data, told Motherboard in an online chat. In January, X-Mode acquired the assets of Location Sciences, another location firm, expanding X-Mode's dataset.

"My bet is that they bet on folks clicking through things without reading the text," Strafach said of app users not necessarily being aware of X-Mode collecting their location data.

Motherboard then identified a number of apps whose own privacy policies mention X-Mode. They included Perfect365, a beauty-focused app that people can use to virtually try on different types of makeup with their device's camera.

"I don’t know if my information was used anywhere," Marta, one Perfect365 user, told Motherboard. Marta provided a screenshot of her app settings, showing Perfect365 could access her device’s location.

Gianna, another user, said "[It] bothers me the fact that it asks me for my current location!," she added.

Perfect365's CEO Sean Mao did not respond to a request for comment.

Eva Galperin, director of cybersecurity at activist group the Electronic Frontier Foundation (EFF) told Motherboard that even if a user is presented with some form of consent notice, they may not tangibly understand or know what is happening to their data.

"And that's assuming people even read privacy notices, which they normally don't," she said.

An X-Mode spokesperson told Motherboard in an email that "app users must provide informed consent before their location is tracked," and that the company follows guidelines from the GDPR, CCPA, and other data protection regulation. Users can also opt-out of collection via the company's own app, the email added.

The X-Mode spokesperson added that "Our clients use this data to observe groups of individuals in the aggregate and pseudonymously. X-Mode actively uses two data anonymization techniques—pseudonymization and generalization. We obfuscate any user IDs we collect from all devices and we aggregate devices using generalization. Our clients use these techniques and others to identify trends that are difficult to observe at the individual level, such as trends in mobility."

This stands in stark contrast to what HYAS says it is actually trying to do with that data, however. When pressed on HYAS' deployment of mobile location data to find specific people, X-Mode said "We take our obligations of confidentiality with our clients seriously, and we can't discuss the details of specific clients. I am sure you are aware however that companies such as the one you mentioned use multiple data sources. As we stated, and to reiterate, we contractually prohibit misuses of X-Mode data such as using X-Mode data solely to re-identify individuals."

"The data we obtain is used for these purposes in compliance with all applicable law," Ratner, HYAS' CEO, added.

"Shady data brokers are scooping up databases of private information to create dossiers on individual Americans, without our consent or knowledge," Senator Ron Wyden told Motherboard in a statement. "These databases create enormous risks to our personal safety, privacy and U.S. national security if they fall into the wrong hands. I wrote the Mind Your Own Business Act to crack down on these unsavory practices and put Americans back in control of their own personal information."

Various government agencies have bought access to location data from other companies. Last month, Motherboard found that U.S. Customs and Border Protection (CBP) paid $476,000 to a firm that sells phone location data. CBP has used the data to scan parts of the U.S. border, and the Internal Revenue Service (IRS) tried to use the same data to track criminal suspects but was unsuccessful.

The first threat intelligence source added, describing HYAS' use of mobile location data, "It's shady as fuck."