nrk.no

My Phone Was Spying on Me, so I Tracked Down the Surveillants

Category: English-articles

TRACKED: An American company had information on my whereabouts. Illustration: Henrik Lied/Eirik Solheim/Harald K. Jansson/Norge i bilder


There are 160 apps on my phone. What they’re actually doing, I don’t know. But I decided to find out.

This is an English translation; read the original here.

I have a feeling these apps are spying on me. Well, not listening in, but that they’re keeping track of where I am at all times. That my every move is shared on. When I am shopping for groceries, having a drink, or hanging out with friends.

I know there are those that buy and sell such information. How are they tracking us, and what do they want with our data?

To try to get to the bottom of this, I started an experiment in February. I installed lots of apps on a spare phone. I would then carry that phone everywhere.

Or almost. I left it at home when I took a COVID-19 test in April.

Easy to misuse

There is a good reason for why my feeling of being monitored has increased over the years. This spring, I was part of an NRK team documenting how more than 8,300 mobile phones were being tracked while they were at hospitals or women’s shelters.

For the sum of 35,000 NOK (3,300 EUR / 4,000 USD), we got access to location data showing where tens of thousands of Norwegians had travelled in 2019.

One of them was 31-year-old Karl Bjarne Bernhardsen from Stavanger. The information made it easy for us to identify him in the data that – according to the data provider – had been anonymised.

When we called him, we could tell him where he had been nearly every day through 2019. The zoo. A job interview. The hospital, where he stayed for several days as a first-time father.

– In the wrong hands this could be exploited by anyone, Karl said to us then.

A betrayal

It is a common refrain that commercial surveillance is not that scary: “It’s just used for ads.” But there are now many who are interested in the digital exhaust of our phones.

Recently the publication Vice Motherboard uncovered that the U.S. military buys location data and that a Muslim prayer app sent user location data to military contractors.

“It feels like a betrayal,” was the reaction from a local leader of the Council on American-Islamic Relations.

In 2018, the owner of an abandoned Kentucky Fried Chicken restaurant was arrested in a border town in Arizona. He was supposedly involved in smuggling drugs from Mexico through a tunnel below the US border.

TUNNEL: The 180-meter tunnel started in a Mexican home and ended up at a closed KFC-restaurant. Photo: Homeland Security Investigations/Yuma Sector Border Patrol

According to the Wall Street Journal (WSJ), the operation was in part uncovered due to U.S. Immigration and Customs Enforcement (ICE) using commercially available location data.

Eventually, the commercial data was supposedly shared with the ICE arm in charge of deportations, according to WSJ. U.S. Customs and Border Protection (CBP) has also bought access to «global» location data.

There is a reason journalists at NRK are asked to think twice before taking their phone along when meeting confidential sources: authorities may get access to information about our whereabouts, even without court approval.

If my location data gets into the wrong hands, it may have consequences for others than myself. That is a constant fear – that someone who has told me something in confidence could get exposed.

I request access to my data

The company that supplied ICE with the information about the fast food restaurant is called Venntel. According to company records they are located in an industrial cluster in the state of Virginia.

In the area you’ll find familiar names within the defence sector, like Lockheed Martin – the company behind the F-35 fighter – and Booz Allen Hamilton, Edward Snowden’s former employer. Take a 20-minute drive east, and you’ll be in Langley, Virginia, where CIA headquarters are located.

DEFENCE CLUSTER: Venntel is registered at this building in an industry cluster in Virginia, USA. Photo: Google Maps

On August 20th, I requested a copy of all the information Venntel had about me. All Europeans have the right to do so, as a result of the GDPR, which was adopted in 2018.

The next day, the legal department of Venntel asked me to confirm some addresses I had visited recently.

“Once we have this information, we will first check to see if the Advertiser ID you provided is in our database,” the email said.

An «Advertiser ID» is something all smartphones have. This ID is the key to tracking phone users over time and across apps. Phone owners may limit how easy it is to access this ID, though few actually do.

I gave Venntel the address of my office at the NRK headquarters in Oslo, and to my flat at Majorstuen in Oslo.

Data for sale

Almost a month later, I received an interesting email attachment from Venntel. It contained information on where I’d been 75,406 times since 15 February. Suddenly I could retrace my every step – on a hike, out for a drink, and visiting my grandmother in Southern Norway.

DOTS: The left picture shows registrations of my movements in the area where I live. In the picture to the right, you’ll see a map of the NRK headquarters at Marienlyst. Over time, there have been an enormous number of registrations here. Illustration: Harald K. Jansson/Norge i bilder

There were no phone numbers or names in the data. Still, it would have been easy for nearly anyone to find out that this was me. Simple searches in Google and the white pages would show there was a Martin Gundersen living in Sorgenfrigata in Oslo and working at NRK Marienlyst.

Venntel also informed me that they had shared my information with their customers. Their customers could use this information for purposes such as federal law enforcement and national security.

Who these customers were, Venntel declined to disclose.

Well kept secret

How could my location data end up with Venntel in the US? None of the apps I had installed mentioned this company in any way. Nowhere. Not even in the impenetrable privacy policies hardly anyone bothers actually reading before clicking «OK».

Venntel informed me that they had acquired my information from their parent company, Gravy Analytics, and that only in a few cases did they know anything more about which apps were involved.

Gravy Analytics is a data broker rooted in marketing. They collect vast amounts of data about consumers to improve ad targeting. Gravy Analytics also claims not to know the origin of most of the data. But the response to my access request contained the names of two new companies: Predicio in France and Complementics in the U.S.

A new round of access requests uncovered that some of the location data that ended up at Venntel originated from a Slovak app developer called Sygic, which has a portfolio of 70 different apps.

Their most popular app supposedly has more than 200 million users, according to their webpage.

Illustration: Martin Gundersen

On 15 February, I installed two navigation apps from Sygic. Both asked me to consent to some terms for personalising my advertising experience.

If you are one of those who barely read what you consent to, you are not alone. Few actually read the terms of use of apps and services they install.

“I agree,” I pressed. We had now made a binding agreement, the app and I.

Violated privacy laws

It appears that the agreement with Sygic was broken when Gravy Analytics received the data. Gravy Analytics stated in their privacy policy that my personal information could be used for a range of services for partners and customers. According to their own privacy policy, this included purposes such as fraud detection, law enforcement, and national security.

Put another way: Gravy Analytics shared my location data with their subsidiary company that specifically offered these kinds of services.

Which leads us back to my agreement made with Sygic on 15 February.

I have consulted three lawyers, Malgorzata Agnieszka Cyndecka, Lee Bygrave, and Arve Føyen, who are all privacy specialists. They believed that the fact that my personal information could be used for purposes other than those I had agreed to was an apparent violation of the GDPR, because the GDPR sets strict limits and requirements for what can actually be done with our personal information.

STRICT REQUIREMENTS: «If it turns out that partners can use personal information for purposes other than what you have agreed to, you will lose your privacy,» says Cyndecka. Photo: Eirik Holmøyvik

– This function creep is unacceptable. This practice is not only subverting the principle of purpose limitation, but also principles of transparency and fairness in GDPR, says Associate Professor at the Faculty of Law at the University of Bergen, Malgorzata Agnieszka Cyndecka.

Funny weather with a catch

I was tracked by the weather app Fu*** Weather as well, according to the data files from Gravy Analytics and Venntel. The app promises to present the weather in a sarcastic, sharp-tongued manner. Because who wouldn’t rather have their daily forecast served with lots of profanities?

When installing the app this autumn, I agreed that my data could be used for analytics and «monetisation», i.e. financing the app.

The same three lawyers I consulted believe this agreement does not comply with the GDPR, as it is too unclear what «monetisation» actually implies. Analytics also does not cover all of Venntel’s business practices.


BAD WEATHER CONDITIONS: The Funny Weather app warned against sticking your head out the window to check the weather – it will put you in a bad mood. Illustration: Martin Gundersen

Lawiusz Fras, the developer behind Funny Weather, does not have a large company behind him. He says he does not know Venntel, but states that he is open about the app’s business model.

«The fact that I cooperate with companies which utilize some data that the app has access to in order to make money of this is not confidential», Lawiusz Fras, the developer of the app writes to me in an email.

Fras admits the app could be clearer on what “monetization” entails. He intends to do something about this in the privacy policy, but maintains that users have been properly informed.

Impossible to track

How the data from Funny Weather reached Venntel remains a mystery, but it is probable that the data flowed through the French company Predicio, as this intermediary is listed as a partner in the app’s privacy policy.

Illustration: Martin Gundersen

What other apps Venntel might be receiving data from is a well kept secret. Not even the people behind the mobile apps knew they were involved.

– We do not know the company Venntel, Zuzana Kacanova replies to my question about how my data ended up with them.

Kacanova claims that my consent had been lawfully obtained according to GDPR, and that their partners were contractually obliged to only use my data for marketing purposes.

– Based on the information you provided, it is not clear that the source of data Venntel has about you is Sygic GPS Navigation. If proven to be true, it is a breach of the contracts we have with the respective partners.

A technical analysis conducted by NRK shows several details indicating that data from Sygic has ended up with Venntel. For instance, an ID used by Complementics for data from Sygic is present in the data from Venntel as well.
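The cross-check NRK describes above, carried out in code as an added example (this is not NRK's analysis script): two constructed subject-access-request exports from an upstream and a downstream broker are parsed, the partner/source IDs that occur in both are listed, and fixes with the same advertiser ID that fall within a short time and distance window are paired. Column names, identifiers and coordinates are all constructed; real broker exports use their own schemas.

```python
"""Cross-check two location-data exports for shared identifiers and matching fixes.

Added example. The CSV samples, column names and IDs below are constructed
stand-ins, not data from the article's actual exports.
"""
import csv
import io
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed "upstream" export: advertiser ID, the broker's partner/source ID, and a fix.
UPSTREAM_CSV = """advertiser_id,source_id,timestamp,lat,lon
aaaaaaaa-1111-2222-3333-444444444444,src-sygic-01,2020-08-09T10:02:00Z,59.9850,10.7310
aaaaaaaa-1111-2222-3333-444444444444,src-sygic-01,2020-08-09T10:20:00Z,59.9870,10.7340
aaaaaaaa-1111-2222-3333-444444444444,src-other-07,2020-08-10T07:00:00Z,59.9300,10.7200
"""

# Constructed "downstream" export: different column names, the upstream partner ID kept only sometimes.
DOWNSTREAM_CSV = """ad_id,partner_ref,ts,latitude,longitude
aaaaaaaa-1111-2222-3333-444444444444,src-sygic-01,2020-08-09T10:02:05Z,59.98502,10.73101
aaaaaaaa-1111-2222-3333-444444444444,,2020-08-09T10:20:10Z,59.98703,10.73398
aaaaaaaa-1111-2222-3333-444444444444,,2020-08-11T18:00:00Z,59.9500,10.7500
"""

# Each broker names its columns differently; map both onto one common record shape.
UPSTREAM_COLUMNS = {"adid": "advertiser_id", "source": "source_id", "ts": "timestamp", "lat": "lat", "lon": "lon"}
DOWNSTREAM_COLUMNS = {"adid": "ad_id", "source": "partner_ref", "ts": "ts", "lat": "latitude", "lon": "longitude"}


def load_export(text, columns):
    """Parse one CSV export into records with common field names (timestamps as UTC)."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "adid": row[columns["adid"]].strip().lower(),
            "source": row[columns["source"]].strip() or None,
            "ts": datetime.strptime(row[columns["ts"]], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "lat": float(row[columns["lat"]]),
            "lon": float(row[columns["lon"]]),
        })
    return records


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    h = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371000 * asin(sqrt(h))


def shared_source_ids(upstream, downstream):
    """Partner/source IDs present in both exports: the single strongest provenance clue."""
    ids_up = {r["source"] for r in upstream if r["source"]}
    ids_down = {r["source"] for r in downstream if r["source"]}
    return ids_up & ids_down


def match_fixes(upstream, downstream, max_seconds=60, max_metres=25):
    """Pair fixes with the same advertiser ID recorded within max_seconds and max_metres of each other.
    Each downstream fix is paired at most once, so one upstream fix cannot inflate the count."""
    pairs, used = [], set()
    for ra in upstream:
        for i, rb in enumerate(downstream):
            if i in used or ra["adid"] != rb["adid"]:
                continue
            close_in_time = abs((ra["ts"] - rb["ts"]).total_seconds()) <= max_seconds
            if close_in_time and haversine_m(ra["lat"], ra["lon"], rb["lat"], rb["lon"]) <= max_metres:
                pairs.append((ra, rb))
                used.add(i)
                break
    return pairs


def provenance_report(upstream, downstream):
    """Summarise the evidence that the downstream export contains the upstream export's data."""
    pairs = match_fixes(upstream, downstream)
    return {
        "shared_source_ids": sorted(shared_source_ids(upstream, downstream)),
        "matched_fixes": len(pairs),
        "upstream_only": len(upstream) - len(pairs),
        "downstream_only": len(downstream) - len(pairs),
    }


if __name__ == "__main__":
    print(provenance_report(load_export(UPSTREAM_CSV, UPSTREAM_COLUMNS),
                            load_export(DOWNSTREAM_CSV, DOWNSTREAM_COLUMNS)))
```

A shared partner ID alone is suggestive; the paired fixes are what turn it into the kind of corroboration the article relies on, since the same phone reporting the same place at nearly the same second through two brokers is hard to explain any other way.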

Kacanova did not reply to questions about what consequences this will have for their partnerships with Predicio or Complementics.

Built on illegalities

With the arrival of the GDPR in 2018, privacy advocates had won an important victory. The common European legislation was supposed to enable closer scrutiny of companies trading in user data. Yet parts of the digital ad industry haven’t changed much.

– They are trying to hang on to old practices and disguise them as something different, but are at the core still the same, David Martin says from his living room in Brussels.

He leads the digital rights group at BEUC, an umbrella group for European consumer organisations. Parts of the digital advertising system are «built on an almost systemic breach» of the GDPR, according to Martin.

He is sharing the view of most privacy advocates: In theory, GDPR is great, but in practice it has serious shortcomings.

David Martin of BEUC. Photo: Pablo Garrigos

The Austrian privacy researcher and activist, Wolfie Christl, has for a number of years been investigating how companies use our data. Recently, he assisted the Norwegian Consumer Council with «Out of Control», a report documenting several potential privacy violations in the app ecosystem.

– In most cases, it is difficult or impossible to trace how personal data is flowing between apps, data brokers and their clients, he says.

To Christl, it appears the data protection authorities in the EU are either unable or unwilling to stop many of the breaches of the GDPR.

– We won’t see any change without massive fines and data processing bans. EU member states and the EU Commission must act, he asserts.

The question is whether anyone is willing to listen. And how simple it would be to prosecute the alleged violations. Arve Føyen, partner in the legal firm Føyen Torkildsen, thinks it is difficult to penalise companies like Venntel, as they have no offices in Europe.

– I am afraid this is giving an illusory impression that the rules apply – but in practice, it’s just not possible to take legal action, Føyen explains.

A digital photo album

Several months have passed since I brought my extra phone to the Ullevålseter sports lodge – a popular place for coffee and waffles in the Nordmarka forest.

On my screen I now see dots winding along forest paths. Several cluster together where I took a rest; where I walked briskly, they’re further apart.

A BITE TO EAT: I entered from the path on the right. Then I paused in the main courtyard, slightly confused, before finding a wooden bench to the right. In total, the picture is showing 36 minutes of Sunday 9 August. Illustration: Harald K. Jansson/Norge i bilder

It was a hot late summer Sunday. The horseflies were active, especially around the boggy stretches.

We tend to forget most places we have been and what we did there. Still, a couple of cues are enough for memories to return. Retracing my steps that summer Sunday became like leafing through an old album, where every page contains its own story.

The funny thing is, somebody else is holding this data. My movements.

It is uncanny to follow my own steps, even though they do not divulge any romantic affair, secret meetings, or embarrassing health issues.

Most of us have moments in our life we do not want to share. Not even to our closest, our bosses, or the government.

I was able to map the data flow from mobile apps to Venntel, but I still have a lot of unanswered questions. Which of Venntel’s customers acquired the information about me? Could it be companies in the defence sector, intelligence, the FBI?

Hard to get answers

Gravy Analytics did not respond to our repeated inquiries. The subsidiary Venntel did not want to be interviewed by phone or email.

In a short statement, Venntel claims that my phone movements haven’t been shared with ICE or CBP. They also write that they have no relationship with the app providers Sygic or Lawiusz Fras. (NRK has never claimed they have a direct relationship, but has documented that the company is acquiring information from these apps via others.)

“We will not comment further on our business relationships or on interpretation of law”, Venntel writes.

In a statement given to NRK, U.S. Customs and Border Protection (CBP) states that they have limited access to commercially available data, and that it is used in line with relevant rules and regulations. (You can find the entire statement at the bottom of this article.)

CBP Press Officer Jason Givens did not reply to follow-up questions about what limitations are placed on the CBP in acquiring data on European citizens or phones that are outside the U.S. border zone.

FBI and ICE also have contracts with Venntel, but they have not answered questions about what opportunities it provides to track Europeans in and outside Europe.

When Predicio responded to the request for access on 11 August, they did not mention anything about sharing data with Venntel between February and July. (The Funny Weather app was installed on August 10th.) Predicio has not responded to my repeated requests for interviews.

Complementics co-founder Walter Harrison states that my data was used only for marketing analytics. Harrison did not want to be interviewed and did not answer questions about their relationship with Gravy Analytics. When Vice Motherboard asked Harrison about Gravy Analytics, he said that its partner «has committed by contract that it will not share any data it receives from Complementics directly or indirectly with any U.S. government intelligence, immigration enforcement, or law enforcement agency».

Method: The article is based on a series of subject access requests sent to companies in the location data industry. The requests are based on the template provided by Michael Veale. Attached are parts of the responses from Venntel (explanation, metadata, description of data fields, data), Gravy Analytics (explanation, description of data fields, metadata, data), Sygic (explanation, data), Predicio (explanation, data), and Complementics (explanation, description of data fields, data). Only a small subset of the raw location data is shared.

Statements from U.S. government agencies
FBI
«The FBI’s mission is to protect the American people and uphold the Constitution. That mission is dual and simultaneous, not contradictory, which means that one part need not—and must not—come at the expense of the other. All FBI operations are conducted in accordance with all legal requirements, to include the Constitution, the Privacy Act of 1974, our Domestic Investigations Operations Guide, the Justice Manual, and the standards with which the American people expect the FBI to protect them. Additionally, all FBI operations are subject to robust compliance mechanisms and oversight from the three branches of government.»

ICE
«U.S. Immigration and Customs Enforcement (ICE) is complying with all applicable privacy statutes, guidance, and policies. You can review the contract documents associated with Venntel at: FPDS. ICE defers to Venntel with regard to compliance with the GDPR.»

CBP
«U.S. Customs and Border Protection may obtain access to commercially available information relevant to its border security mission. Consistent with its border security and law enforcement authorities, CBP has acquired limited access to commercial telemetry data through the procurement of a limited number of licenses to a vendor provided interface.

While CBP is being provided access to location information, it is important to note that such information does not include cellular phone tower data, is not ingested in bulk, and does not include the individual user’s identity. Rather, CBP officers, agents, and analysts are provided with access to the vendor’s interface on a case-by-case basis, and are only able to view a limited sample of anonymized data consistent with existing border security or law enforcement operations. All CBP operations in which commercially available telemetry data may be used are undertaken in furtherance of CBP’s responsibility to enforce U.S. law at the border and in accordance with relevant legal, policy, and privacy requirements.»

22 comments

  1. The only ‘app’ on my Android phone is Google Maps. I always leave the ‘location’ button ON.
    Every month Google sends me a very precise review of my daily movements, very like that described in the article.
    Who needs 160 apps on their phone when Google is already there! Look no further for the culprit! And, I imagine, they are busy monetizing my information even as I type $$$


  2. Very good article, thank you so much! I am member of https://telegram.me/pdnsf where I saw a link to your article. I have done a lot of research for open source navigation software. I would like to advice you to have a look at https://www.magicearth.com
    Based on OpenStreetMaps and very, very, well doing the job. Dashcam, Apple Carplay, Head Up Display and more!

    You can download every country for offline usage! Goodbye TomTom, Google maps, Sygic!

    Cheers, Willem


    • Edward (reply to Willem)

      Your post implies that Magic Earth is open source.

      It is not. It is 100% closed and proprietary.

      Just because it uses the work of open source and open data developers, means nothing if you don’t contribute those same freedoms to your users.

      I challenge you to live up to what you imply (while avoiding stating) in your post. Release the source code under a standard open source license.

      Until then, using misleading promotional comments to milk good will from well meaning non profit projects, for your own commercial gain, does not reflect well on your app or company.

    • There is …sort of! Look up the «Librem 5» phone, made by Purism. It’s arguably the first serious attempt at a phone that truly puts the user/owner’s interests first.
      This is a monumental undertaking by the people making it, since the entire smartphone industry’s «ecosystem» is flawed in this respect (the disrespect of phone users’ best interests exists at every level from the electronic chips to the apps).
      So, these people are having to build everything from scratch, they can’t use the «ready-made kits» available to other smartphone manufacturers.
      Right now, it’s very much an «early adopter» phone – you’ll have to forgive *a lot* of bugs and missing features while the technology matures.
      But, it’s an incredibly inspiring development and by the looks of it, they make great progress. They seem to be doing everything the «right» way (leveraging/collaborating with the Free Software community that shares the values of users’ rights, and they are not letting any technology be part of the phone that disrespects the user’s best interests).
      This phone is just starting to ship and it will surely take some time before the software and apps are good enough for normal people’s daily use, but it’s a very inspiring first step.
      Personally, I think this is the most promising candidate yet for becoming the standard, user-respecting, free (as in freedom) alternative to the Android/Apple oligopoly we have right now. Basically, in the same way that Linux (or Ubuntu) has become the standard alternative to Windows on computers, as a system based on values of freedom and users’ rights.

  3. Good read.

    There are no strong privacy or consumer protection laws in the 3rd world including India. Hence many apps take full advantage, usually collecting the data for targeting ads or programmatic advtg. That shockingly includes PayTM (@Alibaba Group and Ant Financial) which was not surprisingly, not banned by the Govt among around 100 apps in total, thx to the openly disclosed contribution to multiple parties during last elections.

    It’s shocking that despite increasing awareness, people still use apps like Swiggy, Zomatto, PolicyBazzar, Byju’s, Oyo, Ola..etc and hundreds of games, whose redundant servers are all in China.

    While the Govt needs FDI, key question is why China?

    The best solution is to avoid unnecessary app or keeping Bluetooth and Location ON.
    Also switch on data only when needed.
    Few people are aware that one can set data specific to apps and block access to any app with in the OS.

    In my own phone, when really needed and no other option for payment, I only use PhonePay (Google) that is not directly linked to my bank account but debit card via OTP.


    • Martin Gundersen (NRK) (reply to David)

      On my extra phone (Samsung Galaxy S7) I had location on the whole time. I also woke up some apps so that they would not stay inactive.

  4. Your article mentions «European citizens» in the context of the GDPR, so I thought I should offer a precision concerning the Regulation’s territorial scope, defined in Article 3 thereof.

    It does not concern itself with the nationality or citizenship or even residence of data subjects, but merely with where the data subjects, controllers and processors are located (at the time of collecting or processing the data).

    Simplifying, it applies if either the controllers or processors are located in the Union (regardless of where the data subject is), or vice-versa (controllers/processors outside the Union but the data subject inside).

    The Union refers to the European Union but in this context it also includes Norway by virtue of the agreements in place between the two.

    Thanks for the article and the translation!


  5. Great article. Now we just need one that describes for non tech people why “I have nothing to hide” isn’t a good reason to click agree on everything. And we need a browser setting instead of every webpage a useless question only designed to get everyone to click on agree


  6. Martin are you using Sygic when hiking or visiting your grandmother? It’s not commuting type of application and I don’t trust that Sygic is tracking you on the way to your favourite coffee shop. If US governemnt would like to know your location data they won’t need data from such poor sources. Your security and privacy ended at the day when you bought and logged to your smart phone.


    • Martin Gundersen (NRK) (reply to Peter)

      There are other types of data collection, but I could not go into them all 🙂

      I brought along the extra phone, but did not use it actively on my trips.

  7. Martin, I have a feeling that you are not telling the complete and true story. Show us some exact proof or evidence that these apps have really collected your data. How do you know it? Please show us more information on how you can say so precisely that it was these 2 specific apps spying on you. In the security world you have to play with open cards, because otherwise it looks like you are just catching some fame and likes. Publish those details on your Twitter and only then will I give you a like.


  8. Thanks for a great article, Martin. Have you taken any legal action (such as submitting GDPR complaints to authorities) to force these companies into disclosing their data transactions, or deleting your data? If so, what was the outcome?


  9. I have used Sygic for 10 years.. Now the account is deleted and the app uninstalled. From now on I use Google Maps in DuckDuckGo via NordVPN… Until I find a better solution. Anyone have any good suggestions?

