U.S. Government Contractor Embedded Software in Apps to Track Phones: Anomaly Six has ties to military, intelligence agencies and draws location data from more than 500 apps with hundreds of millions of users

Consumers have no way of knowing whether software-development kits that can track their locations are embedded in their apps. Photo: Bastiaan Slabbers/Zuma Press.

By Byron Tau | Aug. 7, 2020 | Link to original

WASHINGTON—A small U.S. company with ties to the U.S. defense and intelligence communities has embedded its software in numerous mobile apps, allowing it to track the movements of hundreds of millions of mobile phones world-wide, according to interviews and documents reviewed by The Wall Street Journal.

Anomaly Six LLC a Virginia-based company founded by two U.S. military veterans with a background in intelligence, said in marketing material it is able to draw location data from more than 500 mobile applications, in part through its own software development kit, or SDK, that is embedded directly in some of the apps. An SDK allows the company to obtain the phone’s location if consumers have allowed the app containing the software to access the phone’s GPS coordinates.

App publishers often allow third-party companies, for a fee, to insert SDKs into their apps. The SDK maker then sells the consumer data harvested from the app, and the app publisher gets a chunk of revenue. But consumers have no way to know whether SDKs are embedded in apps; most privacy policies don’t disclose that information. Anomaly Six says it embeds its own SDK in some apps, and in other cases gets location data from other partners.

Anomaly Six is a federal contractor that provides global-location-data products to branches of the U.S. government and private-sector clients. The company told The Wall Street Journal it restricts the sale of U.S. mobile phone movement data only to nongovernmental, private-sector clients.

Numerous agencies of the U.S. government have concluded that mobile data acquired by federal agencies from advertising is lawful. Several law-enforcement agencies are using such data for criminal-law enforcement, the Journal has reported, while numerous U.S. military and intelligence agencies also acquire this kind of data.

Many private-sector companies in the advertising and marketing world buy and sell geolocation data, sometimes reselling it to government agencies or contractors. But the direct collection of such data by a business closely linked to U.S. national security agencies is unusual.

Anomaly Six was founded by defense-contracting veterans who worked closely with government agencies for most of their careers and built a company to cater in part to national-security agencies, according to court records and interviews.

The U.S. government is using app-generated marketing data based on the movements of millions of cellphones around the country for some forms of law enforcement. We explain how such data is being gathered and sold. Photo: Justin Lane/Shutterstock

The firm’s capabilities were described in documents prepared for military officials that were reviewed by the Journal. The company also explained its business practices in a recent briefing to the office of Sen. Ron Wyden, whose staff then described it to the Journal. The Oregon Democrat has been conducting a probe into the sale of Americans’ location data.

“Anomaly Six is a veteran-owned small business that processes and visualizes location data sourced from mobile devices for analytics and insights,” the company said in response to questions for this article. “We leverage detailed location data from numerous first-party sources to provide insights into groups, behaviors, and patterns.” The company said it acknowledged the “intense scrutiny” around the government use of such data, but said all the data it works with is commercially available and compliant with all laws.

Anomaly Six said it would support regulation to require more disclosure by apps of how data is collected and used. The exact apps the company partners with couldn’t be determined and the company declined to comment, citing confidentiality agreements. The partnerships between data brokers and app makers are typically closely held trade secrets within the world of commercial-data sales.

Asif Khan, a marketing expert and founder of the Location Based Marketing Association, a trade group representing advertising and marketing companies who deal in location data, said the government acquisition of consumer location data has been a longstanding issue for the industry. He said app-makers should be more transparent with consumers about how the data may be used once it is collected.

“You could argue that the government has the right, just like any commercial entity, to buy the data, if the data is available from a commercial supplier,” said Mr. Khan. “But you also need to be able to clearly say ‘this data could be used by government.’”

“I think the average consumer doesn’t have a clue,’ he said.

In the data drawn from apps, each cellphone is typically represented by an alphanumeric identifier that isn’t linked to the name of the cellphone’s owner. But the movement patterns of a phone over time can allow analysts to deduce its ownership—for example, where the phone is located during the evenings and overnight is likely where the phone-owner lives.

Consumers world-wide are often in the dark about governments’ acquisition and use of such data. Despite collecting data from consumer apps, Anomaly Six doesn’t have a privacy policy on its website, nor is it registered as a data broker in California, where a state law passed in 2018 typically requires companies to detail how they are acquiring and using consumer data. The company says it doesn’t meet the definition of a data broker under California law and isn’t required to register. The California attorney general’s office didn’t respond to a request for comment.

According to interviews with numerous people in the industry, there is little regulation in the U.S. about the buying and selling of location data, leading to what one industry veteran called “the Wild West.” Consumers have come to expect free apps, and app makers have turned to selling user data to pay for the costs of developing and running the software, people familiar with the industry.

Anomaly Six’s offerings are similar to those of a company called Babel Street, which provides social-media monitoring services to the intelligence community and law-enforcement agencies. A lawsuit filed by Babel Street two years ago against Anomaly Six and its founders offers a window into the competitive and largely secretive market of providing consumer location products to the U.S. government.

The two founders of Anomaly Six formerly worked for Babel Street and left in 2018, according to the lawsuit.

Brandan Huff, a former Army counterintelligence officer, had managed Babel Street’s relationship with the Defense Department and had also worked for numerous other defense contractors. The other, Jeffrey Heinz, was also previously in the U.S. Army and had managed Babel Street’s relationships with the Justice Department, U.S. Cyber Command, civilian federal agencies and the intelligence community, court records show.

One of Babel Street’s products, called “Locate X,” includes the location records of millions of cellphones, drawn from consumer apps. The two former employees set out to build a product to compete with it, according to Babel’s lawsuit. Anomaly Six declined to comment on the lawsuit, which was settled out of court last year.

Babel Street doesn’t publicly advertise Locate X and binds clients and users to secrecy about even its existence, according to contracts and user agreements reviewed by the Journal. Developed with input from U.S. government officials, according to court records, Locate X is widely used by military intelligence units who work on gathering “open source” intelligence, or information taken from publicly available sources. Babel Street also has contracts with the Department of Homeland Security, the Justice Department, and many other civilian agencies, federal contracting data shows. Babel Street didn’t respond to a request for comment.

Both Babel Street’s and Anomaly Six’s products can be used to combine intelligence gathered in more traditional ways, from clandestine human sources to secret intercepts, with social media data, satellite imagery, and consumer data from the private sector, according to interviews with people familiar with the process and documents reviewed by the Journal.

The information, gathered into what’s known as a “pattern of life” analysis, can provide a richer understanding of the habits and behaviors of potential intelligence targets, and to possibly predict their future behavior.

The U.S. isn’t alone in attempting to use mobile-location data for strategic advantage. The National Security Agency this month warned military and intelligence community personnel to sharply limit the location-tracking features on their mobile devices, out of concern that the data could be used by adversaries to reveal sensitive national security information about U.S. operations.

A group of academic researchers using Babel Street’s software were able to monitor the movement of devices at Russian military facilities as part of a project for the U.S. Army, the Journal also reported last month.

Such revelations showcase the power of even commercial data to reveal sensitive information about some of the most secure facilities in the world—and raise privacy concerns about the blurring the lines between corporate marketing and government surveillance.

“It’s really alarming to learn about companies like this that claim to have years’ worth of location data from all over the world. Revelations like this just keep coming,” said Laura Moy, a law professor at Georgetown University and director of the school’s Communications & Technology Law Clinic.

“Users have no idea that when they install a weather app, a game, or any other innocuous-seeming app that their private location data is going to be harvested and sold. Apparently that’s what’s happening here, and we have no transparency into the practice,” said Ms. Moy.

Anomaly Six isn’t listed in any public spending contracts, and many of Babel Street’s sales to government entities aren’t reflected in public documents either. Anomaly Six said its contracts with the U.S. government were unclassified but confidential, and that it couldn’t reveal which agencies it was working with without permission from those agencies.

Write to Byron Tau at byron.tau@wsj.com