Academic project used marketing data to monitor Russian military sites
Commercially available location data is increasingly used for sensitive
surveillance by researchers, government agencies
Wall Street Journal
20 July 2020
In 2019, a group of Americans was observing the cellphone signals coming from
military sites across Eastern Europe.
At one of the locations, the Nyonoksa Missile Test Site in northern Russia, the
group identified 48 mobile devices present on Aug. 9, one day after a mysterious
radiation spike there generated international headlines and widespread
speculation that a Russian missile test had gone wrong.
The Americans were able to track the movements of those devices over time.
One went to the Paradisus Varadero Resort and Spa in Varadero, Cuba, for nine
days. Others scattered across the country—going to the Russian cities of St.
Petersburg and Moscow or to secure Russian military districts in Severodvinsk
and Archangel. One went to Ganja, Azerbaijan, which runs along a strategic
overland trade corridor between Asia and Europe.
The trackers weren’t professional intelligence analysts with access to secret
intercepts. Rather, they were a team of academic researchers in Starkville, Miss.,
working with their graduate research assistants and undergraduate interns on
the campus of Mississippi State University, using a commercially available
software program.
The data they used was GPS location information usually drawn from cellphone
apps—typically from games, weather services and such—and collected and
made available for purchase by the advertising industry.
The effort was a demonstration to the military of the power of commercial
cellphone data to provide valuable intelligence. From the data, they could begin
to make inferences—Nyonoksa, for instance, had the fewest devices present of
any of the three sites they were monitoring, leading them to conclude either
that it was more heavily restricted than the other three or that the recent
radiation accident had forced an evacuation.
By monitoring cellphones in Russian government buildings and foreign
embassies in Moscow, they were able to conclude that no high-level Russian
officials or foreign diplomats had visited the test sites recently. And they homed
in on the Azerbaijan trip as worthy of future study “because of contentious
relations between Russia and Azerbaijan” and the importance of the corridor
around Ganja as an overland connection between Europe and Asia.
The researchers’ experiment underscores how the global marketing industry’s
practice of collecting and reselling reams of user data, often for marketing and
advertising purposes, can be turned toward other ends. The data can be easily
purchased and exploited by foreign and domestic national-security agencies,
law-enforcement officials and others for surveillance and monitoring.
The sites that the Mississippi State researchers were able to pull cellphone data
from were extremely sensitive: Besides drone test facilities, they also were
monitoring numerous U.S. and foreign embassies and the Kremlin Senate
building in Moscow, documents show.
The team was working on a U.S. Army-sponsored, unclassified, experimental
project that sought to leverage “open-source” commercial data for intelligence
purposes. The team’s monitoring efforts were described in detail in unclassified
documents obtained by The Wall Street Journal from Mississippi State under
state open-records laws.
“This project has served as a great opportunity for both undergraduate and
graduate students at MSU to develop real-world skills and knowledge that will
benefit them greatly as they seek employment in the future,” said David May,
the principal investigator on the study and a sociology professor at Mississippi
State.
Edric Thompson, a spokesman for the U.S. Army Combat Capabilities
Development Command, which funded the project, said it was selected for
military funding because it had “good potential use for being able for our
soldiers to share information with each other.”
Mr. Thompson said the collection of cellphone location data was permitted
under Army regulations so long as no personal characteristics about the phone’s
owner were collected. He said the Mississippi State study also included an
analysis of the ethical and policy implications about the use of such data that
would help inform the military in the future.
The tool that enabled this kind of bird-dogging of personnel at Russian airfields
was sold by Babel Street, an open-source intelligence software platform that is
widely used by law enforcement, intelligence agencies, military units and private
companies. Babel Street has contracts with government agencies big and
small—from the Department of Homeland Security and the U.S. military to
county police departments across the country.
Babel Street publicly advertises itself as a social-media monitoring service,
allowing its law-enforcement, intelligence and military clients to mine public
social-media data for leads about criminal activity and do real-time monitoring
of unfolding events.
But Babel Street also sells a product called “Locate X”—access to cellphone
location data drawn from the advertising industry. The existence of the product,
which isn’t described on the company’s website, was revealed in March by the
website Protocol. The company didn’t respond to requests for comment.
For the military and intelligence officials, such data can show staffing levels at
sensitive sites and movement patterns of officials, and give clues about the
behavior of adversaries. For law enforcement, marketing data offers the
opportunity to try to identify suspects in the vicinity of crimes.
According to documents reviewed by the Journal and people familiar with the
company, Locate X provides advertising data drawn from the marketing industry
to intelligence, military and law-enforcement agencies for monitoring purposes.
Its terms of service say that the customer may not even disclose the existence
of Locate X. Mississippi State cited a confidentiality obligation in its contract with
Babel and declined to answer questions about the product.
The federal government did a governmentwide evaluation of Locate X,
according to documents reviewed by the Journal, which also showed that Babel
Street has worked closely with U.S. government agencies and contractors to
develop and refine the product.
Documents reviewed by the Journal show that in the U.S., Babel Street had sold
its products to nearly every major defense, national-security or law-
enforcement agency, including the Central Intelligence Agency, the National
Security Agency, the Justice Department, the Department of Homeland Security,
the Defense Intelligence Agency and U.S. Cyber Command. Records show that
Babel Street products are sold to governments world-wide—including in
Canada, the United Kingdom, Australia, New Zealand, Singapore, Germany and
others.
Babel Street is part of a growing ecosystem of companies taking consumer data
collected by some of the world’s largest corporations and mobile-app
publishers, and repackaging it for intelligence, law-enforcement and military
agencies.
In many cases, consumers have no forewarning that anyone—global intelligence
agencies or local cops—might be buying it and using it to monitor them.
The uses of such data also raise unsettled legal and ethical questions about
global privacy and consumer consent. Typically, consumers aren’t identified by
their names in such data sets, but rather by an alphanumeric identifier. But as
the Mississippi State project shows, it is fairly simple to home in on individuals
of interest at some of the highest-security sites in the world and track intimate
details of their lives.
“We as individuals walk around with multiple devices and have multiple devices
in our homes. There is a tremendous amount of data that doesn’t personally
identify us by our name, driver’s licenses, Social Security number or address,
which nevertheless will have very significant consequences for our lives,” said
Marc Groman, a lawyer who specializes in privacy, technology and
cybersecurity.
“When a consumer downloads an app and gives that app consent to collect and
track their precise location, does the consumer understand that the app may
then share or sell that precise location with a wide range of third parties—
potentially including the Department of Homeland Security, the Army, law
enforcement or other stakeholders? The answer is no,” said Mr. Groman, who
previously worked for the Obama White House.
On the other hand, location data is widely available for commercial purposes.
Advertisers use it to target ads; brands use it to understand customer behavior;
and Wall Street firms increasingly rely on it to inform investment decisions.
“This is the argument about private versus government access to data,” said
Stewart Baker, a lawyer who has served in senior positions at both the National
Security Agency and the Department of Homeland Security and is now a lawyer
in private practice at Steptoe & Johnson LLP.
“On the one hand, the private parties accessing the data can’t arrest anybody,
but they can use the data for other much more trivial purposes. And when
government gets access to the data, they can do with it things that are much
more painful for the person under scrutiny.” But, said Mr. Baker, “there is a lot
more value in catching criminals than in selling a barbecue set.”
Commercial data drawn from mobile devices, particularly involving location
data, can have surprising implications.
The fitness app Strava publicly released a map in 2017 of three trillion individual
GPS data points from users who logged their running or cycling routes. But
within that data, researchers at nongovernmental organizations and journalists
gleaned a trove of valuable national-security information—like the location of
U.S. forward-operating bases in Afghanistan, the routes of military supply
convoys and the location of secret CIA facilities.
The running routes were even detailed enough to show the internal layout of
sensitive facilities and bases.