[German]A new report reveals an unpleasant discovery. Apparently hundreds of apps are contaminated with frameworks that allow for government monitoring. It involves the US company Anomaly Six, which has ties to the military and intelligence community. The US contractor obtains location data from more than 500 applications (apps) with hundreds of millions of users – so this time not China’s KP.
The Wall Street Journal (WSI, article only accessible by login – an excerpt is available here) has revealed the story in question the days before. Anomaly Six LLC, was founded by two US military veterans with a background in intelligence. The company is based in Virginia, and has ties to the US defense and intelligence community.
Anomaly Six, a small US company w/ ties to defense and intelligence communities has embedded its software in numerous mobile apps, allowing it to track the movements of hundreds of millions of mobile phones world-wide. https://t.co/6wTc5UwoXy
— Kim Zetter (@KimZetter) August 7, 2020
Anomaly Six LLC Framework in 500 Apps
The small US company has probably developed a software (SDK with a framework) which is embedded in numerous mobile apps. The contractor of the US authorities pays app developers to integrate the framework. This enables Anomaly Six LLC to track the movements of hundreds of millions of mobile phones worldwide. The trackers only collect anonymized data from smartphones, according to the WSJ article. But Anomaly Six aggregates this data and sells it to the US government. And the whole thing is completely legal in the USA – in Europe the GDPR prevent this from being legally.
The whole thing has attracted attention because in marketing material the company claims that they was able to pull location data from more than 500 mobile applications. The Wall Street Journal then conducted various interviews and was able to review documents in order to write an article about this matter. The tracking software of Anomaly Six is probably included in more than 500 mobile apps – it is not known which ones are.
Anonymous, but secret
Although the data Anomaly Six collects is claimed as ‘anonymous’, this isn’t the full truth. Every smartphone is provided with an alphanumeric identifier, which is not linked to the name of the phone owner. But there are many ways to associate “anonymous” data with an owner. For example, if a device is at one location for a long time, this could be the owner’s home, school, university or workplace. This can be found out and it has already been proven in practice that this works (see Undermined privacy: How Apps spy on us legally).
Once this information is available, it is not difficult to infer other user habits, e.g. where the owners of the equipment work, what they commute with, where they eat out, etc. However, Anomaly Six has not disclosed in which apps the framework is included and with which developers it has partnerships. The conclusion of the WSJ: Since Anomaly Six does not disclose its government tracking software, there is no way to log out. In short, you are being tracked and your smartphone location data are being sold to the government and there is nothing you can do about it.
App list unknown so far
The WSJ was not able to find out this information by other methods. I have also searched briefly – but I also couldn’t find it (in a hurry). So, if you have US apps on your smartphone, you might also have these tracking functions. Irony of this story: The US government is currently banning Chinese apps because they could track millions of Americans. No more to say …