IRS Used Cellphone Location Data to Try to Find Suspects
The unsuccessful effort shows how anonymized information sold by marketers is increasingly being used by law enforcement to identify suspects
By Byron Tau
Wall Street Journal
Updated June 19, 2020 1:46 pm ET
The IRS Criminal Investigation unit had a subscription to access the data in 2017 and 2018; above, IRS headquarters. Photo: Chip Somodevilla/Getty Images
------------------------------------------
WASHINGTON—The Internal Revenue Service attempted to identify and track potential criminal suspects by purchasing access to a commercial database that records the locations of millions of American cellphones.
The IRS Criminal Investigation unit, or IRS CI, had a subscription to access the data in 2017 and 2018, and the way it used the data was revealed last week in a briefing by IRS CI officials to Sen. Ron Wyden’s (D., Ore.) office. The briefing was described to The Wall Street Journal by an aide to the senator.
IRS CI officials told Mr. Wyden’s office that their lawyers had given verbal approval for the use of the database, which is sold by a Virginia-based government contractor called Venntel Inc. Venntel obtains anonymized location data from the marketing industry and resells it to governments. IRS CI added that it let its Venntel subscription lapse after it failed to locate any targets of interest during the year it paid for the service, according to Mr. Wyden’s aide.
Justin Cole, a spokesman for IRS CI, said it entered into a “limited contract with Venntel to test their services against the law enforcement requirements of our agency.” IRS CI pursues the most serious and flagrant violations of tax law, and it said it used the Venntel database in “significant money-laundering, cyber, drug and organized-crime cases.”
The episode demonstrates a growing law enforcement interest in reams of anonymized cellphone movement data collected by the marketing industry. Government entities can try to use the data to identify individuals—which in many cases isn’t difficult with such databases.
It also shows that data from the marketing industry can be used as an alternative to obtaining data from cellphone carriers, a process that requires a court order. Until 2018, prosecutors needed “reasonable grounds” to seek cell tower records from a carrier. In June 2018, the U.S. Supreme Court strengthened the requirement to show probable cause a crime has been committed before such data can be obtained from carriers.
Location, Location, Location
Cell phones give off two different kinds of location data—cell tower data, which is collected by phone companies, and GPS data, which is mostly collected by apps running on the phone. Law enforcement authorities typically need a warrant to obtain cell tower data but can buy GPS data that is available through marketing firms.
But because marketing data doesn’t include names and cellphone numbers, attorneys at numerous government agencies have concluded the court decision doesn’t apply.
“The tool provided information as to where a phone with an anonymized identifier (created by Venntel) is located at different times,“ Mr. Cole said. ”For example, if we know that a suspicious ATM deposit was made at a specific time and at a specific location, and we have one or more other data points for the same scheme, we can cross reference the data from each event to see if one or more devices were present at multiple transactions. This would then allow us to identify the device used by a potential suspect and attempt to follow that particular movement.”
IRS CI “attempted to use Venntel data to look for location records for mobile devices that were consistently present during multiple financial transactions related to an alleged crime,” Mr. Cole said. He said that the tool could be used to track an individual criminal suspect once one was identified but said that it didn’t do so because the tool produced no leads.
Venntel is a wholly-owned subsidiary of the Dulles, Va.-based Gravy Analytics Inc., a company that works with some of America’s largest corporations on marketing and advertising campaigns using location records from millions of cellphones. Venntel said its data is sourced only from apps, not the mobile carriers.
“The data that Venntel uses is pseudonymized. Due to the confidential nature of our clients’ businesses and/or missions, we are not able to comment further,” Venntel President Chris Gildea said in an email.
Governments’ use of purchased location data has exploded in recent months, as officials around the world have sought insights on how people are moving around during the Covid-19 pandemic. In general, governments have assured their citizens that any location data collected by the marketing industry and used by public health entities is anonymous.
But the movements of a phone give strong clues to its ownership—for example, where the phone is located during the evenings and overnight is likely where the phone owner lives. The identity of the phone’s owner can further be corroborated if their workplace, place of worship, therapist’s office or other information about their real-world activities are known to investigators.
“The IRS appears to be one of a growing number of federal agencies that are buying Americans’ private data as part of an end-run around the Fourth Amendment,” which protects against unreasonable search and seizure, Mr. Wyden said.
“There are clear rules against tracking Americans’ phones without court oversight and buying data from Venntel and other shady data brokers shouldn’t amount to a free pass to violate our civil liberties,” Mr. Wyden said.
Location data is typically drawn from ordinary cellphone apps, including those for games, weather and e-commerce, for which the user has granted permission to log the phone’s location, though sometimes location data firms get anonymized data from cellphone carriers or collect a user’s location from Bluetooth beacons located in stores and other physical locations.
Venntel’s data is drawn from the robust ecosystem of advertising companies that collect location data from consumer cellphones and make it available for purchase on an opaque marketplace of brokers who deal in huge amounts of bulk cellphone movement data.
Many purchasers of the bulk data are advertisers trying to target customers or companies trying to understand more about their customer base. Some Wall Street firms use mobile location data to help guide investment decisions. But a small number of firms in this marketing ecosystem have started selling that location data to the U.S. government.
The Journal reported in February that Department of Homeland Security agencies were buying Venntel subscriptions for immigration enforcement purposes—to detect the presence of underground border tunnels or other sites of illicit crossings. The department said at the time that the data didn’t include “the individual user’s identity.”
Federal contracting records show IRS CI paid approximately $20,000 for access to the Venntel platform—roughly the cost of a single login to the service, according to documents reviewed by the Journal.
The Journal reviewed one marketing database similar to the kind used by Venntel. In many cases, the data is precise enough to clearly identify the home address of the phone’s user, which can then be cross-checked against public databases showing property ownership records or rental address history.
“What happens any time you have location on for any purpose to any website or app—you’re giving them permission to collect that GPS data. And they are not restricted by law by what they can do with it,” said Mark Rasch, a lawyer at Kohrman Jackson & Krantz who specializes in privacy issues.
“[E]ven if it’s anonymous…it might be quite revealing,” he said.—Richard Rubin contributed to this article.
Two Ways to Locate a Cellphone
There are two main ways to determine a cellphone’s location.
The first uses three or more cell towers to estimate it; that data is generally maintained by phone carriers.
The other way relies on the Global Positioning System (GPS), a network of orbiting satellites that helps digital devices orient themselves. Makers of apps that deliver services based on a phone’s location—such as mapping, weather and games—collect the satellite-derived coordinates.
The FCC estimates that cellphone tower data is accurate to within three fourths of a square mile of a phone’s location, whereas GPS data is generally accurate within 16 feet, though buildings, bridges and other obstacles can degrade accuracy.
GPS data is typically collected anonymously by the app makers, meaning no names or phone numbers are attached. Users are generally represented only by an alphanumeric string called the Identifier for Advertisers (IDFA) on iPhones and the Android Advertising ID (AAID) on phones running Google operating systems.
Cell tower data kept by the carrier is associated with phone numbers and account holders. However, some carriers strip out those numbers and sell the data to marketers—meaning that some location data brokers can also sometimes obtain anonymized cell tower data to supplement their trove of GPS data. Venntel said its data is sourced only from apps, not the mobile carriers.
Cell tower data—long used in criminal investigations—was at issue in the landmark U.S. Supreme Court case Carpenter v. U.S., where the court ruled in 2018 that a warrant was required to access historical location data from cellphone carriers.
“Whether the Government employs its own surveillance technology…or leverages the technology of a wireless carrier, we hold that an individual maintains a legitimate expectation of privacy in the record of his physical movements,” a majority of the court held in Carpenter.
But the court didn’t address GPS data—more precise, more widely collected, and sold in bulk by the marketing industry. Because it doesn’t contain consumers’ names or phone numbers, many government lawyers have concluded that the decision doesn’t apply.
Write to Byron Tau at byron.tau@wsj.com
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.
wsj.com |
