Hackers Claim To Have Compromised Data Broker Used By U.S. Government To Dodge Warrants
Gravy Analytics, the parent company of Venntel, is like many dodgy data brokers. The company gleans vast troves of sensitive U.S. behavior and location cellphone data, then generally sells access to that data to a long line of folks. Including the U.S. government, which has increasingly turned to buying data broker data as a quick and easy end around for having to get a warrant.
Last month the FTC sued Gravy Analytics saying it routinely collects sensitive phone location and behavior data without getting the consent of consumers. This month, hackers claim to have compromised the giant surveillance company, gaining access to 17 terabytes of data, including a bunch of sensitive location data detailing the very specific movement patterns of U.S. consumers.
As the fine folks at 404 Media note, this is yet another inflection point for a super dodgy and barely regulated commercial surveillance industry at the center of scandal after scandal:
The news is a crystalizing moment for the location data industry. For years, companies have harvested location information from smartphones, either through ordinary apps or the advertising ecosystem, and then built products based on that data or sold it to others. In many cases, those customers include the U.S. government, with arms of the military, DHS, the IRS, and FBI using it for various purposes. But collecting that data presents an attractive target to hackers.
“A location data broker like Gravy Analytics getting hacked is the nightmare scenario all privacy advocates have feared and warned about. The potential harms for individuals is haunting, and if all the bulk location data of Americans ends up being sold on underground markets, this will create countless deanonymization risks and tracking concerns for high risk individuals and organizations,” Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, and who has followed the location data industry closely, told 404 Media. “This may be the first major breach of a bulk location data provider, but it won’t be the last.”
We’ve long noted how the data broker space is an unregulated mess, routinely over-collecting data, selling access to any nitwit with two nickels to rub together (including foreign intelligence or criminals), and failing to generally secure it. Wired last month had a piece detailing how it was trivial to purchase U.S. troop and intelligence officer movement data as they visited sensitive U.S. locations in Germany.
An earlier scandal highlighted by Senator Ron Wyden involved the sale of abortion clinic visitor location data to right-wing activists, who then targeted those vulnerable women with health care disinformation. More recently, a data broker was found to have leaked the Social Security numbers of 270 million Americans.
Now the one agency that actually did anything about the problem (the FTC) is about to be absolutely defanged under Trump because a handful of billionaires thought Lina Khan was being personally mean to them. Ain’t democracy grand.
The warning signs are absolutely blaring, and the entire location data sector is absolutely begging for a scandal that makes all previous scandals look like a lovely summer picnic. At which point, all of the policymakers who repeatedly refused to take consumer privacy seriously will stand around with their hands on hips in a real-life version of the Spider-Man meme, wondering how exactly we got here.