EFFecting Digital Freedom

by Jason Kelley

Clearing the FOG

A year of digging into the location data marketplace led us to a company that allows police to access millions of people's location data - and reconstruct their lives with a few clicks.

When EFF began filing public records requests with police agencies last year, we wanted to see if we could learn whether location data pulled from our mobile devices was being exploited by surveillance technology companies.  Included in one of the responses was promotional material from a company called FOG Data Science, LLC, which offered access to the precise and continuous geolocation of hundreds of millions of Americans.

We'd never heard of FOG and the company had almost no public online presence.  So we requested more records about the company, specifically from law enforcement across the country.  What we uncovered was a widely-used mass surveillance technology that raises "Significant Fourth Amendment search and seizure concerns," according to Rep. Anna Eshoo of California.

What we learned is that FOG Data Science offers a sleek search engine called FOG REVEAL that allows cops to browse through that location data as if they were Google Maps results, and a "device search" feature that provides historical location information for a single device going back for months or possibly years.

People's location data ends up with FOG after it's collected through smartphone apps and then aggregated by data brokers.  Often these apps are unassuming - they might tell you the weather, for example - but meanwhile, they collect your location data as well.  Data brokers buy bundles of this data and it can include a wealth of private information about you, such as your year of birth, gender, what search terms you use, and perhaps most importantly for FOG, your location.  Each of these bundles of data has something called an ad ID attached to it, which is a random string of letters and numbers associated with your device, and which data brokers can later use to group them together to form a more complete picture of your behavior.

This data allows companies to target ads to very specific groups of people - say, everyone with an interest in 2600 Magazine.  It also allows FOG to offer a service that they claim in marketing materials has "billions" of data points about "over 250 million" devices.  With a few keystrokes, a FOG user is able to access an exhaustively detailed account of a person's life - often regardless of whether that person is under any suspicion or whether police have obtained a subpoena or warrant.

A pitch by a FOG official trying to sell his company's surveillance to law enforcement highlights how dangerous this product could be.  To demonstrate a proof-of-concept, the FOG representative relayed how New York City experienced high China COVID-19 infection rates during the first few weeks of the pandemic, and it made leaders of nearby states nervous about New York City residents traveling and spreading the virus.  The governor of Rhode Island had recently proposed banning all travelers from New York.

FOG's demo illustrated how its data could be used to help enforce such a ban.  The company ran a dragnet query on its dataset, looking for anyone who had traveled between Port Chester, NY and Newport, RI between March 5 and March 22.  It found 52 devices.  FOG then narrowed in on one of those devices and ran a "pattern of life" analysis on it, querying for every GPS ping associated with that device for the previous 90 days.  It found over 24,000 pings - more than 266 per day - locating the device across Rhode Island, Massachusetts, New York, and Connecticut.  It showed how the device had taken multiple trips across New England, stopping in the New York City metropolitan area and near Rochester at different times.  And it revealed the device owner's likely home, near Providence, and several other common destinations nearby.  All of this was done without a warrant and with no apparent law enforcement investigation.  The person's private data appeared to be used as a sales pitch.

We were also able to analyze the app's public-facing code to get a better understanding of how its product works for the law enforcement end users.  FOG REVEAL, like Google Maps, is a web application that runs in your browser.  To research its functionality, we locally reconstructed the app based on the web resources available by visiting fogreveal.com.  This was possible at the time because, upon loading the page, without logging in or even clicking anything, the site automatically requests nearly all the JavaScript/HTML needed by the fully functional app.

By saving REVEAL's front-end files and organizing them into directories mirroring their original URL paths, we made a local reproduction of the site's resources.  From there, we wrote a mock back-end server to serve the files and handle API calls made by the front-end, and then systematically worked out the format of data expected from that API.  Note that because we had no access to FOG's back-end server, we made several educated guesses and had it only return fake location data.  So it's possible that our mock website differs from FOG's functionality.  Once this was done, we had a semi-functional local reproduction of REVEAL that made no requests to FOG's actual server, and yet allowed us to explore its features.
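A sketch of the kind of mock back-end described above, added here as an illustration and not EFF's or FOG's code: it serves a saved copy of the front-end files from a local directory, answers API calls with fake data, and records each call so the expected format can be worked out. The `mirror` directory, the `/api/` prefix and the response shape are all assumptions.

```python
import json
import mimetypes
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path

MIRROR_ROOT = Path("mirror")   # hypothetical: saved files laid out by URL path
API_PREFIX = "/api/"           # hypothetical: the real API paths are not on the page
SEEN_API_CALLS = []            # every API request the front-end makes, kept for study

# Constructed fake response; the shape is a guess to refine against the front-end.
FAKE_SIGNALS = {"signals": [{"id": "fake-device-1", "lat": 0.0, "lon": 0.0,
                             "ts": "2000-01-01T00:00:00Z"}]}

def route(method, path, body=b"", root=MIRROR_ROOT):
    """Return (status, content_type, payload) using only local files and fake data."""
    path = path.split("?", 1)[0]
    if path.startswith(API_PREFIX):
        SEEN_API_CALLS.append((method, path, body.decode("utf-8", "replace")))
        return 200, "application/json", json.dumps(FAKE_SIGNALS).encode()
    rel = path.lstrip("/") or "index.html"
    target = (root / rel).resolve()
    # Refuse anything that resolves outside the mirror directory (e.g. ../ in the URL).
    if not target.is_relative_to(root.resolve()) or not target.is_file():
        return 404, "text/plain", b"not mirrored"
    ctype = mimetypes.guess_type(target.name)[0] or "application/octet-stream"
    return 200, ctype, target.read_bytes()

class Handler(BaseHTTPRequestHandler):
    def _reply(self, body=b""):
        status, ctype, payload = route(self.command, self.path, body)
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_GET(self):
        self._reply()

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        self._reply(self.rfile.read(length))

if __name__ == "__main__":
    # Loopback only: the reproduction is reachable from this machine and nowhere else.
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

Requests that return "not mirrored" and the entries in `SEEN_API_CALLS` show which files and API responses the front-end still expects.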

After signing in, REVEAL presents a Google Maps view of the U.S., as well as a toolbox.  Users can "geofence" an area with a shape such as a circle, or they can carve out a more detailed area, such as the shape of a building.  The front-end circle tool will allow queries with a radius of 2500 meters, allowing up to nearly 20 square kilometers when performing a "signal search."  It's possible that the back-end imposes further limitations.

The user can also specify a date and time range for their query, and it seems that these ranges can stretch back over several months: a copy of FOG REVEAL's user manual received from Greensboro Police Department claims that date/time ranges can extend up to 90 days, and can be searched "back to Jun[e] of 2017."

After specifying a geofence and date/time range, the user can run their query.  Queries return a set of data points which represent where a device was at a given point in time.  The user can then do further analysis on these signals, such as grouping them by the device that produced them, or displaying the path taken by the device over time.
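To make the query model concrete, here is an added example (not FOG's code) of a circular "signal search" over constructed pings, with the results grouped by device and ordered in time. The record layout, device IDs and coordinates are made up; the 2500 meter and 90 day limits are the ones reported above.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

MAX_RADIUS_M = 2500              # circle-tool limit reported in the article
MAX_RANGE = timedelta(days=90)   # range limit claimed in the user manual

def circle_area_km2(radius_m):
    return math.pi * (radius_m / 1000) ** 2   # 2500 m gives about 19.6 km^2

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in meters between two latitude/longitude points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def signal_search(pings, center, radius_m, start, end):
    """Return {device_id: [time-ordered (ts, lat, lon)]} inside the circle and window."""
    if radius_m > MAX_RADIUS_M:
        raise ValueError("radius exceeds the front-end limit")
    if end - start > MAX_RANGE:
        raise ValueError("date range exceeds 90 days")
    by_device = defaultdict(list)
    for device_id, ts, lat, lon in pings:
        if start <= ts <= end and haversine_m(*center, lat, lon) <= radius_m:
            by_device[device_id].append((ts, lat, lon))
    return {dev: sorted(track) for dev, track in by_device.items()}

# Constructed sample data: invented device IDs, coordinates near (0.0, 0.0).
T0 = datetime(2000, 1, 1)
PINGS = [
    ("dev-A", T0 + timedelta(hours=5), 0.0100, 0.0000),   # ~1.1 km from center
    ("dev-A", T0 + timedelta(hours=1), 0.0010, 0.0010),   # ~160 m from center
    ("dev-B", T0 + timedelta(hours=2), 0.0200, 0.0000),   # ~2.2 km, inside
    ("dev-B", T0 + timedelta(hours=3), 0.0300, 0.0000),   # ~3.3 km, outside
    ("dev-C", T0 + timedelta(days=200), 0.0000, 0.0000),  # inside circle, outside window
]

if __name__ == "__main__":
    hits = signal_search(PINGS, (0.0, 0.0), 2500, T0, T0 + timedelta(days=90))
    for device, track in hits.items():
        print(device, len(track), "pings, first at", track[0][0])
```

Because every ping carries the same persistent device identifier, grouping the matches is enough to turn isolated points into a per-device track.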

We also discovered that if certain user parameters are set, REVEAL will update its logo to display "REVEAL Federal," and enable the front-end to request a much more powerful suite of query tools from the back-end.  These federal users have access to an interface for converting between FOG's internal device IDs and the device's actual advertiser ID.  We don't know if this feature is operational but, if so, it would contradict statements FOG makes in other materials that its proprietary FOG IDs can't be converted back into advertiser IDs.  And, if users could retrieve the advertiser IDs of all devices in a query's results, it would make REVEAL far more capable of unmasking the identities of those devices' owners.

FOG is a Fourth Amendment violation.  First, police should not be able to use FOG's "device search" without obtaining a warrant, and public records show that many agencies did not get warrants before using this feature.  Even when police obtain warrants before using FOG to perform geofence area searches, they would still violate the Fourth Amendment for all the same reasons that courts have held other geofence warrants unconstitutional.

Police use of FOG is a privacy disaster - it shows how location data taken from our devices is exploited and later used against us via police surveillance.  We urge you to speak up to Congress and demand that lawmakers pass a meaningful and comprehensive data privacy law that allows all of us to control when and how our data is used.  Such a law would stop this police surveillance at its source by preventing data brokers from obtaining and selling your data without your explicit opt-in consent.
