This year has seen a rush amongst government snoops for a new and sometimes contentious data set: location data grabbed by popular smartphone apps. Customs and Border Protection, the FBI, the U.S. military and other federal agencies have been keen buyers, though it’s caused a furor amongst privacy and human rights watchdogs. The outcry this week led Apple and Google to kick apps containing location-grabbing code from Reston, Virginia-based provider X-Mode out of their respective app stores.
But Israeli surveillance vendors are also getting in on the act, Forbes has learned. One of the players, a highly secretive startup called Bsightful, is part-owned and backed by one of the biggest surveillance vendors in the world, the Nasdaq-listed, $4 billion market cap company Verint, three industry sources told Forbes. The other is an established player in the Israeli surveillance industry, Rayzone, whose Echo product promises “mass collection of all internet users in a country.” The GPS location data is accurate to within as little as one meter of the target, but will lag a little behind real time, due to the nature of the surveillance.
How do they do it?
To provide this service, the surveillance dealers are targeting the mobile advertising ecosystem. According to three sources speaking on the condition of anonymity, the highly secretive Bsightful is one of a handful involved in the business. Two said that Bsightful is hoovering up app location data by running what’s known as a Demand Side Platform (DSP). In the automated world of mobile advertising, apps looking for advertisers will go to a DSP to show off what kind of advertising space they can offer: what devices they’re installed on and where they’re based. Advertisers and their agencies will then choose where to place ads.
If a surveillance company runs a DSP, they don’t even need to provide the ads. They can simply collect the location and other phone data the app developers are willfully providing, the data passing through what’s commonly called the “bidstream.” But they do have to send back ads “from time to time” to keep the DSP active, according to one industry source. They also need to get as many app developers as possible to include the code pointing to their DSP, so they have maximum possible coverage. Setting up a “white label DSP” lets surveillance companies hoover up data that was solely meant to help marketing campaigns and advertisers.
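To make that exposure concrete, the following added example (not from the article or from any company named in it) audits a constructed bid request for the fields that let any bid recipient follow one device, then produces a minimized copy a publisher could send instead. It assumes the bid request uses OpenRTB 2.x field names, which the article does not specify; the function names and all sample values are hypothetical.

```python
import copy
import ipaddress

# Constructed sample shaped like an OpenRTB 2.x bid request (assumed format;
# the article does not name the protocol). Every value here is made up.
SAMPLE_BID_REQUEST = {
    "id": "example-request-1",
    "app": {"bundle": "com.example.weather"},
    "device": {
        "ifa": "00000000-1111-2222-3333-444444444444",  # advertising ID
        "ip": "203.0.113.57",
        "geo": {"lat": 32.166312, "lon": 34.843771, "type": 1, "accuracy": 5},
    },
}

def truncate_ip(ip):
    """Zero the host bits (/24 for IPv4, /48 for IPv6)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)

def audit_bid_request(req, decimals=1):
    """List the fields that let any bid recipient track one device."""
    findings = []
    device = req.get("device", {})
    geo = device.get("geo", {})
    coords = [geo[k] for k in ("lat", "lon") if k in geo]
    if any(round(c, decimals) != c for c in coords):
        source = {1: "GPS", 2: "IP lookup", 3: "user-provided"}.get(geo.get("type"), "unknown")
        findings.append(f"device.geo: precise coordinates ({source})")
    if device.get("ifa"):
        findings.append("device.ifa: persistent advertising ID")
    if device.get("ip") and truncate_ip(device["ip"]) != device["ip"]:
        findings.append("device.ip: full IP address")
    return findings

def minimize_bid_request(req, decimals=1):
    """Return a copy with location coarsened and stable identifiers removed."""
    out = copy.deepcopy(req)
    device = out.get("device", {})
    geo = device.get("geo", {})
    for key in ("lat", "lon"):
        if key in geo:
            geo[key] = round(geo[key], decimals)  # 1 decimal is roughly 11 km
    geo.pop("accuracy", None)
    device.pop("ifa", None)
    if device.get("ip"):
        device["ip"] = truncate_ip(device["ip"])
    return out
```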
The information is then packaged up into a software tool for government customers, allowing them to search whole areas or for individuals. For instance, if they have a phone number of a target, that should be enough to get their last known location, as long as they have the relevant app on their device.
Venntel, one of the U.S. government’s suppliers for mobile location data, has used the bidstream to acquire information, Vice reported, citing a disclosure by Customs and Border Protection to Senator Wyden’s office. CBP didn’t disclose just how Venntel had access to the bidstream. It also declined to say how it was using the data.
Sights on Bsightful
It’s unclear to whom Bsightful sells its location data. Its website says nothing about what the company does and it has no social media profiles. The company has four cofounders and executives—Avraham Bahron, Guy Gildor, Guy Amir and Asher Elazar—though none were reachable at the time of publication. Messages sent to another employee and via the company website received no response.
Forbes reviewed an Israeli corporate filing for the company, written in Hebrew, that shows a company called Cognyte Technologies was the sole seed investor, with four company directors also holding stock in the company. Cognyte has 16% of shares listed. Sources said Cognyte was a Verint business and online corporate filings show Verint is the only shareholder in the business, which has offices just two streets over from Bsightful in the Tel Aviv suburb of Herzliya. This week, Verint announced it would be renaming its “cyber intelligence” business, which scored $320 million in revenue in the first three quarters of 2020, to Cognyte Software.
Verint, which has not responded to requests for comment, has contracts in countries across the globe, including the U.S., where it’s previously been a reported supplier for the NSA intelligence agency’s phone-tapping initiatives. It sells all manner of spy tools, including one that can locate any individual to the nearest cell tower with just their telephone number. Combining that with advertising data, which provides more specific coordinates of a device’s whereabouts, would likely yield the location of many individuals.
‘Mass collection of all internet users in a country’
Another company, Rayzone, has been ahead of the curve when it comes to collecting information on smartphone users. The business sells police and governments devices to intercept mobile data, but also, for the last two years, has been selling a tool called Echo that’s built on masses of data collected from mobile apps. Rayzone describes Echo as a “Global Virtual Sigint” system, “Sigint” meaning “signals intelligence.” It promises to provide intelligence and law enforcement agencies with “wide, diverse and in-depth information on global internet users.”
Though it hasn’t publicly disclosed that Echo uses location data collected from smartphone ads, and wouldn’t tell Forbes just how it was acquiring the information, Rayzone’s website notes that the tool uses “a fully stealth method of collection on any internet user, without the need for cooperation from either the target or from any tech or commercial entity.” Rayzone says it’s useful for either targeting a specific individual or for “mass collection of all internet users in a country.” Rayzone didn’t respond to requests for comment.
Multiple sources in the Israeli intelligence industry, who spoke on the condition of anonymity, said the practice is becoming much more common in their market. The promise of being able to provide police and intelligence analysts with a mountain of worldwide location data will likely lure governments hungry to keep tabs on people of interest, or entire populations.
But it’s concerning privacy and human rights activists who worry there’s little oversight of the surveillance vendors, their customers or the data being collected by advertisers, and that people’s privacy is being invaded in ways consumers would never have expected. “I have long suspected that surveillance firms and governments buy commercial location data secretly gathered from ordinary smartphone apps, and of course, it’s happening,” said Wolfie Christl, a digital rights activist who has been looking into surveillance industry practices.
“It’s disastrous that commercial location data that has originally been collected in the context of digital marketing and consumer apps is used for completely different purposes.
“Unfortunately, I am sure this is pretty common and there are more companies and contracts in this space than we currently know of. Today’s commercial data economy is broken.”