A social media and phone surveillance system ICE bought access to is designed to monitor a city neighborhood or block for mobile phones, track the movements of those devices and their owners over time, and follow them from their places of work to home or other locations, according to material that describes how the system works obtained by 404 Media.
Commercial location data, in this case acquired from hundreds of millions of phones via a company called Penlink, can be queried without a warrant, according to an internal ICE legal analysis shared with 404 Media. The purchase comes squarely during ICE’s mass deportation effort and continued crackdown on protected speech, alarming civil liberties experts and raising questions on what exactly ICE will use the surveillance system for.
“This is a very dangerous tool in the hands of an out-of-control agency. This granular location information paints a detailed picture of who we are, where we go, and who we spend time with,” Nathan Freed Wessler, deputy project director of the American Civil Liberties Union’s (ACLU) Speech, Privacy, and Technology Project, told 404 Media.
FYI, the most relevant information to avoiding your phone showing up in ICE’s rented databases is how they are getting the location data:
The material does not say how Penlink obtains the smartphone location data in the first place. But surveillance companies and data brokers broadly gather it in two different ways. The first is from small bundles of code included in ordinary apps called software development kits, or SDKs. SDK owners then pay the app developers, who might make things like weather or prayer apps, for their users’ location data. The second is through real-time bidding, or RTB. This is where companies in the online advertising industry place near instantaneous bids to get their advert in front of a certain demographic. A side effect is that companies can obtain data about people’s individual devices, including their GPS coordinates. Spy firms have sourced this sort of RTB information from hugely popular smartphone apps.
This includes a link to a prior 404 story that may have a list of apps, but it’s paywalled and none of the archive sites seem to have it indexed: https://www.404media.co/candy-crush-tinder-myfitnesspal-see-the-thousands-of-apps-hijacked-to-spy-on-your-location/
This is the link to the full list provided in that article but it may also be paywalled by 404 Media which I am a subscriber to. It’s also got more than ~~1K~~ 10K entries on it. A lot of these seem to be mobile games, fitness apps, photo editing apps, and prayer apps though.
My SMS app was on it. Which makes me sad because Textra was dope, I’ve moved to qksms.
Thank you, that’s exactly what I was looking for. More than *10K entries, by the look of it…
Yeah. Typo. Seems to happen a lot when I’m typing fast on a phone screen. Sorry.
In case you’re wondering how to get a list of all the apps installed on your phone, these instructions worked for me https://www.javathinking.com/blog/how-to-get-the-list-of-all-apps-on-android-device-using-terminal/
I just wrote a quick script to check my list against the google doc. The official Merriam Webster app and the official Letterboxd app both got flagged.
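The check described in the comment above, as an added example (not the commenter's script): it parses `adb shell pm list packages` output, including the `-f` form, and matches it against a CSV export of the app list. The CSV column names (`name`, `app_id`) and every package name in the samples are constructed assumptions, since the real list's layout is not shown here.

```python
import csv
import io

# Constructed sample of `pm list packages` output (plain and -f forms mixed).
SAMPLE_PM_OUTPUT = """\
package:com.example.weather
package:/data/app/~~Qx1==/com.example.prayertimes-Zk9==/base.apk=com.example.prayertimes
package:org.example.notes
"""
# Constructed CSV export of the app list; the column names are assumptions.
SAMPLE_LIST_CSV = """\
name,app_id
Example Weather,com.example.weather
Example Prayer Times,Com.Example.PrayerTimes
Example Puzzle,com.example.puzzle
"""

def parse_pm_output(text):
    """Return the set of package names found in `pm list packages` output."""
    packages = set()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue  # ignore blank lines and adb warnings
        entry = line[len("package:"):]
        # -f form is "<apk path>=<package>"; paths can contain '=', so split last.
        if entry.startswith("/"):
            entry = entry.rsplit("=", 1)[-1]
        if entry:
            packages.add(entry.lower())
    return packages

def load_flagged(csv_text, id_column="app_id", name_column="name"):
    """Map lower-cased identifier -> display name from the exported list."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        app_id = (row.get(id_column) or "").strip().lower()
        if app_id:
            flagged[app_id] = (row.get(name_column) or "").strip()
    return flagged

def flagged_installed(pm_text, csv_text):
    """Return sorted (package, listed name) pairs present in both inputs."""
    flagged = load_flagged(csv_text)
    installed = parse_pm_output(pm_text)
    return sorted((pkg, flagged[pkg]) for pkg in installed & flagged.keys())

if __name__ == "__main__":
    print(flagged_installed(SAMPLE_PM_OUTPUT, SAMPLE_LIST_CSV))
```

Identifiers are lower-cased on both sides so that capitalisation differences in the list do not hide a match.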
Do you think a Linux phone would have the same weaknesses?
I’m sure that app developers who want to sell user data because it is big business will find a way to do so, yes.
Phones for the vast majority of people are a black box. Most of the users have no idea how their apps work or what data is going where and they don’t know how to check. People who work in cyber security, or the tech field (engineers, coders, developers etc) whose jobs revolve around this type of thing know how to check and generally take steps to avoid apps and services that siphon up this kind of user data.
I know little to nothing about the Linux phone. I haven’t tried it. I haven’t delved into what it can do and why it’s “not ready for prime time”.
So all I can do is extrapolate from what we already know which is, these apps request permissions that a lot of people give them without thinking about it. People do this on windows and Mac too. Humans and their lack of understanding/preference for convenience are the main problem. That and there’s no regulations that hold these app devs accountable.
These apps aren’t breaking the TOS of the app stores they’re on.
My hope is that a lot of the Linux phone apps will be FOSS. That way the code can be independently audited. That would be better than the alternative.
And, added it to the description.
Both of these sources seem like things that would be blocked by using a DNS sinkhole. I personally use technetium but pihole and adguard are more popular, but less feature rich and harder to set up as a recursive resolver.
If they want to target more technologically capable users, they’ll just hard code the IP addresses so it doesn’t need DNS and make any IP changes in routine updates.
Do not take your phone to protests/rallies/organized events. Do not turn it off and take it with you thinking it’s okay, they will know when and where you turned it off. Jury is still out if modern phones truly turn off as well. Use a regular camera for taking pictures, take lots of them, get faces, IDs, anything if you can of ICE. Let them start the violence first.
Pardon the pedanticness: Phones do NOT completely power down. The jury is out on if they are still traceable in “standby”/pseudo-powered off mode. The generally accepted advice is to treat them like they are still traceable.
If “Find my phone” still works when it’s turned off, then yes, phones are definitely traceable when powered down.
For iPhones, Find My only works powered off by Bluetooth connections to other devices. Unless someone is scanning and tracking Bluetooth radios, they can’t track you.
The vulnerability in the article is about apps that send location data back to a third party who makes it available to law enforcement.
Mainly, this is a problem for people who give any random app access to location data.
Wasn’t sure if they were or not, why I mentioned the jury was out on it. Regardless, leave your phone at home.
One of the best things about phones with batteries you can replace. You can take them out of the phone as well.
Yep, I miss removable batteries. Not just for the ability to replace the batteries (e.g. due to degradation) but also to be able to completely remove power from the device.
also, tape recorders. And if you travel out of the country… buy a burner flip phone to use.
I thought this was going to say they were deploying Stingrays in neighborhoods. Pretty sure this is worse, because at least a Stingray requires something be physically present. Fuck all of this.
Yeah, same. I set up an Orbic with RayHunter exactly for this reason. I took that with me when I’ve gone by protests just to see if there’s one present. Then, if in the clear, shut down my personal devices and attended. I’m paranoid like that I guess…
Set up Meshtastic nodes too.
Having the ability to communicate without using cellular infrastructure is incredibly useful, especially during natural disasters (which ICE certainly qualifies).
Damn I’ll check that out
Benn Jordan has some other ideas too (and a bit more detail on the mesh technologies/DIY options available): https://www.youtube.com/watch?v=W_F4rEaRduk
It wasn’t that long ago we had phones that couldn’t leave the house. This choice does still exist for us.
Does it? It was possible a while ago, but in the last years, we saw train tickets going to apps. There is no ticket machine at my local stop. There are areas where you can only park your car with an app. I need 2FA to get into my accounts. Restaurants have QR code menus. So going to protests or just living your life without a phone is getting harder
I lived without a cell phone for about 3 years (2022-2025), and once in a while there was a small hurdle but overall it was surprisingly easy. 2FA can be done via text/email, I never ran into an instance where I needed an app. Every ticket I bought could be printed at home, so it takes a little more forethought but not a deal breaker. Never ran into any parking stations that couldn’t be paid via a kiosk/card, but YMMV.
These days I own a phone per request of one of my business clients, but it stays turned off at home unless I’m on a job. Once in a while I’ll break it out to use the GPS but most places I drive to I can find by memory. There are many “middle” ground solutions out there too (like Graphene OS), but as a general rule, I would make a habit of leaving your phone at home when you can, and definitely when engaging in anything spicy.
Yes, and printed maps still work. Keeping an address/phone book still works (so do sharpies on your arm).
The choice does exist, but it gets harder and harder to go without a phone
Many jobs expect us to be available at all hours. Younger generations cannot navigate without maps. Phones are also the primary way we record/observe ICE. They’re also our calendar/organizer, notebook, and many other things
Sure, we can have an independent GPS, camera, calendar, and notepad, but the barrier keeps getting higher
We need to develop counter measures, and long-term pass strong laws banning this level of government surveillance
Public payphones in the streets and emergency phones alongside highways have also been removed (at least in my country). So yeah, our society expects us to have our own phones with us whenever we’re away from home.
“This is wrong” — Lucius Fox, The Dark Knight
Prescient, and also an example of copaganda/how corporate media conditions the public to accept this shit because the “good guy” is the one using it.
I mean, they acknowledge that it’s wrong, and they acknowledge that Bruce Wayne is not stable enough to have power by having him give the power to Lucius.
Not all scenes are so one-note that it only ever has one meaning or message.
Lucius shouldn’t have that power either! It’s not an issue of being “stable enough;” it’s an issue of anyone having it. Frankly, your argument kinda proves my point.
It’s analogous to a limited hangout. Sure, they acknowledge it’s wrong, but that doesn’t stop them from doing it and they suffer no bad consequences for that choice. Really, what’s the Aesop people are actually going to take from it? The one based on the demonstrably empty words, or the one based on the actions?
Everyone should be using an ad blocker for this reason exactly.
Ads are often the culprit of data for the location data brokers. Fuck the ads.
Turning off our phones isn’t the answer, prohibiting this invasive and predatory practice is the solution. They couldn’t follow you around town and all the way home, and take note of your address without getting flagged for stalking, or at least a restraining order.
They shouldn’t be able to stalk you electronically, any more than they can do it in person.
The people should start buying this data to identify ICE personnel involved in incidents. It’s not like you need to be law enforcement to get access to this. You just need money.
I bet a nonprofit would have a reasonable chance of raising the funds to buy the data and publicly publish it.
We need to be more careful than that, no one wants to end up on a list when a non-profit is required to show its books.
Should be a very private and affordable for-profit with some reasonable way to keep payments off the books
Are nonprofits required to track who they receive donations from? I could be wrong, but I don’t think they are. They have to have financial records, but I don’t think that means maintaining a donor list.
It depends on the details of the non-profit. In the circumstances I see, you’re not required to make it public, but you ARE required to provide the list to the government.
I can say, if you started a non-profit and used it to track ICE, they most certainly would obtain a list of your donors if they had to go and take it from the hands of your payment provider. Even most crypto isn’t fully safe because of banking reporting required
That’s a good point, they’d definitely just subpoena your bank records. If crypto is used properly, it can be nigh impossible to trace, though. Bitcoin isn’t very private at all on the blockchain, but if you send over lightning network, my understanding is that it becomes effectively impossible to track, unless your adversary controls enough lightning network nodes to track the payment as it bounces between nodes. They wouldn’t need to control the whole path, but they would need to control nodes VERY close to origin and destination, ideally the adjacent nodes, and enough of those in the middle to be reasonably sure they can accurately follow the money. The lightning network doesn’t leave a detailed ledger behind, so only way to trace a payment is to be involved in its processing, which means controlling the nodes the money passes through on its way to the recipient.
Of course, that’s way too obscure and unknown for the vast majority of people, so I don’t see a nonprofit succeeding that way these days. Maybe if crypto actually does get mainstream, but that’s still a pretty big if.
but if you send over lightning network
Heh onion routing for bitcoin payments, that’s pretty neat. The receiver ends up hanging a bit in the wind.
Maybe it could be a steam game or something with plausible deniability
The receiver ends up hanging a bit in the wind.
Actually, the way the payments are structured, no money moves AT ALL if ANYONE in the chain tries to back out. It maintains the trustless nature of crypto. I don’t recall the specifics of how it’s done, though.
Noem is so dumb she could not figure out how to train a dog and she felt her best idea was to shoot it in the head. These are not smart people.
“Required” isn’t the right word but they do record who donates to them because people usually want them to. People donating to non-profits will receive statements from those non-profits at year end so they can deduct the donations from their taxes when filing their return.
People can donate anonymously but if they do so, they give up their right to claim the tax deduction so most do not.
I feel like most people are on the standard deduction these days, right? It’s pretty high and while we’ve itemized in the past, our mortgage interest isn’t high enough to push us over and without that everything else is a tiny drop in the bucket.
It certainly depends. I’m not sure what qualifies as “most people” now. Plenty of people have higher interest rates on their homes from recent purchases than those who’ve purchased homes 4 or 5 years ago, and if you live in a state with higher income tax you’ll have more to deduct. Also self-employed contractors and non-incorporated small business owners are likely going to itemize. My wife and I itemize but we’re fortunate enough to be in a place where we support a lot of charities so itemization is worth it.
Per EFF: US a surveillance regime as much as North Korea, China and Russia.
US surveillance is far more effective than North Korea or Russia’s domestic surveillance
Only China is in the same realm in terms of ability to surveil citizens. They’re just more open about using it for low-level offenses
Thanks for including the app list!
I thought this was going to say they were deploying Stingrays in neighborhoods. Pretty sure this is worse, because at least a Stingray requires something be physically present. Fuck all of this.
My guess is they get the phone info from protests and then use the data from location data brokers to track further.










