My name is “RazorBlade” and I am one of the 4 people on the team here , today I will tell you my own personal story about how in 2022 your phone is spying on every move you make, I experienced this myself and now I am informing you to read and arm yourself with knowledge because knowledge is power only when you combine it with actions.
So here it goes… There were around 100 applications on my phone. I didn’t know what they were doing, but I decided to find out.
I had a feeling that these apps were spying on me. Of course, I’m not saying they were wiretapping me, but they were constantly monitoring where I was, every step I took was been transmitted to someone whether I’d go to get the groceries, drinks or chat with friends etc.
I know that there are plenty of people who buy and sell this information.
So how do they track us?
More importantly, what do they want to do with all our data that they collect?
To get to the bottom of all this, I started this experiment that I am writing about back in February, yes it does go back as far as Feb 2020.
I installed a bunch of applications on my spare phone and then started carrying that phone with me everywhere, they were not just any random apps but apps that regular people use every day.
EASE OF ABUSE
The feeling of being watched increased over the years, and I had reasons for it. I came across a post on one of those underground forums selling data on 8,300 mobile phones that were tracked while in hospitals or women’s shelters.
It was listed For $3,000, but with a little introduction + chat, I was able to exchange that info in exchange for the services from our site, once I got hold of that data it showed where tens of thousands of Americans traveled in 2019.
One of them was 21-year-old Robert Johnson from New York. The information allowed me to easily identify him from the data, which, according to the data provider, had been anonymized.
When I contacted him, I was able to tell him where he was almost every day of 2019. Zoo. Job interview. In the hospital, where he stayed for several days after he had sprained ankle.
Then I told Robert that if it falls into the wrong hands, anyone can use this information, or maybe too late as it may have happened already.
BETRAYAL
We are often told that “commercial tracking” is not so bad, “It’s only used for advertising.” But there are many people who are interested in the digital footprint of our phones, all for malicious reasons.
It was recently discovered that the U.S. military is buying location data and that the Muslim “prayer app” is sharing user “location” data with “defense contractors”.
“It looks like a betrayal,” said the local head of the Council on American-Islamic Relations.
Did you know that in 2018, the owner of a gated restaurant “Kentucky Fried Chicken” was arrested in a border town in Arizona, why? Because he was suspected of being involved in drug smuggling from Mexico through a tunnel under the US border.
TUNNEL: A 180-meter tunnel starting at the Mexican house and ending at the indoor KFC restaurant, surprised? Well, don’t be!
According to the media, the crime was solved in parts because the US Immigration and Customs Enforcement (ICE) uses commercially distributed “location data”.
It turns out that the commercial data was allegedly passed on to the ICE deportation department. US Customs and Border Protection (CBP) has also acquired access to “global location data”.
There is a reason why journalists around the world are asked to think carefully before picking up the phone from a confidential source simply because authorities can access information about their location even without court permission.
If location data falls into the wrong hands, it could affect other people as well. Journalists should constantly fear that it will be possible to identify who provided them with information in confidence.
I REQUIRE ACCESS TO MY DATA
The company that supplied ICE with information about the fast-food restaurant is called Venntel. According to the company’s records, it is located in an industrial cluster in Virginia.
In the same area, you can find familiar names from the defense sector, for example, “Lockheed Martin,” the company that created the “F-35,” and the former employer of “Edward Snowden, Booz Allen Hamilton”.
It is enough to make a 20-minute drive east and you will find yourself in Langley, Virginia, where the headquarters of the CIA is located.
DEFENSE CLUSTER: Venntel is registered in this building in the Virginia Industrial Cluster, USA.
On August 20, I requested a copy of all the information a few apps had on me (can you believe it, bad ops sec huh).
The next day, that App’s legal department asked me to provide some more information for verification purposes, which we did, and then I got the following email from them.
“After receiving this information, we will first check if the Advertiser ID you provided is in our database.”
Advertiser ID is what every smartphone has. This identifier is the key to keeping track of phone users across time and apps.
Phone owners may “restrict the ease of access to this identifier,” but very few do so.
THE APPROVAL OF MY DATA REQUEST
Two weeks later, I received an interesting email attachment.
It contained all the information about where I had been “75406 times since February 15th,” A true “Holy Shit” moment!
Suddenly, I was able to track my every step – on a walk, in a bar, so on and so.
POINTS: The photo on the left shows the registration of my movements in the vicinity of my house. In the photo on the right, you can my workplace, this is where I serve you all from. Over time, a huge number of registered locations have accumulated in these places.
There are no phone numbers or names in the data. However, almost anyone could easily figure out that these are my movements.
The app in question also notified me that it was sharing my information with its “clients” and those “clients” use this information for purposes such as “federal compliance” and “national security” yes, you believe it!
When I ask them who those “Clients” were, The app simply declined to disclose them.
THE RABBIT HOLE!
So how could my location data end up with Venntel in the EU? None of the apps I installed mentioned this company.
Nowhere, not even in a confusing privacy policy that hardly anyone reads before clicking OK.
“Venntel” was able to inform me that it received my information from its parent company, “Gravy Analytics,” and that it only rarely knew about the applications that were associated with it.
Gravy Analytics is a marketing data broker.
The company collects massive amounts of consumer data to improve its ad targeting.
Gravy Analytics also claims to know nothing about the origin of most of the data.
However, the response to the access request contained the names of two more new companies:
- Predicio (France).
- Complementics (USA).
New access requests revealed that some of the location data eventually ended up in Venntel came from the Slovak app “developer Sygic,” which has “70 other apps” in its portfolio.
The developer’s webpage claims that its most popular app has “200 million users”.
On February 15th, I installed two Sygic navigation apps, both asked me to agree to the terms of ad personalization.
If you’re one of those people who hardly read what they consent to, then you’re not alone, in fact, very few people read the terms of use for installed applications and services.
I clicked on “I agree”. Since then, a binding agreement has been made between me and the application.
PRIVACY LAW VIOLATION
It appears that when “Gravy Analytics” received the data, the agreement with “Sygic” was violated.
“Gravy Analytics” states in its privacy policy that my personal information may be used in a set of services for partners and customers of the company.
According to their own privacy policies, their goals include, among others, “fraud detection, law enforcement, and national security.”
In other words, “Gravy Analytics” has shared my location data with its subsidiary, which provides these specific services.
This brings us back to my agreement with Sygic on February 15th.
To get to the bottom of this I consulted with three lawyers who were all privacy specialists.
They believe that the ability to use my personal information for purposes for which I have not consented is a clear violation of the GDPR since this law imposes strict restrictions and requirements on what you can do with personal information.
“If it turns out that partners may use personal information for purposes other than those for which you have agreed, then you will lose your privacy,” says one of the lawyers.
WEATHER FORECAST WITH A GIMMICK
In addition, according to data files from “Gravy Analytics and Venntel,” the weather application Funny Weather also followed me.
From the description, the app should present the weather forecast in a sarcastic, sarcastic manner. Who doesn’t want to spice up their daily weather forecast with a bunch of foul languages?
When installing the application this fall, I agreed that my data can be used for analytics and “monetization”, i.e. financing the application.
The same three lawyers I consulted believe that this agreement is not GDPR compliant because it is not clear from it what is meant by “monetization”.
In addition, collecting analytics is not consistent with all “Venntel” business practices.
BAD WEATHER CONDITIONS: Funny Weather does not recommend sticking your head out of the window to check the weather, as it can ruin your mood.
Funny Weather developer “Lavius Fras” doesn’t work for any big company. He said he did not know “Venntel,” but said he did not hide the business model of the application.
“The fact that I partner with companies that use some of the data the app has access to make money is not confidential,” Lavius Fras wrote to me in an email.
Frase acknowledges that the appendix could have been more clear about the implications of being able to “monetize”. He intends to make changes to the privacy policy for this but continues to maintain that users have been duly informed.
SECRETS & MYSTERIES
How the data from Funny Weather got to Venntel remains a mystery, but it is likely that it went through the French company Predicio, which is listed as an intermediary in the app’s privacy policy.
What other applications Venntel can receive data from is a closely guarded secret. Even the owners of mobile apps don’t seem to know what they were involved in, can you believe it?
“We don’t know Venntel,” said “Zuzana Kasanova from Sygic” when I asked how my data came to be with the company.
Kasanova stated that my consent was legally obtained in accordance with the GDPR, and that her company’s partners are contractually obligated to use my data for marketing purposes only.
“Based on the information you have provided, it is unclear that Sygic GPS Navigation was the source of the data Venntel received about you. If it turns out that this is so, then it is a violation of the agreements we have concluded with our partners.”
My technical analysis clearly shows that the data from Sygic ended up in Venntel. For example, the ID used by Complementics for data from Sygic is also present in data from Venntel.
Kasanova did not answer the question of what implications this will entail for Sygic’s partnerships with Predicio or Complementics.
A HOUSE OF CARDS
With the introduction of the 2018 GDPR, privacy advocates have achieved an important victory.
The pan-European law was intended to provide stricter supervision of companies that trade in user data.
However, parts of the digital advertising industry have not changed much.
I strongly believe these companies are trying to stick with old practices and disguise them as something different, but at the core, they have remained the same and you can clearly see the parts of the digital advertising system are based on an almost systematic violation of the EU GDPR, however; GDPR is excellent in theory, but in practice, it has serious flaws.
In most cases, it is difficult or even impossible sometimes to track the movement of personal data between applications, data brokers, and their clients.
The EU data protection authorities are either unable or unwilling to end GDPR violations.
They will not see any changes without imposing huge fines and bans on data processing, EU member states and the EU Commission must act.
The question is whether anyone would like to hear it?
And also in how easy it will be to prosecute for alleged violations? Is it very difficult to hold responsible companies like “Venntel,” since they have no offices in Europe.
I’m afraid this creates an illusory impression of the rules being applied, but in practice, it is simply impossible to take any legal action.
A LOOK INTO MY PAST
It has been several months since I brought my spare phone along with me.
On my screen, I see the dots winding along the forest paths.
Many clusters where I rested; where I walked quickly, are scattered less often.
SNACK: I came from the right path. Then I paused in the courtyard, a little confused, and then I found a wooden bench on the right. Overall, this photo captures 36 minutes of Sunday, August 9th.
It was a hot Sunday in late summer. Horseflies swarmed, especially over the swampy areas.
We usually forget most of the places we have been and what we did there. However, a couple of hints are enough for the memories to return.
Recovering my steps that summer Sunday was like flipping through an old album, each page of which has its own story.
But the funny thing is that this data, my movements, is stored by someone else.
It is very unpleasant to follow your own steps, even if they are not associated with any love affairs, secret meetings or delicate health problems.
Most of us have moments in our lives that we would not want to share. Even with their loved ones, bosses or the state.
I was able to recover the data flow from mobile apps to “Venntel,” but there were still a lot of unanswered questions.
Which “Venntel Customers” received information about me?
Were these companies in the “defense sector, intelligence or the FBI”?
ANSWERS, IMPOSSIBLE TO GET!
“Gravy Analytics” did not respond to our multiple requests. Their subsidiary “Venntel declined to be interviewed by phone or email”.
In a short statement, Venntel states that my phone movements were not broadcast by ICE or CBP.
They also wrote that they have nothing to do with the application vendors “Sygic or Lavius Fras”.
“We will not leave further comments about our business relationships or interpretation of legislation,” Venntel wrote.
In a statement to NRK, the US Border Protection (CBP) said that it has limited access to commercially available data and that it is being used in accordance with relevant rules and regulations.
CBP Press Officer Jason Givens did not respond to follow-up questions about what restrictions are placed on CBPs when it comes to retrieving data on European citizens or phones located outside US borders.
The “FBI and ICE” also have agreements with “Venntel,” but they did not respond to questions about the company’s ability to track “Europeans inside and outside Europe”.
When Predicio responded to the access request on August 11, the company did not mention “Venntel data transfers” in February-July, the “Funny Weather app” was installed on Aug 10.
Complements co-founder “Walter Harrison” stated that my data was only used for marketing analytics.
Harrison did not answer questions about the company’s relationship with “Gravy Analytics.”
When I asked Harrison about “Gravy Analytics,” he said that the company’s contractual partner “cannot directly or indirectly share any data obtained from Complementics with any US intelligence, immigration or law enforcement agency.”
So there you have it guys if this doesn’t show you how you are being tracked and spied on by these so-called apps that you use every day I don’t know what will…
The bottom line is your favorite everyday apps are selling your data to intelligence agencies around the world who then use that data to spy on you.
Good luck!