Anomaly Six Accused of Selling Smartphone Tracking Data to US Government

US government building with US flag

A report by The Wall Street Journal (WSJ) alleges that data intelligence company Anomaly Six has embedded tracking software in over 500 apps and is selling the collected data to the US Government without user consent. These apps could have hundreds of millions of users worldwide. It is not known for what purposes the US Government is using the data.

Who is Anomaly Six?

Anomaly Six is a small federal contractor based in Virginia with a lot of contacts. The company was founded by two US military veterans with backgrounds in intelligence. Oddly, Anomaly Six has close ties with US defense and intelligence communities.

The company says it provides location data products to branches of the US government and private sector clients. It claims, “we leverage detailed location data from numerous first-party sources to provide insights into groups, behaviors, and patterns.” However, the WJS report suggests that the company’s links with US Government agencies is outside the norm. “Anomaly Six was founded by defense-contracting veterans who worked closely with government agencies for most of their careers and built a company to cater in part to national-security agencies,” says the report.

Anomaly Six’s marketing material also states that it is “able to draw location data from more than 500 mobile applications”. According to the report, these 500 apps could allow the company to “track the movements of hundreds of millions of mobile phones world-wide.” Nonetheless, Anomaly Six alleges that it is just leveraging detailed location data that it has obtained lawfully.

The Allegations

The company draws location data through its Software Development Kit (SDK), which it developed. The report states that Anomaly Six paid mobile app developers to include this mobile location tracking software in their apps. App developers often allow third-party companies to insert SDKs into their apps as this constitutes a lucrative revenue stream. In such deals, app developers get part of the revenue the SDK maker receives upon selling the consumer data collected with the app.

The report notes “According to interviews with numerous people in the industry, there is little regulation in the U.S. about the buying and selling of location data, leading to what one industry veteran called ‘the Wild West.’ Consumers have come to expect free apps, and app makers have turned to selling user data to pay for the costs of developing and running the software.”

It is alleged that anomaly Six aggregates the anonymized data collected through the mobile phone apps and sells it to the US government. This is made possible by the fact that the data is anonymized, and thus not personally identifiable. However, although the data being sold is anonymized, experts state that it is not difficult to ascertain to whom a phone belongs once enough data about an individual is collected. “In the data drawn from apps, each cellphone is typically represented by an alphanumeric identifier that isn’t linked to the name of the cellphone’s owner. But the movement patterns of a phone over time can allow analysts to deduce its ownership – for example, where the phone is located during the evenings and overnight is likely where the phone-owner lives,” explains the report.

The collection of location data through mobile phone apps without the owners’ explicit consent appears to be legal. At least that is the case in the US. Except for in California where the CCPA Privacy Act provides residents some protection. In Europe this would be illegal thanks to the introduction of the General Data Protection Regulation (GDPR) in May 2018.

In the US, app developers do not need to disclose deals such as that with Anomaly Six to users. Nor do they need to disclose that the data collected via the app could be sold to the US Government. This is deemed legal in the US since the data collected by Anomaly Six is technically anonymous and the company is not selling the data for advertising or marketing purposes.

The government’s access to this location data has many privacy experts worried. It raises questions among them about American citizens’ privacy and what kind of information corporations are collecting. They also question what these corporations are doing with the information. There was a huge outcry only a few months ago when Google was sued for a similar offense.

US Government Interest in Location Data

The question remains, why does the US Government want this data? Do they want it for law enforcement purposes or just to keep tabs on its citizens? Is the US using the data for counter terrorism purposes, that is the usual reason given for spying?

Anomaly Six would not answer these questions citing confidentiality reasons. However, some analysts believe that the Trump administration is using the data for immigration and border enforcements. Some have stated that the data is likely being used to generate leads about possible illegal border crossings and the detection or tracking of migrant groups.

It is interesting to note that this report suggests that the US Government is doing to its citizens what they have always accused China of doing. It is tracking its citizens without their knowledge, which is a human rights abuse. Furthermore, in recent times, it banned US business from trading with Huawei and ZTE for these companies’ links to their Chinese Government. However, the report alleges that the US Government has the same links with Anomaly Six. In addition, the US Government has forced the sale of TikTok’s American operations because it claims this Chinese app collects American users’ data. However, WSJ’s report now suggests the US Government is guilty of just the same offence.

Opting Out

Unfortunately, Anomaly Six would not disclose the name of the apps into which it has embedded its SDK. Nor was The WSJ able to ascertain this, despite their best efforts. Consequently, since there is no way of knowing which apps include Anomaly Six’s SDK, users cannot opt out of giving these apps access to track their location.

Information technology expert
Grace is an information technology expert who joined the VPNoverview team in 2019, writing cybersecurity and internet privacy-based news articles. Due to her IT background in legal firms, these subjects have always been of great interest to her.