This article was produced with support from the Capitol Forum.
On a computer screen a map shows the movements of smartphones around the globe. Zooming into an abortion clinic in the south of the United States, the online tool shows more than 700 red dots over the clinic itself, each representing a phone, and by extension, a person.
The tool, called Locate X and made by a company called Babel Street, then narrows down to the movements of a specific device which had visited the clinic. This phone started at a residence in Alabama in mid-June. It then went by a Lowe’s Home Improvement store, traveled along a highway, went past a gas station, visited a church, crossed over into Florida, and then stopped at the abortion clinic for approximately two hours. They had only been to the clinic once, according to the data.
The device then headed back, and crossed back over into Alabama. The tool also showed their potential home, based on the high frequency at which the device stopped there. The tool clearly shows this home address on its map interface.
In other words, someone had traveled from Alabama, where abortion is illegal after the June 2022 overturning of Roe v. Wade, to an abortion clinic in Florida, where abortion is limited but still available early in a pregnancy. Based on the data alone, it is unclear who exactly this person is or what they were doing, whether they were receiving an abortion themselves, assisting someone seeking one, or going to the clinic for another reason. But it would be trivial for U.S. authorities, some of which already have access to this tool, to go one step further and unmask this or other abortion clinic visitors.
The demonstration, performed by a group of privacy advocates that gained access to the tool and leaked videos of it to 404 Media and other journalists, shows in the starkest terms yet how Locate X and other tools based on smartphone location data sold to various U.S. government law enforcement agencies, including state entities, could be used to monitor abortion clinic patients. This comes as more states contemplate stricter or outright bans on abortion. Alabama wants to prosecute people who help others get abortions out of state, Idaho and Tennessee have passed “abortion trafficking” laws that have been blocked by courts from going into effect but which anti-abortion politicians want revived, and cities in Texas have considered an unconstitutional law that would ban people from using city roads for traveling to get an abortion. Last month, Texas attorney general Ken Paxton sued to block federal privacy rules that stop investigators from accessing the medical records of people who travel out of the state to seek an abortion.
It also comes before a U.S. election in which access to abortion is on the ballot in 10 states, including Florida, and is one of the most important issues in the presidential election.
The videos also show that while Apple and Google have taken steps either to stymie the flow of location data in general, or remove sensitive locations like abortion clinics from their own banks of data, the highly sensitive movements of visitors to clinics or essentially any other location are still exposed on a massive scale and finding their way into tools used by U.S. law enforcement. Through a complex data supply chain involving apps or ads on a phone, peoples’ movements are included in Locate X as a side-product of the mobile advertising system.
And all of this tracking is possible without a warrant.
“Warrantless law enforcement access to digital information related to reproductive health care, including location data, threatens reproductive freedom,” Ashley Emery, senior policy analyst, reproductive health and rights at the non-profit the National Partnership for Women & Families, told 404 Media. “If law enforcement can bypass court approval needed to obtain sensitive data and instead use this new surveillance tool to track pregnant people and build cases against them, the implications for abortion and pregnancy criminalization are alarming. This risk is especially salient for Black women, brown women, and low-income women, who are already over-surveilled and over-policed.”
Atlas Privacy, a data removal company that is also suing various data brokers using a novel New Jersey law that protects the addresses of police, judges, prosecutors and their families, gained access to a free trial of Locate X, performed lookups of sensitive locations, and shared videos of those lookups with journalists from 404 Media, NOTUS, Haaretz, Krebs on Security, and the New York Times. Crucially, although Babel Street primarily sells Locate X to law enforcement or government agencies, a private investigator who works with Atlas was able to access the free trial by saying they were an investigator who may work with the government in the future, and not a current law enforcement official. No caveats were given on using the tool, such as locations or use cases, Atlas said.
In a document available online, Babel Street says the tool brings results of its products “into the physical world.”
FROM STATE TO STATE
In addition to the person who crossed state lines to visit the abortion clinic, Atlas was also able to track a phone that they believe may belong to a clinic employee. After selecting a tick box and clicking a button that says “search selected device(s),” Locate X showed the device visited the clinic many times. In this case, Locate X had more than 88,000 “signals,” or locations, for that specific phone.
404 Media is not naming the abortion clinic to protect it from retaliation. But Florida, where the clinic is located, is holding a vote on whether or not abortion should be a state constitutional right. At the time of writing, Florida has a six-week ban on abortion. The vote, if successful at enshrining that right into law, would remove that restriction.
In Alabama, where one of the devices going to the abortion clinic originated and abortion is illegal with very limited exceptions, the governor has threatened to criminally charge organizations that help people get abortions out of the state. Many healthcare clinics that provide abortions also provide many other healthcare treatments and resources.
Eva Galperin, director of cybersecurity at privacy activist group the Electronic Frontier Foundation, said she was “extremely concerned about fishing expeditions, about dragnet surveillance of people crossing state lines in order to go to neighboring states in order to get abortion care.”
“Specifically, Republican officials from states that have outlawed abortion have made it clear that they are interested in targeting people who have gone to neighboring states in order to get abortions, and to make it more difficult for people who are seeking abortions to go to neighboring states,” Galperin added. She said it was not a leap to imagine states using technology like Babel Street in that context. Authorities have already obtained direct messages from Facebook in the prosecution of a teenager who had a self-managed abortion.
Armed with the information in Locate X, it would be easy for authorities to then reveal the identities of people who traveled to abortion clinics, either using their standard legal powers or access to other common commercially available tools. The Locate X data also includes devices’ mobile advertising identifiers (MAIDs), which are unique codes assigned to each phone by its operating system. An industry exists which sells the potential real name of a person using a MAID, shattering their presumed anonymity.
The demonstration videos show that Locate X has various features that can make interpreting the location data easy. Clicking an option called “clustered” shows the device’s most frequently visited locations, which often pinpoints a residential address or place of work. The “animation” feature shows point-by-point where a device traveled inside a specific time period, rather than displaying all of the locations at once. A “signal proximity check” shows which other nearby locations the device went to in a short period of time. And users can set a specific search to “active” which will provide “a daily run to check for updates.” Meaning, that a user could monitor the abortion clinic or other locations for signs of new visitors. The data itself has a delay of around two to three days and results can take a few minutes or even up to 40 minutes to display results, according to the tests. The tool can cost around $28,000, according to procurement documents.
404 Media is highlighting the use case of tracking vulnerable people traveling to abortion clinics because it is a form of travel that some states have specifically proposed criminalizing. But Locate X can analyze a dizzying array of other locations that have alarming implications.
Another lookup that Atlas performed focused on a parking lot in New Jersey reserved for jurors. The Locate X data is so granular that it is able to pinpoint devices that were inside that parking lot. From that, Atlas was able to track a potential jury member from a residence to the parking lot, through the court, to a diner likely to get lunch, back to the courtroom, a bagel place, and then back to the residence. Meaning, this tool could potentially be used to unmask the identities of jurors in trials too.
Demonstrating that the tool did not place restrictions on targeting places of worship, Atlas performed a search on the Sinai Temple, a synagogue in Los Angeles. That search returned nearly 9,000 devices. Another search on the Islamic Center of America, a mosque in Dearborn, Michigan, returned 8,840 devices and nearly 100,000 signals over a span of two years. Atlas then searched for where else 100 of those devices had been, and revealed locations across the United States, and then others in Canada, Lebanon, Jordan, and Iraq. Neither the Sinai Temple nor the Islamic Center of America responded to a request for comment.
Atlas also searched a school in Philadelphia, which returned nearly 7,000 devices. Due to the large number of phones, it is unlikely that these only include adult teachers, meaning that Babel Street may be holding onto data belonging to children too.
Finally, Atlas tracked some specific people and families with their consent and who are Atlas users. One of those was Patrick Colligan, a former police officer and union leader, who uses an Android device. Another was Justyna Maloney, a police officer who has faced harassment online and physically, and uses an iPhone.
THE SUPPLY CHAIN
The data ultimately powering tools like Babel Street’s Locate X can come from two main sources. The first are ordinary apps installed on peoples’ phones, whose developers sell their users’ location data to a broker, who then in turn sells it either directly or through a series of middlemen to a company like Babel Street. The other is through a process called real-time bidding, in which members of the online ad industry try to outbid one another to have their advert be delivered to a certain demographic of users. A side effect is that some companies listen in on that process, and harvest location data on unsuspecting swaths of the public.
Previously Babel Street has obtained its underlying data from another company called Venntel, according to an internal Department of Homeland Security document obtained by 404 Media. Venntel has built its banks of location data in part using map navigation and weather apps.
Venntel did not respond to a request for comment. Babel Street did not respond to multiple requests for comment sent to two press representatives and the company’s CEO Michael Southworth. A note at the top of the interface says that by using the tool, “you hereby acknowledge that your use meets one of the Use Case Restrictions,” but Babel Street did not respond to questions asking about what restrictions exist for the tool.
In a Locate X Addendum published by the UK government, Babel Street says “Locate X Data may not be used as the basis for any legal process in any country, including as the basis for a warrant, subpoena, or any other legal or administrative action (nor may the Locate X Data be cited in any court/investigation-related document).” U.S. authorities have already used tools like this to investigate immigration, drug, and other crimes. And even if not formally entered into a court record or similar, the Locate X data can act as a reliable tip to then source more information elsewhere.
Over the last several years, federal and local law enforcement have turned to commercially available smartphone location data for a variety of investigative use cases. In February 2020, the Wall Street Journal reported that Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE) were using purchased location data for immigration and border enforcement. A month later, tech publication Protocol first revealed the existence of Babel Street’s Locate X, and reported that the Secret Service, ICE, and CBP also use the technology. When I was at Motherboard, I reported how the U.S. military was paying for Locate X, as well as tapping into a data supply chain that ultimately sourced some of the location information from a Muslim prayer app. I also found that a military unit that conducts drone strikes bought the tool, as did the Florida state prison system. The Office of the Inspector General found last year that CBP, ICE, and the Secret Service used commercial location data illegally, including in one case where a CBP official tracked coworkers with no investigative purpose.
The newly obtained videos, though, are the first time the public is seeing what exactly the Locate X tool looks like, what its true capabilities are, and what specific sensitive locations it can be used to target.
Atlas said it employs internal and external investigators to check whether data brokers comply with its data nondisclosure requests, which it demands under New Jersey law. As part of that, one of its investigators contacted Babel Street seeking the home addresses in certain areas of New Jersey, Atlas said. During a sales pitch, a Babel Street salesperson asked the investigator if they would be interested in Locate X, Atlas added. Babel Street told the investigator it offers Locate X to the government or “contractors of the government.” The investigator said they were contemplating some government contract work in the future, to which the salesperson said “that’s good enough” and “they don’t actually check,” Atlas said.
“Despite accessing dozens of high-risk targets and sensitive locations in a short period of time, he was never contacted by Babel Street to inquire about his search history or the permissible use of the data,” Atlas said.
Separately, a private investigator source told 404 Media that similar capabilities using commercial smartphone location data have trickled out to his industry. They said they used smartphone location data as part of one of their cases, and provided documents which showed the movements of a phone which was suspected to belong to their target.
This sort of surveillance is only possible because of the mobile advertising ecosystem. Location data is sometimes used to build profiles on device users and better target advertisements to them. Much of that advertising relies on a MAID, the unique advertising ID, on a phone. The MAID acts as the digital glue between a device and its associated data.
But that same underlying system, of Google and Apple linking a unique identifier on the phone to a user’s activity, allows Babel Street and others to build their mass monitoring products. In many cases, a device’s MAID is also displayed inside Babel Street.
“Both Google and Apple can't keep pretending like the mobile advertising IDs broadcasting into the bidstream from hundreds of millions of American devices aren't join keys for tracking people,” Zach Edwards, senior threat analyst at cybersecurity firm SilentPush who has followed the location data industry closely, said. “The privacy risks here will remain until Apple and Google permanently turn off their mobile advertising ID schemes and admit to the American public that this is the technology that has been supporting the global data broker ecosystem.”
Apple and Google have taken different approaches to tackle this sort of monitoring. Apple has a system, available in the iPhone settings, which can block all apps from asking to track a user at once. In July 2022, just weeks after the repeal of Roe v. Wade and the constitutional right to an abortion it provided, Google said it would delete location data showing when users visited an abortion clinic. The fear being law enforcement could demand such data from Google, and that could lead to the identification of abortion seekers. In January, the Guardian reported that Google still retains location history in 50 percent of cases. And that only deals with location data held by Google itself, and not data siphoned off into the location industry by ordinary apps or the advertising system.
Both companies let users configure which apps have access to their location data in their phone’s settings.
A Google spokesperson said in a statement that “Android has clear controls for users to manage app access to device location, and reset or delete their advertising ID. If we learn that someone, whether an app developer, ad tech company or anyone else, is violating our policies, we take appropriate action. Beyond that, we support legislation and industry collaboration to address these types of data practices that negatively affect the entire mobile ecosystem, including all operating systems.”
Apple declined to provide an on the record statement.
When it comes to the MAID, the Apple option to turn off the ability for apps to request to track users appears in a prominent pop-up on the device. Apple said that if a user does this, their MAID (called an IDFA by Apple) is not provided to the requesting app. On Google devices, users have to go deeper into their settings to delete or reset the MAID. Google said once a user does delete it, no MAID is then available to Google or third parties.
Senator Ron Wyden, whose office has investigated the location data industry and pushed for legislation that would stop the purchase of location data without a warrant, specifically pointed at Google for facilitating the type of surveillance performed by Babel Street. He said Google “deserves blame for refusing to follow Apple's lead by removing companies' ability to track phones. Google's insistence on uniquely tracking Android users—and allowing ad companies to do so as well—has created the technical foundations for the surveillance economy and the abuses stemming from it.”
“Whether location data is being used to identify and expose closeted gay Americans, or to track people as they cross state lines to seek reproductive health care, data brokers are selling Americans' deepest secrets and exposing them to serious harm, all for a few bucks. These services could do terrible harm in the hands of MAGA politicians like Donald Trump and JD Vance, who are determined to drag our country backward and rip away the rights of women to make decisions about their own bodies,” Wyden added.
He also criticized the current administration, and said “Congress' failure to regulate data brokers, and the administration's continued opposition to bipartisan legislation that would limit data sales to law enforcement, have created this current privacy crisis.” Wyden previously proposed the Fourth Amendment Is Not For Sale Act which would ban warrantless location data purchases. After initially making progress, the administration opposed the act.
Representative Sara Jacobs, who has proposed a piece of legislation that aims to protect reproductive health data, said in a statement that “There are almost no federal protections for our reproductive and sexual health data. I’m incredibly concerned by all apps, platforms, and entities that retain, sell, and share this sensitive data—especially in the post-Roe era that’s increasingly surveilling and criminalizing abortion.”
“Google should uphold its promises to keep people’s information private and safe, but it shouldn’t be up to companies to do the right thing or for individuals to know how best to protect themselves. That’s why I will continue to push for my bill, the My Body, My Data Act—the only solution in Congress to create a national standard to protect reproductive and sexual health data,” she added.
In recent years the Federal Trade Commission has taken action against multiple companies specifically when it comes to their handling of abortion clinic and places of worship location data. In 2022, the FTC sued a company called Kochava for selling such data. In January, after I revealed that X-Mode was harvesting data from a Muslim prayer app, the FTC banned the company from selling location data related to places of worship and family planning facilities. On Monday, independent researcher Jack Poulson reported that the FTC has opened an investigation into Venntel.
“Federal agencies must continue to use existing rulemaking authority and initiate enforcement actions to protect pregnant people and stop improper disclosures and sales of reproductive health information, including location data,” Emery from the National Partnership for Women & Families said. Without efforts to close this data broker loophole, “law enforcement can sidestep legal process and simply purchase information from data brokers to investigate and prosecute pregnant people for seeking abortion care, or loved ones who help them obtain it.”
A spokesperson for the FTC said “We can’t comment on this specific company’s practices. Speaking generally, the FTC has made it clear, through our recent law enforcement work, that companies that share consumers’ sensitive location data may violate the FTC Act, and we won’t hesitate to take action.”