This article was produced with support from the Capitol Forum.
A location data company is asking police for the address of specific people’s doctors in case that can be useful in finding their mobile phone in a massive set of peoples’ location data, according to a document provided to U.S. law enforcement and obtained by 404 Media.
The document is a “Project Intake Form” that asks police for information about the person of interest they would like to track, such as biographical information and known locations, including family and friends’ addresses and doctors offices they may visit. It shows that, in a time when surveillance of abortion and reproductive health clinics could rise in a post-Roe America, companies providing monitoring tools to the government are prepared to use healthcare information to track down targets. The company is called Fog Data Science, and its product uses location data harvested from smartphones either through ordinary apps or the advertising ecosystem. In 2022 the Electronic Frontier Foundation (EFF) revealed Fog had sold its phone tracking technology to multiple U.S. agencies, including local police. The document is included in a set of emails from March this year that 404 Media obtained through a public records request, showing the company is still pitching its technology to local law enforcement.
“Your objectives help us target what you want most. Details about the POI [person of interest] help us eliminate devices more efficiently,” the document reads. It then asks for details on the target, such as their name or known aliases, their link to criminal activity, their “distinguishing characteristics” such as their “gender, ethnicity, religion.”
It then asks for physical locations that the person is known to frequent, likely to identify mobile phones that have repeatedly been in those locations and determine the person’s other movements. “Any link of the POI to a location at a date and/or time helps us,” Fog writes. “It can be a gym, house of worship, lunch spot, coffee house, sports arena.” The document says latitude and longitude coordinates are useful, but that Fog works with addresses too.
On the following page, Fog writes “locations a POI may visit are valuable, even without dates/times.” The form then lists family’s homes, friends’ homes, and doctor or lawyer offices as potential options.
Screenshots of the Project Intake Form. Image: 404 Media.
The form was included in an email thread between a Fog representative and Bryan Kimbell, chief human trafficking investigator at the Office of the Attorney General in Georgia. The Office of the Attorney General did not respond to a request for comment. Neither did Fog.
In its 2022 investigation, the EFF found Fog claimed to have “billions” of data points concerning more than 250 million devices. Users of that data can log into a map-like interface called Fog Reveal to interact with it. What makes Fog different from other companies in the location data space, such as Babel Street, Venntel, and Anomaly 6, is that Fog sells its tool for relatively cheap and to local and state agencies. The EFF found Fog sells the tool to highway patrols and county sheriffs for less than $10,000 a year.
As a point of comparison, a recent contract 404 Media obtained between the Environmental Protection Agency and Venntel cost $100,000 for one year of API access to Venntel’s dataset. There were also indications in the documents obtained by EFF that Fog obtains its underlying dataset from Venntel, something which was also the case for Babel Street. Those emails also showed Fog assisting law enforcement with looking for certain targets, and that the company offers its services to law and investigation firms. Last week, the FTC announced a series of actions against Venntel and its parent company Gravy Analytics, including a ban on the companies selling sensitive location data. Sensitive locations include health facilities, refugee shelters, and places of worship.
Healthcare facility visits are an especially hot button privacy issue. In 2022, I found a location data firm called Safegraph was selling information related to visits to Planned Parenthood facilities, which showed where groups of people came from, how long they stayed there, and ultimately where they went afterwards. In response, Safegraph stopped selling that data. Later that year, Safegraph closed its data shop entirely.
I also reported that another location data firm called Placer.ai was offering access to multiple caches of data that showed where people who visited Planned Parenthood clinics approximately lived. Placer removed the ability to search for Planned Parenthood related data when I contacted the company for comment.
In October 404 Media and a group of other media outlets published the starkest evidence yet that such location data tools can be used by authorities to target abortion clinics after privacy advocates gained access to Babel Street’s Locate X tool and performed lookups. Those included lookups that allowed the tracking of specific devices to an abortion clinic across state lines.
