29 votes

How the Pentagon learned to use targeted ads to find its targets—and Vladimir Putin

5 comments

  1. skybrian
    From the article, which is adapted from a book that came out recently:

    In 2019, a government contractor and technologist named Mike Yeagley began making the rounds in Washington, DC. He had a blunt warning for anyone in the country’s national security establishment who would listen: The US government had a Grindr problem.

    ...

    As he would explain in a succession of bland government conference rooms, Yeagley was able to access the geolocation data on Grindr users through a hidden but ubiquitous entry point: the digital advertising exchanges that serve up the little digital banner ads along the top of Grindr and nearly every other ad-supported mobile app and website. [...] In some cases, it’s making your precise location available in near-real time to both advertisers and people like Mike Yeagley, who specialized in obtaining unique data sets for government agencies.

    Working with Grindr data, Yeagley began drawing geofences—creating virtual boundaries in geographical data sets—around buildings belonging to government agencies that do national security work. That allowed Yeagley to see what phones were in certain buildings at certain times, and where they went afterwards. He was looking for phones belonging to Grindr users who spent their daytime hours at government office buildings. If the device spent most workdays at the Pentagon, the FBI headquarters, or the National Geospatial-Intelligence Agency building at Fort Belvoir, for example, there was a good chance its owner worked for one of those agencies. Then he started looking at the movement of those phones through the Grindr data. When they weren’t at their offices, where did they go? [...]

    Intelligence agencies have a long and unfortunate history of trying to root out LGBTQ Americans from their workforce, but this wasn’t Yeagley’s intent. He didn’t want anyone to get in trouble. No disciplinary actions were taken against any employee of the federal government based on Yeagley’s presentation. His aim was to show that buried in the seemingly innocuous technical data that comes off every cell phone in the world is a rich story—one that people might prefer to keep quiet. Or at the very least, not broadcast to the whole world. And that each of these intelligence and national security agencies had employees who were recklessly, if obliviously, broadcasting intimate details of their lives to anyone who knew where to look.

    As Yeagley showed, all that information was available for sale, for cheap. And it wasn’t just Grindr, but rather any app that had access to a user’s precise location—other dating apps, weather apps, games. Yeagley chose Grindr because it happened to generate a particularly rich set of data and its user base might be uniquely vulnerable.

    ...

    But Yeagley’s point in these sessions wasn’t just to argue that advertising data presented a threat to the security of the United States and the privacy of its citizens. It was to demonstrate that these sources also presented an enormous opportunity in the right hands, used for the right purpose. When speaking to a bunch of intelligence agencies, there’s no way to get their attention quite like showing them a tool capable of revealing when their agents are visiting highway rest stops.

    ...

    There are some limits and safeguards on all this data. Technically, a user can reset their assigned advertising ID number (though few people do so—or even know they have one). And users do have some control over what they share, via their app settings. If consumers don’t allow the app they’re using to access GPS, the ad exchange can’t pull the phone’s GPS location, for example. (Or at least they aren’t supposed to. Not all apps follow the rules, and they are sometimes not properly vetted once they are in app stores.)

    ...

    The discovery that there was extensive data in Syria was a watershed. No longer was advertising merely a way to sell products; it was a way to peer into the habits and routines of billions. “Mobile devices are the lifeline for everyone, even refugees,” Yeagley said.

    ...

    Just as UberMedia was operating in a bit of a gray zone, PlanetRisk had likewise not been entirely forthright with UberMedia. To get the Aleppo data, Yeagley told UberMedia that he needed the data as part of PlanetRisk’s work with a humanitarian organization—when in fact the client was a defense contractor doing research work funded by the Pentagon. (UberMedia’s CEO would later learn the truth about what Mike Yeagley wanted the data for. And others in the company had their own suspicions. “Humanitarian purposes” was a line met with a wink and nod around the company among employees who knew or suspected what was going on with Yeagley’s data contracts.)

    ...

    They realized they could track world leaders through Locomotive, too. After acquiring a data set on Russia, the team realized they could track phones in the Russian president Vladimir Putin’s entourage. The phones moved everywhere that Putin did. They concluded the devices in question did not actually belong to Putin himself; Russian state security and counterintelligence were better than that. Instead, they believed the devices belonged to the drivers, the security personnel, the political aides, and other support staff around the Russian president; those people’s phones were trackable in the advertising data. As a result, PlanetRisk knew where Putin was going and who was in his entourage.

    ...

    Most alarmingly, PlanetRisk began seeing evidence of the US military’s own missions in the Locomotive data. Phones would appear at American military installations such as Fort Bragg in North Carolina and MacDill Air Force Base in Tampa, Florida—home of some of the most skilled US special operators with the Joint Special Operations Command and other US Special Operations Command units. They would then transit through third-party countries like Turkey and Canada before eventually arriving in northern Syria, where they were clustering at the abandoned Lafarge cement factory outside the town of Kobane.

    It dawned on the PlanetRisk team that these were US special operators converging at an unannounced military facility. Months later, their suspicions would be publicly confirmed; eventually the US government would acknowledge the facility was a forward operating base for personnel deployed in the anti-ISIS campaign.

    ...

    Locomotive, the first version of which was coded in 2016, blew away Pentagon brass. One government official demanded midway through the demo that the rest of it be conducted inside a SCIF, a secure government facility where classified information could be discussed. The official didn’t understand how or what PlanetRisk was doing but assumed it must be a secret. A PlanetRisk employee at the briefing was mystified. “We were like, well, this is just stuff we’ve seen commercially,” they recall. “We just licensed the data.” After all, how could marketing data be classified?

    ...

    Other governments’ intelligence agencies have access to this data as well. Several Israeli companies—Insanet, Patternz, and Rayzone—have built similar tools to VISR and sell them to national security and public safety entities around the world, according to reports. Rayzone has even developed the capability to deliver malware through targeted ads, according to Haaretz.

    Which is to say, none of this is an abstract concern—even if you’re just a private citizen. I’m here to tell you if you’ve ever been on a dating app that wanted your location or if you ever granted a weather app permission to know where you are 24/7, there is a good chance a detailed log of your precise movement patterns has been vacuumed up and saved in some data bank somewhere that tens of thousands of total strangers have access to. That includes intelligence agencies. It includes foreign governments. It includes private investigators. It even includes nosy journalists. (In 2021, a small conservative Catholic blog named The Pillar reported that Jeffrey Burrill, the secretary general of the US Conference of Catholic Bishops, was a regular user of Grindr. The publication reported that Burrill “visited gay bars and private residences while using a location-based hookup app” and described its source as “commercially available records of app signal data obtained by The Pillar.”)

    20 votes
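The geofence-and-follow workflow quoted above, together with the two safeguards the excerpt mentions (denying the app GPS and resetting the advertising ID), as an added Python example written for this thread; it is not code from the article, the book, or any company named, and every record, coordinate and ID in it is constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records in bidstream shape: (advertising_id, lat, lon, ISO timestamp).
# Coordinates and IDs are made up and do not correspond to any real building or device.
RECORDS = [
    ("dev-A", 38.8712, -77.0560, "2024-03-04T10:05:00"),  # Mon, working hours, inside fence
    ("dev-A", 38.8714, -77.0558, "2024-03-05T11:30:00"),  # Tue
    ("dev-A", 38.8710, -77.0562, "2024-03-06T09:50:00"),  # Wed
    ("dev-A", 38.9001, -77.0203, "2024-03-05T20:15:00"),  # Tue evening, elsewhere
    ("dev-B", 38.8713, -77.0559, "2024-03-04T12:00:00"),  # a one-off visitor
    ("dev-B", 38.9500, -77.1000, "2024-03-05T19:00:00"),
]
# Constructed geofence as a bounding box: (lat_min, lat_max, lon_min, lon_max).
FENCE = (38.8700, 38.8725, -77.0575, -77.0545)

def in_fence(lat, lon, fence=FENCE):
    lat_min, lat_max, lon_min, lon_max = fence
    return lat_min <= lat <= lat_max and lon_min <= lon <= lon_max

def likely_employees(records, fence=FENCE, min_days=3):
    """IDs seen inside the fence during working hours on at least min_days distinct weekdays."""
    days = defaultdict(set)
    for ad_id, lat, lon, ts in records:
        t = datetime.fromisoformat(ts)
        if t.weekday() < 5 and 8 <= t.hour < 18 and in_fence(lat, lon, fence):
            days[ad_id].add(t.date())
    return {ad_id for ad_id, d in days.items() if len(d) >= min_days}

def evening_locations(records, ad_ids, fence=FENCE):
    """Where flagged IDs turn up outside the fence after hours (the 'where did they go' step)."""
    out = defaultdict(set)
    for ad_id, lat, lon, ts in records:
        if ad_id in ad_ids and not in_fence(lat, lon, fence) and datetime.fromisoformat(ts).hour >= 18:
            out[ad_id].add((round(lat, 3), round(lon, 3)))
    return dict(out)

def coarsen(records, decimals=1):
    """Safeguard 1: the app was denied GPS, so only coarse (~10 km) location reaches the exchange."""
    return [(i, round(la, decimals), round(lo, decimals), ts) for i, la, lo, ts in records]

def rotate_ids(records):
    """Safeguard 2: the advertising ID is reset daily, so records from different days cannot be joined."""
    return [(f"{i}:{ts[:10]}", la, lo, ts) for i, la, lo, ts in records]
```

On the raw records only dev-A is flagged and followed; after either safeguard the same records flag nobody, which is exactly what the excerpt's "limits and safeguards" buy the user.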
  2. blindmikey
    This is affecting the medical industry as well: advertising campaigns, as innocent as they are, are leaking similarly sensitive data, allowing bad actors to gain sensitive medical data about patients. Sometimes these third-party ad trackers are installed on health portals supplied by hospitals, where even more sensitive data is being leaked.

    9 votes