By Byron Tau, Andrew Mollica, Patience Haggin and Dustin Volz
Technology embedded in our phones and computers to serve up ads can also end up serving government surveillance.
Information from mobile-phone apps and advertising networks paints a richly detailed portrait of the online activities of billions of devices. The logs and technical information generate valuable cybersecurity data that governments around the world are eager to obtain. When combined with classified data in government hands, it can yield an even more detailed picture of an individual's behaviors both online and in the real world. A recent U.S. intelligence-community report said the data collected by consumer technologies expose sensitive information on everyone "in a way that far fewer Americans seem to understand, and even fewer of them can avoid."
The Wall Street Journal identified a network of brokers and advertising exchanges whose data was flowing from apps to Defense Department and intelligence agencies through a company called Near Intelligence. This graphic puts those specific examples in the context of how such commercially available information -- bought, sold or captured by dozens of entities -- can end up in the hands of intermediaries with ties to governments.
Near Intelligence, based in India with offices in the U.S. and France, was until earlier this year obtaining data from other brokers and advertising networks. It had several contracts with government contractors that were then passing that data to U.S. intelligence agencies and military commands, according to people familiar with the matter and documents reviewed by the Journal.
Near was surreptitiously obtaining data from numerous advertising exchanges, the people said, and claimed to have data about more than a billion devices. When contacted by the Journal, several ad exchanges said they have cut Near off for violations of their terms of service. The exchanges told the Journal that their data is meant to help target ads, not for other purposes.
Privacy, legal and compliance specialists inside Near warned the company's leadership that it didn't have permission to save real-time bidding data and resell it this way, especially in the wake of tough new European privacy standards that came into place in 2018, the people said. Those specialists also warned the company that indirect sales to intelligence-community clients were a reputational risk. Near's leadership didn't act on those warnings, the people said.
In an email viewed by the Journal, Near's general counsel and chief privacy officer, Jay Angelo, wrote to CEO Anil Mathews that the company was facing three privacy problems. "We sell geolocation data for which we do not have consent to do so...we sell/share device ID data for which we do not have consent to do so [and] we sell data outside the EU for which we do not have consent to do so."
In another message, Angelo called the transfer of European Union data a "massive illegal data dump," adding that the U.S. federal government "gets our illegal EU data twice per day."
A spokesman for Near didn't respond to questions about the messages. The company last week told the Securities and Exchange Commission that Mathews and several other executives had been placed on administrative leave while the board investigates allegations of financial wrongdoing. The spokesman didn't say whether the matter was related to Near's sale of ad-tech data to government contractors.
In a statement, Angelo said Near had over the past year "taken deliberate measures to safeguard privacy," including ending customer relationships that were inconsistent with its values, which forbid Near's data from being used for law enforcement, tracking or surveilling. Near didn't make him available for an interview.
"We are continuously improving our systems for preventing misuse of our data by customers," Near said in a statement.
Other brokers that compete with Near also have done robust business with government contractors, the Journal has previously reported.
Many Near staff were told that the agreements with government contractors were for "humanitarian purposes," people said. Advertising exchanges it worked with told the Journal they had no knowledge of Near asking permission to license their data to a government entity, which wasn't allowed under their agreements with the company.
In another instance, Near contracted with a government-linked client, nContext, that described itself as a digital-marketing company, highlighting commercial work on its website for clients such as a Philadelphia cultural center and New York City's 92nd Street Y.
Corporate ownership records show nContext is a wholly owned subsidiary of defense contractor Sierra Nevada. Federal contracting records show that nContext is a subcontractor on several large intelligence and defense data contracts.
The Defense Counterintelligence Security Agency, part of the Defense Department, confirmed it signed a contract with Sierra Nevada in 2020 in an effort "to better analyze publicly available data and government information to identify cyber threats to cleared contractors." A pilot program the following year included ad data supplied by nContext but was discontinued, a spokeswoman said, adding: "DCSA did not collect any information that would identify people."
Sierra Nevada and nContext didn't respond to requests for comment. Two other government contractors that were licensing Near's data, Aelius and Bazze, also didn't respond to requests for comment.
The National Geospatial-Intelligence Agency, also part of the Defense Department, lawfully procured data and services from commercial vendors to support a "wide variety of missions" including foreign intelligence, humanitarian assistance and navigational safety, a spokeswoman said, and an Air Force spokeswoman said cyber and intelligence personnel use publicly available information "in an ethical and legal manner to understand an-ever changing data landscape that could be used by foreign malicious cyber actors to erode U.S. national security."
The National Security Agency declined to comment. The Defense Department declined to comment on the contract with Joint Special Operations Command.
The U.S. has no comprehensive national privacy law, and therefore no outright prohibition on the collection and resale of such data to private- or public-sector entities. While such contracts for commercially available information are generally unclassified and require no special authority, its use by U.S. agencies for national-security purposes was until recently a closely held secret.
The U.S. intelligence-community report, made public in June and produced by the Office of the Director of National Intelligence, said there is commercially available information "on nearly everyone that is of a type and level of sensitivity that historically could have been obtained" through targeted collection methods such as wiretaps, cyber espionage or physical surveillance.
Now ODNI is completing a framework to govern U.S. intelligence agencies' use of such information, said spokeswoman Nicole de Haay.
"We will publicly share as much of this framework as possible," she said.
Write to Byron Tau at byron.tau@wsj.com, Andrew Mollica at andrew.mollica@wsj.com, Patience Haggin at patience.haggin@wsj.com and Dustin Volz at dustin.volz@wsj.com
(END) Dow Jones Newswires
October 13, 2023 08:23 ET (12:23 GMT)
Copyright (c) 2023 Dow Jones & Company, Inc.