Venntel, a government contractor that sells location data of smartphones to U.S. law enforcement agencies including ICE, CBP, and the FBI, gathers information through a highly complex supply chain of advertising firms, data resellers, and ultimately innocuous-looking apps installed on peoples’ phones around the world, according to a cache of documents obtained by Norwegian media organization NRK and shared with Motherboard.

Although it’s not clear if Venntel ultimately provides all data generated from this specific supply chain to agencies such as ICE, the documents provide much deeper and previously unreported insight into how data moves from apps, middlemen companies, and through to data brokers. In this case, Venntel.

“I don’t think people understand just to what degree your location tells you everything you need to know about someone’s life; just how invasive that is,” a source who previously worked at another location data firm that has contracts with U.S. law enforcement and military agencies told Motherboard. Motherboard granted the source anonymity to protect them from retaliation from the company they work for.

Do you work at Venntel, Babel Street, or other company providing location data to the government? Did you used to? Do you know anything else about the sale of location data? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

In February, The Wall Street Journal reported that Venntel had sold access to smartphone location data to ICE and CBP. ICE used the data to identify immigrants who were later arrested and CBP used Venntel’s product to find cell phone activity in unusual places, such as remote sections of the U.S.-Mexico border, the report said.

Since then, Motherboard found that the Venntel data is “global,” according to a CBP document Motherboard obtained. The IRS has also used Venntel’s data, and is currently under investigation by the Inspector General for doing so without a warrant. Public procurement records show Venntel has also sold products to the DEA and FBI.

The new documents, obtained by NRK through legal requests as part of the General Data Protection Regulation (GDPR)—Europe’s privacy legislation—name specific data brokers that ultimately help send information to Venntel, and provide the first public sketch of the firm’s supply chain.

The process starts with particular apps. In this case, Martin Gundersen from NRK installed a number of apps onto an Android device, including some from map navigation company Sygic such as “Sygic GPS Navigation & Offline Maps” which has over 50 million downloads according to its Google Play Store page. NRK also installed another separate app called “Fu*** Weather (Funny Weather),” which has also been downloaded more than 1 million times.

With a GDPR request, a European resident can request information from a company such as the third parties their personal data is disclosed to. In response to such a request, Sygic said it shared personal data with two firms called Complementics and Predicio.

Complementics is a U.K. and U.S. based location firm that “monetizes data internationally,” according to its website. Predicio, meanwhile, is based in Paris and offers “ultra granular location data at scale,” one of its product descriptions reads.

At least some app developers that work with these companies are not aware where their users’ data ultimately travels to once it has landed with the middlemen companies.

“Predicio shares data with many companies and those may share the information with others and so on. Therefore, it’s practically impossible for me to know about each possible data flow,” Lawiusz Fras, the developer of the Fu*** Weather app, told Motherboard in an email.

“My cooperation with Predicio is intended to cover the expenses of Fu*** Weather’s operation, especially the fees I pay for weather data. One may not be aware that every user of the app generates not only revenue but also costs,” Fras added.

A subsequent GDPR response from large mobile advertising company Gravy said that it obtains data from Complementics and Predicio. In turn, Gravy said in its own GDPR response that it provided the data to Venntel, the contractor which includes ICE as a client.

“To date, the only Gravy customer who has received your personal data is Venntel, Inc.,” the Gravy response reads. Venntel is a wholly-owned subsidiary of Gravy. The Venntel web domain was also at one point registered to a Gravy email address, according to historical online records. 

A graphic showing how data moves from apps like Fu*** Weather or those made by Sygic to middlemen companies, before being sold to Gravy Analytics, ultimately arriving with Venntel. Image: Martin Gundersen/NRK.

In an email to Motherboard, Walter Harrison, co-founder of Complementics, said “Gravy is not authorized to share and has committed by contract that it will not share any data it receives from Complementics directly or indirectly with any U.S. government intelligence, immigration enforcement, or law enforcement agency.” The company does still work with Gravy however: as part of the GDPR requests the companies provided several spreadsheets which contained the location data they held on NRK’s Gundersen. In those, the same particular identifier for the specific app that the location data came from appears in the Complementics, Gravy, and Venntel spreadsheets, linking the three companies together further.

The data provided by Gravy and Venntel also mentioned “Fu*** Weather,” showing how data traveled from that particular app ultimately to the companies.

In an email to NRK, Venntel said that “Venntel has not shared your data with ICE or CBP,” referring specifically to the location data Venntel ultimately obtained from Gundersen’s Android phone. It is not clear whether this is due to the data being sourced from a European-based phone, whether ICE or CBP did not specifically purchase access to data from that region, or some other technical reason. Venntel did not respond to Motherboard’s request for comment.

In its GDPR response, Venntel said it had provided Gundersen’s personal information to “commercial third-party customers, who provide data analytics services to their customers.”

“It’s practically impossible for me to know about each possible data flow.”

When asked if they had any issue with their users’ data ending up with a U.S. law enforcement contractor, Fras, the developer of the Fu*** Weather app, said “I wouldn’t like to comment [on] Venntel and their practices, as I haven’t reviewed all the available information about their business. Even if I had, I’m afraid that I wouldn’t be the right person to judge them.”

Predicio and Sygic did not respond to Motherboard’s request for comment. Sygic told NRK in an email that “Based on the information you provided, it is not clear that the source of data Venntel has about you is Sygic GPS Navigation. If proven to be true, it is a breach of the contracts we have with the respective partners.”

The supply chain also suggested a connection to X-Mode, a company that pays app developers to install location data harvesting code into their apps. Earlier this month Motherboard revealed how X-Mode was collecting data and selling it to U.S. defense contractors, and by extension, the U.S. military. One app providing data to X-Mode was Muslim Pro, a Quran app with over 98 million downloads, according to the app’s website.

Included on X-Mode’s Trusted Partner page, which lists recipients of location data it collects, is Complementics, which as the GDPR requests showed has worked with Gravy, and by extension Venntel.

An X-Mode spokesperson told Motherboard in an email that “Complementics has confirmed to us that they do not make available X-Mode data to Venntel, or for any government usage.  Doing so would violate their agreement with us.”

In a statement, Senator Ron Wyden said “Venntel has stonewalled Congress for months and refused to identify the sources of the data it is selling to Customs and Border Protection and other government agencies. The U.S. needs far stronger laws to protect Americans’ privacy, and ensure transparency about where our data is going.”

“I’m introducing the Fourth Amendment is Not For Sale Act soon to ensure shady data brokers don’t let the government shortchange Americans’ rights,” the statement added.

Wyden’s office has conducted its own investigations into Venntel and the wider location data industry. The House Committee on Oversight and Reform is also investigating the company.

On Wednesday, the Wall Street Journal reported that the DHS’ own watchdog said it was formally investigating the agency’s use of location data.

“The audit is to determine if the Department of Homeland Security (DHS) and its components have developed, updated, and adhered to policies related to cell-phone surveillance devices,” Joseph V. Cuffari, the Inspector General, wrote in a recent letter.

Also on Wednesday, the American Civil Liberties Union (ACLU) filed a lawsuit with the DHS, CBP, and ICE seeking documents related to the agency’s use of location data.