Skip to:

The Wall Street Journal Features Center for Cyber Innovation Research

July 22, 2020

DrMayIn 2019, a group of Americans was observing the cellphone signals coming from military sites across Eastern Europe.

At one of the locations, the Nyonoksa Missile Test Site in northern Russia, the group identified 48 mobile devices present on Aug. 9, one day after a mysterious radiation spike there generated international headlines and widespread speculation that a Russian missile test had gone wrong.

The Americans were able to track the movements of those devices over time. One went to the Paradisus Varadero Resort and Spa in Varadero, Cuba, for nine days. Others scattered across the country—going to the Russian cities of St. Petersburg and Moscow or to secure Russian military districts in Severodvinsk and Archangel. One went to Ganja, Azerbaijan, which runs along a strategic overland trade corridor between Asia and Europe.

The trackers weren’t professional intelligence analysts with access to secret intercepts. Rather, they were a team of academic researchers in Starkville, Miss., working with their graduate research assistants and undergraduate interns on the campus of Mississippi State University, using a commercially available software program.

The data they used was GPS location information usually drawn from cellphone apps—typically from games, weather services and such—and collected and made available for purchase by the advertising industry.

The effort was a demonstration to the military of the power of commercial cellphone data to provide valuable intelligence. From the data, they could begin to make inferences—Nyonoksa, for instance, had the fewest devices present of any of the three sites they were monitoring, leading them to conclude either that it was more heavily restricted than the other three or that the recent radiation accident had forced an evacuation.

By monitoring cellphones in Russian government buildings and foreign embassies in Moscow, they were able to conclude that no high-level Russian officials or foreign diplomats had visited the test sites recently. And they homed in on the Azerbaijan trip as worthy of future study “because of contentious relations between Russia and Azerbaijan” and the importance of the corridor around Ganja as an overland connection between Europe and Asi.

The researchers’ experiment underscores how the global marketing industry’s practice of collecting and reselling reams of user data, often for marketing and advertising purposes, can be turned toward other ends. The data can be easily purchased and exploited by foreign and domestic national-security agencies, law-enforcement officials and others for surveillance and monitoring.

The sites that the Mississippi State researchers were able to pull cellphone data from were extremely sensitive: Besides drone test facilities, they also were monitoring numerous U.S. and foreign embassies and the Kremlin Senate building in Moscow, documents show.
The team was working on a U.S. Army-sponsored, unclassified, experimental project that sought to leverage “open-source” commercial data for intelligence purposes. The team’s monitoring efforts were described in detail in unclassified documents obtained by The Wall Street Journal from Mississippi State under state open-records laws.
“This project has served as a great opportunity for both undergraduate and graduate students at MSU to develop real-world skills and knowledge that will benefit them greatly as they seek employment in the future,” said David May, the principal investigator on the study and a sociology professor at Mississippi State.

Edric Thompson, a spokesman for the U.S. Army Combat Capabilities Development Command, which funded the project, said it was selected for military funding because it had “good potential use for being able for our soldiers to share information with each other.”
Mr. Thompson said the collection of cellphone location data was permitted under Army regulations so long as no personal characteristics about the phone’s owner were collected. He said the Mississippi State study also included an analysis of the ethical and policy implications about the use of such data that would help inform the military in the future.

The tool that enabled this kind of bird-dogging of personnel at Russian airfields was sold by Babel Street, an open-source intelligence software platform that is widely used by law enforcement, intelligence agencies, military units and private companies. Babel Street has contracts with government agencies big and small—from the Department of Homeland Security and the U.S. military to county police departments across the country.

Babel Street publicly advertises itself as a social-media monitoring service, allowing its law-enforcement, intelligence and military clients to mine public social-media data for leads about criminal activity and do real-time monitoring of unfolding events.

But Babel Street also sells a product called “Locate X”—access to cellphone location data drawn from the advertising industry. The existence of the product, which isn’t described on the company’s website, was revealed in March by the website Protocol. The company didn’t respond to requests for comment.

For the military and intelligence officials, such data can show staffing levels at sensitive sites and movement patterns of officials and give clues about the behavior of adversaries. For law enforcement, marketing data offers the opportunity to try to identify suspects in the vicinity of crimes.

According to documents reviewed by the Journal and people familiar with the company, Locate X provides advertising data drawn from the marketing industry to intelligence, military and law-enforcement agencies for monitoring purposes. Its terms of service say that the customer may not even disclose the existence of Locate X. Mississippi State cited a confidentiality obligation in its contract with Babel and declined to answer questions about the product.
Written by Byron Tau