Own a rifle? Got a scope to go with it? The U.S. government might soon know who you are, where you live and how to reach you.
That’s because the government wants Apple and Google to hand over names, phone numbers and other identifying data of at least 10,000 users of a single gun scope app, Forbes has discovered. It’s an unprecedented move: Never before has a case been disclosed in which American investigators demanded personal data of users of a single app from Apple and Google. And never has an order been made public where the feds have asked the Silicon Valley giants for info on so many thousands of people in one go.
According to an application for a court order filed by the Department of Justice (DOJ) on September 5, investigators want information on users of Obsidian 4, a tool used to control rifle scopes made by night-vision specialist American Technologies Network Corp. The app allows gun owners to get a live stream, take video and calibrate their gun scope from an Android or iPhone device. According to the Google Play page for Obsidian 4, it has more than 10,000 downloads. Apple doesn’t provide download numbers, so it’s unclear how many iPhone owners could be swept up in this latest government data grab.
If the court approves the demand, and Apple and Google decide to hand over the information, it could include data on thousands of people who have nothing to do with the crimes being investigated, privacy activists warned. Edin Omanovic, lead on Privacy International's State Surveillance program, said it would set a dangerous precedent and scoop up “huge amounts of innocent people’s personal data.”
“Such orders need to be based on suspicion and be particularized—this is neither,” Omanovic added.
Why the data grab?
The Immigration and Customs Enforcement (ICE) department is seeking information as part of a broad investigation into possible breaches of weapons export regulations. It’s looking into illegal exports of ATN’s scope, though the company itself isn’t under investigation, according to the order. As part of that, investigators are looking for a quick way to find out where the app is in use, as that will likely indicate where the hardware has been shipped. ICE has repeatedly intercepted illegal shipments of the scope, which is controlled under the International Traffic in Arms Regulations (ITAR), according to the government court filing. They included shipments to Canada, the Netherlands and Hong Kong where the necessary licenses hadn’t been obtained.
“This pattern of unlawful, attempted exports of this rifle scope in combination with the manner in which the ATN Obsidian 4 application is paired with this scope manufactured by Company A supports the conclusion that the information requested herein will assist the government in identifying networks engaged in the unlawful export of this rifle scope through identifying end users located in countries to which export of this item is restricted,” the government order reads. (The order was supposed to have been sealed, but Forbes obtained it before the document was hidden from public view.) There's no clear stipulation on the government's side to limit this to countries outside of America, though that limitation could be put in place.
It’s unclear just whom ICE is investigating. No public charges have been filed related to the company or resellers of its weapons tools. Reports online have claimed ATN scopes were being used by the Taliban.
If the court signs off on the order, Apple and Google will be told to hand over not just the names of anyone who downloaded the scope app from August 1, 2017 to the current date, but their telephone numbers and IP addresses too, which could be used to determine the location of the user. The government also wants to know when users were operating the app.
The request is undeniably broad and would likely include all users of the app within America, not just users abroad who might indicate illegal shipments of the gun appendage. Tor Ekeland, a privacy-focused lawyer, said it amounted to a “fishing expedition.” (The DOJ hadn’t responded to a request for comment at the time of publication.)
“The danger is the government will go on this fishing expedition, and they’ll see information unrelated to what they weren’t looking for and go after someone for something else,” Ekeland said. He said there’s a long history of that kind of behavior from the U.S. government. And he warned that the government could apply this demand to other types of app, such as dating or health apps.
“There’s a more profound issue here with the government able to vacuum up a vast amount of data on people they have no reason to suspect have committed any crime. They don’t have any probable cause to investigate, but they’re getting access to data on them,” Ekeland added.
Even those who’ve worked in government surveillance were stunned by the order. “The idea that this data will only be used for pursuing ITAR violations is almost laughable,” warned Jake Williams, a former NSA analyst and now a cybersecurity consultant at Rendition Infosec.
“Google and Apple should definitely fight these requests as they represent a very slippery slope. This type of bulk data grab is seriously concerning for a number of reasons, not the least of which is that the download of an application does not automatically imply the ‘intended use’ of the application. For instance, researchers often bulk download applications looking for interesting vulnerabilities.”
He said that if the request was granted it may also have a “serious chilling effect on how people use the Google and Android app stores.” He added, “The idea that Google could be compelled to turn over, in secret, all of my identifiers and session data in its possession because I downloaded an application for research is such a broad overreach it's ridiculous.”
Though the order is unprecedented in America, non-U.S. governments have tried a similar tactic before on a grander scale. As Forbes reported, an unnamed government had asked Apple for data on 58 million users of a single app as they tried to trace a terrorist cell. Apple declined to provide the data.