Wolfie Christl

@wchr

Public-interest researcher https://crackedlabs.org | Tech and society. Tracking, surveillance, consumer data, platform power, algorithmic decisions, datafication of work.

https://wolfie.crackedlabs.org/en

New Citizen Lab report by Gary Miller and Swantje Lange, with an incredibly sophisticated analysis of covert surveillance operations with a focus on location tracking, which target phones by exploiting/attacking weaknesses in global 3G/4G telecom networks and sending invisible SMS while acting as trusted telecom operators:
https://citizenlab.ca/research/uncovering-global-telecom-exploitation-by-covert-surveillance-actors/
The Citizen Lab: Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors

Our investigation uncovers two sophisticated telecom surveillance campaigns and, for the first time, links real-world attack traffic to mobile operator signalling infrastructure. The findings expose how suspected commercial surveillance vendors (CSVs) exploit the global telecom interconnect ecosystem, leverage private operator networks, and conduct covert location tracking operations that can persist undetected for years.

I think it may rely on data from digital advertising, mobile apps or other commercial sources because the 'statement of work' mentions:

- "Correlation of target activity across mobile IoT devices" ... "multiple device types, networks" ... "Wi-Fi access points and network identifiers"
- "real-time geolocation capability against mission targets", "current and historical location intelligence, pattern-of-life analysis, and positional awareness across domestic and international areas of interest"

The ICE contractor, a defense firm called Edge Ops, promotes 'Project SAFE HAVEN' as an AI surveillance system to "map illegal migrants" and "identify, locate, and map both illegal migrants and the criminals who have crossed into the U.S. over the past several years" based on "years" of "non-traditional" data.
https://edgeops.io/services/

ICE entered into another 1-year $12.2m contract with defense contractor Edge Ops for an intrusive system that looks a lot like surveillance tech based on advertising/app data, according to public records first reported by The Lever.

The system/program, called 'SAFE HAVEN', aims to track, locate and profile migrants and 'extremists', among others, according to the 'statement of work' of the ICE contract (May 1, 2026 - April 30, 2027).
https://sam.gov/workspace/contract/opp/b08731987c1c482182e85178d52c94be/view

The Lever:
https://www.levernews.com/inside-ices-12-million-plan-to-map-immigrants-patterns-of-life/

Last week, we at The Citizen Lab and VSquare exposed Hungarian intelligence’s use of Webloc, an ad-based surveillance system based on mobile app data.

Update: The Hungarian GDPR regulator told us it's launched an investigation into the matter. A great first step.

I hope Hungary's new govt secures the mandate and independence of its regulator.

Other European data protection authorities must follow and investigate ad-based surveillance firms and their data supply chains:
https://mastodon.social/@wchr/116403306330427864

Here's what start.io offered via the German data broker Datarade until 2025:

* 10 billion daily location records plus audience/profile data harvested from 2.4 billion mobile devices ("MAU") via 500k apps

https://web.archive.org/web/20250211184839/https://datarade.ai/data-providers/startapp-soda/profile

According to the detailed 2022 offer page, the data contained a timestamp, Advertising ID, GPS location, IP, Wi-Fi data and device info. It was obtained from start.io's "private in-app SDK and direct integrations":
https://web.archive.org/web/20221020131708/https://datarade.ai/data-products/startapp-raw-location-data

Last week, we published a Citizen Lab report on the ad-based location surveillance system Webloc, its capabilities and its customers (https://citizenlab.ca/research/analysis-of-penlinks-ad-based-geolocation-surveillance-tech/).

Webloc obtains data from consumer apps installed on phones. How? We don't know.

But the ad targeting segments shown in this 2021 Webloc screenshot caught my eye:

I bet almost nobody using apps that contain Startapp's tracking code has ever heard of the company, let alone consented to how it exploits their data.

Whether it has ever provided data to Webloc or not (we don't know), GDPR regulators, the FTC, Google and Apple must investigate its data practices.

In a nutshell, Startapp/start.io is a major third-party tracking vendor harvesting data from up to a billion smartphone users via mobile apps.

According to Exodus Privacy, its SDK is currently embedded in 4,266 mobile apps:
https://reports.exodus-privacy.eu.org/en/trackers/195/

Startapp, founded in Israel and renamed start.io in 2021, operates software for advertising and data collection that is embedded in thousands of apps (https://www.start.io/about-us/), a so-called mobile SDK.

According to its website, it delivers “hundreds of millions of ads per day across thousands of global leading apps” and has access to “more than 100 billion first-party data signals per day across the globe”. Marketers can “use these anonymized signals to understand and predict consumer behavior”.