From the Texas Observer:
Everything is bigger in Texas—including state police contracts for surveillance tech.
In June, the Texas Department of Public Safety (DPS) signed an acquisition plan for a 5-year, nearly $5.3 million contract for a controversial surveillance tool called Tangles from tech firm PenLink, according to records obtained by the Texas Observer through a public information request. The deal is nearly twice as large as the company’s $2.7 million two-year contract with the federal Immigration and Customs Enforcement (ICE).
Tangles is an artificial intelligence-powered web platform that scrapes information from the open, deep, and dark web. Tangles’ premier add-on feature, WebLoc, is controversial among digital privacy advocates. Any client who purchases access to WebLoc can track different mobile devices’ movements in a specific, virtual area selected by the user, through a capability called “geofencing.” Users of software like Tangles can do this without a search warrant or subpoena. (In a high-profile ruling, the Fifth Circuit recently held that police cannot compel companies like Google to hand over data obtained through geofencing.) Device-tracking services rely on location pings and other personal data pulled from smartphones, usually via in-app advertisers. Surveillance tech companies then buy this information from data brokers and sell access to it as part of their products.
WebLoc can even be used to access a device’s mobile ad ID, a string of numbers and letters that acts as a unique identifier for mobile devices in the ad marketing ecosystem, according to a US Office of Naval Intelligence procurement notice.
Wolfie Christl, a public interest researcher and digital rights activist based in Vienna, Austria, argues that data collected for a specific purpose, such as navigation or dating apps, should not be used by different parties for unrelated reasons. “It’s a disaster,” Christl told the Observer. “It’s the largest possible imaginable decontextualization of data. … This cannot be how our future digital society looks like.”
While a device’s mobile ad ID is technically an anonymous piece of information, it is easy to cross reference other data points to determine the owner, according to Beryl Lipton, an investigative researcher at the Electronic Frontier Foundation. “If there is another data point—like the address of the person who lives at the place where your phone seems to be all of the time—it can be very easy to quickly identify and build a profile of people using this supposedly anonymous information,” Lipton said.
In 2018, the U.S. Supreme Court ruled in Carpenter v. United States that police must have a warrant to obtain cell phone location data from service providers like AT&T and Verizon. But Nate Wessler, the attorney who argued the Carpenter case and the deputy director of the American Civil Liberties Union’s Speech, Privacy, and Technology Project, told the Observer that companies have justified selling phone location information through data brokers by arguing that mobile ad IDs are anonymous.
“These companies absolutely trot that out as one of their defenses, and it is pure poppycock. … It’s transparently a ridiculous defense, because the entire thing that they’re selling is the ability to track phones and to be able to figure out where particular phones are going,” Wessler said.
The privacy implications of police using services—like Tangles—that provide location data are “identical” to the issues raised in the Carpenter case, Wessler said. That’s because location data harvested from apps, as opposed to that obtained from service providers, can be even more invasive, he said. “You can tell just as much about somebody’s GPS history from their apps as you can from their cell phone location data from their phone provider. And in some cases, you can tell more,” Wessler said.
Tangles is a product offered by the cybersecurity company Cobwebs Technologies, which was founded in Israel in 2014 by three former members of Israeli military special units. The company has said their products, which are marketed as open source intelligence (OSINT) tools, have been used to combat terrorism, drug smuggling, and money laundering, but Meta has accused the company of operating as a surveillance-for-hire outfit. In 2023, Cobwebs Technologies was acquired by the Nebraska-based tech firm PenLink Ltd.
Christl, the Austria-based digital rights researcher, said that companies selling software that incorporates data harvested from mobile phone apps have greatly expanded the definition of OSINT tools. If a company has to buy personal data from third-party brokers to incorporate into a software that they sell to police, he said, then that isn’t really an open source tool.
Lipton, the investigative researcher at the Electronic Frontier Foundation, said that’s troubling for the public. “People don’t realize that some of this stuff comes with a high cost,” she said. “Both price-wise and privacy-wise.”
In a written statement, a PenLink spokesperson told the Observer their “open-source intelligence (OSINT) solutions are used to protect our communities from crime, threats, and cyber-attacks by providing seamless access to data that is publicly available. From a technology perspective, we want to note that we operate only according to the law, adhering to strict standards and regulations.” The spokesperson did not answer other specific questions.
Cobwebs Technologies, now part of PenLink, has scored contracts through its Delaware-based subsidiary Cobwebs America Inc. with various federal agencies, including ICE, the Internal Revenue Service, the Bureau of Indian Affairs and Bureau of Indian Education, and the U.S. Fish and Wildlife Service. ICE holds Cobwebs America’s highest-dollar federal contract so far, according to usa.spending.gov.
DPS’ Intelligence and Counterterrorism division has used Tangles since 2021, as first reported by The Intercept. The agency first purchased the software as part of Governor Greg Abbott’s multi-billion dollar Operation Lone Star border crackdown, doling out an initial $200,000 contract as an “emergency award” with no public solicitation. Each year since, DPS has expanded the contract: In 2022, it paid $300,000, and in 2023, more than $400,000, according to contracting records on DPS’ website. The agency’s new plan for a 5-year Tangles license, from 2024 through 2029, will cost about $1 million per year.
In its acquisition plan, DPS states that Intelligence and Counterterrorism division personnel need the tool to “identify and disrupt potential domestic terrorism and other mass casualty threats.” The plan references two Texas mass shootings. In August 2019, a racist white man from Allen killed 23 at a Walmart in El Paso. A few weeks later, a different perpetrator went on a deadly shooting in Midland and Odessa. The plan does not mention the 2022 Uvalde school shooting, when 91 DPS officers formed part of a massive botched law enforcement response.
“Following the attacks in El Paso and Midland-Odessa Governor Abbott issued several executive orders designed to prevent similar events,” the acquisition plan obtained by the Observer states. “In response to these orders, DPS [Intelligence and Counterterrorism division] dedicated staff to identify potential mass attackers and terrorist threats.”
It is unclear how DPS has used Tangles or whether the software has helped stop any potential mass shootings. DPS did not respond to written questions or an interview request for this story.
After DPS purchased the initial license for Cobwebs’ software in 2021, local Texas law enforcement agencies followed suit. Operation Lone Star spending records from the Goliad County Sheriff’s Office, obtained by the Observer, show that the Goliad sheriff obtained a “cooperative use of [Cobwebs] software” in fall 2023 along with the sheriffs of Refugio and Brooks counties to “identify, link, and track the movements of cartel operatives throughout the region.”
Other Texas clients that have purchased Cobwebs’ software include the Dallas and Houston police departments and the sheriff’s office in Jackson County, which shares access with the Matagorda County Sheriff’s Office, according to local government meeting minutes and DPS emails.
Prior to its acquisition by PenLink, Cobwebs Technologies received backlash for how clients used its products. In 2021, Meta banned seven companies—including Cobwebs—that it had identified as participating in an online surveillance-for-hire ecosystem. As part of its sanctions, Meta removed 200 accounts operated by Cobwebs and its customers. In a company report, Meta investigators wrote that they identified Cobwebs customers in Bangladesh, Hong Kong, the United States, New Zealand, Mexico, Saudi Arabia, Poland, and other countries.
Cobwebs’ customers were not solely focused on public safety activities, Meta’s report said. “We also observed frequent targeting of activists, opposition politicians and government officials in Hong Kong and Mexico,” the report stated.
Agencies across the globe have used Tangles. From at least 2021 to 2022, Salvadoran police used it, according to the investigative outlet El Faro.Police in Mexico have also purchased the software, according to Excelsior, a Mexico City newspaper.
In 2022, a Cobwebs Technologies sales rep asked a DPS employee if the state agency could serve as a customer referral for a police agency in Israel, according to an email obtained by the Observer. In the email, the sales rep stated that DPS had at least 20 Tangles users at the time. DPS’ new acquisition plan allows for 230 named users.
Wessler, the ACLU attorney, said the sale of mobile device data to third-party data brokers and surveillance tech firms remains a legal gray area. “There are some legal frameworks that get at the edges of this, but there’s a whole kind of core of issues that the law just hasn’t caught up to,” Wessler said.
But he said other government agencies already have moved away from purchasing products that use massive amounts of cell phone location data. The services can be expensive, the use of data is invasive, and there isn’t much evidence that these services have substantially helped investigations or solved a lot of cases, he added.
“It’s just like the juice isn’t worth the squeeze,” Wessler said. “We shouldn’t be spending taxpayer money for this kind of haystack of data that they then are trying to pick needles out of, right?”