In 2017, as Phunware was moving into the election space, the company’s Web site announced, “As soon as the first few campaigns recognize the value of mobile ad targeting for voter engagement, the floodgates will open. Which campaign will get there first and strike it rich?” A year later, according to people familiar with the effort, the company used its location-tracking capabilities to create a lobbying campaign on behalf of a health-care company aiming to influence legislators in Georgia. It put a “geofence” around the governor’s mansion that recorded the I.D. of every device that went in and out of the building, and then used the I.D.s to send targeted messages to those phones (likely including the governor’s) about the legislation it was aiming to influence. The legislation passed. Phunware’s leadership has also discussed their ability to geofence polling places, according to people who were present during these discussions, in order to send targeted campaign ads to voters as they step into the voting booth. While it is illegal to advertise in the vicinity of the polls, using location data in this way to send targeted ads could enable a campaign to breach that border surreptitiously.
Phunware’s data collection on behalf of the Trump campaign likely extends beyond the app as well. According to Phunware’s chief operating officer, Randall Crowder, the company has created a “data exchange” that “enables digital marketers to design custom audiences within minutes using geographic, interest, intent, and demographic segments . . . high-quality G.P.S. location data points from one hundred million-plus devices in the United States to increase scale of location-based audiences.” In its promotional materials, the company also claims to have unique device I.D.s for more than a billion mobile devices worldwide, and to have developed what it calls a Knowledge Graph—a “consumer-centric collection of actions, preferences, characteristics and predicted behavior” from the data it has siphoned from mobile phones and tablets. Much like Facebook’s social graph, which has been described as “the global mapping of everybody and how they’re related,” this enables the company to quickly sort through large data sets, uncovering connections and relations that otherwise would be obscured. For example: middle-aged women who live alone, rarely vote, own guns, and live in a border state.
So how did Phunware obtain a billion unique device I.D.s? As the company described it to the S.E.C., they were collected from phones and tablets that use Phunware’s software. But, according to people who have worked with the company, in addition to the data it obtains through its software, Phunware has been using its ad-placement business as a wholesale data-mining operation. When it bids to place an ad in an app like, for example, Pandora, it scoops up the I.D. of every phone and tablet that would have been exposed to the ad, even if it loses the bid. By collecting and storing this information, the company is able to compile a fairly comprehensive picture of every app downloaded on those devices, and any registration data a user has shared in order to use the app.
This information can yield rich demographic data. If a campaign is looking for young men with an affinity for guns, for instance, it might look at who has downloaded both Call of Duty and CCW, the Concealed Carry Fifty State app. Then, using the location data associated with the device I.D., the data can be unmasked and linked to an individual. Once a campaign knows who someone is, and where a person lives, it is not difficult to start building a voter file, and using this information to tailor ads and messages.
Tom Wheeler, the former chair of the Federal Communications Commission, told me, “These are Cambridge Analytica-like techniques. It’s collecting the descriptive power of data from multiple sources, most of which the consumer doesn’t even know are being collected. And that’s what Cambridge Analytica did.”
In late July, a group of lawmakers, led by Senator Bill Cassidy, Republican of Louisiana, and his Democratic colleague Ron Wyden, of Oregon, sent a letter to the chair of the Federal Trade Commission asking him to investigate whether using bidding information in this way constitutes an unfair and deceptive practice. “Few Americans realize that companies are siphoning off and sharing that ‘bidstream’ data to compile exhaustive dossiers about them,” they wrote, “which are then sold to hedge funds, political campaigns, and even to the government without court orders.” According to Charles Manning, the C.E.O. of Kochava, a data marketplace, “There are no regulatory bodies that appear to be aware of the technological foundations upon which digital advertising operates. This is a challenge, because without understanding how programmatic ads are bought and sold, regulators face an uphill battle in applying regulation that deals with opaque supply chains where fraudulent behavior can flourish.”
The Trump app, at least, is explicit about what it expects from its users: “You may be asked to provide certain information, including your name, username, password, e-mail, date of birth, gender, address, employment information, and other descriptive information,” the app’s privacy policy states. “The Services [of the app] may include features that rely on the use of information stored on, or made available through, your mobile Device. . . . We . . . reserve the right to store any information about the people you contact via the Services. . . . We reserve the right to use, share, exchange and/or disclose to DJTFP affiliated committee and third parties any of your information for any lawful purpose.” (When I asked Woolley why the campaign was asking supporters to share their contacts, since it already had access to them through the app’s permissions, he pointed out that, when a user shares their contacts to earn points, “that actually sends out messages to your contacts asking them to download the app. So rather than just getting data on your friends and family, they are able to also reach out to them using you as a reference.”)
The policy also notes that the campaign will be collecting information gleaned from G.P.S. and other location services, and that users will be tracked as they move around the Internet. Users also agree to give the campaign access to the phone’s Bluetooth connection, calendar, storage, and microphone, as well as permission to read the contents of their memory card, modify or delete the contents of the card, view the phone status and identity, view its Wi-Fi connections, and prevent the phone from going to sleep. These permissions give the Trump data operation access to the intimate details of users’ lives, the ability to listen in on those lives, and to follow users everywhere they go. It’s a colossal—and essentially free—data-mining enterprise. As Woolley and his colleague Jacob Gursky wrote in MIT Technology Review, the Trump 2020 app is “a voter surveillance tool of extraordinary power.”
I learned this firsthand after downloading the Trump 2020 app on a burner phone I bought in order to examine it, using an alias and a new e-mail address. Two days later, the President sent me a note, thanking me for joining his team. Lara Trump invited me (for a small donation) to become a Presidential adviser. Eric Trump called me one of his father’s “FIERCEST supporters from the beginning.” But the messages I began getting from the Trump campaign every couple of hours were sent not only to the name and address I’d used to access the app. They were also sent to the e-mail address and name associated with the credit card I’d used to buy the phone and its SIM card, neither of which I had shared with the campaign. Despite my best efforts, they knew who I was and where to reach me.
