Sunday, September 13, 2020

How the Trump Campaign’s Mobile App Is Collecting Massive Amounts of Voter Data

 

How the Trump Campaign’s Mobile App Is Collecting Massive Amounts of Voter Data

 

By Sue Halpern

September 13, 2020

The data-collecting methods of the software company Phunware’s Trump 2020 app are reminiscent of those used by Cambridge Analytica.

Since the Trump campaign set up a shell company called American Made Media Consultants, in 2018, an entity it describes as a “vendor responsible for arranging and executing media buys and related services at fair market value,” it’s been nearly impossible to know whom the campaign is paying, for what, and how much. But, on May 27th, Alan Knitowski, the C.E.O. of Phunware, an Austin-based ad broker and software company, announced a “strategic relationship with American Made Media Consultants on the development, launch and ongoing management and evolution of the Trump-Pence 2020 Reelection Campaign’s mobile application portfolio.” Although Phunware never showed up in the campaign’s F.E.C. reports, Phunware’s S.E.C. filings show that, since last year, it has been paid around four million dollars by A.M.M.C.

On its face, Phunware seems like a strange choice to develop the campaign’s app. Before working for President Trump, Phunware’s software was being used in relatively few applications, the most popular being a horoscope app. And, since 2019, it has been embroiled in a lawsuit with Uber, a former client of the company’s ad-placement business. The dispute stems from a yearlong investigation by two former Phunware employees who discovered that the company was pretending to place Uber ads on Web sites like CNN when, in fact, they were appearing on pornography sites, among others, if they appeared at all. But, according to former Phunware employees and business associates, the company’s value to the Trump campaign is not in software development. “The Trump campaign is not paying Phunware four million dollars for an app,” a former business partner of the company told me. “They are paying for data. They are paying for targeted advertising services. Imagine if every time I open my phone I see a campaign message that Joe Biden’s America means we’re going to have war in the streets. That’s the service the Trump campaign and Brad Parscale”—the Trump campaign’s senior adviser for data and digital operations—“have bought from Phunware. An app is just part of the package.”

The Trump 2020 app is a massive data-collection tool in its own right. When it launched, on April 23rd, Parscale, who was then Trump’s campaign manager, urged his followers on Facebook to “download the groundbreaking Official Trump 2020 App—unlike other lame political apps you’ve seen.” Despite the hype, the 2020 app recapitulates many of the functions found on the 2016 app. There’s a news feed with Trump’s social-media posts, an events calendar, and recorded videos. The “gaming” features that distinguished the 2016 app are still prominent—a “Trump’s army” member who accumulates a hundred thousand points by sharing contacts or raising money is promised a photograph with the President, while other members can use points to get discounts on maga gear. Users are prompted to invite friends to download the app—more points!—and can use the app to sign up to make calls on behalf of the campaign, to be a poll watcher, to register voters, and to get tickets to virtual and in-person events.

The most obvious new feature on the 2020 app is a live news broadcast, carefully curated by the campaign to push the President’s talking points. It is hosted by a cast of campaign surrogates, including Lara Trump, Eric Trump’s wife, and Kimberly Guilfoyle, Donald Trump, Jr.,’s girlfriend and the campaign’s national finance chair. There are also channels aimed at particular demographic groups, among them Women for Trump, Black Voices for Trump, and Latinos for Trump. Though it is a crude approximation of a traditional news outlet, the Trump app enables users to stay fully sequestered within the fact-optional Trump universe. “I think everything we do is to counter the media,” Parscale told Reuters in June. “This is another tool in the tool shed to fight that fight, and it’s a big tool.” In May, after Twitter labelled one of Trump’s tweets as being in violation of its standards, sparking renewed claims of liberal-media censorship of conservatives (despite the fact that the tweet was not taken down), downloads of the campaign app soared.

To access the Trump app, users must share their cell-phone numbers with the campaign. “The most important, golden thing in politics is a cellphone number,” Parscale told Reuters. “When we receive cellphone numbers, it really allows us to identify them across the databases. Who are they, voting history, everything.” Michael Marinaccio, the chief operating officer of Data Trust, a private Republican data company, said recently that “what’s new this year, or at least a sense of urgency, is getting as many cell-phone numbers as we can in the voter file data.” An effective way to do that is to entice supporters to share not only their own cell-phone numbers with the campaign but those of their contacts as well. One estimate, by Eliran Sapir, the C.E.O. of Apptopia, a mobile-analytics company, is that 1.4 million app downloads could provide upward of a hundred million phone numbers. This will enable the Trump campaign to find and target people who have not consented to handing over their personal information. It’s not unlike how Cambridge Analytica was able to harvest the data of nearly ninety million unsuspecting Facebook users, only this time it is one’s friends, family, and acquaintances who are willfully handing over the data for a chance to get a twenty-five-dollar discount on a maga hat.

By contrast, the new Biden app still collects data on users, but it outlines the specific uses of that data and doesn’t automatically collect the e-mail and phone numbers of users’ friends and family. “Unlike the Biden app, which seeks to provide users with awareness and control of the specific uses of their data, the Trump app collects as much as it can using an opt-out system and makes no promises as to the specific uses of that data,” Samuel Woolley, the director of the propaganda research project at the University of Texas’s Center for Media Engagement, told me. “They just try to get people to turn over as much as possible.”

ATrump spokesperson told me, “The Trump 2020 app was built by Phunware as a one-stop destination with a variety of tools to get voters engaged with President Trump’s reëlection campaign.” Among its main contributions to the app’s data-mining capabilities is a “location experience kit,” which the company had previously marketed to hospitals and malls to help people navigate unfamiliar buildings. Visitors could pair their phone’s Bluetooth with beacons set up throughout the facility. Initially, the Trump 2020 app was built around big rallies, where this feature would have been useful. According to one former employee, however, the company’s location software, which functions even when the app is not open, may be capable of sucking up more than geographic coördinates. It could potentially “sniff out all of the information you have on your phone. Any sort of registration data, your name, your phone number, potentially your Social Security number, and other pieces of data. It could sniff out how many apps you have on your phone, what type of apps you have on your phone, what apps you deleted recently, how much time you’ve spent in an app, and your dwell time at various specific locations. It could give a very intimate picture of that individual and their relationship with that mobile device.” (Phunware did not respond to multiple requests for comment.)

In 2017, as Phunware was moving into the election space, the company’s Web site announced, “As soon as the first few campaigns recognize the value of mobile ad targeting for voter engagement, the floodgates will open. Which campaign will get there first and strike it rich?” A year later, according to people familiar with the effort, the company used its location-tracking capabilities to create a lobbying campaign on behalf of a health-care company aiming to influence legislators in Georgia. It put a “geofence” around the governor’s mansion that recorded the I.D. of every device that went in and out of the building, and then used the I.D.s to send targeted messages to those phones (likely including the governor’s) about the legislation it was aiming to influence. The legislation passed. Phunware’s leadership has also discussed their ability to geofence polling places, according to people who were present during these discussions, in order to send targeted campaign ads to voters as they step into the voting booth. While it is illegal to advertise in the vicinity of the polls, using location data in this way to send targeted ads could enable a campaign to breach that border surreptitiously.

Phunware’s data collection on behalf of the Trump campaign likely extends beyond the app as well. According to Phunware’s chief operating officer, Randall Crowder, the company has created a “data exchange” that “enables digital marketers to design custom audiences within minutes using geographic, interest, intent, and demographic segments . . . high-quality G.P.S. location data points from one hundred million-plus devices in the United States to increase scale of location-based audiences.” In its promotional materials, the company also claims to have unique device I.D.s for more than a billion mobile devices worldwide, and to have developed what it calls a Knowledge Graph—a “consumer-centric collection of actions, preferences, characteristics and predicted behavior” from the data it has siphoned from mobile phones and tablets. Much like Facebook’s social graph, which has been described as “the global mapping of everybody and how they’re related,” this enables the company to quickly sort through large data sets, uncovering connections and relations that otherwise would be obscured. For example: middle-aged women who live alone, rarely vote, own guns, and live in a border state.

So how did Phunware obtain a billion unique device I.D.s? As the company described it to the S.E.C., they were collected from phones and tablets that use Phunware’s software. But, according to people who have worked with the company, in addition to the data it obtains through its software, Phunware has been using its ad-placement business as a wholesale data-mining operation. When it bids to place an ad in an app like, for example, Pandora, it scoops up the I.D. of every phone and tablet that would have been exposed to the ad, even if it loses the bid. By collecting and storing this information, the company is able to compile a fairly comprehensive picture of every app downloaded on those devices, and any registration data a user has shared in order to use the app.

This information can yield rich demographic data. If a campaign is looking for young men with an affinity for guns, for instance, it might look at who has downloaded both Call of Duty and CCW, the Concealed Carry Fifty State app. Then, using the location data associated with the device I.D., the data can be unmasked and linked to an individual. Once a campaign knows who someone is, and where a person lives, it is not difficult to start building a voter file, and using this information to tailor ads and messages.

Tom Wheeler, the former chair of the Federal Communications Commission, told me, “These are Cambridge Analytica-like techniques. It’s collecting the descriptive power of data from multiple sources, most of which the consumer doesn’t even know are being collected. And that’s what Cambridge Analytica did.”

In late July, a group of lawmakers, led by Senator Bill Cassidy, Republican of Louisiana, and his Democratic colleague Ron Wyden, of Oregon, sent a letter to the chair of the Federal Trade Commission asking him to investigate whether using bidding information in this way constitutes an unfair and deceptive practice. “Few Americans realize that companies are siphoning off and sharing that ‘bidstream’ data to compile exhaustive dossiers about them,” they wrote, “which are then sold to hedge funds, political campaigns, and even to the government without court orders.” According to Charles Manning, the C.E.O. of Kochava, a data marketplace, “There are no regulatory bodies that appear to be aware of the technological foundations upon which digital advertising operates. This is a challenge, because without understanding how programmatic ads are bought and sold, regulators face an uphill battle in applying regulation that deals with opaque supply chains where fraudulent behavior can flourish.”

The Trump app, at least, is explicit about what it expects from its users: “You may be asked to provide certain information, including your name, username, password, e-mail, date of birth, gender, address, employment information, and other descriptive information,” the app’s privacy policy states. “The Services [of the app] may include features that rely on the use of information stored on, or made available through, your mobile Device. . . . We . . . reserve the right to store any information about the people you contact via the Services. . . . We reserve the right to use, share, exchange and/or disclose to DJTFP affiliated committee and third parties any of your information for any lawful purpose.” (When I asked Woolley why the campaign was asking supporters to share their contacts, since it already had access to them through the app’s permissions, he pointed out that, when a user shares their contacts to earn points, “that actually sends out messages to your contacts asking them to download the app. So rather than just getting data on your friends and family, they are able to also reach out to them using you as a reference.”)

The policy also notes that the campaign will be collecting information gleaned from G.P.S. and other location services, and that users will be tracked as they move around the Internet. Users also agree to give the campaign access to the phone’s Bluetooth connection, calendar, storage, and microphone, as well as permission to read the contents of their memory card, modify or delete the contents of the card, view the phone status and identity, view its Wi-Fi connections, and prevent the phone from going to sleep. These permissions give the Trump data operation access to the intimate details of users’ lives, the ability to listen in on those lives, and to follow users everywhere they go. It’s a colossal—and essentially free—data-mining enterprise. As Woolley and his colleague Jacob Gursky wrote in MIT Technology Review, the Trump 2020 app is “a voter surveillance tool of extraordinary power.”

I learned this firsthand after downloading the Trump 2020 app on a burner phone I bought in order to examine it, using an alias and a new e-mail address. Two days later, the President sent me a note, thanking me for joining his team. Lara Trump invited me (for a small donation) to become a Presidential adviser. Eric Trump called me one of his father’s “FIERCEST supporters from the beginning.” But the messages I began getting from the Trump campaign every couple of hours were sent not only to the name and address I’d used to access the app. They were also sent to the e-mail address and name associated with the credit card I’d used to buy the phone and its sim card, neither of which I had shared with the campaign. Despite my best efforts, they knew who I was and where to reach me.