Operational Security, OPSEC, is a part of the lexicon of every Facility Security Officer, every Counterintelligence Officer, and every member of the uniformed services from day one. Actions and words can and will be used by an adversary as they conduct analysis to put together not only their analytic situational understanding but also their targeting matrix.

The recent article in The Intercept on the alleged marriage of capabilities of Anomaly Six and Zignal Labs to track and collate mobile phone location data and social media purchased directly from Twitter drives home the importance of OPSEC with a sledgehammer.

Anomaly Six and Zignal Labs

Allegedly, Anomaly Six uses cellphone location tracking technology, purchasing “location data, tracking hundreds of millions of people around the world.” According to The Intercept, smartphone apps harvest an individual’s location and then send it on to advertisers. The advertisers then apparently resell this data to entities like Anomaly Six. This daisy chain of location data goes to one or more apps and then onward to advertisers, with each step collating and analyzing the data, and it paints one aspect of an individual’s actions and location.

We don’t need to go far back in history to remember the exploitation of health apps’ GPS tracking, which detailed government employees’ exercise pathways in proximity to key government locations.

How much data are we talking about Anomaly Six allegedly compiling? The “dragnet yields between 30 to 60 location pings per device per day and 2.5 trillion locational data points annually worldwide.” In addition, according to the article, the company has accumulated an email library consisting of over two billion email addresses and individual information associated with the various app registration processes.

The other side of the equation, alleged in the article, hinges on the capabilities of Zignal Labs, which apparently purchases the Twitter firehose of millions of Tweets. Thus, the Twitter stream, a disparate but relatable data set, is melded with the location data harvested from a user’s device to produce an end result which contains a more finite level of location and, perhaps in the aggregate, contextual specificity.

OPSEC Nightmare

The article also alleges that this capability has been used against United States Defense Department users and has been demonstrated as able to track the Russian military buildup around Ukraine.

Indeed, the ability to walk a given mobile phone’s locations back in time was demonstrated. Using geofencing around the NSA and CIA Headquarters’ buildings as the starting point, 183 separate phones were identified via commercial capabilities available for purchase, and could be tracked both historically and going forward. In the demo discussed in the article, an individual was traced between various locations, and based on “regularity” their home residence location was deduced, with an associated Google Street View image of the location. The next step is easy enough. Delve into public records to identify who resides at the given location.

A foreign intelligence service’s dream tool.

Yes, an OPSEC nightmare.

Weaponizing mobile phone tracking was recognized early in Russia’s war of choice against Ukraine. On February 26, two days after the initiation of the conflict, the Ukraine Ministry of the Interior asked individual cell phone users to turn off their geolocation capability on their phones as the Russian military was using this information to track Ukraine movements and gathering points.

Then on May 13, retired U.S. Army General Mark Hertling commented in a Tweet on how Russian use of cell phones “shows a lack of OPSEC in the Russian army” within the context of a map of Russian cell phone SIMs overlaid on the Ukraine-Russia front.

Zignal and Anomaly Six statements

Zignal’s spokesperson, Tom Korolsyshun, told The Intercept, “Zignal abides by privacy laws and guidelines set forth by our data partners.” Zignal added, “While Anomaly 6 has in the past demonstrated its capabilities to Zignal Labs, Zignal Labs does not have a relationship with Anomaly 6. We have never integrated Anomaly 6’s capabilities into our platform, nor have we ever delivered Anomaly 6 to any of our customers.”

Anomaly Six’s co-founder, Brendan Huff, told The Intercept via email, “Anomaly Six is a veteran-owned small business that cares about American interests, natural security, and understands the law.”

What next?

FSOs will be well served to advise all personnel of the above commercial off-the-shelf capability, which no doubt is duplicated by nation states and is thus an OPSEC threat to any and all government classified engagements. The threat, as detailed above, is exploitable both domestically and when deployed abroad.

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008). He is the founder of securelytravel.com.