With Locate X, an agency like the Secret Service could, for instance, create a geo-fence around a crime scene. It could then identify mobile devices that were in that area prior to the crime and see where those devices traveled before or after the incident. Police took that approach following a burglary in 2019, and they ended up investigating an innocent cyclist based on his RunKeeper data.

In March, Protocol reported that US Customs and Border Protection purchased Locate X, and a former Babel Street employee told Protocol that the Secret Service and US Immigration and Customs Enforcement (ICE) were using the location-tracking tech. But Motherboard has the first confirmation that the Secret Service did in fact purchase Locate X. 

This isn’t a new issue. Federal agents have reportedly been buying commercially-available cell phone location data to track immigrants for years. A recent report on Black Lives Matter protestors released by Mobilewalla shows just how much info private companies can glean from smartphone apps.

It’s unclear how federal agencies get away with obtaining this info without a warrant. In 2018, the US Supreme Court ruled that law enforcement need a warrant to perform cell phone tower searches. But why bother when you have app data?

Senator Ron Wyden is reportedly planning legislation to block law enforcement from purchasing products like Locate X.

“It is clear that multiple federal agencies have turned to purchasing Americans’ data to buy their way around Americans’ Fourth Amendment Rights. I’m drafting legislation to close this loophole, and ensure the Fourth Amendment isn’t for sale,” Wyden said in a statement provided to Motherboard.

In the fall of 2018, the hackers deployed a type of malware called Reign, which is linked to “Five Eyes,” an intelligence-sharing alliance comprised of the US, Britain, Australia, New Zealand and Canada. It’s unclear which of those countries might be behind the breach, though. A Yandex spokesperson told Reuters that the hack was detected early and that no user data was compromised, but Reuters‘ sources claim the hackers had access to Yandex’s research and development unit for at least several weeks.

As Reuters‘ notes, Western cyberattacks against Russia are rarely acknowledged, but earlier this month we learned that the US planted malware in Russia’s power grid. Last spring, a few months before the alleged Yandex hack, the US elevated its cyber warfare division and vowed to take a more aggressive approach to online threats. Even the private company Jigsaw, an Alphabet subsidiary, experimented with hiring a Russian troll just to see if it could. In those cases, some feared the US might provoke more digital aggression from Russia. This Yandex breach could add to those fears.