In Texas, everything is big, including state police contracts for surveillance technology.
The Texas Department of Public Safety (DPS) in June awarded tech company Penlink a five-year, $5.3 million contract for the controversial surveillance tool Tangles, nearly double the size of the company’s two-year, $2.7 million contract with the federal Immigration and Customs Enforcement (ICE), according to records obtained by the Texas Observer through a Freedom of Information request.
Tangles is an artificial intelligence-powered web platform that collects information from the open, deep, and dark web. Tangles’ signature add-on feature, WebLoc, has been controversial among digital privacy advocates. Clients who purchase access to WebLoc can track the movements of various mobile devices within a specific virtual area selected by the user through a feature called “geofencing.” Users of software such as Tangles can do this without a search warrant or subpoena. (In a high-profile decision, the Fifth Circuit Court of Appeals recently ruled that police cannot force companies such as Google to hand over data obtained through geofencing.) Device tracking services rely on location information and other personal data obtained from smartphones, typically through in-app advertisers. Surveillance technology companies buy this information from data brokers and sell access as part of their products.
According to a procurement notice from the U.S. Office of Naval Intelligence, WebLoc can also be used to access a device’s mobile advertising ID, a string of numbers and letters that serves as a unique identifier for a mobile device within the ad marketing ecosystem.
Wolfi Kristl, a public interest researcher and digital rights activist based in Vienna, Austria, argues that data collected for a specific purpose, like navigation or dating apps, should not be used by a variety of parties for unrelated reasons. “This is a catastrophe,” Kristl told the Observer. “This is the biggest possible decontextualization of data. … This must not be how our future digital society will look.”
Beryl Lipton, a research scientist at the Electronic Frontier Foundation, said that while a device’s mobile advertising ID is technically anonymous information, it’s easy to cross-reference it with other data points to identify its owner. “If you have other data points, like the address of the person where you expect their phone to be, it’s very easy to use this supposedly anonymous information to quickly identify them and build a profile on them,” Lipton said.
In 2018, the US Supreme Court ruled in Carpenter v. United States that police need a warrant to obtain cellphone location data from service providers like AT&T and Verizon. But Nate Wessler, a lawyer who worked on Carpenter and is deputy director of the ACLU’s Speech, Privacy, and Technology Project, told the Observer that companies are justifying the sale of cellphone location data through data brokers by arguing that mobile advertising IDs are anonymous.
“These companies hold that up as a defense, but it’s complete nonsense. … It’s an obviously ridiculous defense, because all they’re selling is the ability to track cell phones and figure out where a particular cell phone is going,” Wessler said.
Wessler said the privacy implications of police use of location services like Tangles are “the same” as the issues raised in the Carpenter case, because location information collected from an app, as opposed to location information obtained from a service provider, can be even more intrusive, he said. “An app can tell you just as much about someone’s GPS history as you can from location data obtained from their cell phone provider, and in some cases even more,” Wessler said.
Tangles is a product of cybersecurity company Cobwebs Technologies, which was founded in Israel in 2014 by three former members of the Israeli military special forces. The company says its products, marketed as open source intelligence (OSINT) tools, are used to combat terrorism, drug smuggling and money laundering, but Meta accuses the company of operating as a surveillance contractor. In 2023, Cobwebs Technologies was acquired by Nebraska-based technology company Penlink.
Kristl, the Austria-based digital rights researcher, said companies that sell software that incorporates data collected from mobile phone apps have significantly expanded the definition of an OSINT tool. If a company has to buy personal data from a third-party broker to incorporate it into software it sells to police, it’s not really an open source tool, he said.
Lipton, a research scientist at the Electronic Frontier Foundation, said that’s a problem for the public. “People don’t understand that some of this stuff comes with a high price,” she said, “both in terms of price and in terms of privacy.”
“Our open source intelligence (OSINT) solutions are used to protect the community from crime, threats and cyber attacks by providing seamless access to publicly available data. From a technology perspective, we would like to point out that we adhere to strict standards and regulations and only operate in accordance with the law,” a Penlink spokesperson told Observer in a written statement. The spokesperson did not respond to other specific questions.
CobWebs Technologies, now part of PennLink, has contracted with a variety of federal agencies, including ICE, the Internal Revenue Service, the Bureau of Indian Affairs and Bureau of Indian Education, and the U.S. Fish and Wildlife Service, through its Delaware-based subsidiary, CobWebs America Inc. ICE is CobWebs America’s highest-paid federal contract to date, according to usa.spending.gov.
As first reported by The Intercept, DPS’s intelligence and counterterrorism division has been using Tangles since 2021. The department first purchased the software as part of Gov. Greg Abbott’s multibillion-dollar border enforcement operation, Operation Lone Star, and initially awarded the contract for $200,000 as an “emergency contract” without public bidding. DPS has expanded the contract every year since, paying $300,000 in 2022 and more than $400,000 in 2023, according to contract records on the DPS website. The department’s new five-year Tangles licensing plan (from 2024 to 2029) will cost about $1 million per year.
DPS said in its procurement plan that it needs tools to help its intelligence and counterterrorism division officers “identify and disrupt potential domestic terrorism and other mass casualty threats.” The plan mentions two mass shootings in Texas. In August 2019, a racist white man from Allen killed 23 people at a Walmart in El Paso. A few weeks later, another gunman committed mass shootings in Midland and Odessa. The plan makes no mention of the 2022 Uvalde school shooting, a massive incident in which 91 DPS officers failed to respond to law enforcement.
“Following the attacks in El Paso and Midland-Odessa, Governor Abbott issued several executive orders to prevent similar incidents,” the planning document obtained by the Observer states. “In response to these orders, DPS (Division of Intelligence and Counterterrorism) deployed staff to identify potential mass attackers and terrorist threats.”
It’s unclear how DPS used Tangles or whether the software helped prevent mass shootings. DPS did not respond to written questions or requests for an interview on the subject.
After DPS purchased the first licenses for CobbWebs’ software in 2021, local law enforcement agencies in Texas followed suit: The Goliad Sheriff’s Office acquired “joint use of (CobbWebs’) software” with the sheriffs of Refugio and Brooks counties in fall 2023 to “identify, link and track the movements of cartel operatives throughout the region,” according to Goliad County Sheriff’s Office Operation Lone Star expenditure records obtained by the Observer.
Other Texas customers that have purchased CobbWebs’ software include the Dallas Police Department, Houston Police Department and the Jackson County Sheriff’s Office, which shares access with the Matagorda County Sheriff’s Office, according to local government minutes and DPS emails.
Prior to its acquisition by Penlink, CobWebs Technologies had received criticism for how its products were used by customers. In 2021, Meta banned seven companies, including CobWebs, that it identified as participating in the online surveillance contracting ecosystem. As part of the sanctions, Meta removed 200 accounts operated by CobWebs and its customers. Meta’s investigators identified CobWebs customers in Bangladesh, Hong Kong, the United States, New Zealand, Mexico, Saudi Arabia, Poland and other countries, the company wrote in its report.
According to Meta’s report, CobWeb’s clients aren’t just focused on public safety activities: “We have also observed frequent targeting of activists, opposition politicians, and government officials in Hong Kong and Mexico,” the report said.
Police agencies around the world use Tangles, including El Salvador’s police force, which used it at least from 2021 to 2022, according to investigative journalism outlet El Faro. Mexico’s police force has also purchased the software, according to Mexico City newspaper Excelsior.
According to emails obtained by the Observer, in 2022, a Cobweb Technologies sales representative asked a DPS employee if the state agency could act as a customer introduction for the Israeli police agency. In the email, the sales representative said DPS had at least 20 Tangles users at the time. DPS’s new acquisition plan allows for 230 named users.
Wessler, the ACLU attorney, said selling mobile device data to third-party data brokers and surveillance technology companies remains a legal gray area. “While there is some legal framework that defines the boundaries of this issue, there are many issues where the law has not yet caught up,” Wessler said.
But other government agencies have already stopped buying products that make extensive use of cellphone location data, he said. Such services can be expensive, their data use is intrusive and there is little evidence they have significantly aided investigations or solved many cases, he added.
“It’s like the juice isn’t worth it,” Wessler said. “We shouldn’t be spending taxpayer money on a haystack of data where they’re trying to pick out needles, right?”