Naked Security

Google & Apple pushed to reveal gun scope app users’ names to feds

It's a first: The government has never demanded personal data of a single app's users from Apple & Google.

US Immigration and Customs Enforcement (ICE) is looking into illegal exports of a gun scope, and its investigation includes going after Apple and Google to get them to hand over the names of people using an associated gun-scope app.

The Department of Justice (DOJ) on Thursday filed a court order demanding that the two companies turn over data on some 10,000 users of Obsidian 4: an app from American Technologies Network Corp. (ATN) that connects the scope to smartphones or tablets via Wi-Fi so that gun owners can watch a live video stream of their hunt and calibrate their smart scope.

Apple doesn’t release app download numbers, but Google Play says that the app’s been downloaded over 10,000 times. How many of those installs are from actual users is another question, though, given how many recent reviews say that they’re only downloading in protest of the government demanding that Google and Apple hand over a list of the app’s users.

The court order was supposed to be sealed, but Forbes got hold of it before it was hidden from public view.

If the DOJ gets a court to sign off on the demand, Apple and Google will be told to hand over the names of anyone who downloaded the scope app from 1 August 2017 to the present; their telephone numbers and IP addresses, which can be used to determine where the users are located; and session data, such as when users were operating the app.

ATN itself isn’t under investigation in connection with the alleged illegal exports. The court order reportedly describes an intercepted shipment of the company’s scopes, in violation of the International Traffic in Arms Regulations (ITAR). The shipments didn’t hold the required import licenses when they were reportedly found in Hong Kong, Canada and the Netherlands.

According to the court order, the data it’s demanding will help ICE find app users thought to be in violation of the laws. From the document:

This pattern of unlawful, attempted exports of this rifle scope in combination with the manner in which the ATN Obsidian 4 application is paired with this scope manufactured by Company A supports the conclusion that the information requested herein will assist the government in identifying networks engaged in the unlawful export of this rifle scope through identifying end users located in countries to which export of this item is restricted.

Fishing expedition

Privacy experts such as Tor Ekeland, a privacy-focused lawyer, told Forbes it was a fishing expedition that could ensnare data on thousands of innocents, whose information could then be used to “go after someone for something else”.

It’s also likely that the government could issue the same type of broad demand to go after user data from other types of apps, such as dating or health apps. Ekeland said:

There’s a more profound issue here with the government able to vacuum up a vast amount of data on people they have no reason to suspect have committed any crime. They don’t have any probable cause to investigate, but they’re getting access to data on them.

Jake Williams, a former NSA analyst and now a cybersecurity consultant at Rendition Infosec, told Forbes that if the request is granted, it could have a “serious chilling effect on how people use the Google and Android app stores.”

The idea that Google could be compelled to turn over, in secret, all of my identifiers and session data in its possession because I downloaded an application for research is such a broad overreach it’s ridiculous.

12 Comments

“The court order was supposed to be sealed, but Forbes got ahold of it before it was hidden from public view.”
Makes you ponder how frequently they do this secret spying. One more dirty little secret of a once proud government.

It seems obvious that 10,000 individuals did not send shipments overseas. So why do they need to breach the privacy of all 10,000?
What probable cause was offered?
Why not go after those who exported?
BTW Mahhn – ITAR has been a law for MANY many years – even before your definition of ‘once proud’. Your obvious focus on 1 administration belies your prejudice and brings your credibility into question.
The mind is like a parachute – it works best when open

I’ll give you a pass on slandering me since you don’t know me. I know these types of warrants have happened for decades, that doesn’t make them okay. Once proud, refers to 40 years ago – although there was still corruption and secrets, there were less, and far more national pride than today. I don’t give a poop who is in the admin seat, haven’t liked anyone since the ’80’s but that’s none of your business. Your mind is like a parachute, only helps one person. I’m talking on a larger scale than just today.

Thumbs up for the first half of your comment. But where do you see any reference to “1 administration”? That “once proud” description covers a long stretch of time, going back to the 18th century. Mahhn did not specify any distinct point in time, so it seems to me that you’re forming conclusions of your own with no sound basis. Open your own parachute!

When we have to start handing over information such as this, legally obtained by the end user, god only knows what our governments are going to do with that information. I know I was there, I am a retired peace officer, it’s the old adage, you give them an inch and they’ll take a yard, not a foot mind you a yard, do you see where I’m going with this? These apps weren’t developed for criminals, they were developed for legitimate use by ethical and legitimate hunters and sport shooting individuals and will be used to persecute and prosecute law abiding gun owners, both in CANADA & the Great UNITED STATES OF AMERICA, certainly for sure here in Canada, we’ve seen it happen here before!!!!

Difficult one – how to get the balance between privacy and public good when you have things that can be seriously misused. We had a similar debate when the wearing of seat belts was made compulsory. Everyone knew someone who was saved through being thrown clear. The reality was that for something like every person whose injuries were worse through wearing a seat belt, there were 99 whose injuries were less (living instead of dying in some cases) and it didn’t take people long to accept where the balance was. The problem in this case is as much the fact that we don’t know about it. Would it be more honest if some apps were classified and use reported (to authorities) openly – if you had a legitimate use for the app, then there would be no problem?

Maybe I’m way off here, I’m not an attorney after all, but when a warrant is requested, the items/information that are sought are named in the warrant. If you don’t know what you’re looking for, you can’t get a warrant. Why not use that principle of least privilege here? If the government is looking for people using this app in countries where export of the scope is restricted, then why not name those countries to Google and Apple and request information only on usage from those countries? Would that not protect the law abiding citizens while giving law enforcement the data it needs?

That would be a far fairer way of pulling warrants. But fair doesn’t fit in here, ease of getting all the names, verifying who still has theirs (someone is going to knock on that door) then following up on those that don’t is what I would expect is what’s in process. Glad I don’t have one, I’m sure everyone that has FBI people knocking on their door is going to be very – uncomfortable, guilty or not.

Kudos Sophos for raising awareness.

They just keep trying, keep pushing the Constitution’s edges, hunting for that special hole that the Supreme Court will give them to make random unwarranted personal data mining legal, and secret. With the SC we’re stuck with for decades, the only protection now is voting. Take the jackbooters out of office.

Clearly there are too many people who have no clue about international law such as ITAR and EAR. Both of which this item falls under because of its dual purpose (civilian and military) application.
Looking at the Google Play store, Obsidian 4 does not include an ITAR/EAR warning as it should. Also rates at 2.9 which doesn’t bode well for its reliability.
For anyone who owns one of these things, a) did you read your included documentation? There should be a warning. And b) dude, I’m jealous. How good is it? ATN usually makes good stuff.

In which court was the warrant request filed? None of the articles, that I have read on this news story, have identified the particular court.
