n a June day last year, a skinny, dreadlocked 29-year-old rapper known as Tony Da Boss lay in bed in a redbrick apartment on a tree-lined street in Charlotte, North Carolina. It was not the kind of place you’d associate with a million-dollar criminal conspiracy. But Da Boss (real name Damonte Withers) was a leader of the FreeBandz Gang, an amateur hip-hop crew of twentysomethings who were into much more nefarious activities than laying down tracks.
There were warning signs that things were going to get real. Alerts on Da Boss’ iPhone warned that his Google Nest surveillance cameras with views into and outside the apartment had picked up movement. Outside, a full cast of law enforcement personnel from the Secret Service, the U.S. Postal Inspection Service and the local police department were primed to swoop in.
Inside, they found piles of marijuana and multiple firearms. More intriguing, there were bundles of cash alongside fake-ID-card printers, 36 credit card blanks and reams of printouts containing American citizens’ personal data. Investigators spotted the Nest cameras and would soon make the first publicly known federal government demand for customer information and surveillance footage from Google’s smart home division.
From January to June 2018, seven members of Da Boss’ gang pleaded guilty to various identity theft charges. In total they had caused about $1.2 million in damage, using stolen identities to buy luxury cars and iPhones and to lease apartments in Charlotte. Both they and their crimes would have been quickly forgotten as garden variety larceny were it not for the way they stole those identities.
Cops alleged Da Boss and his co-conspirators had access to the Holy Grail for any Internet-age scam artist: a surveillance technology that police and debt collectors use to track most of the United States’ 325 million inhabitants via their Social Security numbers, license plates, address histories, names and dates of birth. The mass-monitoring tech, called TLO, is a product of the Chicago-based credit reporting giant TransUnion, which last year had revenues of nearly $1.9 billion. One brochure for the service promises access to a startling amount of personal data drawn from myriad sources: more than 350 million Social Security numbers of dead and living Americans, 225 million employment histories and four billion address records. Add to that billions of vehicle registrations and call records and you have one of the largest commercial surveillance databases in existence.
It’s used not just by cops but also by debt collectors and private companies carrying out background checks. Private investigators use it to track cheating spouses. But in the wrong hands it can be used to steal the identity of almost anyone in America. And Da Boss and his crew got access to it.
Writing in support of the court order to use the Nest camera footage in its investigation, U.S. Postal Service investigator Randall Berkland said TLO allowed users to research virtually anyone in the United States. Berkland would know: He’d used the tool extensively to investigate several crimes. And, he added, “Users would have unlimited access and resources to commit identity theft and fraud.”
“The opportunity for misuse is massive,” says Cooper Quintin, a technologist with the Electronic Frontier Foundation, which advocates for Internet civil rights. “Even if one were to require a court order for access to this database it could still be stolen by hackers, spies or rogue employees and used for illegal and harmful purposes.”
ounded in 2009, TLO was the brainchild of the data mining pioneer Hank Asher, who died in 2013. The name, an abbreviation of The Last One, was Asher’s final entrepreneurial project, the third of a trio of massive data mining enterprises, which included Database Technologies and Seisint. Database Technologies, whose main product, AutoTrack, was used by insurance companies and cops to hunt down people’s vehicles, merged with Choicepoint in 2000; Seisint, which did much the same as Database Technology on a grander scale, sold to database goliath LexisNexis for $775 million in 2004. In 2008, Choicepoint was bought by LexisNexis’ parent company, Reed Elsevier, for $4.1 billion.
Asher, a bulky, bearded, eccentric savant who admitted to smuggling cocaine into the U.S. in the 1980s (he never faced charges), was an innovator in the field of surveillance via data correlation, long before dark arts companies like Palo Alto, California’s Palantir grew into unicorns sporting multibillion-dollar valuations.
“He was, in my humble opinion, a technology genius, a computer math genius,” says Martha Walters Barnett, a former TLO chief privacy officer. “He was among the first to acknowledge … that insignificant, unrelated pieces of data, when put together in the right way, could become a powerful tool.”
According to a 2004 report in Vanity Fair, Asher’s software helped identify associates of the 9/11 terrorists. It was later celebrated by Dick Cheney and Rudy Giuliani, though privacy activists warned it was a dangerous surveillance tool. Believing the privacy concerns around his work were overblown, Asher went on to create TLO. Though it was designed to hunt child predators, Asher had big ambitions for the product, which stalled after his death. A year later, TransUnion bought TLO for $154 million.
Today TransUnion says TLO is capable of “processing trillions of records at sub-second speeds.” It can quickly uncover relevant data like individuals’ family members and social media profiles. One of the most important features for law enforcement combines photos from surveillance cameras with a huge trove of license plate numbers to nearly instantly track suspect vehicles. Among its biggest government clients are the Department of Justice, the Secret Service and the U.S. Navy. A license for a single user costs less than $1,500 a month.
Barnett says she and Asher worked together to ensure there was no abuse of TLO. Onsite visits would be made to clients, who would undergo a strict vetting process. Only those who passed muster were given a login, Walters says. “We were very selective.”
When it came to law enforcement, TLO was more trusting. From the very beginning, the software was made available to any cop in the country who wanted it.
A TransUnion spokesperson says the same auditing processes are in place today, including site visits for every customer and multiple checks with state authorities to guarantee the authenticity of clients. But on occasion, crooks have found ways to slip through the cracks. And in 2017, the government alleged that a rogue employee at a debt collection company abused access to the database and worked with a group of young gangster rap wannabes to start stealing Americans’ identities.
t remains unclear just how many routes Da Boss and his crew had into TLO. But they had more than one. According to court records, Da Boss and a number of his crew (James Willingham, Deandre Howze and Alexsandera Mobley) had direct access to TLO information. Mobley was querying names on TLO as far back as October 2016, her indictment claims.
At least at times, the rap crew bought their way in with the help of another charged coconspirator, Lakesiah Norman. Norman had direct access to TLO through her part-time work at an unnamed Charlotte debt collection agency between May and October 2017. That’s according to a court document supporting her plea agreement, signed in May 2018.
Norman would query the database, find people with good credit ratings who were ripe targets for identity theft and sell their information, including name, Social Security number and date of birth. Norman did this for at least 20 people, charging just $100 for each victim’s data.
Da Boss’ group got access in other ways, too. A TransUnion spokesperson told Forbes that four other authorized customers of TLO had their access to the database abused by rogue employees to feed the FreeBandz Gang. The spokesperson declined to provide more detail.
The irony that TLO was abused for months by the same kinds of thieves the surveillance tech was designed to ensnare has not been lost on critics of TransUnion. “Their whole business is supposedly identifying people,” says Jay Stanley, a senior policy analyst at the ACLU, “but they can’t even authenticate people who’re their customers.”
nce they’d stolen citizens’ identities, the rappers went on spending sprees, according to the government. The DOJ said the scammers used fake IDs to purchase and resell iPhones and iPads. They leased luxury apartments and purchased expensive cars. In one case, two of the coconspirators took out a fraudulent loan of about $30,000 and used the funds to acquire a 2014 Mercedes-Benz, according to North Carolina court filing supporting Mobley’s plea deal.
It’s unclear if their Nest cameras were bought with illicit funds. But the purchase backfired. Just as the crooks turned the turbo-powered TLO software on its head, cops used the Nests against their owners. In June last year, Postal Service investigator Berkland obtained a warrant ordering Google to hand over all the data related to those cameras. The company complied, shipping surveillance footage back, along with personal details of its owners. It’s the first known case in the United States in which a federal law enforcement agency has demanded information from a Nest provider, and it has obvious implications for anyone who has purchased a smart home appliance that contains a camera or a microphone. The DOJ declined to comment.
A Nest spokesperson says the company doesn’t comment on specific cases but notes that it has received demands for data from governments before, which it has revealed in a transparency report. Within that report are the number of requests received and the percentage of those requests that resulted in data being handed to the authorities. The report doesn’t break down requests by geography, and Nest didn’t provide information on the number of orders from the U.S. government.
The various members of Da Boss’ gang pleaded guilty in July and are awaiting sentencing. It’s the first publicly known fraudulent use of TLO, but it has happened before. TransUnion says that while breaches like the one perpetrated by the FreeBandz Gang members are rare, it wasn’t the first time criminals have gained access to its databases. TransUnion declined to provide any specific detail on other incidents.
Average citizens have little recourse. There’s no easy way to have their information removed from TLO. “As long as such a database exists,” says the EFF’s Quintin, “it is a threat to the privacy of every American.”
Reach Thomas Brewster at [email protected] Cover image by Richard Mia for Forbes.This post was originally published here