A small Nebraska company is helping law enforcement around the world spy on users of Google, Facebook and other tech giants. A secretly recorded presentation to police reveals how deeply embedded in the U.S. surveillance machine PenLink has become.
PenLink might be the most pervasive wiretapper you’ve never heard of.
The Lincoln, Nebraska-based company is often the first choice of law enforcement looking to keep tabs on the communications of criminal suspects. It’s probably best known, if it’s known at all, for its work helping convict Scott Peterson, who murdered his wife Laci and their unborn son in a case that fomented a tabloid frenzy in the early 2000s. Nowadays the company has been helping cops keep tabs on suspected wrongdoing by users of Google, Facebook and WhatsApp – whatever web tool that law enforcement requests.
With $20 million revenue every year from U.S. government customers such as the Drug Enforcement Administration, the FBI, Immigration Customs Enforcement (ICE) and almost every other law enforcement agency in the federal directory, PenLink enjoys a steady stream of income. That doesn’t include its sales to local and state police, where it also does significant business but for which there are no available revenue figures. Forbes viewed contracts across the U.S., including towns and cities in California, Florida, Illinois, Hawaii, North Carolina and Nevada.
“PenLink is proud to support law enforcement across the U.S. and internationally in their effort to fight wrongdoing,” the company said. “We do not publicly discuss how our solution is being utilized by our customers.”
Sometimes it takes a spy to get transparency from a surveillance company. Jack Poulson, founder of technology watchdog Tech Inquiry, went incognito at the National Sheriffs’ Association’s winter conference in Washington. He recorded a longtime PenLink employee showing off what the company could do for law enforcement and discussing the scale of its operations. Not only does the recording lift the lid on how deeply involved PenLink is in wiretapping operations across the U.S., it also reveals in granular detail just how tech providers such as Apple, Facebook and Google provide information to police when they’re confronted with a valid warrant or subpoena.
Scott Tuma, a 15-year PenLink veteran, told attendees at the conference that the business got off the ground in 1987 when a law enforcement agency had an abundance of call records that it needed help organizing. It was in 1998 that the company deployed its first wiretap system. “We’ve got those, generally, scattered all over the U.S. and all over the world,” Tuma said. Though he didn’t describe that tool in detail, the company calls it Lincoln.
Today, it’s social media rather than phones that’s proving to be fertile ground for PenLink and its law enforcement customers. Tuma described working with one Justice Department gang investigator in California, saying he was running as many as 50 social media “intercepts.” PenLink’s trade is in collecting and organizing that information for police as it streams in from the likes of Facebook and Google.
The PenLink rep said that tech companies can be ordered to provide near-live tracking of suspects free of charge. One downside is that the social-media feeds don’t come in real time, like phone taps. There’s a delay – 15 minutes in the case of Facebook and its offshoot, Instagram. Snapchat, however, won’t give cops data much more than four times a day, he said. In some “exigent circumstances,” however, Tuma said he’d seen companies providing intercepts in near real time.
Making matters trickier for the police, to get the intercept data from Facebook, they have to log in to a portal and download the files. If an investigator doesn’t log in every hour during an intercept, they get locked out. “This is how big of a pain in the ass Facebook is,” Tuma said. PenLink automates the process, however, so if law enforcement officers have to take a break or their working day ends, they’ll still have the intercept response when they return.
A spokesperson for Meta, Facebook’s owner, said: “Meta complies with valid legal processes submitted by law enforcement and only produces requested information directly to the requesting law enforcement official, including ensuring the type of legal process used permits the disclosure of the information.”
Jennifer Granick, surveillance and cybersecurity counsel at the American Civil Liberties Union, reviewed the comments made by Tuma. She raised concerns about the amount of information the government was collecting via PenLink. “The law requires police to minimize intercepted data, as well as give notice and show necessity,” she said. “It’s hard to imagine that wiretapping 50 social media accounts is regularly necessary, and I question whether the police are then going back to all the people who comment on Facebook posts or are members of groups to tell them that they’ve been eavesdropped upon.”
She suggested that Tuma’s claim that a “simple subpoena” to Facebook could yield granular information – such as when and where a photo was uploaded, or when a credit-card transaction took place on Facebook Marketplace – may be an overreach of the law.
There’s a lot of nuance involving where government actions might stray over the line, said Randy Milch, a New York University law professor and former general counsel at telecoms giant Verizon Communications. “While I’m sympathetic to the idea that the government is going to ask for more than it needs, simply saying ‘too much data must mean an overreach’ is the kind of arbitrary rule that isn’t workable,” he told Forbes. “The government doesn’t know the amount of the data it’s seeking” before the fact. Milch noted that the Stored Communications Act explicitly allows for subpoenas to collect records including names, addresses, means and source of payment, as well as information on session times and durations.
‘Google’s the best’
In his Washington talk, Tuma gushed over Google’s location-tracking data. Google “can get me within three feet of a precise location,” he said. “I cannot tell you how many cold cases I’ve helped work on where this is five, six, seven years old and people need to put [the suspect] at a hit-and-run or it was a sexual assault that took place.” If people are carrying their phones and have Gmail accounts, he said, law enforcement “can get really lucky. And it happens a lot.” Facebook, by comparison, will get a target within 60 to 90 feet, Tuma said, while Snapchat has started providing more accurate location information within 15 feet.
Snapchat didn’t respond to requests for comment.
Tuma also described having a lot of success in asking Google for search histories. “Multiple homicide investigations, I’ve seen it: ‘How to dispose of a human body,’ ‘best place to dump a body.’ Swear to God, that’s what they search for. It’s in their Google history. They cleared their browser and their cookies and things, they think it’s gone. Google’s the best.” A Google spokesperson said the company tries to balance privacy concerns with the needs of police. “As with all law enforcement requests, we have a rigorous process that is designed to protect the privacy of our users while supporting the important work of law enforcement,” the spokesperson said.
Tuma described Apple’s iCloud warrants as “phenomenal.” “If you did something bad, I bet you I could find it on that backup,” he said. (Apple didn’t respond to requests for comment.) It was also possible, Tuma said, to look at WhatsApp messages, despite the platform’s assurances of tight security. Users who back up messages effectively remove the protection provided by the app’s end-to-end encryption. Tuma said he was working on a case in New York where he was sitting on “about a thousand recordings from WhatsApp.” The Facebook-owned app may not be so susceptible to near real-time interception, however, as backups can only be done as frequently as once a day. Metadata, however, showing how a WhatsApp account was used and which numbers were contacting one another and when, can be tracked with a surveillance technology known as a pen-register. PenLink provides that tool as a service.
All messages on WhatsApp are end-to-end encrypted, said a company spokesperson, and it’s transparent about how it works with law enforcement. “We know that people want their messaging services to be reliable and safe – and that requires WhatsApp to have limited data,” the spokesperson said. “We carefully review, validate and respond to law enforcement requests based on applicable law and in accordance with our terms of service, and are clear about this on our website and in regular transparency reports. This work has helped us lead the industry in delivering private communications while keeping people safe, and has led to arrests in criminal cases.” They pointed to a release last year of a feature that allows users to encrypt their backups in the iCloud or Google Drive, while noting that when they respond to a law enforcement request, they don’t provide the data to any private company like PenLink, but directly to law enforcement.
Going dark or swimming in data?
In recent years, the FBI and various police agencies have raised concerns about end-to-end encryption from Google or Facebook cutting off valuable data sources. But Tuma said that Silicon Valley’s heavyweights aren’t likely to start hiding information from police because it would mean doing the same to advertisers. “I always call B.S. on it for this reason right here: Google’s ad revenue in 2020 was $182 billion,” Tuma said.
Granick of the ACLU said that such claims showed that the FBI, contrary to what the bureau claimed, wasn’t losing sight of suspects because of encrypted apps like WhatsApp. “The fact that backups and other data are not encrypted creates a treasure trove for police,” Granick said. “Far from going dark, they are swimming in data.” It’s noteworthy that Signal, an encrypted communications app that’s become hugely popular in recent years, does not have a feature that allows users to back up their data to the cloud.
Indeed, the amount of data being sent by the likes of Google and Facebook to police can be astonishing. Forbes recently reviewed a search warrant in which the police were sent 27,000 pages of information on a Facebook account of a man accused of giving illegal tours of the Grand Canyon. Tuma said he’d seen even bigger returns, the largest being around 340,000.
Though its headcount is small – less than 100 employees, according to LinkedIn – PenLink’s ability to tap a wide range of telecoms and internet businesses at scale has made the company very attractive to police over the last two decades. Over the last month alone, the DEA ordered nearly $2 million in licenses and the FBI $750,000.
Through a Freedom of Information Act request, Forbes obtained information on a $16.5 million PenLink contract with ICE that was signed in 2017 and continued to 2021. It details a need for the company’s suite of telecommunications analysis and intercept software applications, including what it called its PLX tool. The contract requires PenLink, at a minimum, to help wiretap a large number of providers, including AT&T, Iridium Satellite, Sprint, Verizon, T-Mobile, Cricket, Cablevision, Comcast, Time Warner, Cox, Skype, Vonage, Virgin Mobile and what the government calls “social media and advertising websites” such as Facebook and WhatsApp.
PenLink’s work wouldn’t be possible without the compliance of tech providers, who, according to Granick, “are storing too much data for too long, and then turning too much over to investigators. Social media companies are able to filter by date, type of data, and even sender and recipient. Terabytes of data are almost never going to be responsive to probable cause, which is what the Fourth Amendment requires.”