The Trump campaign app is tapping a "gold mine" of data about Americans
President Trump's campaign app is targeted to his most fervent supporters, but it is able to collect data about a swath of the American public far larger than his base.
The app requests access to significantly more information from each user's phone than Joe Biden's, and is on as many as 1.4 million devices, compared to 64,000 for Biden, according to figures provided to CBS News by Apptopia.
And the data collected from Trump's app can be poured into an information ecosystem designed to replace the Facebook features — since disabled — that made the 2016 Cambridge Analytica scandal possible, according to a former executive for the firm that developed the app.
Both campaigns see value in your contact list
Download either "The Official Trump 2020 App" or the "Team Joe App,"and you are quickly asked to provide the campaigns with access to your contacts. You don't have to click "OK," but if you do, the campaigns know the name and number of everyone whose information you have stored. At no point do the campaigns ask those contacts for permission to have that information, and they are not legally required to.
A person's contact list is a particularly valuable set of data, said Eliran Sapir, the CEO of Apptopia.
"One particular permission that is probably the biggest gold mine is the phone book. That's essentially the social network on your phone," Sapir said.
Since many people have hundreds of contacts on their phone, Sapir said the Trump campaign's contact list data haul is "orders of magnitude" larger than Biden's.
"With 1.4 million downloads, that could result in tens of millions, maybe a hundred million plus, phone numbers," Sapir said.
A list of these names and phone numbers is especially useful when cross-referenced with data collected from other sources, said Jacob Gursky, a University of Texas at Austin researcher who analyzed the apps with fellow researcher Samuel Woolley. The pair called the Trump app "a voter surveillance tool of extraordinary power" in an article in the MIT Technology Review.
"By connecting you with your personal relationships, they're able to have you blur the line between your personal life and the political and create more effective messaging than they could ever create on their own," said Gursky.
The Trump campaign did not reply to questions sent by CBS News about the app, its data permissions and its developer.
A Biden campaign official confirmed in an email to CBS News that the campaign uses the contact lists to figure out who to target.
"Users are asked to upload their contact lists to suggest the best contacts to message about the Biden campaign," the official said. "The contact information is used for no other purpose and will be safely erased once the campaign concludes. Users can also decline sharing their contacts, and the app then functions more as a campaign newsfeed."
The official said no other personal data is collected from the Biden campaign app.
The Trump campaign app doesn't just ask for access to your friends' contacts. The app seeks permission to access a far more extensive list of data than Biden's, including:
A phone's unique device ID, which Sapir called "a valuable piece of data" that is useful when targeting ads to specific people.
Bluetooth access, and "approximate" and "precise" location data, which allow for the collection of very detailed information about a person's movements.
Find accounts associated with other apps on the device, which Sapir said is useful in "fingerprinting," a targeted digital advertising method that involves using a variety of data about individuals to create profiles of them.
Read, write, or delete files stored on the phone, a permission that Sapir said is typically limited to files and folders associated with the app, such as photos, videos or documents downloaded from messaging and social media apps
Change audio settings, a permission often associated with video and music apps.
The Trump campaign did not reply to questions about these permissions. The Biden campaign official criticized the Trump app's list of permissions and noted the Biden app was developed "completely in-house so that we could be deliberate about protecting the data and privacy of our supporters."
A look inside Phunware
The Trump app was developed by a company called Phunware, which has a significant stockpile of data to work with. Phunware says on its website that it has the ability to collect data from more than one billion active mobile devices per month. The campaign and Phunware did not reply to questions about whether the campaign's data is matched with Phunware's data.
A former Phunware executive, Ian Karnell, told CBS News the company's pitch to political clients was that it could replace the data that Facebook had taken away, the so-called "Graph API" that allowed Cambridge Analytica to collect a wealth of information about millions of people and their connections.
"We said, 'We have this mobile graph that has years of device ID information that we've matched with voter records with some of the biggest voter record databases in the United States at that point. And we'll be able to share that graph data back with you. You can extract that and leverage that," Karnell said.
Karnell said the Trump campaign app includes an "egregious" set of permission requests.
"They want access to everything. The ability to aggregate all of the different data points that one can collect from a mobile device from a geolocation perspective: where you live, where you work, where you shop," said Karnell.
Karnell was not involved in developing the Trump campaign app. He launched an internal investigation in 2016 that allegedly revealed the "lion's share" of charges to Uber, a former Phunware customer, were based on fraudulent data. The investigation was cited by Uber in an ongoing legal dispute between the two companies.
Karnell is referred to as "Employee B" in documents filed by Uber, but he agreed to be identified by CBS News.
Phunware has denied all allegations by Uber and, in a declaration filed last October, Phunware CEO Alan Knitowski denied Karnell's description of alleged fraudulent practices, calling it "flat out wrong." Karnell was fired by Phunware in 2018 for what Phunware called "poor performance."
Knitowski referred questions about the app to the Trump campaign. Asked if his former employee's description of Phunware's political operation was accurate, Knitowski said in an email, "nobody but the company is authorized to speak for the company on anything.
"Please understand that you are not authorized or permitted to publish anything on Phunware that doesn't come from the company … especially from people that don't even work here," Knitowski wrote.
Karnell said that one of Phunware's major offerings to corporate and political clients is data drawn from proximity beacons, stationary devices that use Bluetooth signals to collect information about phones that pass nearby.
Karnell said prior to working for the Trump campaign, Phunware used the devices to collect information at rallies and marches.
"We were looking to identify audiences of individuals who would show up at women's marches, and did that longitudinally. I wanted to be able to find out, are we seeing new mobile devices?" Karnell said.
Karnell said those beacons can be crucial to identifying voters who may have soured on Trump in the past four years, by highlighting people who attended rallies in 2016, but may not have attended this year.
When the Trump campaign debuted its website on May 10, 2017, its privacy policy initially included language that referred to proximity beacons. The reference to proximity beacons was removed that day after CBS News asked about it. In July 2019, soon after Phunware began working for the campaign, it added back that language.
"We may also collect other information based on your location and your device's proximity to 'beacons' and other similar proximity systems, including, for example, the strength of the signal between the beacon and your device and the duration that your device is near the beacon," the privacy policy reads.
Jennifer Stromer-Galley, the author of the book "Presidential Campaigning in the Internet Age," said Trump's app is far superior to Biden's in terms of "content and functionality, and also the data that's being collected about you and your behaviors."
"I would say the Biden app is more or less a failure. It does not have native features or content. It doesn't provide for any of the kinds of tools you would expect from a (presidential campaign's) mobile application," said Stromer-Galley, the director of Syracuse University's Center for Computational and Data Science.
The Biden campaign did not respond to Stromer-Galley's criticism.
The incumbent's advantage
Trump's 2016 app was created by a company called uCampaign. The Android coding framework for Phunware's 2020 version still includes several references to uCampaign. And the Android store download page for the 2020 Trump app continued this year to link to uCampaign's privacy policy, not the Trump campaign's, until June 25, when CBS News inquired about it.
uCampaign's CEO Thomas Peters said in an email that his company wasn't involved in producing the 2020 app, but that the 2020 campaign had used its 2016 "bundle ID" to automatically make the new app available as an update to anyone who had downloaded the old one.
In practical terms, this gave the Trump campaign a tremendous advantage. The Trump apps' 1.4 million downloads date back to August 2016, according to Apptopia data. By comparison, Biden's app has been downloaded just 64,000 times since its launch in December.
Karnell said the data that can be compiled from that massive app user base can provide the Trump campaign with a significant advantage in identifying undecided or persuadable voters.
"If I'm (the campaign), I want to know the people that I can influence. Who's not necessarily sold on voting for Trump again and so it's a land grab for as much data as they can get. They're limited this time in what they could do on Facebook, so they're doing it this way," Karnell said.
A quest to understand that kind of "land grab" led The New School professor David Carroll to Britain's High Court of Justice. Carroll's July 2017 lawsuit against London-based Cambridge Analytica for the data it had collected about him was at the center of the Netflix documentary "The Great Hack."
Carroll said one of the lessons of his effort to get his set of the 5,000 data points Cambridge Analytica claimed to have stored about millions of Americans was that political data gathering is "a wild west."
"There are no rules, anything goes, and we just can't have a system that's anything goes. I think what the Cambridge Analytica scandal showed us more generally is that there are certain issues for which people do care about their privacy, and politics is one of those," Carroll said.