Mr. Bishop was seeking their support. An outside Republican group was looking for something more. It wanted their data.
Unknown to the crowd, the Committee to Defend the President, a Republican political-action committee that supports Mr. Trump, had hired a company to collect unique identification numbers from attendees’ smartphones that evening, based on location data those phones were sending to third parties. The goal was to target ads at people it could drive to the polls the next day. Mr. Bishop won by about 3,800 votes.
The PAC now plans to use the technique, which is called geofencing, in the run-up to the 2020 presidential election in about half a dozen swing states to find people who may not be registered to vote, said its chairman, Ted Harvey.
“It’s another aggressive, on-the-ground effort to get those people identified,” Mr. Harvey said.
Democratic and Republican candidates, political parties and outside groups are increasingly tapping into a new source of data as they gear up for the 2020 election: your smartphone. That is allowing for more granular—and sometimes invasive—voter targeting than has been used before.
Armed with this data, campaigns can track down and segment potential voters based on apps they use and places they have been, including rallies, churches and gun clubs. In some cases, voters might see an ad on their mobile phone. In others, companies can match data to a specific person, allowing campaigns to determine who gets a fundraising call or a knock on the door.
In September 2018, the campaign of then-Senate candidate Beto O’Rourke was able to identify some attendees’ mobile device ID numbers during a rally with musician Willie Nelson.
A company collected the unique ID numbers of phones that pinged their location while at the event, according to people familiar with the Senate campaign. The company, working with an O’Rourke campaign consulting firm, then matched some of those IDs with contact information, such as email addresses. The resulting list allowed the campaign to follow up with those contacts later on. “It’s just a neat idea, and it worked,” one of the people said.
Mr. O’Rourke’s presidential campaign hasn’t so far gathered data this way, people familiar with the matter said.
Political campaigns have long compiled exhaustive lists of all registered voters from state offices or other groups. They later supplemented that with demographic and purchasing information from data brokers in an approach called “microtargeting” that has been used for years. Now detailed information gathered from smartphones is adding a new dimension to those techniques.
“It’s the marriage of the online and offline data about the individual—that’s the biggest force multiplier,” said Justin Miller, a political data consultant who has worked on campaigns for Barack Obama and Hillary Clinton.
While some are treading more lightly in data collection in the wake of the Cambridge Analytica scandal, in which a data firm tied to President Trump’s 2016 campaign improperly accessed data of Facebook users, others are forging ahead until there is a consensus on where the lines will be drawn.
“I would gladly trade job security for more privacy,” said Mr. Miller. “But since we don’t have it, I’ll keep building models.”
Among the most personal—and powerful—pieces of information available about voters are their location histories.
Many popular smartphone applications frequently broadcast their location to an array of online data brokers and advertising companies. It can come through code called software-development kits, or SDKs, hidden inside apps, or as part of the information that apps auction off to ad companies, testing from The Wall Street Journal shows.
Generally, apps ask for permission to access users’ location, and apps may need to be open to transmit that data. Apps get better ad rates—and are sometimes paid directly—when they send this data to advertisers and brokers.
Such precise location data can over time reveal where you live and where you work. It can also lead to more personal insights, such as when you go to the gym, which doctor you frequent or how often you attend religious services. (See tips on how to limit location tracking below.)
Companies can tie location data to an individual’s identity by matching an advertising ID number associated with a phone to customer information, or by matching the address a phone pings at night with lists purchased from data brokers.
Textfree, a texting and calling app ranked among the most popular lifestyle apps in the U.S., sends latitude and longitude data, along with a unique ID, to multiple tech companies that help supply ads, including Rubicon Project Inc. and OpenX Technologies Inc., often many times per minute, according to Journal testing.
Other companies can tap that flow of advertising information, known as the “bidstream,” either directly or through intermediaries, according to industry executives. That allows such companies to track locations over time, or—as in the case of Mr. Harvey’s Committee to Defend the President—draw a fence around a location and identify devices that were there at a given moment.
Greg Woock, chief executive of Pinger Inc., the maker of Textfree, says that the company is “clear about advertising in our terms of service” and that users can decline to share their location in their phone settings.
During the 2018 midterm election, the conservative advocacy group CatholicVote drew on information harvested from SDKs in mobile apps to identify people who had set foot in Catholic churches at least twice within 60 days and assigned them a “religious intensity score” based on the frequency of their visits, according to the group and a consulting firm that worked for it. CatholicVote used that information to target roughly 600,000 people with ads for five Senate races, mostly in the Midwest.
One ad in Missouri in support of Republican Josh Hawley for U.S. senator called his opponent, Democrat Claire McCaskill, “anti-Catholic.” Sen. Hawley won. His 2018 campaign manager, Kyle Plotkin, said the campaign was unaware of the targeting. Ms. McCaskill didn’t respond to requests for comment.
“It’s no secret that the more often you go to church, generally the more conservative you are,” said Brian Burch, president of CatholicVote, who said the technique was more successful than other methods of targeting Catholics.
CatholicVote and its consultants said they didn’t match names with the smartphone data, only individuals’ home addresses. In the future, Mr. Burch said he hopes to use geofencing to select which volunteers to send to visit which homes. “You’re far less likely to slam the door in the face of someone you’re going to see the next week in church,” he said.
Many apps’ privacy policies say they gather user locations to help target advertising, but the use of such data for political purposes is rarely disclosed prominently, if at all. Data collection from apps is generally legal in most states as long as it is disclosed. The U.S. Federal Trade Commission can investigate if it believes users should have been told more specifically of certain uses of their data, privacy lawyers say.
In the European Union, a new privacy law usually forbids collection of certain types of sensitive data—such as about one’s religion, health or political opinions—without explicit consent.
Several political operatives and campaign officials say they have sought out data from technology companies—including Los Angeles-based Factual Inc. and San Francisco-based NinthDecimal Inc.—that supply location-based services to commercial clients.
Companies commonly use the firms to target ads at people who have visited their stores or those of competitors, or to identify people in the market, say, for a new car because they have visited dealerships.
Factual says it gets location data in large part directly from app developers. It also has its own code integrated into apps such as Perfect365, which allows users to simulate how their faces look in various types of makeup, according to app-intelligence services MightySignal Inc. and Apptopia Inc. Perfect365 sends data to Factual and at least three other location-data firms, Journal testing shows, often including users’ precise latitude and longitude.
A spokesman for Factual says the company works to gather data only from apps that gather appropriate consent, and has policies in place to stop clients from zeroing in on individuals’ identities.
NinthDecimal and Perfect365 didn’t respond to requests for comment.
In 2018, a group opposing a California proposition aimed at curbing profits at dialysis centers used IQM Corp., a political ad-tech firm, to collect bidstream data from mobile phones to target mobile ads to people who visited California dialysis centers a few times a week, according to people familiar with the matter. The proposition failed.
The Committee to Defend the President, the Republican PAC that plans to keep targeting people who attend some of Mr. Trump’s rallies, turned to Louisville, Ky.-based El Toro.
El Toro tells clients that it can pinpoint devices that were in a place going back six months and deliver digital ads to any device in the home of a specific voter, according to pitch documents reviewed by the Journal. The company promises to boost turnout by at least 5%, or campaigns get their money back in big campaigns, the documents say.
Users include candidates and political groups on both the left and the right, according to Federal Election Commission records.
Elevate Ohio, a liberal PAC, spent at least $20,000 on El Toro for a few advertising buys in 2018, said Jeff Ruppert, the PAC’s treasurer and counsel. Mr. Ruppert said Elevate Ohio and other progressive PACs he is involved in used El Toro for races including for Democrat Sherrod Brown, who won his U.S. Senate race, as well as losing campaigns for the U.S. House and Ohio’s governor’s office.
Among the locations where the progressive Ohio PACs have used El Toro or similar firms to collect device information were Ohio State football games and political rallies.