Targeted Advertising Fuels Government Surveillance: How Your Location Data is Being Harvested and Used Without Warrants

The unsettling experience of encountering online advertisements that seem to possess an uncanny knowledge of our lives has become a common digital phenomenon. While often perceived as a mere annoyance or a testament to sophisticated marketing algorithms, new reporting has unveiled a far more disturbing reality: the very same online advertising systems are being exploited by government agencies to conduct warrantless surveillance, specifically tracking individuals’ locations. This revelation, confirmed by recent investigative journalism, highlights a critical intersection of pervasive data collection practices and unchecked governmental power, raising profound concerns for individual privacy and civil liberties.

For years, the internet advertising industry has operated on a model of extensive data harvesting, continuously collecting a vast array of user information, including precise location data. This data is ostensibly used to serve what are termed "more relevant ads." However, parallel to this commercial surveillance, federal law enforcement agencies have been actively purchasing location data from a shadowy network of data brokers, entities largely unknown to the general public. This practice bypasses traditional legal safeguards, such as warrants, that would normally be required to obtain such sensitive personal information.

A recent report, uncovered by the investigative outlet 404 Media, provides direct evidence that U.S. Customs and Border Protection (CBP) has leveraged location data sourced from the internet advertising ecosystem to track individuals’ movements. The report centers on a CBP document that explicitly admits the agency’s utilization of "commercially available marketing location data." This admission confirms long-standing concerns that the technical infrastructure powering targeted advertising also serves as a conduit for state surveillance. The document details how CBP’s program drew upon the processes used in selecting targeted ads, processes that are integral to nearly every website and application encountered online. This insight into the mechanisms of ad targeting and its repurposing for surveillance is crucial for understanding the scope of the problem and the potential solutions.

The Intertwined Nature of Advertising and Government Surveillance

The online advertising industry has, in effect, constructed a massive surveillance apparatus. In the absence of robust privacy legislation, surveillance-based advertising has become the default mode of operation online. Companies meticulously track users’ online and offline activities, subsequently sharing this data with ad technology firms and data brokers. These entities then utilize the information to refine ad targeting. Law enforcement agencies, recognizing this infrastructure, exploit it to acquire data that would typically necessitate a court-ordered warrant, most notably location data. They rely heavily on the multi-billion dollar data broker industry, which acts as an intermediary for acquiring location data harvested from individuals’ smartphones.

Evidence of this practice has been accumulating for years. Federal law enforcement agencies, including immigration enforcement bodies like CBP and Immigration and Customs Enforcement (ICE), have been documented as utilizing location data brokers as a significant component of their surveillance capabilities. Reports have indicated that ICE, CBP, and the FBI have purchased location data from brokers such as Venntel, using it to identify immigrants who were subsequently arrested. In a particularly concerning development last year, ICE acquired a sophisticated surveillance tool known as Webloc. This software is capable of collecting location data from millions of phones daily, making it remarkably easy to search for specific phones within defined geographic areas over extended periods. Webloc also offers the capability to filter location data by unique advertising identifiers assigned by Apple and Google to individual devices, further deepening the invasiveness of this surveillance.

The recent document obtained by 404 Media represents the first time CBP has openly acknowledged that a portion of the location data it procures originates from the real-time bidding (RTB) system, the very engine that drives the majority of online advertisements. CBP’s own documentation states that "RTB-sourced location data is recorded when an advertisement is served." Although the document specifically pertains to a pilot program conducted between 2019 and 2021, CBP and other federal agencies have demonstrably continued to purchase and employ commercially obtained location data. ICE, for instance, has acquired additional location tracking tools since then and has recently expressed interest in "Ad Tech" tools for investigative purposes, signaling an ongoing reliance on these data streams.

CBP’s acknowledgment highlights two primary methods through which location data is harvested and fed into the ad ecosystem: Software Development Kits (SDKs) and RTB. Applications designed for a wide range of purposes – from weather and navigation to dating, fitness, and "family safety" – often request location permissions to function. Once granted, this access can be exploited. Apps might share location data directly with data brokers via SDKs embedded within their code, or indirectly, and often without the app developers’ explicit knowledge, through RTB mechanisms. Data brokers can secure location data from SDKs by paying app developers to integrate their tracking technologies. In the case of RTB, data brokers bypass the need for direct relationships with individual apps and websites, leveraging the extensive network of ad companies already integrated into most online platforms.

The Mechanics of Real-Time Bidding: A Gateway to Mass Surveillance

Real-time bidding (RTB) is the automated auction process that facilitates the display of most online advertisements. In a process that unfolds in mere milliseconds, ad spaces on websites and applications are offered to advertisers. Crucially, these rapid auctions not only determine which advertisements users see but also expose sensitive personal information, including precise location data, to potentially thousands of companies daily.

The fundamental vulnerability of RTB lies in the fact that while only one advertiser ultimately wins the auction and displays their ad, all participating entities receive data about the user who was targeted. This creates an environment where any entity posing as an ad buyer can gain access to a continuous stream of sensitive data pertaining to billions of individuals each day. Data brokers have capitalized on this loophole, harvesting location data at an unprecedented scale. For example, the Federal Trade Commission (FTC) reported that location data broker Mobilewalla collected data on over a billion individuals, with an estimated 60% of this data originating from RTB auctions. Leaked data from another prominent location data broker, Gravy Analytics, has revealed associations with thousands of applications, including those from major tech companies, popular games, dating apps, fitness trackers, and even religious-focused applications. In many instances, app developers have disavowed any knowledge of these data brokers collecting their users’ information.

Venntel, a data broker that has supplied information to ICE, explicitly states on its website that "Commercially available bidstream data from the advertising ecosystem has long been one of the most comprehensive sources of real-time location and device data available." The privacy implications of RTB extend beyond the actions of individual data brokers. The very architecture of RTB auctions broadcasts sensitive personal data to thousands of companies hundreds of times per day, with virtually no oversight regarding how this information is ultimately exploited. Once data is disseminated through RTB, it becomes exceedingly difficult, if not impossible, to trace its recipients or control its subsequent use.
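
The bid request fan-out described above, as an added example that is not part of the original article: it audits a bid request for the fields that allow per-device location tracking and minimizes them before the request is broadcast to bidders. It assumes the OpenRTB 2.x field layout (device.ifa, device.ip, device.ipv6, device.geo, user.id); the sample values and the function names are constructed for illustration.

```python
import copy
import ipaddress

# Constructed sample in OpenRTB 2.x layout (assumed format; values are made up).
# Every bidder invited to the auction receives this object, not just the winner.
SAMPLE_BID_REQUEST = {
    "id": "auction-0001",
    "app": {"bundle": "com.example.weather"},
    "device": {
        "ifa": "00000000-aaaa-bbbb-cccc-000000000001",  # advertising identifier
        "ip": "203.0.113.77",
        "geo": {"lat": 38.897676, "lon": -77.036530, "type": 1, "accuracy": 12},
    },
    "user": {"id": "u-constructed-42"},
}

def _coarse_ip(ip):
    """Reduce an address to its network (/24 for IPv4, /48 for IPv6)."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def tracking_fields(req, geo_decimals=1):
    """Name the fields that let a recipient follow one device between auctions."""
    device, found = req.get("device", {}), []
    if device.get("ifa"):
        found.append("device.ifa")
    if req.get("user", {}).get("id"):
        found.append("user.id")
    for key in ("ip", "ipv6"):
        if device.get(key) and _coarse_ip(device[key]) != device[key]:
            found.append(f"device.{key}")
    geo = device.get("geo", {})
    if any(k in geo and round(geo[k], geo_decimals) != geo[k] for k in ("lat", "lon")):
        found.append("device.geo")
    return found

def minimize_bid_request(req, geo_decimals=1):
    """Return a copy for fan-out: no stable IDs, network-level IP, coarse geo."""
    out = copy.deepcopy(req)
    out.pop("user", None)
    device = out.get("device", {})
    device.pop("ifa", None)
    for key in ("ip", "ipv6"):
        if device.get(key):
            device[key] = _coarse_ip(device[key])
    geo = device.get("geo")
    if geo is not None:
        # One decimal degree is roughly 11 km; type and accuracy go with the fix.
        device["geo"] = {k: round(geo[k], geo_decimals) for k in ("lat", "lon") if k in geo}
    return out
```

Running tracking_fields on the sample before and after minimize_bid_request shows which fields a bidder could otherwise join across auctions into a movement history.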

Protecting Your Digital Footprint: Individual and Systemic Solutions

The revelations concerning the government’s exploitation of location data underscore the escalating dangers of pervasive online tracking. However, individuals are not entirely powerless in safeguarding their digital privacy. Several key steps can be taken to enhance protection:

  • Limit Location Sharing: Users can disable location services on their mobile devices altogether or restrict app access to location data on a case-by-case basis. This involves navigating to the privacy settings on both iOS and Android operating systems and carefully reviewing app permissions.
  • Adjust Ad Tracking Settings: Both Apple and Google provide mechanisms for users to limit ad tracking. By disabling "Limit Ad Tracking" on iOS or "Opt out of Ads Personalization" on Android, users can reduce the unique advertising identifiers associated with their devices, making it harder for advertisers and data brokers to build comprehensive profiles.
  • Utilize Privacy-Focused Browsers and VPNs: Employing browsers that prioritize privacy, such as Brave or DuckDuckGo, and using Virtual Private Networks (VPNs) can help mask IP addresses and encrypt internet traffic, adding layers of protection against tracking.

For more comprehensive guidance, resources like the Electronic Frontier Foundation’s (EFF) guides on protecting oneself from mobile-device-based location tracking offer detailed strategies. The most effective security measures often depend on individual circumstances and the specific risks involved. For instance, heightened precautions may be warranted when visiting sensitive locations, such as participating in protests or engaging in activities where digital surveillance could have significant repercussions.

The Imperative for Tech Companies and Lawmakers to Act

The burden of defending personal data should not fall solely on individuals. Tech companies and lawmakers must take decisive action to address the systemic issues that enable widespread surveillance.

Ad tech companies bear a significant responsibility for their role in facilitating warrantless government surveillance, alongside other privacy harms. The systems they have developed for targeted advertising are actively being repurposed for tracking individuals’ locations. The most effective method to prevent online advertising from fueling surveillance is to move away from targeting ads based on detailed behavioral profiles. Contextual advertising, which targets ads based on the content a user is viewing rather than their personal data, offers a privacy-preserving alternative.

Beyond this fundamental shift, tech companies can mitigate the use of their systems for government location tracking by:

  • Implementing Stricter Data Access Controls: Ad tech platforms should establish robust verification processes for buyers of location data, ensuring that only legitimate entities with a demonstrable need and legal basis can access such information.
  • Enhancing Transparency: Companies should provide clear and understandable information to users about how their data is collected, shared, and used, particularly in the context of advertising and data brokerage.
  • Adopting Privacy-Preserving Technologies: Investing in and implementing technologies that minimize data collection and enhance user privacy by design can significantly reduce the amount of sensitive information available for exploitation.

Lawmakers also have a critical role to play in protecting constituents’ privacy. The enactment of strong federal privacy laws is essential to curb the pervasive spying and selling of personal information. The EFF advocates for data privacy legislation with robust enforcement mechanisms and a ban on ad targeting based on online behavioral profiles, recognizing that such targeting creates a powerful financial incentive for companies to engage in extensive user tracking.

Furthermore, legislators must address the "data broker loophole" that undermines the Fourth Amendment. Currently, law enforcement agencies can bypass the constitutional requirement of obtaining a warrant signed by a judge by simply purchasing sensitive location data from private brokers. The state of Montana recently took a significant step by becoming the first state to pass a law prohibiting the government from acquiring sensitive data that would otherwise necessitate a warrant. In 2024, Senator Ron Wyden’s EFF-endorsed "Fourth Amendment is Not for Sale Act" passed the House of Representatives, indicating growing legislative concern, though it ultimately stalled in the Senate. Similar legislative efforts are crucial to close this end-run around constitutional protections.

The practice of online behavioral advertising is not merely an inconvenience; it represents a significant threat to privacy and civil liberties. The silent harvesting, opaque sale, and subsequent invasion of privacy through data brokers and government agencies is unacceptable. The recent revelations concerning warrantless government surveillance, facilitated by the ad tech ecosystem, should serve as a stark and urgent wake-up call regarding the profound dangers posed by pervasive online behavioral advertising. The continued exploitation of this data infrastructure without adequate legal oversight and public accountability poses a direct challenge to fundamental rights, demanding immediate and comprehensive action from all stakeholders.
