(Headline article below) A good write up on the farce the government uses to avoid the 4th amendment, as well as the government not passing privacy legislation to protect smartphone users. And you can deny apps access to location, and just turn off phone location unless you need it (definitely don’t use Google’s precision location utilizing WiFi, BT…), also utilize airplane mode… Google will let you delete the ad identifier, turn off some tracking, set it to delete all data after 90 days… And when installing apps, pay close attention to data safety (Roblox below), and you can deny apps access to location data. Also, with Android, any apps you need on occasion where you don’t like their data safety policy, you can stop from running in the background unless you’re using them, stopping them again afterwards. And next year we should have a Motorola Graphene OS phone option for much better privacy (you can install Graphene OS on Pixel devices now).
https://reclaimthenet.org/the-us-government-built-a-tracking-bazaar
The government spent years defending a market that sells anyone’s location to anyone with money and the bill just came due in a war zone.
By Ken Macon
Last week, the Pentagon admitted that foreign adversaries have been using commercial phone data, the kind harvested from everyday apps and sold to anyone with money, to locate American troops in an active war zone. It is the same data the US government has spent years buying for itself, mostly because buying it lets agencies skip the warrant a court would otherwise make them get.
The reason buying beats asking goes back to one ruling. In 2018 the Supreme Court decided in Carpenter v. United States that police need a warrant to pull a person’s location history from a phone company.
The ruling said nothing about buying that same history from a company that had already collected it.
Brokers harvest location data from ordinary apps and games, clean it up, and sell it to whoever has the budget. Agencies noticed they could purchase the exact records a judge would otherwise have to approve. So they purchased them.
The list of buyers is long and it crosses administrations. Customs and Border Protection paid the broker Babel Street more than $2.7 million for a tracking subscription in 2019 and another $265,000 the next year.
The Secret Service bought app location data from the same company.
The Treasury Department’s sanctions office paid Babel Street $154,982 in July 2021.
The IRS bought location data. The NSA buys Americans’ browsing records, the websites they visit, and the apps they open, and the Navy got its surveillance feed through an adtech firm.
The FTC has separately gone after brokers like X-Mode, Mobilewalla, and Venntel for selling Americans’ movements, including to government agencies, without anyone’s consent.
Consent was the word agencies hid behind. Somewhere in an app’s terms of service a user had tapped “agree,” and the government treated that tap as permission to buy the resulting location trail without a warrant, a subpoena, or a judge ever hearing about it. When the Secret Service was challenged on it, the agency’s position was that Americans had consented to being tracked by using their phones in the first place. The argument was thin. It held up mostly because almost no one outside a handful of senators was paying attention.
The stakes climbed as the tools improved. A heap of location pings is one thing when a human has to sift through it and something else when software can sort millions of devices in seconds and flag the ones that sleep on a base.
Wyden has warned that artificial intelligence turns these stored troves into something far more dangerous than they were when agencies first started buying.
The Department of Homeland Security signed a contract worth roughly $1 billion with Palantir to build AI-driven surveillance that runs on exactly this kind of purchased data.
More than 130 civil society groups asked Congress to close the broker loophole during the last surveillance reauthorization fight, warning that leaving it open would feed a new generation of automated tracking.
Ron Wyden was one of the few paying attention and he has spent years trying to close the gap. Bills keep getting written. The Fourth Amendment Is Not for Sale Act passed the House. The Government Surveillance Reform Act, written with Senator Mike Lee, would require warrants for these purchases.
Senators Bill Cassidy, Elizabeth Warren, and Marco Rubio reintroduced a separate bill to stop brokers from selling lists of military personnel to China, Russia, Iran, and North Korea.
None of it has become law. The FTC keeps suing individual brokers one at a time, which Wyden has compared to playing whack-a-mole while the trade underneath keeps running.
The government’s appetite has not cooled. In March, FBI Director Kash Patel sat in front of the Senate Intelligence Committee and Wyden asked him to commit to not buying Americans’ location data. Patel declined, saying the bureau “uses all tools” to do its mission and that the data had produced valuable intelligence.
It was the first time since 2023 that the FBI admitted it was actively buying again. Back then, Patel’s predecessor Christopher Wray had told senators the bureau had bought such data before but stepped away from it. Wyden called the current practice an “outrageous end-run around the Fourth Amendment.” Patel did not disagree so much as decline to stop.
This is the market the government protected, funded, and refused to give up, because skipping the warrant was convenient. The problem with building a place where anyone’s movements are for sale is that adversaries carry credit cards too.
On May 28, Wyden and Representative Pat Harrigan released an unclassified response from US Central Command. CENTCOM reported it had received multiple threat reports about, in its own words, “adversary exploitation of commercial location data to target or surveil U.S. personnel in theater.”
The document was dated in April. Wyden’s office said the holdup was markings restricting public release, which Wyden pushed on until the response came out.
The confirmation came for an operation CENTCOM calls Epic Fury, in a region that covers the Gulf, where American forces spent the spring trading fire with Iran around the Strait of Hormuz.
This is the first time the government has admitted on the record that the broker data it loves has been turned around and used against US forces in an active conflict.
The data flows the way it always does. Apps on a soldier’s phone collect location, sell it to brokers, and the brokers resell it down a chain of middlemen. Some of it leaks through the ad auction itself, where a single request to show you an ad broadcasts your location and device details to dozens of companies at once, any of which can keep the record. A unique advertising ID ties those records to one device. Collect enough of them and you can follow a person day after day.
Wyden and Harrigan wrote that this same data reveals where troops gather and their “pattern of life,” which an adversary can use to aim missiles, drones, and roadside bombs.
None of this is a surprise to anyone who runs the military. The Wall Street Journal reported in 2016 that the phones of American soldiers in conflict zones could be followed through commercial data.
In 2023 researchers at Duke University set out to measure how easy it would be for a foreign adversary to buy data on US troops. They scraped hundreds of broker sites, then bought servicemember records from a US web address and again from one ending in .asia, to show a foreign buyer could do it just as easily. Reacting to the findings, Senator Warren said brokers were “selling sensitive information about service members and their families for nickels.”
The exposures kept coming. Reporters at Wired and two German outlets bought broker data and mapped the daily movements of people in and around 11 US military and intelligence sites in Germany.
A study from the Army Cyber Institute at West Point, published in February, found that 21.2% of the 1,000 most requested internet resources on the Army’s unclassified networks were tracker domains, sites built to harvest data.
Those trackers accounted for nearly 42% of all web requests. The same surveillance economy the FBI shops in runs straight through the Army’s own servers.
The market was already being used against ordinary Americans long before anyone worried about the troops.
Wyden saw the whole shape of it a while ago. Back in 2024, applauding an FTC action against a location broker, he said the brokers had let the government surveil Americans without a warrant and let foreign countries “spy on service members with just a credit card.” That was a year and a half before CENTCOM confirmed it had happened.
For civilians, the exposure is constant and nobody sends a memo about it. For years the major wireless carriers sold their customers’ real-time location to aggregators that resold it down the line, until it reached bail-bond agents and bounty hunters.
In 2019 reporters at Vice paid a bounty hunter $300 and got back the location of a test phone. One trail ran through a prison-phone company called Securus, which a Missouri sheriff used to track people without a court order.
The FCC fined AT&T, Verizon, T-Mobile, and Sprint nearly $200 million in 2024, long after the practice surfaced and after the carriers had kept selling for about a year past the point they promised to stop. The phones belonged to ordinary people, so it stayed a consumer-protection story.
The brokers also leak. In January 2025 a hacker, reportedly Russian, broke into Gravy Analytics and made off with around 17 terabytes of location data. Gravy tracks more than a billion devices and pulls in roughly 17 billion location signals a day.
The sample the hacker posted to a cybercrime forum drew precise movements from thousands of everyday apps, among them Candy Crush, Tinder, fitness apps, period trackers, and prayer apps.
The leaked points fell on the White House, the Kremlin, the Vatican, and US military bases. The FTC had ordered Gravy to stop selling sensitive location data only weeks before the breach, which did nothing for the records already sitting on the company’s servers.
None of it produced anything like the reaction the CENTCOM memo got. The Gravy breach made headlines for a few days and the trade carried on. The data is collected the same way from the same apps whether the phone belongs to a private in theater or a teenager grinding through Candy Crush. A soldier’s location gets called a national security threat. A civilian’s location is the product working as designed.
The fix the lawmakers are now asking for is small enough to be embarrassing. Turn off the advertising IDs on military phones, switch off location sharing in the field, and stop putting Google’s Chrome on government devices in favor of a browser that collects less.
Harrigan said Chrome browsers “are built from the ground up to collect and share user data,” and that leaving them on military phones hands adversaries a weapon against American troops.
Google said Chrome had “industry-leading security” and noted it has pushed for tougher rules on data brokers. The Pentagon told reporters it would answer Wyden directly and said nothing else, though it mentioned it was switching to a system that can disable location services on government phones, with a target date of early May. Whether that happened is unclear.
So the government spent the better part of a decade defending a loophole because buying data was easier than asking permission. Fourteen members of Congress are now alarmed that the loophole runs both directions. It was always going to. A market that sells anyone’s location to anyone with money does not check which side the buyer is on.