Since people around you will think you are also wearing a tinfoil hard, you had better stick to the phones with hardware switches as sibling comment mentions
https://securitylab.amnesty.org/latest/2025/12/intellexa-lea...
The fact that we still just allow arbitrary 3rd party code to run through ad networks is bizarre.
It's interesting to imagine how things would change if those ad-networks were legally liable for their role in spreading scams and malware.
This is another reason why you should not be carrying a phone everywhere except for times where you absolutely need one.
And it's a pretty new account.
The location data in these networks is very inaccurate. Your OS and browser actually do a pretty good job of locking down your location data unless you give explicit permission. It's in the ad network's interests to lie about the quality of their data - so a lot of the "location" data is going to be a vaguely accurate guess based on your IP address.
But also, location data is really important to ads right now because, contrary to common perception, per user tracking is very, very hard. Each SDK might be tattling on you, but unless you give them a key to match you across apps, each signal from each app is unique. Which is why you are often served advertisements based on what other people on your network is searching - it's much easier to just blast everyone at that IP address than it is to find that specific user or device again in the data stream.
Bidstream data in particular is very fraught. You're only getting the active data at the point the add is served, but it's not easy to aggregate in any way. You'll be counting the same person separately dozens or hundreds of times with different identifiers for each. The data you get from something like Mobilewalla is not useful for tracking individuals so much as it's useful for finding patterns.
I think it's pretty telling from the few examples shared about how agencies actually use the data:
>"CBP uses the information to “look for cellphone activity in unusual places,” including unpopulated portions of the US-Mexico border."
>According to the Wall Street Journal, the IRS tried to use Venntel’s data to track individual suspects, but gave up when it couldn’t locate its targets in the company’s dataset.
>In March 2021, SOCOM told Vice that the purpose of the contract was to “evaluate” the feasibility of using A6 services in an “overseas operating environment,” and that the government was no longer executing the contract
Something is going to have to be figured out about this data - realistically the only way is a sunset on customized advertisements. However, I would personally not be worried (yet) that the government is going to be able to identify an individual and track them down using these public sources as they currently are.
Many devices, when running, and in some cases even if turned off but connected to their battery, will ping cell towers (maybe even BLE/Wifi) and get triangulated by the network infrastructure (such as cell towers) without actively broadcasting the GPS location.
That's why I don't quite understand why the gubernment needs to have finer grained data (esp around the US/Mexican border). Precision location info would only be needed if you need to track people in densely populated areas.
But it is necessary to send it somewhere, otherwise the internet wouldn't work.
Unfortunately it seems to have become accepted for our devices to communicate constantly and often with services we never explicitly started communication with (like Ad networks used in Apps).
Permission systems on devices should care about Network connections just as much as Location. Ideally when installing an app you'd get the list of domains it requests to communicate with, and you could toggle them. Bonus points if the app store made it a requirement to identify which Domains are third parties and the category like an Ad service.
The problem is that we have markets where we: - Incentivize organizations to pursue profits at the expense of everything else, which includes social good and civic rights - Rarely hold bad actors accountable (and almost never in a timely manner)
Which means, given enough time, we're always going to trend to whatever makes the most money. Targeted advertising makes money, and will continue to do so unless or until we collectively decide to make it a greater risk to profits than it is today.
You'd be surprised what can be done when data from different source is fused together.
Large-Scale Online Deanonymization with LLMs: https://news.ycombinator.com/item?id=47139716
Robust De-anonymization of Large Sparse Datasets: https://www.cs.cornell.edu/~shmat/shmat_oak08netflix.pdf
Let me share a thing:
Factual, a company that specializes in hyperlocal geofencing, uses geofencing much smaller than the self-regulation that their industry allows in their own rules. I learned this after a coworker quit because our company was allowing ad targeting to people using these smaller geofences. The whole company had an all-hands about it where the CEO of the company told everyone that we were not going to stop using Factual nor the smaller-than-allowed geofences because we, ourselves, were not the ones to produce those geofences. We were just a man in the middle helping to build a system to track people at high resolution.
Please try to reconcile with what your industry has and continues to destroy.
I don't see anything contradictory between your comment and the OP. Having an amoral CEO who condones breaking geotargeting self-regulation doesn't contradict OP's claim that it's hard to tie geotargeting data in bidstreams back to a particular person.
The US government contracts with commercial data providers stipulate that all US data must be removed. There are quite a few regulatory controls that are adhered to.
There’s really not any legal practical way to avoid ALPRs.
I’m pretty sure the government knows where I am 24/7. I’m not going to worry about targeted advertising by the government anymore and just worry about it the people reselling it to non-governments for use.
https://web.archive.org/web/20070920193501/http://www.radaro...
The invasion of privacy has been slow, creeping, and just waiting for that Turnkey Tyrant. We fooled ourselves into thinking we'd never elect someone who would turn that key. But in reality the key has been slowly turning, until finally it opened the latch
> 1. Disable your mobile advertising ID
> 2. Review apps you’ve granted location permissions to.
I'm surprised they missed the most important step, which is blocking the advertisers from collecting your data in the first place. This is easily done in the browser with uBlock Origin and system-wide with DNS filtering.
Whatever you are doing is meaningless privacy theatre
Like yeah, sure, governments collecting data deserves scrutiny. 100%. But at least in most democracies there are audits, oversight bodies, privacy commissioners, courts, access to information laws, etc. There are actual mechanisms where someone can ask “why are you doing this?” and force an answer.
Meanwhile we hand over our location, browsing habits, shopping patterns, sleep schedule, and probably our favorite pizza topping to dozens of private companies every day. Those companies can aggregate it, sell it, profile you, feed it into ad markets, train models with it, or ship it across borders… and most of the time nobody outside the company even knows it’s happening.
So yeah, data collection in general is worth debating. But the irony is wild when people lose their minds over the one place that at least has some governance and accountability, while the entire private ad-tech ecosystem is basically “trust us bro” with a 40-page terms of service nobody reads.
For years, people have been sharing everything they do, what they do, people they spent time with, where they live.
Advertisement industry just adds more info to complete your profile, what you buy, what you watch, what you speak online, etc.
I think it’s more concerning that programmers seem to have no care or shame about designing systems that works against the users’ interests. Did you share something intimate in our chat? Well it’s not E2E, moron, we have that now. How could you be this stupid?
I can’t think of another profession (except pure value extraction types) which revels in exploiting people for not having the time or care to arrange their digital lives around the booby traps that nerds set for them.
Anecdotally, it feels like it fits right in with the "if there's no cop around to give me a ticket, I can drive however I want" attitude I've seen post-Covid. People entering two-way turn lanes or HOV merge lanes to PASS people in the main lane. People going through stop signs without any stopping while I'm waiting for my turn. Using the HOV on-ramp lane with only the driver to merge onto the freeway where it's clearly marked "24 hour HOV lane", etc.
It's as if the entire social compact evaporated during/after Covid, and "everyone only out for themselves" is the norm now.
Or maybe I'm just more aware of it and more cynical.
I concur on missing the turn of the century optimism that tech could make a brighter future.
When a poor lad comes on a work visa and is elevated from a literal poverty to a somewhat decent standard of living, would you expect them to stand up and make sure some camera recordings can’t be used in a way they aren’t supposed to be used? Do you expect them to even consider if their management may abuse that some years in the future (when the code is an unholy mess of duct tape and all the effort goes into making it work for the stated purpose), when their mind is all busy thinking about bills, health, family abroad, and the general sense of doom impending with pandemics and wars and extreme corruption all around? Nah, that lad’s also being exploited here, not exploiting others. Not that any sins are absolved but he’s a lot less of a monster than your comment paints. And there are corporations with tens of thousands of such lads and lasses and other folks. And that’s just one of myriad of possible nuances that break the trope of evil programmers screwing the world up.
Blame the rot that starts at the head, it’d be at least a bit more accurate.
> I can’t think of another profession
That’s because you framed the criteria so narrowly that it includes almost only programmers. And even then you still confused between management and implementors. And even then you’re forgetting the management, who’s definitely more to blame than workers.
The only people who didn't understand this were either delusional or being paid not to.
A very easy, effective, multi-layer setup:
1. Browser adblocker
2. Pi hole running locally
3. Pi hole at your home network router level
And 4, not as easy but effective, a firewall like Little Snitch
Edit: the other good news is your old data loses value quickly, so starting today is still very effective: you haven’t missed the boat yet!
1. Adblocking via private DNS (e.g. https://mullvad.net/en/help/dns-over-https-and-dns-over-tls)
2. Prefer websites over native apps wherever possible
3. Browser adblocker
Hosts file adblocking is also possible on a phone where you have root.
A law that says the government can't ask for this stuff doesn't help very much. They'll ignore it when it suits them.
A law that says it's illegal for private companies to hand it over would be better. When caught between a request from the government and a law that says they're not allowed to honor that request, there's a good chance they'll obey the law rather than the rogue agency.
A law that says it's illegal for private companies to collect this data in the first place would be even better. It could still be worked around, but it's more likely to be uncovered, and they'd only get data after the point where they convinced a company to start collecting it.
The issue here isn’t simply “lack of privacy law.” It’s:
1. apps collecting precise location data in the first place,
2. adtech infrastructure broadcasting that data through RTB,
3. brokers aggregating and reselling it,
4. government agencies buying it to avoid the constraints that would apply if they tried to collect it directly, and
5. regulators failing to stop any of the above in a meaningful way.
European law is relevant to some of that, but not as a magic shield. GDPR and ePrivacy principles are obviously more restrictive on paper than the US free-for-all, especially around consent, purpose limitation, data minimization, and downstream reuse. But “on paper” is doing a lot of work there. Europe has had years of complaints about RTB specifically, and yet the adtech ecosystem did not exactly disappear. That should tell you something.
So the real answer is: yes, a stronger privacy regime can help, but no, this is not a problem that gets solved by vaguely importing “European-style privacy laws” as a concept. If the underlying business model still allows mass collection, opaque sharing, and resale of location data, then state access is a policy choice away. Governments don’t need to build a panopticon if the commercial sector already did it for them.
Also, the most important legal question here is not just whether private companies should be allowed to collect/sell this data. It’s whether the government should be allowed to buy commercially available data to do an end-run around constitutional and statutory limits. That is a distinct issue. You need rules for both the commercial market and state procurement, otherwise the state just shops where the Fourth Amendment doesn’t reach.
In other words, the contrast is not “Europe = protected, US = authoritarian.” The contrast is between systems that at least attempt to constrain collection and reuse, and systems that let surveillance markets mature first and ask questions later. Even in Europe, enforcement gaps, law-enforcement carveouts, and institutional incentives matter enormously.
So if the goal is to understand the story, the useful question isn’t “would Europe stop this?” It’s “what combination of collection limits, resale bans, procurement bans, audit requirements, and enforcement would actually make this impossible in practice?” Anything short of that is mostly aesthetics.
Unless you have some body which is a) serious about enforcement, b) sufficiently toothful to make a dent and c) not undermined by wider geopolitical posturing or economic neutering, you can have all of the regulation you might want and still end up in the same place. I'm not arguing that we shouldn't try and control this, but that we have some extremely large genies to stuff back into bottles along the way.
- you always denied those popups
- .. including any hidden legitimate interest sections that are being treated as a second, opt-out "consent" for things that really don't actually qualify as legitimate interest
- and the companies actually followed it
Then in theory the companies won't have that data. But doing 1 is tedious, companies exercise dark patterns to avoid you doing 2, and it's hard to audit if they've done 3, so most people are probably in those data sets.
Also, a government likely to buy this data for purposes like in the original article, is unlikely to be the type of government that goes around slapping companies for not complying with privacy regulation on that data.
It's similar to when you use Linux or an obscure privacy-preserving browser. You've made yourself way more unique just by doing that.
(I'm not sure how the math works out though, vs. actually running all that nasty tracking stuff.)
But, yeah, anti-fingerprinting is still a useful signal if less people do it. So more people should do it; especially if they're less likely to be targeted.
"More haystack" makes their job harder.
It was able to track me as long as my IP address didn't change, but as soon as I switched VPN endpoints, it gave me a new identifier.
More of us should learn to do things the hard way more often, and to be familiar with less-convenient things. There are life-changing advantages to doing things the hard way at least some of the time.
For the user there is no way to pay the 0.0000001c that it takes to load a web page, for the web master there is no way to get paid the $10,000 it takes to serve the users. So we settled on advertising which can somewhat cover those costs since each individual add is basically worthless but an add campaign isn't.
The problem is so complex that every action you take compounds and extends far beyond what you realize. Especially as we're living in such a connected world. Those ripples propagate through all the ponds we've connected together.
I don't think it's money, convenience, or any of that. I think it's just that the world is getting more and more complicated. That our actions and inactions have larger and larger effects. We've done a lot of good, but we've also made it a lot easier to feel the flapping of a butterfly's wings on the other side of the planet.
Does sharing location with family (Android) leak any data?
"Jeffrey Epstein’s Island Visitors Exposed by Data Broker" - https://www.wired.com/story/jeffrey-epstein-island-visitors-...
ece•1d ago