How CBP's Phone Tracking via Ad Data Exposes Modern Surveillance

GhostShield Security Team
GhostShield VPN

The Wired Report: CBP's Warrantless Location Dragnet

In 2020, a Wired investigation titled "The US Border Patrol Is Using 'Smartphone Location Data' to Track Immigrants" pulled back the curtain on a modern surveillance dragnet. The report revealed that U.S. Customs and Border Protection (CBP), along with Immigration and Customs Enforcement (ICE), had been purchasing access to a sprawling database of smartphone location information. This data wasn't obtained through warrants or targeted surveillance operations. Instead, it was bought off the shelf from commercial data brokers.

The core revelation was both simple and alarming: through standard procurement contracts, federal law enforcement agencies gained access to the precise movements of millions of smartphones within the United States. This data was originally harvested from ordinary mobile apps—think weather, games, or shopping apps—through embedded software development kits (SDKs) from advertising networks and data brokers. The stated purposes ranged from border security and detecting cross-border tunnels to general immigration enforcement.

The legal justification hinges on a decades-old principle known as the "third-party doctrine." Established in Supreme Court precedents, this doctrine holds that information you voluntarily share with a commercial entity (like an app developer or a phone company) is not protected by the Fourth Amendment's warrant requirement. In the government's view, by allowing an app to access your location, you've "shared" that data with a third party, forfeiting your reasonable expectation of privacy. This loophole allows agencies to purchase sensitive geolocation data they would otherwise need a judge's sign-off to collect directly, effectively outsourcing surveillance to the private sector.

From Ads to Ankle Monitors: The Anatomy of Ad Data Surveillance

To understand the scale of this issue, you need to follow the data pipeline. It’s a multi-step process that turns a simple app download into a government tracking tool.

The Tracking Pipeline:

  1. The Permission Grant: A user downloads a common, often free, app and grants it location permissions, sometimes without realizing the "Always Allow" setting is selected.
  2. The Hidden Code: The app contains an SDK from an ad network or a data broker (like Venntel, Babel Street, or X-Mode, as identified in reports from Wired and The Wall Street Journal). This SDK collects not just your location, but a device identifier such as an Advertising ID (AAID on Android, IDFA on iOS).
  3. Data Aggregation: Precise location pings—accurate to within a few meters, compared to cell tower triangulation's imprecise hundreds of meters—are collected, timestamped, and bundled with the device ID.
  4. The Brokerage Market: Data brokers aggregate this information from thousands of apps, creating comprehensive movement profiles. They can infer home and work addresses, daily routines, and associations based on co-location with other devices.
  5. Government Procurement: Agencies like CBP and ICE then purchase access to these databases. Public records requests have revealed contracts, such as a CBP deal with Venntel worth over $500,000.

Real-World Impact: This isn't a theoretical privacy concern. The American Civil Liberties Union (ACLU) has documented how ICE used this commercially purchased location data to track and arrest immigrants. Investigations have shown the capability to track devices visiting sensitive locations, including clinics and places of worship. The data is so precise and pervasive that it functions as a digital ankle monitor for the entire population, deployed without any individual suspicion.

Why This Is a Sea Change in Government Surveillance

The shift represented by this practice is fundamental. It moves law enforcement capability from targeted investigation to persistent, population-scale observation.

Scale vs. Specificity: Traditional surveillance tools—a wiretap, a GPS tracker placed on a single car—require justification and are limited in scope. This ad-data procurement model enables the persistent location tracking of millions of devices simultaneously, the vast majority belonging to individuals not under any investigation. It inverts the traditional model of "suspect first, surveillance second" to "surveillance always, suspect identified later."

Circumventing Oversight: This model cleverly bypasses all three pillars of democratic oversight:

  • Judicial: No warrant is required from a judge.
  • Legislative: No new law was passed by Congress authorizing this specific activity; it exploits an old legal doctrine in a new technological context.
  • Public: The contracts are often hidden behind procurement veils, with details only emerging through leaks and FOIA requests.

The Chilling Effect: As highlighted by civil liberties organizations like the Electronic Frontier Foundation (EFF) and the ACLU, the knowledge that one's movements can be so easily archived and analyzed by the state can deter people from exercising fundamental rights. This includes attending protests, visiting reproductive healthcare facilities, seeking legal counsel, or reporting crimes to law enforcement. It creates a society where anonymity in public becomes a relic of the past.

Regulatory Whack-a-Mole: Attempts to Curb the Practice

Recognizing the threat, regulators and legislators have begun to respond, but progress is fragmented and slow.

The FTC's Stance: In August 2022, the Federal Trade Commission took a landmark action by filing a complaint against data broker Kochava. The FTC alleged that Kochava’s sale of precise geolocation data, which could be used to track people to sensitive locations, constituted an unfair practice. The FTC has also advanced a broader rulemaking initiative aimed at curbing "commercial surveillance and lax data security."

State-Level Actions: States are stepping into the void. California's Delete Act, signed in 2023, establishes a mechanism allowing consumers, with a single request, to demand the deletion of their personal data held by registered data brokers. Similar legislative efforts are underway in other states, creating a patchwork of protections.

Federal Bill Stalemate: At the federal level, a direct solution has been proposed but remains stalled. The bipartisan Fourth Amendment Is Not For Sale Act (S. 1265, H.R. 2738) would explicitly close the third-party doctrine loophole for sensitive data like location. It would require government agencies to obtain a warrant or court order before purchasing Americans' data from data brokers. Despite support from privacy advocates across the political spectrum, the bill has not yet been brought to a vote, highlighting the legislative gridlock on this issue.

Actionable Steps: How to Minimize Your Location Exposure

While systemic change requires legislation, you can take immediate steps to dramatically reduce the amount of location data you leak into the commercial ecosystem. Your goal is to shrink your digital footprint.

1. Audit and Restrict App Permissions (Do This Now): This is your most powerful defense. Your phone’s location settings are the primary gatekeeper.

  • On iOS: Go to Settings > Privacy & Security > Location Services. Review every app. For most, set it to "While Using" or "Never." Be extremely wary of any app that requests "Always" access—question if it's absolutely critical (e.g., a navigation app). Turn off "Significant Locations" (found at the bottom of the Location Services menu).
  • On Android: Go to Settings > Location or Settings > Privacy > Permission manager. Review and revoke location access for any app that doesn't have a clear, necessary need for it. Also check Settings > Security & Privacy > Privacy > Location Services for system-level controls.

2. Limit Ad Tracking and Reset Identifiers: Your Advertising ID is the key that links your location pings across apps. Limiting its use is crucial.

  • On iOS: Go to Settings > Privacy & Security > Tracking. Disable "Allow Apps to Request to Track." This enforces a global opt-out. You can also periodically go to Settings > General > Transfer or Reset [Device] > Reset > Reset Advertising Identifier to create a new, unlinked ID.
  • On Android (varies by version/manufacturer): Go to Settings > Privacy > Ads (or Google > Ads). Tap "Delete advertising ID" or enable "Opt out of Ads Personalization." Perform this reset regularly.

3. Use Privacy-Focused Tools and Cultivate Awareness:

  • Choose Alternative Apps/Browsers: Opt for browsers like Firefox Focus or Brave, which block trackers by default. Use search engines like DuckDuckGo. Before downloading any app, check its privacy label (iOS) or "Data safety" section (Google Play)—avoid apps that state they collect data and share it with third parties.
  • Understand the Limits of a VPN: A reputable VPN service, like GhostShield VPN, is essential for encrypting your internet traffic and masking your IP address from your ISP and websites. This protects the data you send and receive. However, it's critical to know that a VPN does not prevent location harvesting by app SDKs. If an app has permission to access your phone's GPS or Wi-Fi/Cell-based location services, it can still collect and transmit your precise coordinates. Use a VPN for network privacy, but pair it with aggressive app permission controls for comprehensive location privacy.
  • Consider a De-googled Phone: For advanced users, installing a privacy-focused Android distribution like GrapheneOS (on supported Pixel phones) offers unparalleled control over sensors and network access.
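
The Android permission audit from step 1 can also be done in bulk rather than app by app. The following is an added example, not part of the original article: a Python script that parses the text printed by `adb shell dumpsys package` and lists which apps currently hold location grants, flagging those with background ("Allow all the time") access. It assumes adb is installed and USB debugging is authorized; the sample dump and its package names are constructed for illustration.

```python
import re
import subprocess

LOCATION_PERMS = {
    "android.permission.ACCESS_COARSE_LOCATION": "coarse",
    "android.permission.ACCESS_FINE_LOCATION": "fine",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "background",  # "Allow all the time"
}
HEADER_RE = re.compile(r"^\s*(Package|SharedUser) \[([^\]]+)\]")
GRANT_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=(true|false)")

# Constructed sample in the layout `dumpsys package` prints; package names are made up.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.weather] (1a2b3c):
    requested permissions:
      android.permission.ACCESS_FINE_LOCATION
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
        android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET]
  Package [com.example.game] (4d5e6f):
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET]
"""

def audit_location_grants(dump_text):
    """Return {package: sorted granted location levels} for apps holding any."""
    grants, current = {}, None
    for line in dump_text.splitlines():
        header = HEADER_RE.match(line)
        if header:  # only Package sections name an app; SharedUser blocks are skipped
            current = header.group(2) if header.group(1) == "Package" else None
            continue
        grant = GRANT_RE.match(line)
        if grant and current and grant.group(2) == "true" and grant.group(1) in LOCATION_PERMS:
            grants.setdefault(current, set()).add(LOCATION_PERMS[grant.group(1)])
    return {pkg: sorted(levels) for pkg, levels in grants.items()}

def always_allowed(grants):
    """Packages that can read location in the background ("Always" access)."""
    return sorted(pkg for pkg, levels in grants.items() if "background" in levels)

def dump_from_device():
    """Real input: needs adb and a phone with USB debugging authorized."""
    cmd = ["adb", "shell", "dumpsys", "package"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
```

On a real phone, call `always_allowed(audit_location_grants(dump_from_device()))` and revoke or downgrade anything on the list that does not need constant location access.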

Key Takeaways

  • The Core Issue: The infrastructure of mobile advertising has been co-opted into a pervasive, warrantless government surveillance tool. Agencies like CBP and ICE purchase precise location data harvested from ordinary apps.
  • The Legal Gap: The outdated "third-party doctrine" creates a massive loophole, allowing the government to buy data it would need a warrant to collect directly, eroding Fourth Amendment protections.
  • Unprecedented Scale: This practice enables persistent, population-scale tracking, a fundamental shift from targeted investigations to mass observation that alters the citizen-state power dynamic.
  • Regulation is Lagging: While the FTC and states like California are taking action, comprehensive federal legislation (like the Fourth Amendment Is Not For Sale Act) to close the loophole remains stalled in Congress.
  • You Can Reduce Your Footprint: Proactively and aggressively managing app location permissions, limiting ad tracking, and choosing privacy-focused tools are essential, immediate steps to minimize your exposure in the current landscape.
