I work with Ad Data a lot in my job, and there's a lot of misconceptions about what this data that journalists love to propogate:
The location data in these networks is very inaccurate. Your OS and browser actually do a pretty good job of locking down your location data unless you give explicit permission. It's in the ad network's interests to lie about the quality of their data - so a lot of the "location" data is going to be a vaguely accurate guess based on your IP address.
But also, location data is really important to ads right now because, contrary to common perception, per user tracking is very, very hard. Each SDK might be tattling on you, but unless you give them a key to match you across apps, each signal from each app is unique. Which is why you are often served advertisements based on what other people on your network is searching - it's much easier to just blast everyone at that IP address than it is to find that specific user or device again in the data stream.
Bidstream data in particular is very fraught. You're only getting the active data at the point the add is served, but it's not easy to aggregate in any way. You'll be counting the same person separately dozens or hundreds of times with different identifiers for each. The data you get from something like Mobilewalla is not useful for tracking individuals so much as it's useful for finding patterns.
I think it's pretty telling from the few examples shared about how agencies actually use the data:
>"CBP uses the information to “look for cellphone activity in unusual places,” including unpopulated portions of the US-Mexico border."
>According to the Wall Street Journal, the IRS tried to use Venntel’s data to track individual suspects, but gave up when it couldn’t locate its targets in the company’s dataset.
>In March 2021, SOCOM told Vice that the purpose of the contract was to “evaluate” the feasibility of using A6 services in an “overseas operating environment,” and that the government was no longer executing the contract
Something is going to have to be figured out about this data - realistically the only way is a sunset on customized advertisements. However, I would personally not be worried (yet) that the government is going to be able to identify an individual and track them down using these public sources as they currently are.
I worked in ad-tech for a year before I left the tech industry as a whole. I've also done a fair bit of investigative journalism.
Let me share a thing:
Factual, a company that specializes in hyperlocal geofencing, uses geofencing much smaller than the self-regulation that their industry allows in their own rules. I learned this after a coworker quit because our company was allowing ad targeting to people using these smaller geofences. The whole company had an all-hands about it where the CEO of the company told everyone that we were not going to stop using Factual nor the smaller-than-allowed geofences because we, ourselves, were not the ones to produce those geofences. We were just a man in the middle helping to build a system to track people at high resolution.
Please try to reconcile with what your industry has and continues to destroy.
>Please try to reconcile with what your industry has and continues to destroy.
I don't see anything contradictory between your comment and the OP. Having an amoral CEO who condones breaking geotargeting self-regulation doesn't contradict OP's claim that it's hard to tie geotargeting data in bidstreams back to a particular person.
For example, it was very hard for me to identify myself in an anonymized public dataset of vehicle trips, but I did. It was also hard to FOIA for the documents showing them writing SQL to spot my trip.. but I did.
I remember when the first article was posted. Their method requires two parallel corpuses e.g. people who write on LinkedIn (under their real name) and Reddit.
Also, people who post under their real name are likely to write with their real voice:
> Any deanonymization setup with ground truth introduces
distributional biases. In our cross-platform datasets, the pro-files are likely easier to deanonymize than an average profile: the very fact that ground truth exists implies that the user may not have cared about anonymity in the first place. Similarly, two split-profiles of a single user are inherently alike, whereas two pseudonymous accounts of the same person (e.g., an official and a pseudonymous alt account) might expose more heterogeneous micro-data.
There are whole companies that de-anon ad data as a service. Which gives the lots of data brokers the ability to not do the last mile and feel good about themselves. It’s a joke.
But dude... just think of all the optimal personalized mattres sales they can do with that data. I mean, people that use the bathroom at 3:57pm for seven minutes are 0.00138% more likely to buy a new mattress within the next six months. They need that data. Think of all the unsold mattresses.
i'm not confident they know where i am at all. i routinely get ads on social media for places (super random US states, cities, etc.) nowhere near where i live (SF Bay Area).
Well, in the case of a company trying to market to you, it literally _is_ their business. It makes them money.
The problem is that we have markets where we:
- Incentivize organizations to pursue profits at the expense of everything else, which includes social good and civic rights
- Rarely hold bad actors accountable (and almost never in a timely manner)
Which means, given enough time, we're always going to trend to whatever makes the most money. Targeted advertising makes money, and will continue to do so unless or until we collectively decide to make it a greater risk to profits than it is today.
At this point, your device is not giving anyone your location without explicit permission. So it really just comes down to your IP Address, which services do need.
I think your is statement is inaccurate to the point of being intentionally misleading:
Many devices, when running, and in some cases even if turned off but connected to their battery, will ping cell towers (maybe even BLE/Wifi) and get triangulated by the network infrastructure (such as cell towers) without actively broadcasting the GPS location.
That's why I don't quite understand why the gubernment needs to have finer grained data (esp around the US/Mexican border). Precision location info would only be needed if you need to track people in densely populated areas.
That location information is not available to apps or ad networks without user consent. The government can access it from the carrier with a warrant, but that's not what we're discussing here.
Carriers have also sold customer location data, no search warrant required. Though we can rest assured that the FCC has slapped the carriers' wrists with the utmost seriousness.
IP Address is all you need to get fairly accurate (town or neighborhood) location for most of North America.
But it is necessary to send it somewhere, otherwise the internet wouldn't work.
Unfortunately it seems to have become accepted for our devices to communicate constantly and often with services we never explicitly started communication with (like Ad networks used in Apps).
Permission systems on devices should care about Network connections just as much as Location. Ideally when installing an app you'd get the list of domains it requests to communicate with, and you could toggle them. Bonus points if the app store made it a requirement to identify which Domains are third parties and the category like an Ad service.
If you use Google Location Services, which is stock install on basically all Android devices, it absolutely is uploading "anonymized" GPS data all the time.
I think the issue here is one of informed consent. You might say, "OK, this makes sense" when agreeing to location data for a weather app. In the context of whether it's going to hail soon, location is reasonable. What you only see in those GDPR-type banners is that the data is being re-sold off to 1001 "partners", none of whom are important for my hail-to-head concerns. Never mind all the cases where it's re-sold on to all the governments and personal-level creeps through aggregators.
It's unfortunate the Privacy Act included an exception for law enforcement. I imagine at the time it wasn't clear that every action taken by the govt would be called law enforcement.
There is an ethical framework for handling personal data collected and maintained by the US govt called the Fair Information Practice Principles (https://www.fpc.gov/resources/fipps/).
It really is too bad that "any legal purpose" is the stated boundary for our elected govt rather than a more noble appeal to public service.
I am evolving my views on personal privacy. I am, like many people, trying to passively defend myself. However, the environment today is more akin to people coming up and punching you than it is to just avoiding door to door sales people. We are being actively attacked, and real harm is being caused. People are loosing their entire livelihoods, or worse, to attacks on their privacy like this. At the moment all I see out there is sit there and take it. Nothing I do will keep my life private in a meaningful way. The best I can hope for is that companies wont tell me too loudly that they know when I go to the bathroom and how heavy I am, they will just show me targeted ads that prove they know those things and sell my data so corrupt agencies can decide how best to abuse it, legally. So, what options are left if the only tool you are given is sit there and take it but nobody is actually defending you?
I have 26 apps on my phone. Of those, four are Safari extensions, one is a PWA and another I wrote myself. I use a restrictive nextDNS profile that also blocks Apple's native tracking (as best they can) and don't use social media. I feel like that's the best I can realistically do.
And you do realize your cellphone is constantly sharing your location with your cell phone company which is more than willing to give it to the government without a warrant.
Whatever you are doing is meaningless privacy theatre
I wouldn't call that meaningless privacy theater. For one, you can buy a SIM anonymously, and make the cell location data essentially useless. Second, protection at the DNS level prevents other types of data exfiltration (such as cross-site tracking by the Meta Pixel). By not using social media and communicating over secure apps like Signal, you can indeed achieve a high degree of resistance against tracking and profiling.
Of course, you can do more, such as running only trusted software (i.e., free software) on your devices, not using Internet-of-Shit devices anywhere in your home, and making sure your car is not snooping on you through it's own cellular modem.
It's a bit crazy how much we look back at that time and what people thought was tin foil haty. But that was written in 2007, still 6 years before Snowden. 7 years before the Director of the NSA (Hayden) told Congress they kill people based on metadata.
The invasion of privacy has been slow, creeping, and just waiting for that Turnkey Tyrant. We fooled ourselves into thinking we'd never elect someone who would turn that key. But in reality the key has been slowly turning, until finally it opened the latch
I can’t respond directly to octoclaw’s dead comment (edit: embarrassingly this was an LLM), but I will just say I agree, it is ridiculous both how cheap this data is and how many people aren’t aware of it. It’s not just governments who can get access, either.
This is another reason why you should not be carrying a phone everywhere except for times where you absolutely need one.
Is this something European style privacy laws would protect against? Though given the US political situation we are far from being able to enact any kind of anti-authoritarian protections...
You can increase your chances by crafting the laws differently, at least.
A law that says the government can't ask for this stuff doesn't help very much. They'll ignore it when it suits them.
A law that says it's illegal for private companies to hand it over would be better. When caught between a request from the government and a law that says they're not allowed to honor that request, there's a good chance they'll obey the law rather than the rogue agency.
A law that says it's illegal for private companies to collect this data in the first place would be even better. It could still be worked around, but it's more likely to be uncovered, and they'd only get data after the point where they convinced a company to start collecting it.
- .. including any hidden legitimate interest sections that are being treated as a second, opt-out "consent" for things that really don't actually qualify as legitimate interest
- and the companies actually followed it
Then in theory the companies won't have that data. But doing 1 is tedious, companies exercise dark patterns to avoid you doing 2, and it's hard to audit if they've done 3, so most people are probably in those data sets.
Also, a government likely to buy this data for purposes like in the original article, is unlikely to be the type of government that goes around slapping companies for not complying with privacy regulation on that data.
“Would European-style privacy laws protect against this?” is the kind of question that sounds more clarifying than it actually is, because it collapses about five separate problems into one vague gesture at “Europe.”
The issue here isn’t simply “lack of privacy law.” It’s:
1. apps collecting precise location data in the first place,
2. adtech infrastructure broadcasting that data through RTB,
3. brokers aggregating and reselling it,
4. government agencies buying it to avoid the constraints that would apply if they tried to collect it directly, and
5. regulators failing to stop any of the above in a meaningful way.
European law is relevant to some of that, but not as a magic shield. GDPR and ePrivacy principles are obviously more restrictive on paper than the US free-for-all, especially around consent, purpose limitation, data minimization, and downstream reuse. But “on paper” is doing a lot of work there. Europe has had years of complaints about RTB specifically, and yet the adtech ecosystem did not exactly disappear. That should tell you something.
So the real answer is: yes, a stronger privacy regime can help, but no, this is not a problem that gets solved by vaguely importing “European-style privacy laws” as a concept. If the underlying business model still allows mass collection, opaque sharing, and resale of location data, then state access is a policy choice away. Governments don’t need to build a panopticon if the commercial sector already did it for them.
Also, the most important legal question here is not just whether private companies should be allowed to collect/sell this data. It’s whether the government should be allowed to buy commercially available data to do an end-run around constitutional and statutory limits. That is a distinct issue. You need rules for both the commercial market and state procurement, otherwise the state just shops where the Fourth Amendment doesn’t reach.
In other words, the contrast is not “Europe = protected, US = authoritarian.” The contrast is between systems that at least attempt to constrain collection and reuse, and systems that let surveillance markets mature first and ask questions later. Even in Europe, enforcement gaps, law-enforcement carveouts, and institutional incentives matter enormously.
So if the goal is to understand the story, the useful question isn’t “would Europe stop this?” It’s “what combination of collection limits, resale bans, procurement bans, audit requirements, and enforcement would actually make this impossible in practice?” Anything short of that is mostly aesthetics.
Very clearly put, and I'd only emphasise that without the final "enforcement" point of that, the other points become entirely irrelevant. While European regulators have imposed some significant sounding fines on prominent entities, they generally work out to be "less than the value gained by doing the thing in the first place" - or at least close enough to that for the entity to not consider it too negative/a future deterrent.
Unless you have some body which is a) serious about enforcement, b) sufficiently toothful to make a dent and c) not undermined by wider geopolitical posturing or economic neutering, you can have all of the regulation you might want and still end up in the same place. I'm not arguing that we shouldn't try and control this, but that we have some extremely large genies to stuff back into bottles along the way.
I worked closely to some of this. There were strict policies in place to never monitor US Citizens. That said i was focused in more kinetic warfare domains and not sure what would've extended past the borders by local law enforcements (DHS typically dictated no-us-soil policies). But, this is a money-hungry data pipeline of resellers and aggregators and they were always eager to sell more.
How do they determine if the person is a US citizen? I've sometimes wondered if my Google account is caught up in mass surveillance of non-Americans because I created my main email address while living in Australia, though I am a US citizen and only a US citizen. I haven't checked in a while, but I know that even in the US, checking my email on the web it would show that it was connecting to an Australian domain.
There are multiple cues in the data stream that let you tag the person with a country of residence even when traveling internationally. It isn't perfect but it is likely more than adequate in most cases.
The US government contracts with commercial data providers stipulate that all US data must be removed. There are quite a few regulatory controls that are adhered to.
I am not sure that ad blocking is enough now or in the future as fingerprinting is extremely hard to fight while keeping a convenient web experience. Of course, continue blocking for convenience, but for privacy, more robust solutions are needed. Try to beat this: https://fingerprint.com
Beginning to wonder if convenience is the root of all evil, and not money. Money's just a proxy for convenience.
More of us should learn to do things the hard way more often, and to be familiar with less-convenient things. There are life-changing advantages to doing things the hard way at least some of the time.
The root of all evil is that we don't have a functioning micro transaction network and we don't know how to build one.
For the user there is no way to pay the 0.0000001c that it takes to load a web page, for the web master there is no way to get paid the $10,000 it takes to serve the users. So we settled on advertising which can somewhat cover those costs since each individual add is basically worthless but an add campaign isn't.
And how do you actually identify who should pay that $0.000713? And who should receive it? How do you make the process effortless, so the user doesn't have to spend 5 minutes registering on a website, just to send $0.000713?
Now make it work 10,000 times per day, for every page you visit, posts, news, short form content you scroll, long form video you watch. And multiply this by billions of users.
And once you've done that, how do you deal with spam, bots? How do you prevent invalid traffic? Fraudulent chargebacks? And how do you take quality into consideration (NYT prob want to charge more than my crappy personal blog)?
Transferring money is one small element of large and complex equation.
Advertising is not perfect, but it's the best alternative for a free and open web I have seen in my 30+ years online. Subscription works for large ticket items (and for the affluent minority), but it doesn't solve the other 95% of cases.
I know it's a cliché, but the road to hell is paved with good intentions. People forget, most evil is created by good people trying to do good. The biggest trick the devil played was making us all believe evil is (always) easy to identify. But all the sayings are about how the devil is sly, tricks you, and sneaks up on you. All of that is to remind us how hard it is to do good. You don't have to be an evil person to create evil. Often you don't have to do anything at all, as inaction is still an action. Pull the lever or not, you've still made a decision.
The problem is so complex that every action you take compounds and extends far beyond what you realize. Especially as we're living in such a connected world. Those ripples propagate through all the ponds we've connected together.
I don't think it's money, convenience, or any of that. I think it's just that the world is getting more and more complicated. That our actions and inactions have larger and larger effects. We've done a lot of good, but we've also made it a lot easier to feel the flapping of a butterfly's wings on the other side of the planet.
Yeah I have been doing that for years now. I do most things the hard way. I forgot exactly how it started. I think it started when I decided I wanted to develop my own sense of discipline. I think right after I read the constructive living book by David K. Reynolds. The premise, as I understand it, is that depression is a direct result of not taking full responsibility and immediate action in your life.
Looking back, I realize that started me on the path of not doing things the easy way. It was really hard a first, but over time it got easier. Most people in my line of work don't take accurate notes of what has transpired, don't keep a proper history of business exchanges and don't have clear agreements and contracts in place that spell out what is expected. Once I started this process of improving my life, I realized the more I made the effort to keep detailed track of everything I do/did, my life and business started to improve. I think you are right, taking to the most convenient path in life is a sure way to bring about pain and suffering.
Convenience is how we describe efficiency when it applies to non-classically “productive” endeavors. (Analogous to how we rebrand efficiency as sustainability when it applies to material and energy inputs.)
I don’t know, but it seems like it’s overselling its capabilities. I tried with Firefox Focus and it said I’m using incognito (private mode) and assigned a unique visitor ID. Immediately tried with a private tab in Safari on iOS and it said I’m not using incognito (private mode) and assigned a new unique visitor ID. Then I switched networks and tried. One more unique visitor ID.
I’m not claiming that fingerprinting is not possible, but this website is not good at it. Seems like it uses plain cookies.
You quickly discover how difficult it really is to avoid a unique fingerprint.
Lots of folks in this thread are focusing on DNS and VPN to avoid detection, which of course can help, but a huge number of identifiable bits come from your browser's APIs:
The real test is whether the site believes you to be unique, which is listed separately. It reports me as "Our tests indicate that you have strong protection against Web tracking.", but I'm still uniquely identifiable.
Same thing here (Firefox + Arkenfox + uBlock Origin). Need to change the IP to beat the fingerprinter, but that is just how the Internet works and the browser itself cannot do anything about it.
But, yeah, anti-fingerprinting is still a useful signal if less people do it. So more people should do it; especially if they're less likely to be targeted.
i feel like this is the same as voting independant. it's the right idea in theory, but given the fact that 99% of people don't do it , righteousness is decreased. in this case very literally as having a unique fingerprint is entirely counter intuitive to the idea of privacy
Use Mullvad Browser or Brave (both require no extensions to block ads, with mullvad browser being modelled off of tor. Use data traffic fingerprint obfuscation even behind vpn (yes they can tell if you're messaging, watching a video, torrenting, etc 90% of the time even behind vpn) use mullvads daita (makes packets the same size) or nymvpn (mixnet with tor like routing and in built delays). Tor doesn't protect against traffic analysis at all.
I cant see how people use the net without it.. My wife gets all these ad popups and she is so use to it that it doesn't even register until I point it out.
Honestly, ublock isn't even enough anymore. DNS sinkholes are the next layer, since they work device-wide. I use nextdns.io, and it's good enough that I just keep ublock around in case I need to disable nextdns for some reason.
uBlock Origin does not protect you from this, this is a fingerprinting problem. You need to use a fingerprinting resistant browser. And even then, there are new fingerprinting methods emerging frequently and you can't prevent fingerprinting from inside apps on android/iOs..
Most slop mobile applications, that many people have on their phones are basically spyware pretending to be games/whatever.
Programatic advertising technology was created for intelligence purposes, these companies and their methods are very sophisticated.
I am surprised the article does not mention obvious mitigation strategies, including network-wide DNS blacklists, browser ad blockers, and not using proprietary apps on phones.
I run as few apps as possible, use Firefox / Ublock on my phone. I do play the odd card game (ad-supported), but only 1 or 2 times a month. I may just buy the app outright at some point.
Does sharing location with family (Android) leak any data?
> 2. Review apps you’ve granted location permissions to.
I'm surprised they missed the most important step, which is blocking the advertisers from collecting your data in the first place. This is easily done in the browser with uBlock Origin and system-wide with DNS filtering.
There’s literally a flock camera at basically every street location that one suburb borders another where I live.
There’s really not any legal practical way to avoid ALPRs.
I’m pretty sure the government knows where I am 24/7. I’m not going to worry about targeted advertising by the government anymore and just worry about it the people reselling it to non-governments for use.
So they say to turn of location permissions and stuff, but what about the network carrier? Any privacy focused cell services that are reasonably priced?
Don't think so - they're all very expensive because cell networks are expensive. You can get a burner phone, only use it as a tethered internet connection for your laptop which runs VPN software.
Phreeli seems to be the privacy promoting MVNO with the cheapest options. Not sure if it’s been audited or what its guarantees are, but anything is probably better than the big carriers.
If you cover your phone with an antielectrostatic bag it can't communicate; that is a Faraday cage.
Since people around you will think you are also wearing a tinfoil hard, you had better stick to the phones with hardware switches as sibling comment mentions
I get that anything emitting can be tracked and stuff. I'm looking to take a baby step where I'm at least not having every possible detail recorded and sold. That Phreeli recommendation from another user seems like exactly what I want (paired with other things like a VPN of course).
Duh, what do you think we were building for the last 10 years? Does anyone with two brain cells think that corporate surveillance wasn't going to be co-opted by authoritarianism?
The only people who didn't understand this were either delusional or being paid not to.
I’m not sure that’s fair, the majority of the American population are pretty dumb due to the poor education system. Most weren’t alive for WW2 so they’ve not come very close to an authoritarian threat in the past either.
It always kinda amazes me how people panic about gov data use but barely blink at the private sector doing the exact same thing… except way less transparently.
Like yeah, sure, governments collecting data deserves scrutiny. 100%. But at least in most democracies there are audits, oversight bodies, privacy commissioners, courts, access to information laws, etc. There are actual mechanisms where someone can ask “why are you doing this?” and force an answer.
Meanwhile we hand over our location, browsing habits, shopping patterns, sleep schedule, and probably our favorite pizza topping to dozens of private companies every day. Those companies can aggregate it, sell it, profile you, feed it into ad markets, train models with it, or ship it across borders… and most of the time nobody outside the company even knows it’s happening.
So yeah, data collection in general is worth debating. But the irony is wild when people lose their minds over the one place that at least has some governance and accountability, while the entire private ad-tech ecosystem is basically “trust us bro” with a 40-page terms of service nobody reads.
I always thought these massive surveillance systems private companies are building will eventually used by governments. The Nazis, Stalin or now North Korea would be supper happy to access the data companies are accumulating aggressively.
We can not trust many "governments". The financial incentives are just too powerful. There are cases of people becoming millionaires after they left politics. Post-retirement payback and kickbacks.
Yep, former prime ministers of Australia Kevin Rudd bought a house for $17 million. Do have to wonder were they got all that cash. And that is nothing exceptional, we see this in all manners of governments the world over.
Yet another reminder that everyone everywhere should be blocking all ads all the time. I don't say that lightly as absolutes tend to not be the appropriate solution, but an absolute stance of blocking ads is appropriate.
People here complain that programmers aren’t engineers because real engineers can accidentally kill people and get sued if they mess an equation up. Instead of just breaking a build or something.
I think it’s more concerning that programmers seem to have no care or shame about designing systems that works against the users’ interests. Did you share something intimate in our chat? Well it’s not E2E, moron, we have that now. How could you be this stupid?
I can’t think of another profession (except pure value extraction types) which revels in exploiting people for not having the time or care to arrange their digital lives around the booby traps that nerds set for them.
As an old-school programmer who thought computers would improve people's lives back in the 80s when I was a wide-eyed teenager.. I am constantly appalled by the current generation of SV people who are very right-leaning and are happy to steal anything and everything they can. It didn't seem like this 20 years ago when I started. I hate the advertising industry with a passion.
Anecdotally, it feels like it fits right in with the "if there's no cop around to give me a ticket, I can drive however I want" attitude I've seen post-Covid. People entering two-way turn lanes or HOV merge lanes to PASS people in the main lane. People going through stop signs without any stopping while I'm waiting for my turn. Using the HOV on-ramp lane with only the driver to merge onto the freeway where it's clearly marked "24 hour HOV lane", etc.
It's as if the entire social compact evaporated during/after Covid, and "everyone only out for themselves" is the norm now.
Or maybe I'm just more aware of it and more cynical.
I’m afraid you don’t understand humans. Yeah, if you completely strip every detail you get a picture like that, a very convenient one to blow all the righteous steam on some amorphous homogeneous “programmers” mass. World is not simple, it’s the opposite of that.
When a poor lad comes on a work visa and is elevated from a literal poverty to a somewhat decent standard of living, would you expect them to stand up and make sure some camera recordings can’t be used in a way they aren’t supposed to be used? Do you expect them to even consider if their management may abuse that some years in the future (when the code is an unholy mess of duct tape and all the effort goes into making it work for the stated purpose), when their mind is all busy thinking about bills, health, family abroad, and the general sense of doom impending with pandemics and wars and extreme corruption all around? Nah, that lad’s also being exploited here, not exploiting others. Not that any sins are absolved but he’s a lot less of a monster than your comment paints. And there are corporations with tens of thousands of such lads and lasses and other folks. And that’s just one of myriad of possible nuances that break the trope of evil programmers screwing the world up.
Blame the rot that starts at the head, it’d be at least a bit more accurate.
> I can’t think of another profession
That’s because you framed the criteria so narrowly that it includes almost only programmers. And even then you still confused between management and implementors. And even then you’re forgetting the management, who’s definitely more to blame than workers.
It really cannot be both ways--the tech industry cannot both be producing critical infrastructure and be immune from liability. We've tried this experiment before, and millions suffered and died needlessly. We have electrical codes, building codes, automotive safety standards, etc., because many, many people died preventable deaths. With the amount of leverage tech has over the economy I don't think it's reasonable that we don't have software engineering codes and professional accountability. But I have absolutely no confidence we'll get there until there are multiple deadly catastrophes over a series of decades.
The location data in these networks is very inaccurate. Your OS and browser actually do a pretty good job of locking down your location data unless you give explicit permission. It's in the ad network's interests to lie about the quality of their data - so a lot of the "location" data is going to be a vaguely accurate guess based on your IP address.
But also, location data is really important to ads right now because, contrary to common perception, per user tracking is very, very hard. Each SDK might be tattling on you, but unless you give them a key to match you across apps, each signal from each app is unique. Which is why you are often served advertisements based on what other people on your network is searching - it's much easier to just blast everyone at that IP address than it is to find that specific user or device again in the data stream.
Bidstream data in particular is very fraught. You're only getting the active data at the point the add is served, but it's not easy to aggregate in any way. You'll be counting the same person separately dozens or hundreds of times with different identifiers for each. The data you get from something like Mobilewalla is not useful for tracking individuals so much as it's useful for finding patterns.
I think it's pretty telling from the few examples shared about how agencies actually use the data:
>"CBP uses the information to “look for cellphone activity in unusual places,” including unpopulated portions of the US-Mexico border."
>According to the Wall Street Journal, the IRS tried to use Venntel’s data to track individual suspects, but gave up when it couldn’t locate its targets in the company’s dataset.
>In March 2021, SOCOM told Vice that the purpose of the contract was to “evaluate” the feasibility of using A6 services in an “overseas operating environment,” and that the government was no longer executing the contract
Something is going to have to be figured out about this data - realistically the only way is a sunset on customized advertisements. However, I would personally not be worried (yet) that the government is going to be able to identify an individual and track them down using these public sources as they currently are.
Let me share a thing:
Factual, a company that specializes in hyperlocal geofencing, uses geofencing much smaller than the self-regulation that their industry allows in their own rules. I learned this after a coworker quit because our company was allowing ad targeting to people using these smaller geofences. The whole company had an all-hands about it where the CEO of the company told everyone that we were not going to stop using Factual nor the smaller-than-allowed geofences because we, ourselves, were not the ones to produce those geofences. We were just a man in the middle helping to build a system to track people at high resolution.
Please try to reconcile with what your industry has and continues to destroy.
I don't see anything contradictory between your comment and the OP. Having an amoral CEO who condones breaking geotargeting self-regulation doesn't contradict OP's claim that it's hard to tie geotargeting data in bidstreams back to a particular person.
For example, it was very hard for me to identify myself in an anonymized public dataset of vehicle trips, but I did. It was also hard to FOIA for the documents showing them writing SQL to spot my trip.. but I did.
Hard doesn't mean impossible.
You'd be surprised what can be done when data from different source is fused together.
Large-Scale Online Deanonymization with LLMs: https://news.ycombinator.com/item?id=47139716
Robust De-anonymization of Large Sparse Datasets: https://www.cs.cornell.edu/~shmat/shmat_oak08netflix.pdf
Also, people who post under their real name are likely to write with their real voice:
> Any deanonymization setup with ground truth introduces distributional biases. In our cross-platform datasets, the pro-files are likely easier to deanonymize than an average profile: the very fact that ground truth exists implies that the user may not have cared about anonymity in the first place. Similarly, two split-profiles of a single user are inherently alike, whereas two pseudonymous accounts of the same person (e.g., an official and a pseudonymous alt account) might expose more heterogeneous micro-data.
The problem is that we have markets where we: - Incentivize organizations to pursue profits at the expense of everything else, which includes social good and civic rights - Rarely hold bad actors accountable (and almost never in a timely manner)
Which means, given enough time, we're always going to trend to whatever makes the most money. Targeted advertising makes money, and will continue to do so unless or until we collectively decide to make it a greater risk to profits than it is today.
Many devices, when running, and in some cases even if turned off but connected to their battery, will ping cell towers (maybe even BLE/Wifi) and get triangulated by the network infrastructure (such as cell towers) without actively broadcasting the GPS location.
That's why I don't quite understand why the gubernment needs to have finer grained data (esp around the US/Mexican border). Precision location info would only be needed if you need to track people in densely populated areas.
If the government wants to tap your phone they need a warrant. If they want to buy it from a willing seller like Verizon they don’t.
But it is necessary to send it somewhere, otherwise the internet wouldn't work.
Unfortunately it seems to have become accepted for our devices to communicate constantly and often with services we never explicitly started communication with (like Ad networks used in Apps).
Permission systems on devices should care about Network connections just as much as Location. Ideally when installing an app you'd get the list of domains it requests to communicate with, and you could toggle them. Bonus points if the app store made it a requirement to identify which Domains are third parties and the category like an Ad service.
There is an ethical framework for handling personal data collected and maintained by the US govt called the Fair Information Practice Principles (https://www.fpc.gov/resources/fipps/).
It really is too bad that "any legal purpose" is the stated boundary for our elected govt rather than a more noble appeal to public service.
There are services out their that help you with the data that is already out there on you.
Whatever you are doing is meaningless privacy theatre
Of course, you can do more, such as running only trusted software (i.e., free software) on your devices, not using Internet-of-Shit devices anywhere in your home, and making sure your car is not snooping on you through it's own cellular modem.
https://web.archive.org/web/20070920193501/http://www.radaro...
The invasion of privacy has been slow, creeping, and just waiting for that Turnkey Tyrant. We fooled ourselves into thinking we'd never elect someone who would turn that key. But in reality the key has been slowly turning, until finally it opened the latch
This is another reason why you should not be carrying a phone everywhere except for times where you absolutely need one.
And it's a pretty new account.
A law that says the government can't ask for this stuff doesn't help very much. They'll ignore it when it suits them.
A law that says it's illegal for private companies to hand it over would be better. When caught between a request from the government and a law that says they're not allowed to honor that request, there's a good chance they'll obey the law rather than the rogue agency.
A law that says it's illegal for private companies to collect this data in the first place would be even better. It could still be worked around, but it's more likely to be uncovered, and they'd only get data after the point where they convinced a company to start collecting it.
What demand did DoD make of Anthropic that the latter thought would put it in legal jeopardy?
- you always denied those popups
- .. including any hidden legitimate interest sections that are being treated as a second, opt-out "consent" for things that really don't actually qualify as legitimate interest
- and the companies actually followed it
Then in theory the companies won't have that data. But doing 1 is tedious, companies exercise dark patterns to avoid you doing 2, and it's hard to audit if they've done 3, so most people are probably in those data sets.
Also, a government likely to buy this data for purposes like in the original article, is unlikely to be the type of government that goes around slapping companies for not complying with privacy regulation on that data.
The issue here isn’t simply “lack of privacy law.” It’s:
1. apps collecting precise location data in the first place,
2. adtech infrastructure broadcasting that data through RTB,
3. brokers aggregating and reselling it,
4. government agencies buying it to avoid the constraints that would apply if they tried to collect it directly, and
5. regulators failing to stop any of the above in a meaningful way.
European law is relevant to some of that, but not as a magic shield. GDPR and ePrivacy principles are obviously more restrictive on paper than the US free-for-all, especially around consent, purpose limitation, data minimization, and downstream reuse. But “on paper” is doing a lot of work there. Europe has had years of complaints about RTB specifically, and yet the adtech ecosystem did not exactly disappear. That should tell you something.
So the real answer is: yes, a stronger privacy regime can help, but no, this is not a problem that gets solved by vaguely importing “European-style privacy laws” as a concept. If the underlying business model still allows mass collection, opaque sharing, and resale of location data, then state access is a policy choice away. Governments don’t need to build a panopticon if the commercial sector already did it for them.
Also, the most important legal question here is not just whether private companies should be allowed to collect/sell this data. It’s whether the government should be allowed to buy commercially available data to do an end-run around constitutional and statutory limits. That is a distinct issue. You need rules for both the commercial market and state procurement, otherwise the state just shops where the Fourth Amendment doesn’t reach.
In other words, the contrast is not “Europe = protected, US = authoritarian.” The contrast is between systems that at least attempt to constrain collection and reuse, and systems that let surveillance markets mature first and ask questions later. Even in Europe, enforcement gaps, law-enforcement carveouts, and institutional incentives matter enormously.
So if the goal is to understand the story, the useful question isn’t “would Europe stop this?” It’s “what combination of collection limits, resale bans, procurement bans, audit requirements, and enforcement would actually make this impossible in practice?” Anything short of that is mostly aesthetics.
Unless you have some body which is a) serious about enforcement, b) sufficiently toothful to make a dent and c) not undermined by wider geopolitical posturing or economic neutering, you can have all of the regulation you might want and still end up in the same place. I'm not arguing that we shouldn't try and control this, but that we have some extremely large genies to stuff back into bottles along the way.
The US government contracts with commercial data providers stipulate that all US data must be removed. There are quite a few regulatory controls that are adhered to.
More of us should learn to do things the hard way more often, and to be familiar with less-convenient things. There are life-changing advantages to doing things the hard way at least some of the time.
For the user there is no way to pay the 0.0000001c that it takes to load a web page, for the web master there is no way to get paid the $10,000 it takes to serve the users. So we settled on advertising which can somewhat cover those costs since each individual add is basically worthless but an add campaign isn't.
One Satoshi is currently worth $0.000713.
Now make it work 10,000 times per day, for every page you visit, posts, news, short form content you scroll, long form video you watch. And multiply this by billions of users.
And once you've done that, how do you deal with spam, bots? How do you prevent invalid traffic? Fraudulent chargebacks? And how do you take quality into consideration (NYT prob want to charge more than my crappy personal blog)?
Transferring money is one small element of large and complex equation.
Advertising is not perfect, but it's the best alternative for a free and open web I have seen in my 30+ years online. Subscription works for large ticket items (and for the affluent minority), but it doesn't solve the other 95% of cases.
The problem is so complex that every action you take compounds and extends far beyond what you realize. Especially as we're living in such a connected world. Those ripples propagate through all the ponds we've connected together.
I don't think it's money, convenience, or any of that. I think it's just that the world is getting more and more complicated. That our actions and inactions have larger and larger effects. We've done a lot of good, but we've also made it a lot easier to feel the flapping of a butterfly's wings on the other side of the planet.
Citation needed.
Looking back, I realize that started me on the path of not doing things the easy way. It was really hard a first, but over time it got easier. Most people in my line of work don't take accurate notes of what has transpired, don't keep a proper history of business exchanges and don't have clear agreements and contracts in place that spell out what is expected. Once I started this process of improving my life, I realized the more I made the effort to keep detailed track of everything I do/did, my life and business started to improve. I think you are right, taking to the most convenient path in life is a sure way to bring about pain and suffering.
"Kindly let me help you, or you will drown, said the monkey as it put the fish safely up a tree"
—Alan Watts
Convenience is how we describe efficiency when it applies to non-classically “productive” endeavors. (Analogous to how we rebrand efficiency as sustainability when it applies to material and energy inputs.)
Self-deception is actually the root of all evil, not money nor convenience.
I don’t know, but it seems like it’s overselling its capabilities. I tried with Firefox Focus and it said I’m using incognito (private mode) and assigned a unique visitor ID. Immediately tried with a private tab in Safari on iOS and it said I’m not using incognito (private mode) and assigned a new unique visitor ID. Then I switched networks and tried. One more unique visitor ID.
I’m not claiming that fingerprinting is not possible, but this website is not good at it. Seems like it uses plain cookies.
> https://coveryourtracks.eff.org/
You quickly discover how difficult it really is to avoid a unique fingerprint.
Lots of folks in this thread are focusing on DNS and VPN to avoid detection, which of course can help, but a huge number of identifiable bits come from your browser's APIs:
User Agent
Screen Size and Color Depth
System Fonts
Hash of canvas fingerprint
Hash of WebGL fingerprint
WebGL Vendor & Renderer
Touch Support
AudioContext fingerprint
Hardware Concurrency
Device Memory
Platform
Language
Timezone
Timezone offset
Browser Plugin Details
etc etc
I get "Our tests indicate that you have some protection against Web tracking, but it has some gaps." but nothing of too much importance I think.
I use a VPN and NextDNS.io.
In normal Firefox: "uBlock Origin has prevented the following page from loading:
https://eviltracker.net/kcarter-reporting-nojs?a="
In normal Firefox with 'real tracking company' ON (default): "uBlock Origin has prevented the following page from loading:
https://trackersimulator.org/kcarter-reporting-nojs"
Sort of failed?
It was able to track me as long as my IP address didn't change, but as soon as I switched VPN endpoints, it gave me a new identifier.
It's similar to when you use Linux or an obscure privacy-preserving browser. You've made yourself way more unique just by doing that.
(I'm not sure how the math works out though, vs. actually running all that nasty tracking stuff.)
But, yeah, anti-fingerprinting is still a useful signal if less people do it. So more people should do it; especially if they're less likely to be targeted.
"More haystack" makes their job harder.
I just opened it in another browser and got another ID. Did I win?
For some reason using Microsoft Edge is deemed suspicious.
But depending on the data tied to the fingerprints, identifiers can be linked together.
I beat it, I think... nothing much there. I use a VPN and NextDNS.io.
Most slop mobile applications, that many people have on their phones are basically spyware pretending to be games/whatever.
Programatic advertising technology was created for intelligence purposes, these companies and their methods are very sophisticated.
Another good reason to run Graphene without proprietary apps.
Does sharing location with family (Android) leak any data?
> 1. Disable your mobile advertising ID
> 2. Review apps you’ve granted location permissions to.
I'm surprised they missed the most important step, which is blocking the advertisers from collecting your data in the first place. This is easily done in the browser with uBlock Origin and system-wide with DNS filtering.
There’s really not any legal practical way to avoid ALPRs.
I’m pretty sure the government knows where I am 24/7. I’m not going to worry about targeted advertising by the government anymore and just worry about it the people reselling it to non-governments for use.
Since people around you will think you are also wearing a tinfoil hard, you had better stick to the phones with hardware switches as sibling comment mentions
The only people who didn't understand this were either delusional or being paid not to.
https://securitylab.amnesty.org/latest/2025/12/intellexa-lea...
The fact that we still just allow arbitrary 3rd party code to run through ad networks is bizarre.
It's interesting to imagine how things would change if those ad-networks were legally liable for their role in spreading scams and malware.
Like yeah, sure, governments collecting data deserves scrutiny. 100%. But at least in most democracies there are audits, oversight bodies, privacy commissioners, courts, access to information laws, etc. There are actual mechanisms where someone can ask “why are you doing this?” and force an answer.
Meanwhile we hand over our location, browsing habits, shopping patterns, sleep schedule, and probably our favorite pizza topping to dozens of private companies every day. Those companies can aggregate it, sell it, profile you, feed it into ad markets, train models with it, or ship it across borders… and most of the time nobody outside the company even knows it’s happening.
So yeah, data collection in general is worth debating. But the irony is wild when people lose their minds over the one place that at least has some governance and accountability, while the entire private ad-tech ecosystem is basically “trust us bro” with a 40-page terms of service nobody reads.
"Jeffrey Epstein’s Island Visitors Exposed by Data Broker" - https://www.wired.com/story/jeffrey-epstein-island-visitors-...
A very easy, effective, multi-layer setup:
1. Browser adblocker
2. Pi hole running locally
3. Pi hole at your home network router level
And 4, not as easy but effective, a firewall like Little Snitch
Edit: the other good news is your old data loses value quickly, so starting today is still very effective: you haven’t missed the boat yet!
1. Adblocking via private DNS (e.g. https://mullvad.net/en/help/dns-over-https-and-dns-over-tls)
2. Prefer websites over native apps wherever possible
3. Browser adblocker
Hosts file adblocking is also possible on a phone where you have root.
For years, people have been sharing everything they do, what they do, people they spent time with, where they live.
Advertisement industry just adds more info to complete your profile, what you buy, what you watch, what you speak online, etc.
I think it’s more concerning that programmers seem to have no care or shame about designing systems that works against the users’ interests. Did you share something intimate in our chat? Well it’s not E2E, moron, we have that now. How could you be this stupid?
I can’t think of another profession (except pure value extraction types) which revels in exploiting people for not having the time or care to arrange their digital lives around the booby traps that nerds set for them.
Anecdotally, it feels like it fits right in with the "if there's no cop around to give me a ticket, I can drive however I want" attitude I've seen post-Covid. People entering two-way turn lanes or HOV merge lanes to PASS people in the main lane. People going through stop signs without any stopping while I'm waiting for my turn. Using the HOV on-ramp lane with only the driver to merge onto the freeway where it's clearly marked "24 hour HOV lane", etc.
It's as if the entire social compact evaporated during/after Covid, and "everyone only out for themselves" is the norm now.
Or maybe I'm just more aware of it and more cynical.
I concur on missing the turn of the century optimism that tech could make a brighter future.
When a poor lad comes on a work visa and is elevated from a literal poverty to a somewhat decent standard of living, would you expect them to stand up and make sure some camera recordings can’t be used in a way they aren’t supposed to be used? Do you expect them to even consider if their management may abuse that some years in the future (when the code is an unholy mess of duct tape and all the effort goes into making it work for the stated purpose), when their mind is all busy thinking about bills, health, family abroad, and the general sense of doom impending with pandemics and wars and extreme corruption all around? Nah, that lad’s also being exploited here, not exploiting others. Not that any sins are absolved but he’s a lot less of a monster than your comment paints. And there are corporations with tens of thousands of such lads and lasses and other folks. And that’s just one of myriad of possible nuances that break the trope of evil programmers screwing the world up.
Blame the rot that starts at the head, it’d be at least a bit more accurate.
> I can’t think of another profession
That’s because you framed the criteria so narrowly that it includes almost only programmers. And even then you still confused between management and implementors. And even then you’re forgetting the management, who’s definitely more to blame than workers.