alt Hacker NewsCBP tapped into the online advertising ecosystem to track peoples’ movements
Comments
I work with Ad Data a lot in my job, and there's a lot of misconceptions about what this data that journalists love to propogate:
The location data in these networks is very inaccurate. Your OS and browser actually do a pretty good job of locking down your location data unless you give explicit permission. It's in the ad network's interests to lie about the quality of their data - so a lot of the "location" data is going to be a vaguely accurate guess based on your IP address.
But also, location data is really important to ads right now because, contrary to common perception, per user tracking is very, very hard. Each SDK might be tattling on you, but unless you give them a key to match you across apps, each signal from each app is unique. Which is why you are often served advertisements based on what other people on your network is searching - it's much easier to just blast everyone at that IP address than it is to find that specific user or device again in the data stream.
Bidstream data in particular is very fraught. You're only getting the active data at the point the add is served, but it's not easy to aggregate in any way. You'll be counting the same person separately dozens or hundreds of times with different identifiers for each. The data you get from something like Mobilewalla is not useful for tracking individuals so much as it's useful for finding patterns.
I think it's pretty telling from the few examples shared about how agencies actually use the data:
>"CBP uses the information to “look for cellphone activity in unusual places,” including unpopulated portions of the US-Mexico border."
>According to the Wall Street Journal, the IRS tried to use Venntel’s data to track individual suspects, but gave up when it couldn’t locate its targets in the company’s dataset.
>In March 2021, SOCOM told Vice that the purpose of the contract was to “evaluate” the feasibility of using A6 services in an “overseas operating environment,” and that the government was no longer executing the contract
Something is going to have to be figured out about this data - realistically the only way is a sunset on customized advertisements. However, I would personally not be worried (yet) that the government is going to be able to identify an individual and track them down using these public sources as they currently are.
A week after I started doing OSINT research, I realized how much very personal data I had online. Much more than I wanted. Years ago I went down the privacy rabbit hole and realized how bad all of this was. And that was before it took off around 2019 and really ramped up a year ago.
It's not uncommon, but always disappointing to me, to see how out of touch most HN folks are when it comes to privacy and data. Usually privacy is dismissed as hyperbole, or tinfoil hat stuff, or only for people selling drugs on the darknet. It's not anymore. The minimum barrier to entry for simply not having your every thought and whim and search catalogued is high: Masking your IP address, masking your browser fingerprint, and simply not participating in a lot of parts of the internet.
These are your thoughts, your personal life, being dissected and catalogued and sold in an attempt to, at BEST, shape your behavior. At worst, see exactly when you cross the line into becoming "an agitator." It's the step you need before getting to "thoughtcrime." Why is this acceptable to anyone??? In exchange for free email?
We're all in the pot and the water is already starting to bubble. And I'm sure that the only replies I might get will be "Oh, but no, it's not anything like that." Sure.
This is simply the first time you're seeing it on US soil. https://www.wired.com/story/how-pentagon-learned-targeted-ad...
Yet two years ago, look how many people were incredulous, doubtful, or simply didn't care. https://news.ycombinator.com/item?id=39540738
Maybe now is a good time to bring up KOSA? Or maybe we should discuss that two years from now when it's too late to change anything.
https://www.eff.org/document/kids-online-safety-act-kosa https://www.eff.org/deeplinks/2025/05/kids-online-safety-act...
I am evolving my views on personal privacy. I am, like many people, trying to passively defend myself. However, the environment today is more akin to people coming up and punching you than it is to just avoiding door to door sales people. We are being actively attacked, and real harm is being caused. People are loosing their entire livelihoods, or worse, to attacks on their privacy like this. At the moment all I see out there is sit there and take it. Nothing I do will keep my life private in a meaningful way. The best I can hope for is that companies wont tell me too loudly that they know when I go to the bathroom and how heavy I am, they will just show me targeted ads that prove they know those things and sell my data so corrupt agencies can decide how best to abuse it, legally. So, what options are left if the only tool you are given is sit there and take it but nobody is actually defending you?
Taxpayers' money used to track taxpayers and finance the advertising industry.
I have 26 apps on my phone. Of those, four are Safari extensions, one is a PWA and another I wrote myself. I use a restrictive nextDNS profile that also blocks Apple's native tracking (as best they can) and don't use social media. I feel like that's the best I can realistically do.
That's Scroogled (2007) by Cory Doctorow! Life imitates art, again.
https://web.archive.org/web/20070920193501/http://www.radaro...
I can’t respond directly to octoclaw’s dead comment (edit: embarrassingly this was an LLM), but I will just say I agree, it is ridiculous both how cheap this data is and how many people aren’t aware of it. It’s not just governments who can get access, either.
This is another reason why you should not be carrying a phone everywhere except for times where you absolutely need one.
It's unfortunate the Privacy Act included an exception for law enforcement. I imagine at the time it wasn't clear that every action taken by the govt would be called law enforcement.
There is an ethical framework for handling personal data collected and maintained by the US govt called the Fair Information Practice Principles (https://www.fpc.gov/resources/fipps/).
It really is too bad that "any legal purpose" is the stated boundary for our elected govt rather than a more noble appeal to public service.
PSA: Firefox + uBlock origin (uBO is neutered in chromium and chrome now), along with NextDNS for your other devices blocks the vast majority of ads everywhere.
the whole point of buying ad-tech data is that purchasing doesn't have the legal requirements that collecting does
I worked closely to some of this. There were strict policies in place to never monitor US Citizens. That said i was focused in more kinetic warfare domains and not sure what would've extended past the borders by local law enforcements (DHS typically dictated no-us-soil policies). But, this is a money-hungry data pipeline of resellers and aggregators and they were always eager to sell more.
There’s literally a flock camera at basically every street location that one suburb borders another where I live.
There’s really not any legal practical way to avoid ALPRs.
I’m pretty sure the government knows where I am 24/7. I’m not going to worry about targeted advertising by the government anymore and just worry about it the people reselling it to non-governments for use.
> What You Can Do To Protect Yourself
> 1. Disable your mobile advertising ID
> 2. Review apps you’ve granted location permissions to.
I'm surprised they missed the most important step, which is blocking the advertisers from collecting your data in the first place. This is easily done in the browser with uBlock Origin and system-wide with DNS filtering.
Is this something European style privacy laws would protect against? Though given the US political situation we are far from being able to enact any kind of anti-authoritarian protections...
I am surprised the article does not mention obvious mitigation strategies, including network-wide DNS blacklists, browser ad blockers, and not using proprietary apps on phones.
I have never regretted my decision to aggressively block ads on every device I use, and to shun devices where I can't.
If you build it, they'll come.
I run as few apps as possible, use Firefox / Ublock on my phone. I do play the odd card game (ad-supported), but only 1 or 2 times a month. I may just buy the app outright at some point.
Does sharing location with family (Android) leak any data?
So they say to turn of location permissions and stuff, but what about the network carrier? Any privacy focused cell services that are reasonably priced?
Why we need to use pihole more aggressively.
Israeli malware companies also use targeted ads to use drive-by exploits to infect people's devices using ad networks based on IP addresses:
https://securitylab.amnesty.org/latest/2025/12/intellexa-lea...
The fact that we still just allow arbitrary 3rd party code to run through ad networks is bizarre.
Duh, what do you think we were building for the last 10 years? Does anyone with two brain cells think that corporate surveillance wasn't going to be co-opted by authoritarianism?
The only people who didn't understand this were either delusional or being paid not to.
>For years, the internet advertising industry has been sucking up our data, including our location data
For years, people have been sharing everything they do, what they do, people they spent time with, where they live.
Advertisement industry just adds more info to complete your profile, what you buy, what you watch, what you speak online, etc.
It always kinda amazes me how people panic about gov data use but barely blink at the private sector doing the exact same thing… except way less transparently.
Like yeah, sure, governments collecting data deserves scrutiny. 100%. But at least in most democracies there are audits, oversight bodies, privacy commissioners, courts, access to information laws, etc. There are actual mechanisms where someone can ask “why are you doing this?” and force an answer.
Meanwhile we hand over our location, browsing habits, shopping patterns, sleep schedule, and probably our favorite pizza topping to dozens of private companies every day. Those companies can aggregate it, sell it, profile you, feed it into ad markets, train models with it, or ship it across borders… and most of the time nobody outside the company even knows it’s happening.
So yeah, data collection in general is worth debating. But the irony is wild when people lose their minds over the one place that at least has some governance and accountability, while the entire private ad-tech ecosystem is basically “trust us bro” with a 40-page terms of service nobody reads.
I can't help but wonder how much is being spent.
You can also use the ecosystem for useful stuff:
"Jeffrey Epstein’s Island Visitors Exposed by Data Broker" - https://www.wired.com/story/jeffrey-epstein-island-visitors-...
I always thought these massive surveillance systems private companies are building will eventually used by governments. The Nazis, Stalin or now North Korea would be supper happy to access the data companies are accumulating aggressively.
We can not trust many "governments". The financial incentives are just too powerful. There are cases of people becoming millionaires after they left politics. Post-retirement payback and kickbacks.
Just another confirmation that everyone should be blocking ads as aggressively as humanly (and AI-ly) as possible
Yet another reminder that everyone everywhere should be blocking all ads all the time. I don't say that lightly as absolutes tend to not be the appropriate solution, but an absolute stance of blocking ads is appropriate.
[dead]
I wonder how many people upset about this have ring cameras on their houses?
Good, they should use everything at their disposal
https://archive.md/N3BZV