How Ad Tech Became America's Biggest Surveillance Network

US Customs and Border Protection has been purchasing commercial advertising data to track the real-time locations of millions of phones inside the United States, a practice that reveals something far more consequential than one agency's surveillance habits. It exposes the fact that the $600 billion digital advertising industry has, over the past decade, quietly constructed the most comprehensive population tracking system ever built, and that the US government has figured out it can simply buy access instead of building its own.
The Accidental Surveillance Machine
To understand how we got here, you need to understand how a banner ad for running shoes creates a government-grade surveillance record. Every time a mobile app requests an ad, it broadcasts a bid request to dozens of ad exchanges. That bid request contains, at minimum, a Mobile Advertising ID (MAID), a GPS coordinate accurate to roughly 10 meters, a timestamp, the app name, device model, and often the IP address. This happens between 50 and 200 times per day per device, depending on how many ad-supported apps a person uses.
The bid request system was designed so advertisers could decide, in the 100 milliseconds before an ad loads, whether showing you that ad is worth the price. But the bid request itself is the product. Companies participating in the real-time bidding (RTB) ecosystem, and there are thousands of them, collect and store these bid requests regardless of whether they win the auction. The result is a global dataset of human movement that dwarfs anything the NSA was revealed to have built during the Snowden disclosures.
The scale is staggering. A single data broker can ingest billions of location pings per day from the United States alone. Venntel, the company CBP contracted with starting in 2018, sourced its data from Gravy Analytics (now Unacast), which aggregated location signals from ordinary apps: weather widgets, games, coupon apps, navigation tools. None of these apps told users their location data would end up in a government surveillance database. Most of them buried location sharing in a Terms of Service document that functionally no one reads.
The Fourth Amendment Workaround
In 2018, the Supreme Court ruled in Carpenter v. United States that the government needs a warrant to access historical cell-site location information from carriers. The decision was hailed as a landmark privacy victory. Chief Justice Roberts wrote that an individual maintains a legitimate expectation of privacy in the record of their physical movements. The logic seemed clear: the government cannot track where you go without judicial oversight.
What happened next was predictable to anyone who understands how Washington actually works. Rather than accept the constraint, agencies found a different pipe. Cell tower records require a warrant? Fine. Commercial location data purchased from a willing seller does not, according to the government's interpretation. CBP, ICE, the IRS, the FBI, the Secret Service, and the Defense Intelligence Agency all began purchasing location data from commercial brokers. The legal theory is simple: if the data is commercially available, buying it is just a purchase, not a search.
This is not a loophole. It is a canyon. The Carpenter decision specifically addressed data held by a telecommunications provider under a business relationship with the subscriber. Commercial location data flows through a chain of SDK providers, aggregators, and brokers where no direct relationship with the phone's owner exists. Courts have been slow to extend Carpenter's logic to this commercial chain, and the government has exploited that gap aggressively.
The timeline tells the story. In 2017, CBP began exploring commercial telemetry tools. By 2018, it had signed contracts with Venntel. By 2020, the DHS Inspector General confirmed that CBP, ICE, and the Secret Service had all used commercial location data, and that CBP had done so without conducting a required privacy impact assessment. In 2021, the ACLU and other organizations filed lawsuits. In 2024, the FTC took enforcement action against Venntel's parent company for selling sensitive location data. And yet the practice continues because no court has definitively ruled it unconstitutional, and Congress has not passed legislation to stop it.
Who Profits From the Pipeline
The commercial surveillance pipeline has created an entire industry layer that most people do not know exists. At the bottom are the apps. Developers integrate free SDKs from companies like Predicio, X-Mode (now Outlogic), or SafeGraph's predecessors. These SDKs collect location data and transmit it back to the SDK provider. In exchange, the app developer gets analytics, crash reporting, or a small per-device payment. For a free app with millions of installs, this can mean tens of thousands of dollars per month, enough to keep a small development team funded.
In the middle are the aggregators. Companies like Gravy Analytics, Near Intelligence, Placer.ai, and dozens of others buy or license raw location streams from SDK providers, clean the data, resolve device identities, and package it into usable products. These products range from foot traffic analytics for retail investors to "pattern of life" analysis tools for government clients. The same dataset powers both a hedge fund's bet on Walmart foot traffic and CBP's tracking of movement near the southern border.
At the top are the government contractors. Venntel, Babel Street, and Locate X are the names that appear most frequently in federal procurement records. These companies build interfaces that let analysts query commercial location data as if it were an intelligence database. Type in a geographic area and a time window, get back every device that was present. Select a device, see everywhere it has been for months. Draw a polygon around a protest, a mosque, an abortion clinic, or a border crossing, and extract every phone that entered.
The financial incentives are aligned in exactly the wrong direction. App developers need revenue. SDK providers need data. Aggregators need scale. Government contractors need product. And federal agencies need surveillance capabilities without the friction of warrants. Every participant in the chain can claim they are just doing business, and technically they are. The market for location data is estimated at $14 billion annually and growing.
What Everyone Gets Wrong About Consent
The standard defense of commercial location data collection is consent. Users agreed to share their location when they installed the app and tapped "Allow." This framing is both technically accurate and profoundly misleading.
First, the consent is not informed. No reasonable person tapping "Allow Location" on a weather app understands that their precise GPS coordinates will be sold through a chain of four intermediaries to a federal law enforcement agency. The information asymmetry is total. Users think they are sharing location with the app. They are actually contributing to a global surveillance dataset.
Second, the consent is not meaningful. In a 2023 study by Carnegie Mellon, researchers found that the average smartphone user would need approximately 76 working days per year to actually read the privacy policies of the apps and services they use. Consent regimes that require superhuman effort to exercise are not consent regimes. They are legal fictions maintained for the benefit of data collectors.
Third, and most critically, individual consent cannot authorize collective surveillance. When enough people in a population share their location, the resulting dataset enables tracking of people who never consented at all. If 30% of attendees at a political rally have ad-supported apps broadcasting location, analysts can identify the rally, estimate attendance, map arrival and departure patterns, and potentially de-anonymize individuals through home location analysis, even for devices they do not have direct pings from. Consent is an individual concept being applied to justify a population-level surveillance infrastructure.
The contrarian reality is this: the debate over whether CBP should be allowed to buy this data is the wrong debate. The real question is whether this data should exist in the form it does at all. As long as the RTB ecosystem broadcasts precise location to thousands of companies with every ad request, government purchase is just one of dozens of abuse vectors. Foreign intelligence services, stalkers, corporate espionage operators, and criminal organizations can all access the same data through the same commercial channels.
What Builders and Founders Should Do Now
If you are building mobile applications, the era of frictionless location data monetization is ending, slowly and unevenly, but ending. The FTC's 2024 enforcement actions against data brokers signal a new regulatory posture. Apple's App Tracking Transparency framework has already reduced the availability of IDFA on iOS. Google's Privacy Sandbox for Android is moving toward limiting GAID access, though the timeline keeps slipping.
Practical steps for developers: audit every SDK in your app for location data collection. Many SDKs collect location even when your app does not request location permissions, by inferring it from IP geolocation or Wi-Fi signals. Remove any SDK you do not actively use. If you use location-based advertising, switch to cohort-based or contextual targeting that does not require precise coordinates. The revenue hit is real but smaller than most developers expect, typically 15-30% for location-dependent ad formats, and it eliminates existential regulatory risk.
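One way to apply the "no precise coordinates" step is to strip a bid request down before it leaves your app or ad server. The sketch below is an added example, not code from any SDK or exchange. It assumes OpenRTB 2.x field names (`device.ifa`, `device.lmt`, `device.ip`, `device.geo`), which the article does not name, and the sample request is constructed.

```python
import copy
import ipaddress

def truncate_ip(addr):
    """Zero the host bits: keep a /24 for IPv4, a /48 for IPv6."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)

def minimize_bid_request(req, decimals=1):
    """Return (sanitized copy, list of changes). The input is not modified.

    decimals=1 rounds coordinates to about 11 km of latitude, enough for
    regional or contextual targeting but not for tracking one person.
    """
    out = copy.deepcopy(req)
    changes = []
    device = out.get("device", {})
    if device.pop("ifa", None):            # the MAID (IDFA / GAID)
        device["lmt"] = 1                  # signal "limit ad tracking"
        changes.append("device.ifa removed")
    for key in ("ip", "ipv6"):
        if key in device:
            device[key] = truncate_ip(device[key])
            changes.append(f"device.{key} truncated")
    for owner in ("device", "user"):       # geo can appear under either
        geo = out.get(owner, {}).get("geo")
        if not geo:
            continue
        for axis in ("lat", "lon"):
            if axis in geo:
                geo[axis] = round(geo[axis], decimals)
        geo.pop("accuracy", None)          # precision metadata is now stale
        geo.pop("lastfix", None)
        changes.append(f"{owner}.geo coarsened")
    return out, changes

# Constructed sample carrying the fields the article lists for a bid request.
SAMPLE = {
    "id": "example-request-1",
    "app": {"name": "Example Weather"},
    "device": {
        "ifa": "00000000-0000-4000-8000-000000000001",
        "model": "ExamplePhone 1",
        "ip": "203.0.113.57",
        "geo": {"lat": 40.748817, "lon": -73.985428, "type": 1, "accuracy": 10},
    },
}

if __name__ == "__main__":
    cleaned, changes = minimize_bid_request(SAMPLE)
    print(changes)
    print(cleaned["device"])
```

This only covers what your own code sends; an embedded SDK that builds its own requests still has to be audited or removed.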
For founders building in the data and analytics space: the market is bifurcating. Privacy-preserving analytics tools that deliver business insights without exposing individual location trails are gaining traction with enterprise buyers who understand the liability landscape. Differential privacy, on-device processing, and aggregated-only data products are not just ethical choices. They are increasingly the only defensible business models as enforcement catches up.
For security and privacy engineers: treat advertising SDKs as potential surveillance vectors in your threat models. A "free" analytics SDK that phones home with location data is functionally equivalent to spyware, regardless of what the marketing page says. Your app's privacy posture is only as strong as your least trusted dependency.
Where This Goes Next
Three predictions for the next 24 months.
First, at least one federal appellate court will extend Carpenter's logic to commercial location data purchases, creating a circuit split that forces the Supreme Court to revisit the question. The Fifth or Ninth Circuit is the most likely venue. The government will argue that a purchase from a willing commercial seller is fundamentally different from a compelled disclosure by a carrier. The court will likely disagree, at least in cases involving sustained tracking of identified individuals.
Second, Congress will pass narrow legislation restricting government purchase of commercially available location data, but it will be weaker than advocates want. The most probable outcome is a requirement for a court order (not a full warrant) for sustained tracking, with broad national security and border enforcement exceptions that preserve most of CBP's current capabilities. The bill will be framed as a privacy victory while changing relatively little in practice.
Third, the commercial location data market will consolidate and go underground. As public scrutiny increases and the FTC continues enforcement, the largest data brokers will acquire smaller competitors, rebrand, and move sensitive government contracts into subsidiary entities with lower public profiles. The data flows will not stop. They will become harder to trace. This is the pattern from every previous cycle of surveillance exposure: public outrage, cosmetic reform, structural persistence.
The deeper structural problem remains untouched. The real-time bidding system that powers digital advertising was designed to broadcast personal data to the maximum number of recipients with the minimum possible friction. That architecture is fundamentally incompatible with privacy. Until the ad-tech industry restructures RTB to stop spraying precise location coordinates across thousands of servers with every bid request, every other intervention is a patch on a system that was built, from the ground up, to leak.