I am not sure that ad blocking is enough now or in the future as fingerprinting is extremely hard to fight while keeping a convenient web experience. Of course, continue blocking for convenience, but for privacy, more robust solutions are needed. Try to beat this: https://fingerprint.com
Beginning to wonder if convenience is the root of all evil, and not money. Money's just a proxy for convenience.
More of us should learn to do things the hard way more often, and to be familiar with less-convenient things. There are life-changing advantages to doing things the hard way at least some of the time.
I know it's a cliché, but the road to hell is paved with good intentions. People forget, most evil is created by good people trying to do good. The biggest trick the devil played was making us all believe evil is (always) easy to identify. But all the sayings are about how the devil is sly, tricks you, and sneaks up on you. All of that is to remind us how hard it is to do good. You don't have to be an evil person to create evil. Often you don't have to do anything at all, as inaction is still an action. Pull the lever or not, you've still made a decision.
The problem is so complex that every action you take compounds and extends far beyond what you realize. Especially as we're living in such a connected world. Those ripples propagate through all the ponds we've connected together.
I don't think it's money, convenience, or any of that. I think it's just that the world is getting more and more complicated. That our actions and inactions have larger and larger effects. We've done a lot of good, but we've also made it a lot easier to feel the flapping of a butterfly's wings on the other side of the planet.
The root of all evil is that we don't have a functioning micro transaction network and we don't know how to build one.
For the user there is no way to pay the 0.0000001c that it takes to load a web page, for the web master there is no way to get paid the $10,000 it takes to serve the users. So we settled on advertising which can somewhat cover those costs since each individual add is basically worthless but an add campaign isn't.
Same thing here (Firefox + Arkenfox + uBlock Origin). Need to change the IP to beat the fingerprinter, but that is just how the Internet works and the browser itself cannot do anything about it.
But, yeah, anti-fingerprinting is still a useful signal if less people do it. So more people should do it; especially if they're less likely to be targeted.
It's a bit crazy how much we look back at that time and what people thought was tin foil haty. But that was written in 2007, still 6 years before Snowden. 7 years before the Director of the NSA (Hayden) told Congress they kill people based on metadata.
The invasion of privacy has been slow, creeping, and just waiting for that Turnkey Tyrant. We fooled ourselves into thinking we'd never elect someone who would turn that key. But in reality the key has been slowly turning, until finally it opened the latch
I work with Ad Data a lot in my job, and there's a lot of misconceptions about what this data that journalists love to propogate:
The location data in these networks is very inaccurate. Your OS and browser actually do a pretty good job of locking down your location data unless you give explicit permission. It's in the ad network's interests to lie about the quality of their data - so a lot of the "location" data is going to be a vaguely accurate guess based on your IP address.
But also, location data is really important to ads right now because, contrary to common perception, per user tracking is very, very hard. Each SDK might be tattling on you, but unless you give them a key to match you across apps, each signal from each app is unique. Which is why you are often served advertisements based on what other people on your network is searching - it's much easier to just blast everyone at that IP address than it is to find that specific user or device again in the data stream.
Bidstream data in particular is very fraught. You're only getting the active data at the point the add is served, but it's not easy to aggregate in any way. You'll be counting the same person separately dozens or hundreds of times with different identifiers for each. The data you get from something like Mobilewalla is not useful for tracking individuals so much as it's useful for finding patterns.
I think it's pretty telling from the few examples shared about how agencies actually use the data:
>"CBP uses the information to “look for cellphone activity in unusual places,” including unpopulated portions of the US-Mexico border."
>According to the Wall Street Journal, the IRS tried to use Venntel’s data to track individual suspects, but gave up when it couldn’t locate its targets in the company’s dataset.
>In March 2021, SOCOM told Vice that the purpose of the contract was to “evaluate” the feasibility of using A6 services in an “overseas operating environment,” and that the government was no longer executing the contract
Something is going to have to be figured out about this data - realistically the only way is a sunset on customized advertisements. However, I would personally not be worried (yet) that the government is going to be able to identify an individual and track them down using these public sources as they currently are.
I worked in ad-tech for a year before I left the tech industry as a whole. I've also done a fair bit of investigative journalism.
Let me share a thing:
Factual, a company that specializes in hyperlocal geofencing, uses geofencing much smaller than the self-regulation that their industry allows in their own rules. I learned this after a coworker quit because our company was allowing ad targeting to people using these smaller geofences. The whole company had an all-hands about it where the CEO of the company told everyone that we were not going to stop using Factual nor the smaller-than-allowed geofences because we, ourselves, were not the ones to produce those geofences. We were just a man in the middle helping to build a system to track people at high resolution.
Please try to reconcile with what your industry has and continues to destroy.
But dude... just think of all the optimal personalized mattres sales they can do with that data. I mean, people that use the bathroom at 3:57pm for seven minutes are 0.00138% more likely to buy a new mattress within the next six months. They need that data. Think of all the unsold mattresses.
Well, in the case of a company trying to market to you, it literally _is_ their business. It makes them money.
The problem is that we have markets where we:
- Incentivize organizations to pursue profits at the expense of everything else, which includes social good and civic rights
- Rarely hold bad actors accountable (and almost never in a timely manner)
Which means, given enough time, we're always going to trend to whatever makes the most money. Targeted advertising makes money, and will continue to do so unless or until we collectively decide to make it a greater risk to profits than it is today.
At this point, your device is not giving anyone your location without explicit permission. So it really just comes down to your IP Address, which services do need.
I think your is statement is inaccurate to the point of being intentionally misleading:
Many devices, when running, and in some cases even if turned off but connected to their battery, will ping cell towers (maybe even BLE/Wifi) and get triangulated by the network infrastructure (such as cell towers) without actively broadcasting the GPS location.
That's why I don't quite understand why the gubernment needs to have finer grained data (esp around the US/Mexican border). Precision location info would only be needed if you need to track people in densely populated areas.
That location information is not available to apps or ad networks without user consent. The government can access it from the carrier with a warrant, but that's not what we're discussing here.
Carriers have also sold customer location data, no search warrant required. Though we can rest assured that the FCC has slapped the carriers' wrists with the utmost seriousness.
If you use Google Location Services, which is stock install on basically all Android devices, it absolutely is uploading "anonymized" GPS data all the time.
IP Address is all you need to get fairly accurate (town or neighborhood) location for most of North America.
But it is necessary to send it somewhere, otherwise the internet wouldn't work.
Unfortunately it seems to have become accepted for our devices to communicate constantly and often with services we never explicitly started communication with (like Ad networks used in Apps).
Permission systems on devices should care about Network connections just as much as Location. Ideally when installing an app you'd get the list of domains it requests to communicate with, and you could toggle them. Bonus points if the app store made it a requirement to identify which Domains are third parties and the category like an Ad service.
I think the issue here is one of informed consent. You might say, "OK, this makes sense" when agreeing to location data for a weather app. In the context of whether it's going to hail soon, location is reasonable. What you only see in those GDPR-type banners is that the data is being re-sold off to 1001 "partners", none of whom are important for my hail-to-head concerns. Never mind all the cases where it's re-sold on to all the governments and personal-level creeps through aggregators.
I have 26 apps on my phone. Of those, four are Safari extensions, one is a PWA and another I wrote myself. I use a restrictive nextDNS profile that also blocks Apple's native tracking (as best they can) and don't use social media. I feel like that's the best I can realistically do.
And you do realize your cellphone is constantly sharing your location with your cell phone company which is more than willing to give it to the government without a warrant.
Whatever you are doing is meaningless privacy theatre
Is this something European style privacy laws would protect against? Though given the US political situation we are far from being able to enact any kind of anti-authoritarian protections...
You can increase your chances by crafting the laws differently, at least.
A law that says the government can't ask for this stuff doesn't help very much. They'll ignore it when it suits them.
A law that says it's illegal for private companies to hand it over would be better. When caught between a request from the government and a law that says they're not allowed to honor that request, there's a good chance they'll obey the law rather than the rogue agency.
A law that says it's illegal for private companies to collect this data in the first place would be even better. It could still be worked around, but it's more likely to be uncovered, and they'd only get data after the point where they convinced a company to start collecting it.
“Would European-style privacy laws protect against this?” is the kind of question that sounds more clarifying than it actually is, because it collapses about five separate problems into one vague gesture at “Europe.”
The issue here isn’t simply “lack of privacy law.” It’s:
1. apps collecting precise location data in the first place,
2. adtech infrastructure broadcasting that data through RTB,
3. brokers aggregating and reselling it,
4. government agencies buying it to avoid the constraints that would apply if they tried to collect it directly, and
5. regulators failing to stop any of the above in a meaningful way.
European law is relevant to some of that, but not as a magic shield. GDPR and ePrivacy principles are obviously more restrictive on paper than the US free-for-all, especially around consent, purpose limitation, data minimization, and downstream reuse. But “on paper” is doing a lot of work there. Europe has had years of complaints about RTB specifically, and yet the adtech ecosystem did not exactly disappear. That should tell you something.
So the real answer is: yes, a stronger privacy regime can help, but no, this is not a problem that gets solved by vaguely importing “European-style privacy laws” as a concept. If the underlying business model still allows mass collection, opaque sharing, and resale of location data, then state access is a policy choice away. Governments don’t need to build a panopticon if the commercial sector already did it for them.
Also, the most important legal question here is not just whether private companies should be allowed to collect/sell this data. It’s whether the government should be allowed to buy commercially available data to do an end-run around constitutional and statutory limits. That is a distinct issue. You need rules for both the commercial market and state procurement, otherwise the state just shops where the Fourth Amendment doesn’t reach.
In other words, the contrast is not “Europe = protected, US = authoritarian.” The contrast is between systems that at least attempt to constrain collection and reuse, and systems that let surveillance markets mature first and ask questions later. Even in Europe, enforcement gaps, law-enforcement carveouts, and institutional incentives matter enormously.
So if the goal is to understand the story, the useful question isn’t “would Europe stop this?” It’s “what combination of collection limits, resale bans, procurement bans, audit requirements, and enforcement would actually make this impossible in practice?” Anything short of that is mostly aesthetics.
Very clearly put, and I'd only emphasise that without the final "enforcement" point of that, the other points become entirely irrelevant. While European regulators have imposed some significant sounding fines on prominent entities, they generally work out to be "less than the value gained by doing the thing in the first place" - or at least close enough to that for the entity to not consider it too negative/a future deterrent.
Unless you have some body which is a) serious about enforcement, b) sufficiently toothful to make a dent and c) not undermined by wider geopolitical posturing or economic neutering, you can have all of the regulation you might want and still end up in the same place. I'm not arguing that we shouldn't try and control this, but that we have some extremely large genies to stuff back into bottles along the way.
- .. including any hidden legitimate interest sections that are being treated as a second, opt-out "consent" for things that really don't actually qualify as legitimate interest
- and the companies actually followed it
Then in theory the companies won't have that data. But doing 1 is tedious, companies exercise dark patterns to avoid you doing 2, and it's hard to audit if they've done 3, so most people are probably in those data sets.
Also, a government likely to buy this data for purposes like in the original article, is unlikely to be the type of government that goes around slapping companies for not complying with privacy regulation on that data.
I can’t respond directly to octoclaw’s dead comment (edit: embarrassingly this was an LLM), but I will just say I agree, it is ridiculous both how cheap this data is and how many people aren’t aware of it. It’s not just governments who can get access, either.
This is another reason why you should not be carrying a phone everywhere except for times where you absolutely need one.
I run as few apps as possible, use Firefox / Ublock on my phone. I do play the odd card game (ad-supported), but only 1 or 2 times a month. I may just buy the app outright at some point.
Does sharing location with family (Android) leak any data?
I am surprised the article does not mention obvious mitigation strategies, including network-wide DNS blacklists, browser ad blockers, and not using proprietary apps on phones.
There’s literally a flock camera at basically every street location that one suburb borders another where I live.
There’s really not any legal practical way to avoid ALPRs.
I’m pretty sure the government knows where I am 24/7. I’m not going to worry about targeted advertising by the government anymore and just worry about it the people reselling it to non-governments for use.
People here complain that programmers aren’t engineers because real engineers can accidentally kill people and get sued if they mess an equation up. Instead of just breaking a build or something.
I think it’s more concerning that programmers seem to have no care or shame about designing systems that works against the users’ interests. Did you share something intimate in our chat? Well it’s not E2E, moron, we have that now. How could you be this stupid?
I can’t think of another profession (except pure value extraction types) which revels in exploiting people for not having the time or care to arrange their digital lives around the booby traps that nerds set for them.
I’m afraid you don’t understand humans. Yeah, if you completely strip every detail you get a picture like that, a very convenient one to blow all the righteous steam on some amorphous homogeneous “programmers” mass. World is not simple, it’s the opposite of that.
When a poor lad comes on a work visa and is elevated from a literal poverty to a somewhat decent standard of living, would you expect them to stand up and make sure some camera recordings can’t be used in a way they aren’t supposed to be used? Do you expect them to even consider if their management may abuse that some years in the future (when the code is an unholy mess of duct tape and all the effort goes into making it work for the stated purpose), when their mind is all busy thinking about bills, health, family abroad, and the general sense of doom impending with pandemics and wars and extreme corruption all around? Nah, that lad’s also being exploited here, not exploiting others. Not that any sins are absolved but he’s a lot less of a monster than your comment paints. And there are corporations with tens of thousands of such lads and lasses and other folks. And that’s just one of myriad of possible nuances that break the trope of evil programmers screwing the world up.
Blame the rot that starts at the head, it’d be at least a bit more accurate.
> I can’t think of another profession
That’s because you framed the criteria so narrowly that it includes almost only programmers. And even then you still confused between management and implementors. And even then you’re forgetting the management, who’s definitely more to blame than workers.
As an old-school programmer who thought computers would improve people's lives back in the 80s when I was a wide-eyed teenager.. I am constantly appalled by the current generation of SV people who are very right-leaning and are happy to steal anything and everything they can. It didn't seem like this 20 years ago when I started. I hate the advertising industry with a passion.
Anecdotally, it feels like it fits right in with the "if there's no cop around to give me a ticket, I can drive however I want" attitude I've seen post-Covid. People entering two-way turn lanes or HOV merge lanes to PASS people in the main lane. People going through stop signs without any stopping while I'm waiting for my turn. Using the HOV on-ramp lane with only the driver to merge onto the freeway where it's clearly marked "24 hour HOV lane", etc.
It's as if the entire social compact evaporated during/after Covid, and "everyone only out for themselves" is the norm now.
Or maybe I'm just more aware of it and more cynical.
It really cannot be both ways--the tech industry cannot both be producing critical infrastructure and be immune from liability. We've tried this experiment before, and millions suffered and died needlessly. We have electrical codes, building codes, automotive safety standards, etc., because many, many people died preventable deaths. With the amount of leverage tech has over the economy I don't think it's reasonable that we don't have software engineering codes and professional accountability. But I have absolutely no confidence we'll get there until there are multiple deadly catastrophes over a series of decades.
I worked closely to some of this. There were strict policies in place to never monitor US Citizens. That said i was focused in more kinetic warfare domains and not sure what would've extended past the borders by local law enforcements (DHS typically dictated no-us-soil policies). But, this is a money-hungry data pipeline of resellers and aggregators and they were always eager to sell more.
How do they determine if the person is a US citizen? I've sometimes wondered if my Google account is caught up in mass surveillance of non-Americans because I created my main email address while living in Australia, though I am a US citizen and only a US citizen. I haven't checked in a while, but I know that even in the US, checking my email on the web it would show that it was connecting to an Australian domain.
There are multiple cues in the data stream that let you tag the person with a country of residence even when traveling internationally. It isn't perfect but it is likely more than adequate in most cases.
The US government contracts with commercial data providers stipulate that all US data must be removed. There are quite a few regulatory controls that are adhered to.
> 2. Review apps you’ve granted location permissions to.
I'm surprised they missed the most important step, which is blocking the advertisers from collecting your data in the first place. This is easily done in the browser with uBlock Origin and system-wide with DNS filtering.
So they say to turn of location permissions and stuff, but what about the network carrier? Any privacy focused cell services that are reasonably priced?
Don't think so - they're all very expensive because cell networks are expensive. You can get a burner phone, only use it as a tethered internet connection for your laptop which runs VPN software.
Phreeli seems to be the privacy promoting MVNO with the cheapest options. Not sure if it’s been audited or what its guarantees are, but anything is probably better than the big carriers.
If you cover your phone with an antielectrostatic bag it can't communicate; that is a Faraday cage.
Since people around you will think you are also wearing a tinfoil hard, you had better stick to the phones with hardware switches as sibling comment mentions
I get that anything emitting can be tracked and stuff. I'm looking to take a baby step where I'm at least not having every possible detail recorded and sold. That Phreeli recommendation from another user seems like exactly what I want (paired with other things like a VPN of course).
I always thought these massive surveillance systems private companies are building will eventually used by governments. The Nazis, Stalin or now North Korea would be supper happy to access the data companies are accumulating aggressively.
Duh, what do you think we were building for the last 10 years? Does anyone with two brain cells think that corporate surveillance wasn't going to be co-opted by authoritarianism?
The only people who didn't understand this were either delusional or being paid not to.
I’m not sure that’s fair, the majority of the American population are pretty dumb due to the poor education system. Most weren’t alive for WW2 so they’ve not come very close to an authoritarian threat in the past either.
It always kinda amazes me how people panic about gov data use but barely blink at the private sector doing the exact same thing… except way less transparently.
Like yeah, sure, governments collecting data deserves scrutiny. 100%. But at least in most democracies there are audits, oversight bodies, privacy commissioners, courts, access to information laws, etc. There are actual mechanisms where someone can ask “why are you doing this?” and force an answer.
Meanwhile we hand over our location, browsing habits, shopping patterns, sleep schedule, and probably our favorite pizza topping to dozens of private companies every day. Those companies can aggregate it, sell it, profile you, feed it into ad markets, train models with it, or ship it across borders… and most of the time nobody outside the company even knows it’s happening.
So yeah, data collection in general is worth debating. But the irony is wild when people lose their minds over the one place that at least has some governance and accountability, while the entire private ad-tech ecosystem is basically “trust us bro” with a 40-page terms of service nobody reads.
We can not trust many "governments". The financial incentives are just too powerful. There are cases of people becoming millionaires after they left politics. Post-retirement payback and kickbacks.
Yep, former prime ministers of Australia Kevin Rudd bought a house for $17 million. Do have to wonder were they got all that cash. And that is nothing exceptional, we see this in all manners of governments the world over.
Yet another reminder that everyone everywhere should be blocking all ads all the time. I don't say that lightly as absolutes tend to not be the appropriate solution, but an absolute stance of blocking ads is appropriate.
More of us should learn to do things the hard way more often, and to be familiar with less-convenient things. There are life-changing advantages to doing things the hard way at least some of the time.
The problem is so complex that every action you take compounds and extends far beyond what you realize. Especially as we're living in such a connected world. Those ripples propagate through all the ponds we've connected together.
I don't think it's money, convenience, or any of that. I think it's just that the world is getting more and more complicated. That our actions and inactions have larger and larger effects. We've done a lot of good, but we've also made it a lot easier to feel the flapping of a butterfly's wings on the other side of the planet.
For the user there is no way to pay the 0.0000001c that it takes to load a web page, for the web master there is no way to get paid the $10,000 it takes to serve the users. So we settled on advertising which can somewhat cover those costs since each individual add is basically worthless but an add campaign isn't.
It was able to track me as long as my IP address didn't change, but as soon as I switched VPN endpoints, it gave me a new identifier.
It's similar to when you use Linux or an obscure privacy-preserving browser. You've made yourself way more unique just by doing that.
(I'm not sure how the math works out though, vs. actually running all that nasty tracking stuff.)
But, yeah, anti-fingerprinting is still a useful signal if less people do it. So more people should do it; especially if they're less likely to be targeted.
"More haystack" makes their job harder.
https://web.archive.org/web/20070920193501/http://www.radaro...
The invasion of privacy has been slow, creeping, and just waiting for that Turnkey Tyrant. We fooled ourselves into thinking we'd never elect someone who would turn that key. But in reality the key has been slowly turning, until finally it opened the latch
The location data in these networks is very inaccurate. Your OS and browser actually do a pretty good job of locking down your location data unless you give explicit permission. It's in the ad network's interests to lie about the quality of their data - so a lot of the "location" data is going to be a vaguely accurate guess based on your IP address.
But also, location data is really important to ads right now because, contrary to common perception, per user tracking is very, very hard. Each SDK might be tattling on you, but unless you give them a key to match you across apps, each signal from each app is unique. Which is why you are often served advertisements based on what other people on your network is searching - it's much easier to just blast everyone at that IP address than it is to find that specific user or device again in the data stream.
Bidstream data in particular is very fraught. You're only getting the active data at the point the add is served, but it's not easy to aggregate in any way. You'll be counting the same person separately dozens or hundreds of times with different identifiers for each. The data you get from something like Mobilewalla is not useful for tracking individuals so much as it's useful for finding patterns.
I think it's pretty telling from the few examples shared about how agencies actually use the data:
>"CBP uses the information to “look for cellphone activity in unusual places,” including unpopulated portions of the US-Mexico border."
>According to the Wall Street Journal, the IRS tried to use Venntel’s data to track individual suspects, but gave up when it couldn’t locate its targets in the company’s dataset.
>In March 2021, SOCOM told Vice that the purpose of the contract was to “evaluate” the feasibility of using A6 services in an “overseas operating environment,” and that the government was no longer executing the contract
Something is going to have to be figured out about this data - realistically the only way is a sunset on customized advertisements. However, I would personally not be worried (yet) that the government is going to be able to identify an individual and track them down using these public sources as they currently are.
Let me share a thing:
Factual, a company that specializes in hyperlocal geofencing, uses geofencing much smaller than the self-regulation that their industry allows in their own rules. I learned this after a coworker quit because our company was allowing ad targeting to people using these smaller geofences. The whole company had an all-hands about it where the CEO of the company told everyone that we were not going to stop using Factual nor the smaller-than-allowed geofences because we, ourselves, were not the ones to produce those geofences. We were just a man in the middle helping to build a system to track people at high resolution.
Please try to reconcile with what your industry has and continues to destroy.
I don't see anything contradictory between your comment and the OP.
You'd be surprised what can be done when data from different source is fused together.
Large-Scale Online Deanonymization with LLMs: https://news.ycombinator.com/item?id=47139716
Robust De-anonymization of Large Sparse Datasets: https://www.cs.cornell.edu/~shmat/shmat_oak08netflix.pdf
The problem is that we have markets where we: - Incentivize organizations to pursue profits at the expense of everything else, which includes social good and civic rights - Rarely hold bad actors accountable (and almost never in a timely manner)
Which means, given enough time, we're always going to trend to whatever makes the most money. Targeted advertising makes money, and will continue to do so unless or until we collectively decide to make it a greater risk to profits than it is today.
Many devices, when running, and in some cases even if turned off but connected to their battery, will ping cell towers (maybe even BLE/Wifi) and get triangulated by the network infrastructure (such as cell towers) without actively broadcasting the GPS location.
That's why I don't quite understand why the gubernment needs to have finer grained data (esp around the US/Mexican border). Precision location info would only be needed if you need to track people in densely populated areas.
But it is necessary to send it somewhere, otherwise the internet wouldn't work.
Unfortunately it seems to have become accepted for our devices to communicate constantly and often with services we never explicitly started communication with (like Ad networks used in Apps).
Permission systems on devices should care about Network connections just as much as Location. Ideally when installing an app you'd get the list of domains it requests to communicate with, and you could toggle them. Bonus points if the app store made it a requirement to identify which Domains are third parties and the category like an Ad service.
Whatever you are doing is meaningless privacy theatre
A law that says the government can't ask for this stuff doesn't help very much. They'll ignore it when it suits them.
A law that says it's illegal for private companies to hand it over would be better. When caught between a request from the government and a law that says they're not allowed to honor that request, there's a good chance they'll obey the law rather than the rogue agency.
A law that says it's illegal for private companies to collect this data in the first place would be even better. It could still be worked around, but it's more likely to be uncovered, and they'd only get data after the point where they convinced a company to start collecting it.
The issue here isn’t simply “lack of privacy law.” It’s:
1. apps collecting precise location data in the first place,
2. adtech infrastructure broadcasting that data through RTB,
3. brokers aggregating and reselling it,
4. government agencies buying it to avoid the constraints that would apply if they tried to collect it directly, and
5. regulators failing to stop any of the above in a meaningful way.
European law is relevant to some of that, but not as a magic shield. GDPR and ePrivacy principles are obviously more restrictive on paper than the US free-for-all, especially around consent, purpose limitation, data minimization, and downstream reuse. But “on paper” is doing a lot of work there. Europe has had years of complaints about RTB specifically, and yet the adtech ecosystem did not exactly disappear. That should tell you something.
So the real answer is: yes, a stronger privacy regime can help, but no, this is not a problem that gets solved by vaguely importing “European-style privacy laws” as a concept. If the underlying business model still allows mass collection, opaque sharing, and resale of location data, then state access is a policy choice away. Governments don’t need to build a panopticon if the commercial sector already did it for them.
Also, the most important legal question here is not just whether private companies should be allowed to collect/sell this data. It’s whether the government should be allowed to buy commercially available data to do an end-run around constitutional and statutory limits. That is a distinct issue. You need rules for both the commercial market and state procurement, otherwise the state just shops where the Fourth Amendment doesn’t reach.
In other words, the contrast is not “Europe = protected, US = authoritarian.” The contrast is between systems that at least attempt to constrain collection and reuse, and systems that let surveillance markets mature first and ask questions later. Even in Europe, enforcement gaps, law-enforcement carveouts, and institutional incentives matter enormously.
So if the goal is to understand the story, the useful question isn’t “would Europe stop this?” It’s “what combination of collection limits, resale bans, procurement bans, audit requirements, and enforcement would actually make this impossible in practice?” Anything short of that is mostly aesthetics.
Unless you have some body which is a) serious about enforcement, b) sufficiently toothful to make a dent and c) not undermined by wider geopolitical posturing or economic neutering, you can have all of the regulation you might want and still end up in the same place. I'm not arguing that we shouldn't try and control this, but that we have some extremely large genies to stuff back into bottles along the way.
- you always denied those popups
- .. including any hidden legitimate interest sections that are being treated as a second, opt-out "consent" for things that really don't actually qualify as legitimate interest
- and the companies actually followed it
Then in theory the companies won't have that data. But doing 1 is tedious, companies exercise dark patterns to avoid you doing 2, and it's hard to audit if they've done 3, so most people are probably in those data sets.
Also, a government likely to buy this data for purposes like in the original article, is unlikely to be the type of government that goes around slapping companies for not complying with privacy regulation on that data.
This is another reason why you should not be carrying a phone everywhere except for times where you absolutely need one.
And it's a pretty new account.
Does sharing location with family (Android) leak any data?
There’s really not any legal practical way to avoid ALPRs.
I’m pretty sure the government knows where I am 24/7. I’m not going to worry about targeted advertising by the government anymore and just worry about it the people reselling it to non-governments for use.
For years, people have been sharing everything they do, what they do, people they spent time with, where they live.
Advertisement industry just adds more info to complete your profile, what you buy, what you watch, what you speak online, etc.
I think it’s more concerning that programmers seem to have no care or shame about designing systems that works against the users’ interests. Did you share something intimate in our chat? Well it’s not E2E, moron, we have that now. How could you be this stupid?
I can’t think of another profession (except pure value extraction types) which revels in exploiting people for not having the time or care to arrange their digital lives around the booby traps that nerds set for them.
When a poor lad comes on a work visa and is elevated from a literal poverty to a somewhat decent standard of living, would you expect them to stand up and make sure some camera recordings can’t be used in a way they aren’t supposed to be used? Do you expect them to even consider if their management may abuse that some years in the future (when the code is an unholy mess of duct tape and all the effort goes into making it work for the stated purpose), when their mind is all busy thinking about bills, health, family abroad, and the general sense of doom impending with pandemics and wars and extreme corruption all around? Nah, that lad’s also being exploited here, not exploiting others. Not that any sins are absolved but he’s a lot less of a monster than your comment paints. And there are corporations with tens of thousands of such lads and lasses and other folks. And that’s just one of myriad of possible nuances that break the trope of evil programmers screwing the world up.
Blame the rot that starts at the head, it’d be at least a bit more accurate.
> I can’t think of another profession
That’s because you framed the criteria so narrowly that it includes almost only programmers. And even then you still confused between management and implementors. And even then you’re forgetting the management, who’s definitely more to blame than workers.
Anecdotally, it feels like it fits right in with the "if there's no cop around to give me a ticket, I can drive however I want" attitude I've seen post-Covid. People entering two-way turn lanes or HOV merge lanes to PASS people in the main lane. People going through stop signs without any stopping while I'm waiting for my turn. Using the HOV on-ramp lane with only the driver to merge onto the freeway where it's clearly marked "24 hour HOV lane", etc.
It's as if the entire social compact evaporated during/after Covid, and "everyone only out for themselves" is the norm now.
Or maybe I'm just more aware of it and more cynical.
I concur on missing the turn of the century optimism that tech could make a brighter future.
The US government contracts with commercial data providers stipulate that all US data must be removed. There are quite a few regulatory controls that are adhered to.
> 1. Disable your mobile advertising ID
> 2. Review apps you’ve granted location permissions to.
I'm surprised they missed the most important step, which is blocking the advertisers from collecting your data in the first place. This is easily done in the browser with uBlock Origin and system-wide with DNS filtering.
Since people around you will think you are also wearing a tinfoil hard, you had better stick to the phones with hardware switches as sibling comment mentions
The only people who didn't understand this were either delusional or being paid not to.
Like yeah, sure, governments collecting data deserves scrutiny. 100%. But at least in most democracies there are audits, oversight bodies, privacy commissioners, courts, access to information laws, etc. There are actual mechanisms where someone can ask “why are you doing this?” and force an answer.
Meanwhile we hand over our location, browsing habits, shopping patterns, sleep schedule, and probably our favorite pizza topping to dozens of private companies every day. Those companies can aggregate it, sell it, profile you, feed it into ad markets, train models with it, or ship it across borders… and most of the time nobody outside the company even knows it’s happening.
So yeah, data collection in general is worth debating. But the irony is wild when people lose their minds over the one place that at least has some governance and accountability, while the entire private ad-tech ecosystem is basically “trust us bro” with a 40-page terms of service nobody reads.
"Jeffrey Epstein’s Island Visitors Exposed by Data Broker" - https://www.wired.com/story/jeffrey-epstein-island-visitors-...
https://securitylab.amnesty.org/latest/2025/12/intellexa-lea...
The fact that we still just allow arbitrary 3rd party code to run through ad networks is bizarre.
It's interesting to imagine how things would change if those ad-networks were legally liable for their role in spreading scams and malware.
A very easy, effective, multi-layer setup:
1. Browser adblocker
2. Pi hole running locally
3. Pi hole at your home network router level
And 4, not as easy but effective, a firewall like Little Snitch
Edit: the other good news is your old data loses value quickly, so starting today is still very effective: you haven’t missed the boat yet!
1. Adblocking via private DNS (e.g. https://mullvad.net/en/help/dns-over-https-and-dns-over-tls)
2. Prefer websites over native apps wherever possible
3. Browser adblocker
Hosts file adblocking is also possible on a phone where you have root.