Who's selling the data is the far more serious issue here. Behind this is a remarkably well-structured syndicate.
The supply chain looks something like this: consumer apps embed ad SDKs → those SDKs feed location signals into RTB ad exchanges → surveillance-oriented firms sit in the RTB pipeline and harvest bid request data even without winning auctions → that data flows to aggregators who don't have any direct relationship with consumers → and from there it's sold to government agencies, among others.
The genius of this structure is that accountability dissolves at every layer. Each intermediary can claim they're just passing along "commercially available data." Nobody verifies whether consumers actually consented to their location data being collected and resold. The consent verification is always someone else's job.
The real problem is that this data is buyable at all, by anyone, through an opaque multi-layered supply chain specifically designed so that no single entity bears responsibility for the end result.
Specifically, these big companies revenue share with app companies who in turn increase monetization via selling your private information, esp via free apps. In exchange for Apple etc super high app store rake percentage fees, they claim to run security vetting programs and ToS that vet who they do business with and tell users & courts that things are safe, even when they know they're not.
It's not rocket science for phone OS's to figure out who these companies are and, as iOS / android os users already get tracked by apple/google/etc, triangulate to which apps are participating
I'm game for throwing rocks at Apple and Google, but I don't get this one.
> consumer apps embed ad SDKs → those SDKs feed location signals into RTB ad exchanges → surveillance-oriented firms sit in the RTB pipeline and harvest bid request data even without winning auctions
Would you ban ad supported apps? Assuming the comment you're responding to is realistic, I'm not sure how the OS is to blame.
I think the pipeline needs to be plugged at both ends. We shouldnt allow this data to be sold without express consent. And we shouldnt allow the government to purchase this sort of data regardless of consent, protected under the 4th amendment. unless, iguess, express consent is given to be used by the government for investigative purposes, which no one would give since they dont have to under the 5th amendment
Don't forget the initial collection. Nobody is forcing these app developer to link the HarvestCustomerLocation.lib module to their app. They're doing it voluntarily, likely financially incentivized. Don't let them off the hook.
> And we shouldnt allow the government to purchase this sort of data regardless of consent
Fine, we'll force companies to allow a small little box to be added to their data center. Don't worry about what it does, but you cannot disconnect network/power to it once it is installed. Once it is operational, you'll no longer need to think about it ever again, and we recommend that you don't. You should also not talk about this box to users/customers/clients. In fact, you'd be better off if you didn't talk to your employees about it either.
I think the user should be paid for the data that is being gathered up. If we want a source of UBI for the future where AI is replacing every job, well here is a potential source to fund it.
I find myself uninstalling every app unless I really need it and use it. It's amazing how many apps just sit around in your life over time. get them off your phone
The greatest part of reading HN is finding out that my distrust of apps and their developers is not weird. It does make me question my abilities as a dev for refusing to partake in these reindeer games. Clearly, I am not the right type of person to do well in big tech.
Same here. I use Firefox for everything, and uninstall all the junk via adb. Also low power mode not only for battery efficiency, but to prevent most background services from running.
> I find myself uninstalling every app unless I really need it and use it. It's amazing how many apps just sit around in your life over time. get them off your phone
That's the thing they don't just sit around, they all have run at start up and for Android I blame Google for not giving users the ability to block run at start up.
I am mostly back to my phone being with ironfox and using it for everything instead of apps. My bank works fine with it still and so far no issues with other things I need.
The RTB thing has been around for over a decade at this point. What I’m not sure about is what’s being sold by car companies. I know they sell the data to insurance companies. I’m curious if the government can manage to get it as well commercially.
I wouldn't be surprised if we saw a headline in a few years when we find out other actors (e.g. China, Russia) have been buying this data en-masse too.
That stupid game you installed a year ago, that's what gets you.
If you have a smartphone keep a very sharp eye on your location services, and whether they're in the state you expect them to be in. Also a great way to save your battery.
> Who's selling the data is the far more serious issue here.
Everyone who has it is selling that info, and nearly everyone who collects it is selling it. Until there are laws that actually protect us, we should stop giving companies our location data every chance we get and push for laws that prevent it from being unnecessarily collected in the first place.
"FBI is buying location data to track US citizens" ... "Until there are laws that actually protect us"
I don't see how we overcome that massive hurdle. It's not like those who ostensibly make the laws don't know and approve, and probably intentionally implemented that.
We now have full scale mass tracking and surveillance of the kind no one pre-9/11 would believe would have been allowed to exist in the form of the Flock cameras (of course it was an enemy Brit implementing surveillance in the USA) making anonymity quite literally as challenging as Winston Smith trying to move around without being detected to meet his love interest.
How are we going to get the de facto tyrants in the government to pass laws that materially disempower them by being unable to mass surveil everyone at any given time if they don't like what you are saying or thinking?
The problem with all the naysayers for all those decades is that once you have given up control over your own life and you have given away your rights protected by the Constitution, your enemies in the government are unlikely to simply give them back because you ask nicely. In fact, they will most likely aggressively move against anyone that even suggests that you nicely ask for your rights back.
US companies don't even care if something is illegal as long as they know the slap on the wrist they get will be a small fraction of they money they made with crime. Most of the time the US government just wants a cut of the action. Google alone has spent billions in fines.
I don't think either issue is above one or another. Its problematic to build such databases, and it is problematic that the government is buying these services despite being forbidden from doing it themselves. Being able to buy it is a huge loophole and they all know it is a loophole and is breaking the spirit of the law.
Its like saying murder is illegal but hiring a hitman perfectly legal. Its bullshit and everyone involved in these decisions should be in jail. There is no way anybody working for the FBI can claim ignorance to the constitution.
We can hold both accountable actually, its a workaround of our fourth amendment rights and also it should be illegal to do this for the companies involved.
Explicitly outlawing the practice is good, but since they've already been participating in the violation of our rights and knowingly profiting from it there should be consequences.
I'd be perfectly fine with going after companies that sell data to the government, but I don't think it would be fair to go after companies who were forced to hand data over unwillingly, even if they didn't inform the public it was going on out of fear of reproductions.
For example you can have a truthful statement: “all of the apps that you have are constantly spying on you”
And the rejoinder is “ any given app is not specifically selling my data to specifically the FBI and so therefore it is not spying”
To which the response would be: “that is correct however the aggregate data is bundled and sold off to specifically the FBI or intelligence agencies and so there cannot be a logical differentiation between apps.”
By that point the person has downloaded another rewards app and added their drivers license to it.
I'd really like to just have legislation to treat location data like audio or video under wiretapping provisions. If you collect my location info and convey it to a third party without my consent or a reasonable good-faith belief that I would consent, that ought to be treated similarly to recording without consent.
And consent needs to be granted explicitly for each party that might get access to my location, you can't just get blanket consent to sell my location to anyone, especially not with real-time identifiable location data.
Fair enough, but the wiretap laws are all phrased in terms of "conversation participant" -- a listener who every speaker is aware is listening. Some states require consent of all participants, others require consent of one participant.
In one-party states the consenting party has to be the one who makes the recording. In all-party-consent states, the verbal declaration that a recording is happening has to be part of the recording. It has to be verbal, so there is no "fine print loophole" -- you have to waste 2-3 seconds of everybody's time saying it out loud.
I like your idea, but the wiretap laws work so smoothly because they bootstrap off of things like "conversation participant" and "verbally granted in the recording itself" that don't carry over to location data.
Good-faith is pretty narrow, mainly talking about emergencies where I implicitly could be said to have given consent, like when calling 911, or services that are close to 911 but privately administered.
> Carpenter v. United States (2018) was a landmark Supreme Court case that held the government generally needs a warrant to access historical cell-site location information (CSLI) from cell phone carriers, as its acquisition constitutes a Fourth Amendment search
This is very different from buying your data from a company especially when the user consented to their location being tracked.
Too many people in these threads jumping to anti-Trump when the real issue is how quick we are to give up our our privacy to use technology and then quickly turn to shock in anger when it’s used against us.
> This is very different from buying your data from a company especially when the user consented to their location being tracked.
No, it's not 'very different'. When you sign a cellular contract you consent to all sorts of tracking and data collection, but it still requires a warrant for government to obtain.
Modern vehicles make disabling data collection fairly difficult. And even if it is disabled, there is no guarantee data is not being sent despite your user settings.
I would love for investigative groups to target the auto industry’s data collection practices and have meaningful legislation created and implemented as a result.
If the SCOTUS case merely said "needs a warrant to access historical data"... it didn't say "only if acquired via specific means" (like a subpoena), right?
The three letter agencies have a long history of ignoring the constitution, long before the Trump administration, going back to their inception, including as recent as the Biden administration [1].
edit: downvoters, is this not true? this is a historic problem with the agencies. This doesn't mean it's not also a problem with this administration. Two things can be true at once. I like pancakes and waffles.
Perhaps we could overturn the third party doctrine. With legislation, preferably. And while we are at it, solve the underlying issue of pervasive data collection and sharing in the first place.
Another angle I think worth attention is product developers should build tools / platforms that don't even touch user data and be open about that so consumers can choose those more. I believe people will choose privacy when given the choice more often if the product is just as good or better.
Law enforcement should require a subpoena if they want to have location data for anyone. It really isnt a third party loophole issue.
Law enforcement should only be accessing location data if they have probable cause to believe a crime is happening. This invalidates the third party doctrine loophole and becomes an unreasonable search (and seizure of your privacy) under the 4th amendment.
Location data specifically should be treated as the most private data about a person. It should have the highest scrutiny for any access. It is more important than your financial records and medical records.
There was a great talk at the Chaos Computer Conference a few years ago how to diy this, sadly cant find it because web search seems dead nowaydays. If anyone knows, please chip in. It was a german researcher following german politicians who hilariously(scandalously?) related travel patterns
That's the job of the FBI - to investigate domestic crimes. But, why do private organizations so willingly participate in the tracking ecosystem? I suppose they're in the, "you have nothing to worry about if you're not doing anything illegal" camp! Hopefully they understand that they have the most to lose.
It's just business. Buy (your data) for a dollar, sell for two. It's all legal and the data brokers are mostly unknown or already-hated companies so I'd say they have nothing to lose.
What if an investigation is based on finding the same specific people near another specific person that they're tracking, but they only know about the one person, not the others.
And by doing this they stop a terror attack?
One more thought - if they buy just data for specific people related to an investigation, the seller of the data is tipped off. If they just buy all the data, then there is no potential tip-off to the target.
For profit organizations are legally required to maximize shareholder value. Many of them will abuse the spirit of the law in order to squeeze profits where others won’t.
The FBI is violating the spirit and original intent of the 4A by creating an entire industry out of the “3rd party doctrine” bypass to the 4A. That doctrine was whole cloth created by SCOTUS and Congress has been too happy to avoid credit or blame for it to not enshrine it in statute.
It's also not new. The FBI has kept dossiers on people of interest and people in positions of power since it was founded. Easier now of course, which is a concern.
> But, why do private organizations so willingly participate in the tracking ecosystem?
Because it makes them money and that's literally the only thing they care about. They'd do anything for money and the only reason they ever don't do something is because it either wouldn't make them money at all, or it would cost them more money than they'd make.
Many retail sites have a "find a nearby" store function. They often outsource this to a third party...for something as silly as geolocation and geographical lookups. This third party is the one that offers its services for a discount but also siphons up your location data to sell.
How Legal Punishment Affects Crime: An Integrated Understanding of the Law's Punitive Behavioral Mechanisms (2025)
"This article explains what these 13 potential effects of punishment are and how they have been theorized. It further reviews the body of available empirical evidence for each of these mechanisms."
Am all for it if law enforcement were held to the same standards. Plenty of cases where LE murder is simply not enforced. Thus LE becomes a haven for those seeking impunity and ability to nefariously track anyone.
A lot of them don't know they're doing it. The tracking itself is embedded in dependencies of dependencies. SDKs you add for legitimate purposes. Along the way it's sent from platform to platform. Analytics, add targets, and eventually data brokers. Data brokers then sell it to other data brokers or the government.
If you're lucky, it's pseudo-anonymous. Of course it's actually not - aggregated location data is inherently not anonymous.
Yes. The french newspaper Le Monde recently did a piece on how easy it was to find every moves and the home adress of sensitive people (elite special forces, nucleat submarine engineers, president bodyguards, etc) by exploiting the free sample of a data broker.
They were stunned to see lemonde's app appeared as sources inside that excel file because of SDKs in their app.
Because capitalism would happily burn the world to ash if the capitalists thought it would make them richer. It makes them think they are winning at life.
A generation ago our leaders derided China (and Russia) for this kind of pervasive spying on it's citizens. In the US we did the same thing just increasing costs by enriching the private sector on the way. That's not better. That's worse.
I still remember people asking, "why people in [China], don't protest more actively against it?" as if they would do much better, some others arguing that it was in their "culture" not to protest, as if it would be in the US, they would do anything different: we now have our answer.
Kinda reminds me of when I saw footage online of a group of teens raiding a 7/11 store -- maybe during the BLM riots --, and a top comment was "heh, come try that in Texas ;)". Fantasizing, of course, that Texas has a unique bulwark against that behavior, probably having to do with gun ownership.
And then it turns out the video took place in Dallas.
We like to think there are all these barriers to bad things happening where we live. "I'm sure someone (not me) would stop that." But it turns out there isn't as much bulwark as we think. Or we're the bulwark, so if it isn't us, then there is nobody else.
It’s that sort of behavior— groups of perpetrators committing crimes— that allow people to justify enhanced surveillance tactics.
I think in years past people would have objected to sale of personal location data. But that was before people had videos of groups of lawbreakers overwhelming laws through organized efforts.
Nobody has explained to me how iOS ad SDKs across different apps can track individual users given that there hasn't been an accessible GUID on iOS for many years now.
Enough location data becomes effectively unique: There is likely only one phone in the world that averages over X nighttime hours in my apartment-complex and averages over Y workday-hours in the the same office block where I work.
That kind of pattern can be used to determine that two or more different app-identities are the same person, and anybody buying that data has a strong incentive to try it.
Fingerprinting devices once you’re installed on them isn’t much harder than doing so in a web browser.
Have Instagram installed on your phone? Great, now every Meta-owned app _or advertiser running on their platform_ has a pretty good shot at identifying you based on IP, location, app usage, etc.
There is a ton of signal about identity available just by virtue of running alongside other apps. Screen size, OS version, and IP are pretty good proxies for unique identity, especially if all you care about is _probable_ matches.
In the US we live in a bizarre world of dual expectations.
The government is supposed to follow the law, be accountable, transparent, and must operate within a constrained, circumscribed zone of activity which is debated and discussed. That's at least how it's supposed to work.
Private companies are understood as amoral sharks who have no obligation to do anything other than operate in their narrowest self-interest, and the law is used as a club to beat them back from what they so clearly want to do, and will do if at all possible. They are unaccountable to anything other than the legal system and their share price. Suggesting that they might have any further obligation is tantamount to questioning whether capitalism should exist. It happens all the time on HN.
So of course the FBI would like to keep their hands mostly clean by having one of those accepted-to-be-horrible companies gather this data and then buy the resulting trove.
The US is SUPPOSE to do that, but I have yet to see it do any of those things with anything close to regularity or consistency at any point in living memory.
We criticize the government bitterly, but when a company does the same thing we seem to say “oh well of course they did that, what can you do, it’s capitalism and the free market knows best, ho hum.”
What would you like them to do? They already force apps to ask for permission, give user control over when the app can even access the location (including just once), tell the user when the app has been accessing the location repeatedly over time, and allow the user the shut off location services for each app individually whenever they want. So aside from shutting off more and more possible sideband sources of location information, what else are they supposed to do?
Unless you're saying Apple is selling the location information they may have directly?
Answering my own question, they need a way for users to grant location permission only to the primary app and not any of its dependencies, as once you grant it, it's available to all code in the app. It would be great if there was some way to separate those.
They could also better enable network traffic inspection on device, so we could tell where data is going. LittleSnitch on iOS would be great.
The government shouldn’t be able to contract out anything it isn’t permitted to do directly itself. We should have this in the law, get rid of qualified immunity for everyone including lawmakers, and reign in the government.
Yes. But AFAIK, not an unconstitutional one. Wyden agrees with you:
> Wyden said buying information on Americans without obtaining a warrant was an “outrageous end-run around the Fourth Amendment,”
America needs privacy laws for this reason (or an amendment, but good luck). Vote when November rolls around; the other piece is finding Democrats that will take an actual stance on privacy closer to Wyden's.
I think that the problem is that it absolutely does violate the constitution, we just have judges willing to defend it and say otherwise even when it clearly allows for exactly what the fourth amendment was intended to prevent.
Some citizens are exempt. Wired magazine got cell phone movement data to and from Little Saint James and found a lot of visitor locations. The FBI is not interested:
This is the reason why every company is collecting all the data they can. They can sell it to the government, which is likely still cheaper than having a bureaucratic behemoth collect that data.
I don’t thinks there’s any person who doesn’t know this information already, yet you keep seeing the same empty articles of “oh yes they collect your data using commercial apps”.. list all these apps to consumers, list the services too, list the companies that are selling them, so people will stop using them or at least limit its access. I know most social media are, but there are far more companies and apps that are willing to sell such data.
The companies handing your data over to the government are apple, google, microsoft, and every ISP, every social media platform, and every cell phone provider in the country. What now? You going to throw out every computer you own and never use the internet? When the problem exists in everything we use and depend on there is no avoiding it.
Buying it just clears up the chain of custody as opposed to the NSA stealing it and reverse engineering your warrant -- OR -- using the good ole stingray.
Who's selling the data is the far more serious issue here. Behind this is a remarkably well-structured syndicate. The supply chain looks something like this: consumer apps embed ad SDKs → those SDKs feed location signals into RTB ad exchanges → surveillance-oriented firms sit in the RTB pipeline and harvest bid request data even without winning auctions → that data flows to aggregators who don't have any direct relationship with consumers → and from there it's sold to government agencies, among others. The genius of this structure is that accountability dissolves at every layer. Each intermediary can claim they're just passing along "commercially available data." Nobody verifies whether consumers actually consented to their location data being collected and resold. The consent verification is always someone else's job. The real problem is that this data is buyable at all, by anyone, through an opaque multi-layered supply chain specifically designed so that no single entity bears responsibility for the end result.
Apple and Google are facilitating the data sales
Specifically, these big companies revenue share with app companies who in turn increase monetization via selling your private information, esp via free apps. In exchange for Apple etc super high app store rake percentage fees, they claim to run security vetting programs and ToS that vet who they do business with and tell users & courts that things are safe, even when they know they're not.
It's not rocket science for phone OS's to figure out who these companies are and, as iOS / android os users already get tracked by apple/google/etc, triangulate to which apps are participating
I'm game for throwing rocks at Apple and Google, but I don't get this one.
> consumer apps embed ad SDKs → those SDKs feed location signals into RTB ad exchanges → surveillance-oriented firms sit in the RTB pipeline and harvest bid request data even without winning auctions
Would you ban ad supported apps? Assuming the comment you're responding to is realistic, I'm not sure how the OS is to blame.
23 replies →
If I have a free app that hits location services on the device and I sell this data, how does Apple and Google make money from me?
1 reply →
Apple doesn't even allow apps to know whose device they are running on without the user's explicit opt-in permission.
Just as importantly, apps aren't allowed to remove functionality if the user says no.
You need additional permissions to do things like access location data or scan local networks for device fingerprinting.
And Facebook/Meta. Their trackers are everywhere.
4 replies →
Not Experian, TransUnion, and Equifax?
Or for location, the cellular providers?
1 reply →
I think the pipeline needs to be plugged at both ends. We shouldnt allow this data to be sold without express consent. And we shouldnt allow the government to purchase this sort of data regardless of consent, protected under the 4th amendment. unless, iguess, express consent is given to be used by the government for investigative purposes, which no one would give since they dont have to under the 5th amendment
Don't forget the initial collection. Nobody is forcing these app developer to link the HarvestCustomerLocation.lib module to their app. They're doing it voluntarily, likely financially incentivized. Don't let them off the hook.
> And we shouldnt allow the government to purchase this sort of data regardless of consent
Fine, we'll force companies to allow a small little box to be added to their data center. Don't worry about what it does, but you cannot disconnect network/power to it once it is installed. Once it is operational, you'll no longer need to think about it ever again, and we recommend that you don't. You should also not talk about this box to users/customers/clients. In fact, you'd be better off if you didn't talk to your employees about it either.
2 replies →
I think sale and purchase are too hard to police. Possession of data should be illegal, with a level of statutory damages that invites litigation.
I think the user should be paid for the data that is being gathered up. If we want a source of UBI for the future where AI is replacing every job, well here is a potential source to fund it.
1 reply →
I find myself uninstalling every app unless I really need it and use it. It's amazing how many apps just sit around in your life over time. get them off your phone
The greatest part of reading HN is finding out that my distrust of apps and their developers is not weird. It does make me question my abilities as a dev for refusing to partake in these reindeer games. Clearly, I am not the right type of person to do well in big tech.
1 reply →
Same here. I use Firefox for everything, and uninstall all the junk via adb. Also low power mode not only for battery efficiency, but to prevent most background services from running.
> I find myself uninstalling every app unless I really need it and use it. It's amazing how many apps just sit around in your life over time. get them off your phone
That's the thing they don't just sit around, they all have run at start up and for Android I blame Google for not giving users the ability to block run at start up.
I do this as well — I also have DNS level blocking via a NextDNS profile and prefer PWAs if possible.
I am mostly back to my phone being with ironfox and using it for everything instead of apps. My bank works fine with it still and so far no issues with other things I need.
I do this. I also block the ad ecosystems on the device (root, adaway).
I’m not opening it… can it do anything on iOS?
The RTB thing has been around for over a decade at this point. What I’m not sure about is what’s being sold by car companies. I know they sell the data to insurance companies. I’m curious if the government can manage to get it as well commercially.
> What I’m not sure about is what’s being sold by car companies... if the government can manage to get it as well commercially.
General Motors sold driving data to data brokers including LexisNexus. Anyone, private or government can buy data from LexisNexus.
I wouldn't be surprised if we saw a headline in a few years when we find out other actors (e.g. China, Russia) have been buying this data en-masse too.
The CIA buys this data to track Putin's chef so of course China and Russia are doing the same to us.
3 replies →
That's a very accurate summary.
That stupid game you installed a year ago, that's what gets you.
If you have a smartphone keep a very sharp eye on your location services, and whether they're in the state you expect them to be in. Also a great way to save your battery.
Not sure about now, but geolocation data used to be available for purchase from: https://en.wikipedia.org/wiki/Skyhook_Wireless
> Who's selling the data is the far more serious issue here.
Everyone who has it is selling that info, and nearly everyone who collects it is selling it. Until there are laws that actually protect us, we should stop giving companies our location data every chance we get and push for laws that prevent it from being unnecessarily collected in the first place.
"FBI is buying location data to track US citizens" ... "Until there are laws that actually protect us"
I don't see how we overcome that massive hurdle. It's not like those who ostensibly make the laws don't know and approve, and probably intentionally implemented that.
We now have full scale mass tracking and surveillance of the kind no one pre-9/11 would believe would have been allowed to exist in the form of the Flock cameras (of course it was an enemy Brit implementing surveillance in the USA) making anonymity quite literally as challenging as Winston Smith trying to move around without being detected to meet his love interest.
How are we going to get the de facto tyrants in the government to pass laws that materially disempower them by being unable to mass surveil everyone at any given time if they don't like what you are saying or thinking?
The problem with all the naysayers for all those decades is that once you have given up control over your own life and you have given away your rights protected by the Constitution, your enemies in the government are unlikely to simply give them back because you ask nicely. In fact, they will most likely aggressively move against anyone that even suggests that you nicely ask for your rights back.
1 reply →
There probably was a consent, buried on page 12 in the terms of use of the app they installed at the front of your chain.
I think that practice should be illegal... they know nobody reads those.
Even the "reasonable person" standard for court would probably conclude that most people would never read it.
All of it is legal, and incentivised. Is it any surprise?
US companies don't even care if something is illegal as long as they know the slap on the wrist they get will be a small fraction of they money they made with crime. Most of the time the US government just wants a cut of the action. Google alone has spent billions in fines.
*legal in the US
I don't think either issue is above one or another. Its problematic to build such databases, and it is problematic that the government is buying these services despite being forbidden from doing it themselves. Being able to buy it is a huge loophole and they all know it is a loophole and is breaking the spirit of the law.
Its like saying murder is illegal but hiring a hitman perfectly legal. Its bullshit and everyone involved in these decisions should be in jail. There is no way anybody working for the FBI can claim ignorance to the constitution.
We can hold both accountable actually, its a workaround of our fourth amendment rights and also it should be illegal to do this for the companies involved.
Explicitly outlawing the practice is good, but since they've already been participating in the violation of our rights and knowingly profiting from it there should be consequences.
I'd be perfectly fine with going after companies that sell data to the government, but I don't think it would be fair to go after companies who were forced to hand data over unwillingly, even if they didn't inform the public it was going on out of fear of reproductions.
And it’s working precisely as designed
For example you can have a truthful statement: “all of the apps that you have are constantly spying on you”
And the rejoinder is “ any given app is not specifically selling my data to specifically the FBI and so therefore it is not spying”
To which the response would be: “that is correct however the aggregate data is bundled and sold off to specifically the FBI or intelligence agencies and so there cannot be a logical differentiation between apps.”
By that point the person has downloaded another rewards app and added their drivers license to it.
[dead]
I'd really like to just have legislation to treat location data like audio or video under wiretapping provisions. If you collect my location info and convey it to a third party without my consent or a reasonable good-faith belief that I would consent, that ought to be treated similarly to recording without consent.
And consent needs to be granted explicitly for each party that might get access to my location, you can't just get blanket consent to sell my location to anyone, especially not with real-time identifiable location data.
Fair enough, but the wiretap laws are all phrased in terms of "conversation participant" -- a listener who every speaker is aware is listening. Some states require consent of all participants, others require consent of one participant.
In one-party states the consenting party has to be the one who makes the recording. In all-party-consent states, the verbal declaration that a recording is happening has to be part of the recording. It has to be verbal, so there is no "fine print loophole" -- you have to waste 2-3 seconds of everybody's time saying it out loud.
I like your idea, but the wiretap laws work so smoothly because they bootstrap off of things like "conversation participant" and "verbally granted in the recording itself" that don't carry over to location data.
> or a reasonable good-faith belief that I would consent
Don't deliberately write a loophole. No need for this part.
Good-faith is pretty narrow, mainly talking about emergencies where I implicitly could be said to have given consent, like when calling 911, or services that are close to 911 but privately administered.
The supreme court had a 5-4 decision related to this [1]. Was there something specific, in that decision, that leaves a loophole open?
[1] https://www.supremecourt.gov/opinions/17pdf/16-402_h315.pdf
> Carpenter v. United States (2018) was a landmark Supreme Court case that held the government generally needs a warrant to access historical cell-site location information (CSLI) from cell phone carriers, as its acquisition constitutes a Fourth Amendment search
This is very different from buying your data from a company especially when the user consented to their location being tracked.
Too many people in these threads jumping to anti-Trump when the real issue is how quick we are to give up our our privacy to use technology and then quickly turn to shock in anger when it’s used against us.
> This is very different from buying your data from a company especially when the user consented to their location being tracked.
No, it's not 'very different'. When you sign a cellular contract you consent to all sorts of tracking and data collection, but it still requires a warrant for government to obtain.
8 replies →
Modern vehicles make disabling data collection fairly difficult. And even if it is disabled, there is no guarantee data is not being sent despite your user settings.
I would love for investigative groups to target the auto industry’s data collection practices and have meaningful legislation created and implemented as a result.
> Too many people in these threads jumping to anti-Trump when the real issue is how quick we are to give up our our privacy
Both things are very real problems.
Why is it different though? Who gets to say so?
If the SCOTUS case merely said "needs a warrant to access historical data"... it didn't say "only if acquired via specific means" (like a subpoena), right?
1 reply →
Yeah, the loophole is always "national security" and SCOTUS doesn't enforce the law.
[flagged]
The three letter agencies have a long history of ignoring the constitution, long before the Trump administration, going back to their inception, including as recent as the Biden administration [1].
[1] https://ij.org/press-release/fbi-caught-trying-to-sweep-its-...
edit: downvoters, is this not true? this is a historic problem with the agencies. This doesn't mean it's not also a problem with this administration. Two things can be true at once. I like pancakes and waffles.
1 reply →
[flagged]
9 replies →
Perhaps we could overturn the third party doctrine. With legislation, preferably. And while we are at it, solve the underlying issue of pervasive data collection and sharing in the first place.
Another angle I think worth attention is product developers should build tools / platforms that don't even touch user data and be open about that so consumers can choose those more. I believe people will choose privacy when given the choice more often if the product is just as good or better.
This is what F-Droid does. However Apple doesn't allow you to use it, and Google is slowly following their lead, too.
Law enforcement should require a subpoena if they want to have location data for anyone. It really isnt a third party loophole issue.
Law enforcement should only be accessing location data if they have probable cause to believe a crime is happening. This invalidates the third party doctrine loophole and becomes an unreasonable search (and seizure of your privacy) under the 4th amendment.
Location data specifically should be treated as the most private data about a person. It should have the highest scrutiny for any access. It is more important than your financial records and medical records.
There was a great talk at the Chaos Computer Conference a few years ago how to diy this, sadly cant find it because web search seems dead nowaydays. If anyone knows, please chip in. It was a german researcher following german politicians who hilariously(scandalously?) related travel patterns
https://arstechnica.com/cars/2024/12/whistleblower-finds-une...
https://www.youtube.com/watch?v=iHsz6jzjbRc
direct from the media server
https://media.ccc.de/v/38c3-wir-wissen-wo-dein-auto-steht-vo...
Good. If before the OS masters permitted this ad tracking—-a dirty secret of smaller developer revenue.
Now the FBI shows up to free lunch and blows up the spot. Now _everyone_ knows the ads in “free” apps are tracking you.
That's the job of the FBI - to investigate domestic crimes. But, why do private organizations so willingly participate in the tracking ecosystem? I suppose they're in the, "you have nothing to worry about if you're not doing anything illegal" camp! Hopefully they understand that they have the most to lose.
It's just business. Buy (your data) for a dollar, sell for two. It's all legal and the data brokers are mostly unknown or already-hated companies so I'd say they have nothing to lose.
I wonder if we can still buy burner phones for cash at Mondo Mart
10 replies →
No it is not the job of the FBI to to conduct mass surveillance of citizens.
The purpose of a system is what it does.
What if an investigation is based on finding the same specific people near another specific person that they're tracking, but they only know about the one person, not the others.
And by doing this they stop a terror attack?
One more thought - if they buy just data for specific people related to an investigation, the seller of the data is tipped off. If they just buy all the data, then there is no potential tip-off to the target.
6 replies →
For profit organizations are legally required to maximize shareholder value. Many of them will abuse the spirit of the law in order to squeeze profits where others won’t.
The FBI is violating the spirit and original intent of the 4A by creating an entire industry out of the “3rd party doctrine” bypass to the 4A. That doctrine was whole cloth created by SCOTUS and Congress has been too happy to avoid credit or blame for it to not enshrine it in statute.
>For profit organizations are legally required to maximize shareholder value.
No:
https://www.nytimes.com/roomfordebate/2015/04/16/what-are-co...
If something is bad when it's done illegally, it's worse when it's done legally, and even worse than that when it's done dutifully.
It's also not new. The FBI has kept dossiers on people of interest and people in positions of power since it was founded. Easier now of course, which is a concern.
> But, why do private organizations so willingly participate in the tracking ecosystem?
Because it makes them money and that's literally the only thing they care about. They'd do anything for money and the only reason they ever don't do something is because it either wouldn't make them money at all, or it would cost them more money than they'd make.
If this kind of surveillance is part of their job, why are they constitutionally forbidden from doing the surveillance themselves?
Haven't they been tapping phones since their conception?
Lemme give you an example.
Many retail sites have a "find a nearby" store function. They often outsource this to a third party...for something as silly as geolocation and geographical lookups. This third party is the one that offers its services for a discount but also siphons up your location data to sell.
[dead]
[flagged]
How Legal Punishment Affects Crime: An Integrated Understanding of the Law's Punitive Behavioral Mechanisms (2025)
"This article explains what these 13 potential effects of punishment are and how they have been theorized. It further reviews the body of available empirical evidence for each of these mechanisms."
https://news.ycombinator.com/item?id=47266997
Am all for it if law enforcement were held to the same standards. Plenty of cases where LE murder is simply not enforced. Thus LE becomes a haven for those seeking impunity and ability to nefariously track anyone.
Yikes. Why are private organizations so happy to participate in mass surveillance.
A lot of them don't know they're doing it. The tracking itself is embedded in dependencies of dependencies. SDKs you add for legitimate purposes. Along the way it's sent from platform to platform. Analytics, add targets, and eventually data brokers. Data brokers then sell it to other data brokers or the government.
If you're lucky, it's pseudo-anonymous. Of course it's actually not - aggregated location data is inherently not anonymous.
Yes. The french newspaper Le Monde recently did a piece on how easy it was to find every moves and the home adress of sensitive people (elite special forces, nucleat submarine engineers, president bodyguards, etc) by exploiting the free sample of a data broker.
They were stunned to see lemonde's app appeared as sources inside that excel file because of SDKs in their app.
Should be obvious: lots of money in that. Corporations are amoral psychopaths.
Because capitalism would happily burn the world to ash if the capitalists thought it would make them richer. It makes them think they are winning at life.
I have to give my age to my OS.
Yet they can't write a law to make this basic practice illegal.
Why do I feel like I'm not being represented _at all_?
[dead]
A generation ago our leaders derided China (and Russia) for this kind of pervasive spying on it's citizens. In the US we did the same thing just increasing costs by enriching the private sector on the way. That's not better. That's worse.
I still remember people asking, "why people in [China], don't protest more actively against it?" as if they would do much better, some others arguing that it was in their "culture" not to protest, as if it would be in the US, they would do anything different: we now have our answer.
Kinda reminds me of when I saw footage online of a group of teens raiding a 7/11 store -- maybe during the BLM riots --, and a top comment was "heh, come try that in Texas ;)". Fantasizing, of course, that Texas has a unique bulwark against that behavior, probably having to do with gun ownership.
And then it turns out the video took place in Dallas.
We like to think there are all these barriers to bad things happening where we live. "I'm sure someone (not me) would stop that." But it turns out there isn't as much bulwark as we think. Or we're the bulwark, so if it isn't us, then there is nobody else.
It’s that sort of behavior— groups of perpetrators committing crimes— that allow people to justify enhanced surveillance tactics.
I think in years past people would have objected to sale of personal location data. But that was before people had videos of groups of lawbreakers overwhelming laws through organized efforts.
1 reply →
People still say the same thing today. They just claim "its different" when it is used against them because scary China bad.
Nobody has explained to me how iOS ad SDKs across different apps can track individual users given that there hasn't been an accessible GUID on iOS for many years now.
Enough location data becomes effectively unique: There is likely only one phone in the world that averages over X nighttime hours in my apartment-complex and averages over Y workday-hours in the the same office block where I work.
That kind of pattern can be used to determine that two or more different app-identities are the same person, and anybody buying that data has a strong incentive to try it.
Which I guess is what iCloud private relay solves. But only if you pay.
1 reply →
Fingerprinting devices once you’re installed on them isn’t much harder than doing so in a web browser.
Have Instagram installed on your phone? Great, now every Meta-owned app _or advertiser running on their platform_ has a pretty good shot at identifying you based on IP, location, app usage, etc.
There is a ton of signal about identity available just by virtue of running alongside other apps. Screen size, OS version, and IP are pretty good proxies for unique identity, especially if all you care about is _probable_ matches.
In the US we live in a bizarre world of dual expectations.
The government is supposed to follow the law, be accountable, transparent, and must operate within a constrained, circumscribed zone of activity which is debated and discussed. That's at least how it's supposed to work.
Private companies are understood as amoral sharks who have no obligation to do anything other than operate in their narrowest self-interest, and the law is used as a club to beat them back from what they so clearly want to do, and will do if at all possible. They are unaccountable to anything other than the legal system and their share price. Suggesting that they might have any further obligation is tantamount to questioning whether capitalism should exist. It happens all the time on HN.
So of course the FBI would like to keep their hands mostly clean by having one of those accepted-to-be-horrible companies gather this data and then buy the resulting trove.
The US is SUPPOSE to do that, but I have yet to see it do any of those things with anything close to regularity or consistency at any point in living memory.
We criticize the government bitterly, but when a company does the same thing we seem to say “oh well of course they did that, what can you do, it’s capitalism and the free market knows best, ho hum.”
See: the US healthcare system.
Apple should take care of this. I would pay. Sadly it has gotten to this point
What would you like them to do? They already force apps to ask for permission, give user control over when the app can even access the location (including just once), tell the user when the app has been accessing the location repeatedly over time, and allow the user the shut off location services for each app individually whenever they want. So aside from shutting off more and more possible sideband sources of location information, what else are they supposed to do?
Unless you're saying Apple is selling the location information they may have directly?
Answering my own question, they need a way for users to grant location permission only to the primary app and not any of its dependencies, as once you grant it, it's available to all code in the app. It would be great if there was some way to separate those.
They could also better enable network traffic inspection on device, so we could tell where data is going. LittleSnitch on iOS would be great.
2 replies →
The government shouldn’t be able to contract out anything it isn’t permitted to do directly itself. We should have this in the law, get rid of qualified immunity for everyone including lawmakers, and reign in the government.
Isn't this is just a naked reach around the 4th amendment?!
Yes. But AFAIK, not an unconstitutional one. Wyden agrees with you:
> Wyden said buying information on Americans without obtaining a warrant was an “outrageous end-run around the Fourth Amendment,”
America needs privacy laws for this reason (or an amendment, but good luck). Vote when November rolls around; the other piece is finding Democrats that will take an actual stance on privacy closer to Wyden's.
I think that the problem is that it absolutely does violate the constitution, we just have judges willing to defend it and say otherwise even when it clearly allows for exactly what the fourth amendment was intended to prevent.
1 reply →
Some citizens are exempt. Wired magazine got cell phone movement data to and from Little Saint James and found a lot of visitor locations. The FBI is not interested:
https://www.wired.com/story/jeffrey-epstein-island-visitors-...
This should be a surprise to absolutely no one. I think it sucks, but I also don't think it's anything new.
Yeah, if you had any faith in these private companies to not bend over backwards for the feds, I have a bridge in San Francisco to sell you
This is the reason why every company is collecting all the data they can. They can sell it to the government, which is likely still cheaper than having a bureaucratic behemoth collect that data.
I don’t thinks there’s any person who doesn’t know this information already, yet you keep seeing the same empty articles of “oh yes they collect your data using commercial apps”.. list all these apps to consumers, list the services too, list the companies that are selling them, so people will stop using them or at least limit its access. I know most social media are, but there are far more companies and apps that are willing to sell such data.
The companies handing your data over to the government are apple, google, microsoft, and every ISP, every social media platform, and every cell phone provider in the country. What now? You going to throw out every computer you own and never use the internet? When the problem exists in everything we use and depend on there is no avoiding it.
To be fair they are only doing that in order to track if his honeypot brib^de isnt cheating on him.
Might be cheaper than round the clock SWAT teams https://www.nytimes.com/2025/11/23/us/politics/kash-patel-gi...
[dead]
[dead]
[dead]
[dead]
[dead]
[dead]
They hate us for our freedom.
Also, isn't this breaking the constitution? It bypasses needing a warrant respectively having a objective suspicion.
> Also, isn't this breaking the constitution?
I don't think that's been of much concern as of late.
> Also, isn't this breaking the constitution? It bypasses needing a warrant respectively having a objective suspicion.
Nope.
Your personal information, when given to others, is now trash on the curb (in a literal sense, see: https://en.wikipedia.org/wiki/California_v._Greenwood )
Buying it just clears up the chain of custody as opposed to the NSA stealing it and reverse engineering your warrant -- OR -- using the good ole stingray.
Anti Pinkerton act: gov can't buy services it isn't legally allowed to do themselves