Comment by FL4TLiN3
2 days ago
Who's selling the data is the far more serious issue here. Behind this is a remarkably well-structured syndicate. The supply chain looks something like this: consumer apps embed ad SDKs → those SDKs feed location signals into RTB ad exchanges → surveillance-oriented firms sit in the RTB pipeline and harvest bid request data even without winning auctions → that data flows to aggregators who don't have any direct relationship with consumers → and from there it's sold to government agencies, among others. The genius of this structure is that accountability dissolves at every layer. Each intermediary can claim they're just passing along "commercially available data." Nobody verifies whether consumers actually consented to their location data being collected and resold. The consent verification is always someone else's job. The real problem is that this data is buyable at all, by anyone, through an opaque multi-layered supply chain specifically designed so that no single entity bears responsibility for the end result.
Apple and Google are facilitating the data sales
Specifically, these big companies revenue share with app companies who in turn increase monetization via selling your private information, esp via free apps. In exchange for Apple etc super high app store rake percentage fees, they claim to run security vetting programs and ToS that vet who they do business with and tell users & courts that things are safe, even when they know they're not.
It's not rocket science for phone OS's to figure out who these companies are and, as iOS / android os users already get tracked by apple/google/etc, triangulate to which apps are participating
I'm game for throwing rocks at Apple and Google, but I don't get this one.
> consumer apps embed ad SDKs → those SDKs feed location signals into RTB ad exchanges → surveillance-oriented firms sit in the RTB pipeline and harvest bid request data even without winning auctions
Would you ban ad supported apps? Assuming the comment you're responding to is realistic, I'm not sure how the OS is to blame.
Neither big players have refined enough permissions. These set users up for giving away more data than they think.
Maybe one clear example is needing a permission once for setup and then it remaining persistent.
An easy demonstration is just looking at what Graphene has done. It's open source and you wana say Google can't protect their users better? Certainly Graphene has some advanced features but not everything can be dismissed so easily. Besides, just throw advanced features behind a hidden menu (which they already have!). There's no reason you can't many most users happy while also catering to power users (they'll always complain, but that's their job)
https://grapheneos.org/features
> Would you ban ad supported apps?
There's no need to ban ad supported apps when you can just ban the practice of using ads targeting users based on individual characteristics.
5 replies →
I would ban apps using unsafe ad platforms
If I was simultaneously also the owner of the ad platform, I'd fix it & knock out the bad players, or get ready to be sued for a decade+ of knowing malpractice
And if I was a US citizen seeing the companies being involved be sued for being monopolies and abusing their position, and then seeing them cry security in court yet knowingly do this for a decade+, I'd feel frustrated by successive left + right US administrations & voters
1 reply →
This is really simple to explain:
Apple does not let you restrict app network access[1]
You have no ability to know who your app is connecting to, and you cannot select or prevent it.
[1] except maybe the cellular data toggle
3 replies →
You can trace the big players
If Google & Apple & friends refused to take a rake and opened distribution, then I'd agree, net neutrality etc, not their problem
But they own so much, and so deep into the pipeline, and explain their fees to courts because "security"... and then don't do investigations. They employ some of the best security analysts in the world and have $10-30B/yr revenue tied to just the app store fees, so they very much can take a big bite out of this if they wanted.
2 replies →
Apple supposedly does this with the privacy report cards.
However, I'd be shocked if a cursory audit comparing SDKs embedded in apps and disclosed data sales showed they were effectively enforcing anything at all.
> Would you ban ad supported apps?
Yes, I absolutely would. Advertisements are a scourge upon people's wellbeing on top of being ugly and intrusive.
If you want to build a free product, that's great. Build a free product.
If you want to make money from your product, then charge for your product.
4 replies →
Ultimately the fact that ad sdks have such wide access to location information is a choice by the platforms. I've long wanted meaningful process isolation between the app and its ad sdks, but right now there's oodles of them that just squat on location data when the app requests it.
> I'm not sure how the OS is to blame.
Read the TOS.
If I have a free app that hits location services on the device and I sell this data, how does Apple and Google make money from me?
[dead]
Apple doesn't even allow apps to know whose device they are running on without the user's explicit opt-in permission.
Just as importantly, apps aren't allowed to remove functionality if the user says no.
You need additional permissions to do things like access location data or scan local networks for device fingerprinting.
And Facebook/Meta. Their trackers are everywhere.
It's everyone. Especially google, but all the big tech companies play in the same pool. Amazon, Google, Apple, Meta etc make money selling ads, which ultimate enables the tools that result data harvesting from everyone across the internet. I wrote a little data investigation [1] (mostly finished) that show cases how every major news organization across the globe I scanned had some level of data collection integrated. This is just one industry, but its important (as it connects back to the incentives these media organizations have, which is to make money by selling ads at any cost). The eff also released an angle in how the bidding process to buy ads is itself a massive privacy nightmare[2]
[1] https://quickthoughts.ca/autotracko/ [2] https://www.eff.org/deeplinks/2026/03/targeted-advertising-g...
cloudflare is more everywhere than facebook
2 replies →
Not Experian, TransUnion, and Equifax?
Or for location, the cellular providers?
There are plenty of bad actors
The interesting part is Google & Apple, as part of explaining to courts why their large app store fees are legit and not proof of monopoly positions, hid behind the security argument that they need to be the clearing house of what software runs on the devices. Except... they've knowingly punted on this one for 10+ years.
I would 100% agree that losing privacy through any utility-level carrier (credit cards, phone, OS provider, etc) should be default disallowed, and any opt-ins have a clear transparency mode with easy opt-out. At least two areas the US can learn from the EU on digital policy is digital marketplaces and consumer privacy protection, and this topic is at the intersection of both.
I think the pipeline needs to be plugged at both ends. We shouldnt allow this data to be sold without express consent. And we shouldnt allow the government to purchase this sort of data regardless of consent, protected under the 4th amendment. unless, iguess, express consent is given to be used by the government for investigative purposes, which no one would give since they dont have to under the 5th amendment
Don't forget the initial collection. Nobody is forcing these app developer to link the HarvestCustomerLocation.lib module to their app. They're doing it voluntarily, likely financially incentivized. Don't let them off the hook.
> And we shouldnt allow the government to purchase this sort of data regardless of consent
Fine, we'll force companies to allow a small little box to be added to their data center. Don't worry about what it does, but you cannot disconnect network/power to it once it is installed. Once it is operational, you'll no longer need to think about it ever again, and we recommend that you don't. You should also not talk about this box to users/customers/clients. In fact, you'd be better off if you didn't talk to your employees about it either.
There's no reason to think that this doesn't regularly happen by at least one three letter agency. It's something they've done for a very long time (https://en.wikipedia.org/wiki/Room_641A). They were willing and able to secretly redirect every last bit of data going over AT&Ts backbone into their systems back in 2003 you can bet that they have at least that much capability in place today.
1 reply →
I think sale and purchase are too hard to police. Possession of data should be illegal, with a level of statutory damages that invites litigation.
I think the user should be paid for the data that is being gathered up. If we want a source of UBI for the future where AI is replacing every job, well here is a potential source to fund it.
dynamic/discriminatory pricing driven by AI leveraging all this data would just ensure that any money people got from UBI was funneled into the pockets of corporations anyway.
I find myself uninstalling every app unless I really need it and use it. It's amazing how many apps just sit around in your life over time. get them off your phone
The greatest part of reading HN is finding out that my distrust of apps and their developers is not weird. It does make me question my abilities as a dev for refusing to partake in these reindeer games. Clearly, I am not the right type of person to do well in big tech.
The problem is that it is weird. It's the smart/right thing to do, but countless people mindlessly install whatever they're told to install or whatever looks fun. We hand mobile devices over to children who have no idea why they shouldn't, but honestly many adults are just as ignorant and trusting.
Most people I've spoken with are either thinking "Apple/Google/Government would never allow apps to do something like that!" or they think "Everyone is already doing it so why bother trying to fight it. I'd only be inconveniencing myself for nothing"
Same here. I use Firefox for everything, and uninstall all the junk via adb. Also low power mode not only for battery efficiency, but to prevent most background services from running.
> I find myself uninstalling every app unless I really need it and use it. It's amazing how many apps just sit around in your life over time. get them off your phone
That's the thing they don't just sit around, they all have run at start up and for Android I blame Google for not giving users the ability to block run at start up.
I do this as well — I also have DNS level blocking via a NextDNS profile and prefer PWAs if possible.
I am mostly back to my phone being with ironfox and using it for everything instead of apps. My bank works fine with it still and so far no issues with other things I need.
I do this. I also block the ad ecosystems on the device (root, adaway).
I’m not opening it… can it do anything on iOS?
The RTB thing has been around for over a decade at this point. What I’m not sure about is what’s being sold by car companies. I know they sell the data to insurance companies. I’m curious if the government can manage to get it as well commercially.
> What I’m not sure about is what’s being sold by car companies... if the government can manage to get it as well commercially.
General Motors sold driving data to data brokers including LexisNexus. Anyone, private or government can buy data from LexisNexus.
I wouldn't be surprised if we saw a headline in a few years when we find out other actors (e.g. China, Russia) have been buying this data en-masse too.
The CIA buys this data to track Putin's chef so of course China and Russia are doing the same to us.
I'd much rather be tracked by China than by anything at all with a USA presence.
As if I had a choice.
As if politicians of any party care now, in a meaningful way.
As if news orgs were ever interested in security experts who sounded the klaxons (for years and years and years).
Do you have a source for this claim?
1 reply →
That's a very accurate summary.
That stupid game you installed a year ago, that's what gets you.
If you have a smartphone keep a very sharp eye on your location services, and whether they're in the state you expect them to be in. Also a great way to save your battery.
Not sure about now, but geolocation data used to be available for purchase from: https://en.wikipedia.org/wiki/Skyhook_Wireless
We can hold both accountable actually, its a workaround of our fourth amendment rights and also it should be illegal to do this for the companies involved.
Explicitly outlawing the practice is good, but since they've already been participating in the violation of our rights and knowingly profiting from it there should be consequences.
I'd be perfectly fine with going after companies that sell data to the government, but I don't think it would be fair to go after companies who were forced to hand data over unwillingly, even if they didn't inform the public it was going on out of fear of reproductions.
> Who's selling the data is the far more serious issue here.
Everyone who has it is selling that info, and nearly everyone who collects it is selling it. Until there are laws that actually protect us, we should stop giving companies our location data every chance we get and push for laws that prevent it from being unnecessarily collected in the first place.
"FBI is buying location data to track US citizens" ... "Until there are laws that actually protect us"
I don't see how we overcome that massive hurdle. It's not like those who ostensibly make the laws don't know and approve, and probably intentionally implemented that.
We now have full scale mass tracking and surveillance of the kind no one pre-9/11 would believe would have been allowed to exist in the form of the Flock cameras (of course it was an enemy Brit implementing surveillance in the USA) making anonymity quite literally as challenging as Winston Smith trying to move around without being detected to meet his love interest.
How are we going to get the de facto tyrants in the government to pass laws that materially disempower them by being unable to mass surveil everyone at any given time if they don't like what you are saying or thinking?
The problem with all the naysayers for all those decades is that once you have given up control over your own life and you have given away your rights protected by the Constitution, your enemies in the government are unlikely to simply give them back because you ask nicely. In fact, they will most likely aggressively move against anyone that even suggests that you nicely ask for your rights back.
> It's not like those who ostensibly make the laws don't know and approve, and probably intentionally implemented that.
In theory we should have to power to vote out those lawmakers and elect new ones who will pass the laws we want enacted and uphold the constitution. If we no longer have that power the founding fathers were pretty open about what was expected from us, but it isn't pretty.
There probably was a consent, buried on page 12 in the terms of use of the app they installed at the front of your chain.
I think that practice should be illegal... they know nobody reads those.
Even the "reasonable person" standard for court would probably conclude that most people would never read it.
All of it is legal, and incentivised. Is it any surprise?
US companies don't even care if something is illegal as long as they know the slap on the wrist they get will be a small fraction of they money they made with crime. Most of the time the US government just wants a cut of the action. Google alone has spent billions in fines.
*legal in the US
And it’s working precisely as designed
For example you can have a truthful statement: “all of the apps that you have are constantly spying on you”
And the rejoinder is “ any given app is not specifically selling my data to specifically the FBI and so therefore it is not spying”
To which the response would be: “that is correct however the aggregate data is bundled and sold off to specifically the FBI or intelligence agencies and so there cannot be a logical differentiation between apps.”
By that point the person has downloaded another rewards app and added their drivers license to it.
I don't think either issue is above one or another. Its problematic to build such databases, and it is problematic that the government is buying these services despite being forbidden from doing it themselves. Being able to buy it is a huge loophole and they all know it is a loophole and is breaking the spirit of the law.
Its like saying murder is illegal but hiring a hitman perfectly legal. Its bullshit and everyone involved in these decisions should be in jail. There is no way anybody working for the FBI can claim ignorance to the constitution.
[dead]