US border protection used online advertising data for mobile phone surveillance

Contents

The US Customs and Border Protection (CBP) has systematically used location data from everyday apps, originating from the real-time bidding (RTB) system of the online advertising industry. This is evidenced by an internal document from the Department of Homeland Security (DHS), which the investigative platform 404 Media published via a Freedom of Information Act request.

The document obtained by 404 Media is a so-called Privacy Threshold Analysis – a data protection assessment that the DHS must conduct when introducing new technologies. It states verbatim: “RTB-sourced location data is recorded when an advertisement is served.” In the past, there have been several cases where location data was sold, thus revealing clinic visits, among other things.

Data from Candy Crush, Tinder, and MyFitnessPal

In real-time bidding, an automatic auction takes place with every ad impression in an app, where advertisers bid for ad placements. Device data, including location, is transferred during this process. Surveillance companies can observe this process and skim the data – invisibly to the users.

The location data is assigned to a device via so-called Advertising IDs (AdIDs). While these unique identifiers, introduced by Apple and Google for personalized advertising, do not contain names or phone numbers, they enable precise movement tracking over extended periods.

404 Media was able to trace such data streams from Candy Crush, Tinder, Grindr, Tumblr, and MyFitnessPal, among others. In many cases, app developers are unaware that their applications serve as data sources, as the collection occurs through the embedded advertising infrastructure.

CBP described the use as a pilot project that ran from 2019 to 2021 and was intended to assist in analyzing cross-border crime. However, a later investigation by the DHS Inspector General concluded that CBP, the Immigration and Customs Enforcement (ICE), and the Secret Service had illegally used the data for operational purposes. A CBP official allegedly used the system to monitor colleagues without official justification.

As early as 2020, The Wall Street Journal first reported on the purchase of commercial location data by CBP and ICE. The FTC later prohibited the data provider Venntel from selling location data that had been collected without sufficient consent.

ICE continues to buy location data

Despite the documented violations, US authorities continue to purchase such data. ICE reportedly acquired a system called “Webloc,” which can scan entire neighborhoods for mobile phones and track devices back to alleged residential addresses. In public procurement documents, the agency is also actively seeking additional ad-tech data sources.

An earlier report by 404 Media indicated that such tools can also be used for particularly sensitive purposes: they can also be used to track visits to abortion clinics. A court order is not required for this, as the data is freely available on the market.

70 lawmakers call for new investigation

Around 70 US lawmakers, led by Senator Ron Wyden, recently urged the DHS Inspector General in a joint letter to conduct a new investigation. A recommendation issued in 2023 to create binding guidelines for handling commercial location data has not yet been implemented.

“By refusing to cut off surveillance companies and sleazy data brokers, Big Tech companies are effectively collaborating with ICE’s lawless campaign of violence and terror,” Wyden told 404 Media. ICE is also blocking congressional oversight efforts: a scheduled hearing on the Webloc purchase was canceled one day prior without explanation. Wyden recommends that all cell phone users install ad blockers, disable AdID (iOS: Settings, Privacy & Security, Disable Tracking; Android: Settings, Google, All Services, Advertising, Delete Advertising ID), and enable Global Privacy Control in their browser.

(vza)