Docs Expose CBP’s Use Of Ad Data To Track People’s Movements
Every phone is a narc whether you realize it or not. The private sector certainly knows what information a cell phone can divulge and has leveraged the always-on nature of these devices to maximize profitability.
The public sector — mainly law enforcement agencies, both local and federal — have caught onto this as well. With court decisions making it less than absolutely clear things like geofence warrants and long-term location tracking are actually lawful, they’re turning to third parties to give them the data they can’t easily obtain without trying to talk judges into approving their warrants.
Data brokers will sell to anyone willing to pay, which means plenty of federal agencies are obtaining location data this way, bypassing the restraints created by courts and the oversight Congress is supposed to provide. The DHS has been doing this for years, as have several other federal law enforcement agencies. It finally attracted enough attention on Capitol Hill that even CBP (Customs and Border Protection) pinky-promised Senator Ron Wyden and other lawmakers that it wouldn’t continue to bypass constitutional protections by throwing its money at private sector data brokers.
The extent of this surveillance hasn’t always been clear. 404 Media has obtained some information via FOIA requests that reduces a bit of the fog of war on privacy.
Customs and Border Protection (CBP) bought data from the online advertising ecosystem to track peoples’ precise movements over time, in a process that often involves siphoning data from ordinary apps like video games, dating services, and fitness trackers, according to an internal Department of Homeland Security (DHS) document obtained by 404 Media.
The document shows in stark terms the power, and potential risk, of online advertising data and how it can be leveraged by government agencies for surveillance purposes. The news comes after Immigration and Customs Enforcement (ICE) purchased similar tools that can monitor the movements of phones in entire neighbourhoods. ICE also recently said in public procurement documents it was interested in sourcing more “Ad Tech” data for its investigations.
CBP told Senator Wyden that it would stop purchasing location data from data brokers back in 2023. There’s no reason to believe this assertion is still true, now that Trump has made hunting down non-whites a prominent part of his domestic policy.
In fact, there’s every reason to believe CBP has gone back to buying up whatever it can from third-party data brokers. A letter signed by 58 Congressional members (including Sen. Wyden and author Rep. Adriano Espaillat) notes that the CBP has refused to discuss its current data broker-enabled location tracking efforts with Congressional oversight.
ICE is now stonewalling congressional oversight into its purchase of location data. Senator Wyden’s office requested a briefing from ICE soon after this contract was revealed in the press, in October, which was scheduled in December, for February 10, 2026. One day before that briefing was to take place, ICE cancelled it with no explanation and without any offer to reschedule.
It’s another DHS power move — albeit one put in play before Kristi Noem was sidelined by Trump. It’s one that says again, quite clearly, that federal agencies (under Trump) feel no compunction to answer to anyone, especially not their direct oversight.
What separates this reporting from earlier reporting on federal agency use of data brokers is this: prior efforts involved purchasing location data obtained via installed apps that tracked users’ locations with or without the explicit knowledge or permission of app users or even the developers of these apps. These efforts utilized built-in tracking tools contained in some SDK (software development kits) frequently used by developers.
This collection involves device information gathered and tracked by ad brokers and their customers. AdID (advertising identification) tracks unique device info to serve up targeted advertising to users, which obviously includes nudging them towards goods and services in their area.
While it doesn’t link device info specifically to the people using these devices, it does allow the government to buy data generated by these ad RTB (real-time bidding) markets to collect location info. This can be used to track people’s movements because it only takes a little extra effort (some of that already being performed for the government by companies like Palantir) to tie a device to a person.
404 Media’s reporting is first to show federal agencies have moved past data brokers to directly collect information that’s perpetually generated multiple times per minute to generate information these companies can sell to marketing firms… or, apparently, the government itself. Here’s how this works:
In essence, the AdID acts as the digital glue between a person’s device and their location data, allowing marketers—or a surveillance contractor or DHS—to attribute a set of movements to a specific device. From there, investigators can draw geofences to see all phones at a particular area over a period of time. Many smartphone location data tools then let officials see where else those devices went, potentially revealing where their owners live or work, or other sensitive locations.
While this information is drawn from a DHS-produced PTA (Privacy Threshold Analysis), the PTA generated after the “pilot program” closed in 2021, CBP has yet to produce the PIA (Privacy Impact Assessment) that is supposed to precede rollouts of programs like this, whether they’re “pilots” or not.
That report still doesn’t seem to exist. And while this report claims this was only a “pilot” program that was not used to engage in any actual surveillance, the facts on the ground say otherwise:
Although CBP described the move as a pilot, the DHS Office of the Inspector General (OIG) later found both CBP and ICE did not limit themselves to non-operational use. The OIG found that CBP, ICE, and the Secret Service all illegally used the smartphone location data, and found a CBP official used the data to track coworkers with no investigative purpose. CBP and ICE went on to repeatedly purchase access to location data.
So… business as usual. The government says it’s just test-driving something but then we found out it was used to actually engage in surveillance. The government says it will stop buying data from data brokers in contravention of Supreme Court rulings on location data and then it just keeps doing it. And when the government is told by a co-equal branch to explain itself, it ghosts its oversight and goes back to doing the extremely dirty business of being a rogue administration that openly embraces any bit of authoritarianism it can hammer into place while the system of checks and balances sputters in disbelief.
There are solutions still available to stem the authoritarian tide. We just need a few GOP representatives to care more about the country they’re supposed to be serving than the guy who’s blundering around the Oval Office in hopes of being next-gen Hitler, albeit one that includes Israel in his genocidal plans, rather than making it a target.