Not long ago, the ability to digitally track someone’s daily movements just by knowing their home address, employer, or place of worship was considered a dangerous power that should remain only within the purview of nation states. But a new lawsuit in a likely constitutional battle over a New Jersey privacy law shows that anyone can now access this capability, thanks to a proliferation of commercial services that hoover up the digital exhaust emitted by widely-used mobile apps and websites.
Image: Shutterstock, Arthimides.
Delaware-based Atlas Data Privacy Corp. helps its users remove their personal information from the clutches of consumer data brokers, and from people-search services online. Backed by millions of dollars in litigation financing, Atlas so far this year has sued 151 consumer data brokers on behalf of a class that includes more than 20,000 New Jersey law enforcement officers who are signed up for Atlas services.
Atlas alleges all of these data brokers have ignored repeated warnings that they are violating Daniel’s Law, a New Jersey statute allowing law enforcement, government personnel, judges and their families to have their information completely removed from commercial data brokers. Daniel’s Law was passed in 2020 after the death of 20-year-old Daniel Anderl, who was killed in a violent attack targeting a federal judge — his mother.
Last week, Atlas invoked Daniel’s Law in a lawsuit (PDF) against Babel Street, a little-known technology company incorporated in Reston, Va. Babel Street’s core product allows customers to draw a digital polygon around nearly any location on a map of the world, and view a slightly dated (by a few days) time-lapse history of the mobile devices seen coming in and out of the specified area.
Babel Street’s LocateX platform also allows customers to track individual mobile users by their Mobile Advertising ID or MAID, a unique, alphanumeric identifier built into all Google Android and Apple mobile devices.
Babel Street can offer this tracking capability by consuming location data and other identifying information that is collected by many websites and broadcast to dozens and sometimes hundreds of ad networks that may wish to bid on showing their ad to a particular user.
This image, taken from a video recording Atlas made of its private investigator using Babel Street to show all of the unique mobile IDs seen over time at a mosque in Dearborn, Michigan. Each red dot represents one mobile device.
In an interview, Atlas said a private investigator they hired was offered a free trial of Babel Street, which the investigator was able to use to determine the home address and daily movements of mobile devices belonging to multiple New Jersey police officers whose families have already faced significant harassment and death threats.
Atlas said the investigator encountered Babel Street while testing hundreds of data broker tools and services to see if personal information on its users was being sold. They soon discovered Babel Street also bundles people-search services with its platform, to make it easier for customers to zero in on a specific device.
The investigator contacted Babel Street about possibly buying home addresses in certain areas of New Jersey. After listening to a sales pitch for Babel Street and expressing interest, the investigator was told Babel Street only offers their service to the government or to “contractors of the government.”
“The investigator (truthfully) mentioned that he was contemplating some government contract work in the future and was told by the Babel Street salesperson that ‘that’s good enough’ and that ‘they don’t actually check,’” Atlas shared in an email with reporters.
KrebsOnSecurity was one of five media outlets invited to review screen recordings that Atlas made while its investigator used a two-week trial version of Babel Street’s LocateX service. References and links to reporting by other publications, including 404 Media, Haaretz, NOTUS, and The New York Times, will appear throughout this story.
Collectively, these stories expose how the broad availability of mobile advertising data has created a market in which virtually anyone can build a sophisticated spying apparatus capable of tracking the daily movements of hundreds of millions of people globally.
The findings outlined in Atlas’s lawsuit against Babel Street also illustrate how mobile location data is set to massively complicate several hot-button issues, from the tracking of suspected illegal immigrants or women seeking abortions, to harassing public servants who are already in the crosshairs over baseless conspiracy theories and increasingly hostile political rhetoric against government employees.
WARRANTLESS SURVEILLANCE
Atlas says the Babel Street trial period allowed its investigator to find information about visitors to high-risk targets such as mosques, synagogues, courtrooms and abortion clinics. In one video, an Atlas investigator showed how they isolated mobile devices seen in a New Jersey courtroom parking lot that was reserved for jurors, and then tracked one likely juror’s phone to their home address over several days.
While the Atlas investigator had access to its trial account at Babel Street, they were able to successfully track devices belonging to several plaintiffs named or referenced in the lawsuit. They did so by drawing a digital polygon around the home address or workplace of each person in Babel Street’s platform, which focused exclusively on the devices that passed through those addresses each day.
Each red dot in this Babel Street map represents a unique mobile device that has been seen since April 2022 at a Jewish synagogue in Los Angeles, Calif. Image: Atlas Data Privacy Corp.
One unique feature of Babel Street is the ability to toggle a “night” mode, which makes it relatively easy to determine within a few meters where a target typically lays their head each night (because their phone is usually not far away).
Atlas plaintiffs Scott and Justyna Maloney are both veteran officers with the Rahway, NJ police department who live together with their two young children. In April 2023, Scott and Justyna became the target of intense harassment and death threats after Officer Justyna responded to a routine call about a man filming people outside of the Motor Vehicle Commission in Rahway.
The man filming the Motor Vehicle Commission that day is a social media personality who often solicits police contact and then records himself arguing about constitutional rights with the responding officers.
Officer Justyna’s interaction with the man was entirely peaceful, and the episode appeared to end without incident. But after a selectively edited video of that encounter went viral, their home address and unpublished phone numbers were posted online. When their tormentors figured out that Scott was also a cop (a sergeant), the couple began receiving dozens of threatening text messages, including specific death threats.
According to the Atlas lawsuit, one of the messages to Mr. Maloney demanded money, and warned that his family would “pay in blood” if he didn’t comply. Sgt. Maloney said he then received a video in which a masked individual pointed a rifle at the camera and told him that his family was “going to get [their] heads cut off.”
Maloney said a few weeks later, one of their neighbors saw two suspicious individuals in ski masks parked one block away from the home and alerted police. Atlas’s complaint says video surveillance from neighboring homes shows the masked individuals circling the Maloney’s home. The responding officers arrested two men, who were armed, for unlawful possession of a firearm.
According to Google Maps, Babel Street shares a corporate address with Google and the consumer credit reporting bureau TransUnion.
Atlas said their investigator was not able to conclusively find Scott Maloney’s iPhone in the Babel Street platform, but they did find Justyna’s. Babel Street had nearly 100,000 hits for her phone over several months, allowing Atlas to piece together an intimate picture of Justyna’s daily movements and meetings with others.
An Atlas investigator visited the Maloneys and inspected Justyna’s iPhone, and determined the only app that used her device’s location data was from the department store Macy’s.
In a written response to questions, Macy’s said its app includes an opt-in feature for geo-location, “which allows customers to receive an enhanced shopping experience based on their location.”
“We do not store any customer location information,” Macy’s wrote. “We share geo-location data with a limited number of partners who help us deliver this enhanced app experience. Furthermore, we have no connection with Babel Street” [link added for context].
Justyna’s experience highlights a stark reality about the broad availability of mobile location data: Even if the person you’re looking for isn’t directly identifiable in platforms like Babel Street, it is likely that at least some of that person’s family members are. In other words, it’s often trivial to infer the location of one device by successfully locating another.
The terms of service for Babel Street’s Locate X service state that the product “may not be used as the basis for any legal process in any country, including as the basis for a warrant, subpoena, or any other legal or administrative action.” But Scott Maloney said he’s convinced by their experience that not even law enforcement agencies should have access to this capability without a warrant.
“As a law enforcement officer, in order for me to track someone I need a judge to sign a warrant – and that’s for a criminal investigation after we’ve developed probable cause,” Mr. Maloney said in an interview. “Data brokers tracking me and my family just to sell that information for profit, without our consent, and even after we’ve explicitly asked them not to is deeply disturbing.”
Mr. Maloney’s law enforcement colleagues in other states may see things differently. In August, The Texas Observer reported that state police plan to spend more than $5 million on a contract for a controversial surveillance tool called Tangles from the tech firm PenLink. Tangles is an AI-based web platform that scrapes information from the open, deep and dark web, and it has a premier feature called WebLoc that can be used to geofence mobile devices.
The Associated Press reported last month that law enforcement agencies from suburban Southern California to rural North Carolina have been using an obscure cell phone tracking tool called Fog Reveal — at times without warrants — that gives them the ability to follow people’s movements going back many months.
It remains unclear precisely how Babel Street is obtaining the abundance of mobile location data made available to users of its platform. The company did not respond to multiple requests for comment.
But according to a document (PDF) obtained under a Freedom of Information Act request with the Department of Homeland Security’s Science and Technology directorate, Babel Street re-hosts data from the commercial phone tracking firm Venntel.
On Monday, the Substack newsletter All-Source Intelligence unearthed documents indicating that the U.S. Federal Trade Commission has opened an inquiry into Venntel and its parent company Gravy Analytics.
“Venntel has also been a data partner of the police surveillance contractor Fog Data Science, whose product has been described as ‘mass surveillance on a budget,'” All-Source’s Jack Poulson wrote. “Venntel was also reported to have been a primary data source of the controversial ‘Locate X’ phone tracking product of the American data fusion company Babel Street.”
MAID IN HELL
The Mobile Advertising ID or MAID — the unique alphanumeric identifier assigned to each mobile device — was originally envisioned as a way to distinguish individual mobile customers without relying on personally identifiable information such as phone numbers or email addresses.
However, there is now a robust industry of marketing and advertising companies that specialize in assembling enormous lists of MAIDs that are “enriched” with historical and personal information about the individual behind each MAID.
One of many vendors that “enrich” MAID data with other identifying information, including name, address, email address and phone number.
Atlas said its investigator wanted to know whether they could find enriched MAID records on their New Jersey law enforcement customers, and soon found plenty of ad data brokers willing to sell it.
Some vendors offered only a handful of data fields, such as first and last name, MAID and email address. Other brokers sold far more detailed histories along with their MAID, including each subject’s social media profiles, precise GPS coordinates, and even likely consumer category.
How are advertisers and data brokers gaining access to so much information? Some sources of MAID data can be apps on your phone such as AccuWeather, GasBuddy, Grindr, and MyFitnessPal that collect your MAID and location and sell that to brokers.
A user’s MAID profile and location data also is commonly shared as a consequence of simply using a smartphone to visit a web page that features ads. In the few milliseconds before those ads load, the website will send a “bid request” to various ad exchanges, where advertisers can bid on the chance to place their ad in front of users who match the consumer profiles they’re seeking. A great deal of data can be included in a bid request, including the user’s precise location (the current open standard for bid requests is detailed here).
The trouble is that virtually anyone can access the “bidstream” data flowing through these so-called “realtime bidding” networks, because the information is simultaneously broadcast in the clear to hundreds of entities around the world.
The result is that there are a number of marketing companies that now enrich and broker access to this mobile location information. Earlier this year, the German news outlet netzpolitik.org purchased a bidstream data set containing more than 3.6 billion data points, and shared the information with the German daily BR24. They concluded that the data they obtained (through a free trial, no less) made it possible to establish movement profiles — some of them quite precise — of several million people across Germany.
A screenshot from the BR24/Netzpolitik story about their ability to track millions of Germans, including many employees of the German Federal Police and Interior Ministry.
Politico recently covered startling research from universities in New Hampshire, Kentucky and St. Louis that showed how the mobile advertising data they acquired allowed them to link visits from investigators with the U.S. Securities and Exchange Commission (SEC) to insiders selling stock before the investigations became public knowledge.
The researchers in that study said they didn’t attempt to use the same methods to track regulators from other agencies, but that virtually anyone could do it.
Justin Sherman, a distinguished fellow at Georgetown Law’s Center for Privacy and Technology, called the research a “shocking demonstration of what happens when companies can freely harvest Americans’ geolocation data and sell it for their chosen price.”
“Politicians should understand how they, their staff, and public servants are threatened by the sale of personal data—and constituent groups should realize that talk of data broker ‘controls’ or ‘best practices” is designed by companies to distract from the underlying problems and the comprehensive privacy and security solutions,” Sherman wrote for Lawfare this week.
A BIDSTREAM DRAGNET?
The Orwellian nature of modern mobile advertising networks may soon have far-reaching implications for women’s reproductive rights, as more states move to outlaw abortion within their borders. The 2022 Dobbs decision by the U.S. Supreme Court discarded the federal right to abortion, and 14 states have since enacted strict abortion bans.
Anti-abortion groups are already using mobile advertising data to advance their cause. In May 2023, The Wall Street Journal reported that an anti-abortion group in Wisconsin used precise geolocation data to direct ads to women it suspected of seeking abortions.
As it stands, there is little to stop anti-abortion groups from purchasing bidstream data (or renting access to a platform like Babel Street) and using it to geofence abortion clinics, potentially revealing all mobile devices transiting through these locations.
Atlas said its investigator geofenced an abortion clinic and was able to identify a likely employee at that clinic, following their daily route to and from that individual’s home address.
A still shot from a video Atlas shared of its use of Babel Street to identify and track an employee traveling each day between their home and the clinic.
Last year, Idaho became the first state to outlaw “abortion trafficking,” which the Idaho Capital Sun reports is defined as “recruiting, harboring or transporting a pregnant minor to get an abortion or abortion medication without parental permission.” Tennessee now has a similar law, and GOP lawmakers in five other states introduced abortion trafficking bills that failed to advance this year, the Sun reports.
Atlas said its investigator used Babel Street to identify and track a person traveling from their home in Alabama — where abortion is now illegal — to an abortion clinic just over the border in Tallahassee, Fla. — and back home again within a few hours. Abortion rights advocates and providers are currently suing Alabama Attorney General Steve Marshall, seeking to block him from prosecuting people who help patients travel out-of-state to end pregnancies.
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF), a non-profit digital rights group, said she’s extremely concerned about dragnet surveillance of people crossing state lines in order to get abortions.
“Specifically, Republican officials from states that have outlawed abortion have made it clear that they are interested in targeting people who have gone to neighboring states in order to get abortions, and to make it more difficult for people who are seeking abortions to go to neighboring states,” Galperin said. “It’s not a great leap to imagine that states will do this.”
APPLES AND GOOGLES
Atlas found that for the right price (typically $10-50k a year), brokers can provide access to tens of billions of data points covering large swaths of the US population and the rest of the world.
Based on the data sets Atlas acquired — many of which included older MAID records — they estimate they could locate roughly 80 percent of Android-based devices, and about 25 percent of Apple phones. Google refers to its MAID as the “Android Advertising ID,” (AAID) while Apple calls it the “Identifier for Advertisers” (IDFA).
What accounts for the disparity between the number of Android and Apple devices that can be found in mobile advertising data? In April 2021, Apple shipped version 14.5 of its iOS operating system, which introduced a technology called App Tracking Transparency (ATT) that requires apps to get affirmative consent before they can track users by their IDFA or any other identifier.
Apple’s introduction of ATT had a swift and profound impact on the advertising market: Less than a year later Facebook disclosed that the iPhone privacy feature would decrease the company’s 2022 revenues by about $10 billion.
Source: cnbc.com.
Google runs by far the world’s largest ad exchange, known as AdX. The U.S. Department of Justice, which has accused Google of building a monopoly over the technology that places ads on websites, estimates that Google’s ad exchange controls 47 percent of the U.S. market and 56 percent globally.
Google’s Android is also the dominant mobile operating system worldwide, with more than 72 percent of the market. In the U.S., however, iPhone users claim approximately 55 percent of the market, according to TechRepublic.
In response to requests for comment, Google said it does not send real time bidding requests to Babel Street, nor does it share precise location data in bid requests. The company added that its policies explicitly prohibit the sale of data from real-time bidding, or its use for any purpose other than advertising.
Google said its MAIDs are randomly generated and do not contain IP addresses, GPS coordinates, or any other location data, and that its ad systems do not share anyone’s precise location data.
“Android has clear controls for users to manage app access to device location, and reset or delete their advertising ID,” Google’s written statement reads. “If we learn that someone, whether an app developer, ad tech company or anyone else, is violating our policies, we take appropriate action. Beyond that, we support legislation and industry collaboration to address these types of data practices that negatively affect the entire mobile ecosystem, including all operating systems.”
In a written statement shared with reporters, Apple said Location Services is not on by default in its devices. Rather, users must enable Location Services and must give permission to each app or website to use location data. Users can turn Location Services off at any time, and can change whether apps have access to location at any time. The user’s choices include precise vs. approximate location, as well as a one-time grant of location access by the app.
“We believe that privacy is a fundamental human right, and build privacy protections into each of our products and services to put the user in control of their data,” an Apple spokesperson said. “We minimize personal data collection, and where possible, process data only on users’ devices.”
Zach Edwards is a senior threat analyst at the cybersecurity firm SilentPush who has studied the location data industry closely. Edwards said Google and Apple can’t keep pretending like the MAIDs being broadcast into the bidstream from hundreds of millions of American devices aren’t making most people trivially trackable.
“The privacy risks here will remain until Apple and Google permanently turn off their mobile advertising ID schemes and admit to the American public that this is the technology that has been supporting the global data broker ecosystem,” he said.
STATES ACT, WHILE CONGRESS DITHERS
According to Bloomberg Law, between 2019 and 2023, threats against federal judges have more than doubled. Amid increasingly hostile political rhetoric and conspiracy theories against government officials, a growing number of states are seeking to pass their own versions of Daniel’s Law.
Last month, a retired West Virginia police officer filed a class action lawsuit against the people-search service Whitepages for listing their personal information in violation of a statute the state passed in 2021 that largely mirrors Daniel’s Law.
In May 2024, Maryland passed the Judge Andrew F. Wilkinson Judicial Security Act — named after a county circuit court judge who was murdered by an individual involved in a divorce proceeding over which he was presiding. The law allows current and former members of the Maryland judiciary to request their personal information not be made available to the public.
Under the Maryland law, personal information can include a home address; telephone number, email address; Social Security number or federal tax ID number; bank account or payment card number; a license plate or other unique vehicle identifier; a birth or marital record; a child’s name, school, or daycare; place of worship; place of employment for a spouse, child, or dependent.
The law firm Troutman Pepper writes that “so far in 2024, 37 states have begun considering or have adopted similar privacy-based legislation designed to protect members of the judiciary and, in some states, other government officials involved in law enforcement.”
Atlas alleges that in response to requests to have data on its New Jersey law enforcement clients scrubbed from consumer records sold by LexisNexis, the data broker retaliated by freezing the credit of approximately 18,500 people, and falsely reporting them as identity theft victims.
In addition, Atlas said LexisNexis started returning failure codes indicating they had no record of these individuals, resulting in denials when officers attempted to refinance loans or open new bank accounts.
The data broker industry has responded by having at least 70 of the Atlas lawsuits moved to federal court, and challenging the constitutionality of the New Jersey statute as overly broad and a violation of the First Amendment.
Attorneys for the data broker industry argued in their motion to dismiss that there is “no First Amendment doctrine that exempts a content-based restriction from strict scrutiny just because it has some nexus with a privacy interest.”
Atlas’s lawyers responded that data covered under Daniel’s Law — personal information of New Jersey law enforcement officers — is not free speech. Atlas notes that while defending against comparable lawsuits, the data broker industry has argued that home address and phone number data are not “communications.”
“Data brokers should not be allowed to argue that information like addresses are not ‘communications’ in one context, only to turn around and claim that addresses are protectable communications,” Atlas argued (PDF). “Nor can their change of course alter the reality that the data at issue is not speech.”
The judge overseeing the challenge is expected to rule on the motion to dismiss within the next few weeks. Regardless of the outcome, the decision is likely to be appealed all the way to the U.S. Supreme Court.
Meanwhile, media law experts say they’re concerned that enacting Daniel’s Law in other states could limit the ability of journalists to hold public officials accountable, and allow authorities to pursue criminal charges against media outlets that publish the same type of public and government records that fuel the people-search industry.
Sen. Ron Wyden (D-Ore.) said Congress’ failure to regulate data brokers, and the administration’s continued opposition to bipartisan legislation that would limit data sales to law enforcement, have created this current privacy crisis.
“Whether location data is being used to identify and expose closeted gay Americans, or to track people as they cross state lines to seek reproductive health care, data brokers are selling Americans’ deepest secrets and exposing them to serious harm, all for a few bucks,” Wyden said in a statement shared with KrebsOnSecurity, 404 Media, Haaretz, NOTUS, and The New York Times.
Sen. Wyden said Google also deserves blame for refusing to follow Apple’s lead by removing companies’ ability to track phones.
“Google’s insistence on uniquely tracking Android users – and allowing ad companies to do so as well – has created the technical foundations for the surveillance economy and the abuses stemming from it,” Wyden said.
Georgetown Law’s Justin Sherman said the data broker and mobile ad industries claim there are protections in place to anonymize mobile location data and restrict access to it, and that there are limits to the kinds of invasive inferences one can make from location data. The data broker industry also likes to tout the usefulness of mobile location data in fighting retail fraud, he said.
“All kinds of things can be inferred from this data, including people being targeted by abusers, or people with a particular health condition or religious belief,” Sherman said. “You can track jurors, law enforcement officers visiting the homes of suspects, or military intelligence people meeting with their contacts. The notion that the sale of all this data is preventing harm and fraud is hilarious in light of all the harm it causes enabling people to better target their cyber operations, or learning about people’s extramarital affairs and extorting public officials.”
WHAT CAN YOU DO?
Privacy experts say disabling or deleting your device’s MAID will have no effect on how your phone operates, except that you may begin to see far less targeted ads on that device.
Any Android apps with permission to use your location should appear when you navigate to the Settings app, Location, and then App Permissions. “Allowed all the time” is the most permissive setting, followed by “Allowed only while in use,” “Ask every time,” and “Not allowed.”
Android users can delete their ad ID permanently, by opening the Settings app and navigating to Privacy > Ads. Tap “Delete advertising ID,” then tap it again on the next page to confirm. According to the EFF, this will prevent any app on your phone from accessing the ad ID in the future. Google’s documentation on this is here.
Image: eff.org
By default, Apple’s iOS requires apps to ask permission before they can access your device’s IDFA. When you install a new app, it may ask for permission to track you. When prompted to do so by an app, select the “Ask App Not to Track” option. Apple users also can set the “Allow apps to request to track” switch to the “off” position, which will block apps from asking to track you.
Apple’s Privacy and Ad Tracking Settings.
Apple also has its own targeted advertising system which is separate from third-party tracking enabled by the IDFA. To disable it, go to Settings, Privacy, and Apple Advertising, and ensure that the “Personalized Ads” setting is set to “off.”
Finally, if you’re the type of reader who’s the default IT support person for a small group of family or friends (bless your heart), it would be a good idea to set their devices not to track them, and to disable any apps that may have location data sharing turned on 24/7.
There is a dual benefit to this altruism, which is clearly in the device owner’s best interests. Because while your device may not be directly trackable via advertising data, making sure they’re opted out of said tracking also can reduce the likelihood that you are trackable simply by being physically close to those who are.
Amazing information I never knew about just wow…!
Apologies for hijacking your post John, however Brian’s article has shone a bright light on a topic, that, has come as no surprise of many of us in IT and as this story has gained traction in mainstream news outlets recently, I felt the need to make some relevant comments and share some useful resources for future readers concerning online privacy.
If a platform has a website DO NOT install the app. A browser has many security and privacy protections that no longer exist when you install a platforms app.
A perfect example is the Macy’s app mentioned in the article; when analysed, includes 7 trackers and 46 permissions!! Why?
https://reports.exodus-privacy.eu.org/en/reports/com.macys.android/latest/
The Electronic Frontier Foundation is an independent non-profit organisation that has been working to protect online privacy for over thirty years. They host an excellent resource; Surveillance Self-Defense: an expert guide to protecting you and your friends from online spying.
https://ssd.eff.org/
Exodus Privacy is a European non-profit organisation led by hacktivists. Its purpose is to help people get a better understanding of Android applications and their tracking issues.
https://exodus-privacy.eu.org/en/
Privacy Tools and Prism-Break are 2 popular websites dedicated to providing services, tools and privacy guides to counter global mass surveillance.
https://www.privacytools.io/
https://prism-break.org/en/
The Mozilla Foundation’s *Privacy Not Included website. Their goal is to help you shop smart and safe for any products that connect to the internet. A guide about the privacy and security of connected toys, gadgets, and smart home products.
https://foundation.mozilla.org/en/privacynotincluded/
Always remember if something is advertised as FREE online; YOU are the product.
Government and legislators are notoriously slow at catching up with technology and corporations and their underhanded techniques of squeezing every last cent out of it’s citizens, all in the name of convenience. Stop. Take a step back and inform yourself.
Good morning Brian,
Thank you very much for this published in depth research! I just finished a CSIRT with a SOHO, smart home and connected car client who had hired a forensics firm to determine root cause of the cyberattack which resulted in a 60 day outage. I was hired on day 50 and was able to resume service after installation of many security controls. The outage caused him to lose some marketing clients, impacted his children’s ability to do homework etc. Everyone thought he was crazy for stating someone was following him, that previous efforts to resume service were subsequently subject to reinfection etc. This article shows the vulnerability of all mobile phone owners and what we must do to protect the public who are not as conversant in cybersecurity, mobile technology and more!
Agree 100%. IMO default settings on mobile privacy and IoT security are 2 of the biggest risk factors, besides the cyber skills gap, affecting the average home user today. Sharing that knowledge with those you care about is in everyone’s best interests.
Kudos to your success.
Small typo in 3rd paragraph:
“view a slighted dated” – should be “view a slightly dated”
Love all of your posts, but this was really great! Thanks for posting this!
This was the scariest Krebs yet.
My ios 17.7 has no Privacy setting; only Privacy & Security, which has no Allow Apps to Request to Track
On IOS 17.7 the toggle for “Allow Apps to Request to Track” is under “Privacy & Security” > “Tracking” (yellow icon, 2nd option from the top).
Brian,
Recent Android V15 system update seems to have changed the “Privacy” menu. There is no longer an “Ad” selection.
Can you share a screenshot of what you see there? The instructions were a combination of EFF’s advice and documentation recently shared by Google: https://policies.google.com/technologies/ads?hl=en-US&ref=404media.co
In settings, its almost easier to simply search for ‘Privacy” using the search bar. This eliminates the cat and mouse game of trying to find these buried settings. They always seem to move stuff around, like grocery markets.
It’s there, but now buried under Security and Privacy —> More Privacy Settings —> Ads. However, there is no longer a Delete option. Doing so requires further digging. I was able to delete mine by disabling ALL targeted advertising and ALL “personalization” shenanigans. That leaves only an option to request a new advertising ID.
Same here, I had done this long ago, no option to delete, only to get a new one. The EFF screenshot seems outdated.
Occam’s razor dictates that I probably just missed it when I first looked, but I didn’t see ‘ads’ show up under settings – > security & privacy -> privacy until I went in and searched for ‘ads’ under the search menu. After having deleted my advertising ID, the option for Ads is pretty obvious under the privacy menu. This was on my Pixel 9.
Settings > Security & Privacy > Privacy > Ads
Cheers!
I just removed the Ad ID on my Google Pixel phone, but had to take a different route than the previously stated method of Settings>Privacy > Ads. instead, I had to navigate to: Settings>Google(services & preferences)>All Services>Privacy & Security>Ads. Once there, I was offered the option to delete the Ad ID.
Great article. This is such a blatant intrusion on our personal information. I wish there was a way to get more people to realize how invasive the industry is and to stand up and gain full control of your own private information. Articles like this and linking to it in other forums is just a start. The NJ law is a good, but needs to be strengthened so that individuals don’t have to sue to get it enforced.
Thanks for the excellent journalism, Brian.
Chilling article. Thank you for posting such an in-depth explanation of this issue.
S**t like this is why:
_I use a degoogled custom ROM on my Android, limit location access, and enable additional privacy settings, in conjunction with a tracker blocking application
_I’ve expended a lot of effort getting references to my name, addresses, and phone numbers removed from databroker sites
_I’ve frozen my credit files (after numerous data breaches!)
_I use Pi-hole on my home network to block trackers
_I use a paid VPN service with multiple server locations to obscure my IP address
_I use LibreWolf browser (privacy-reinforced Firefox) with privacy extensions like NoScript, Privacy Badger, and uBlockOrigin
_I pay for a privacy-respecting email service
_I will never use a product/service owned by Meta/Facebook, or similar company
_I never visit any website owned by Google/ABC
_I won’t allow any ads to run on any website until such ads become non-targeted and non-associated with Google or Facebook
_I won’t allow any “analytics” scripts to run on my devices
_I won’t allow remote fonts to run in my browser.
_I try to avoid any website that uses Google’s reCAPTCHA for gatekeeping instead of a more privacy-respecting alternative
_etc.
This is an excellent checklist for obtaining a decent level of privacy online, some may even say it is overkill but it all depends on your level of paranoia. I am a big believer of zero trust as much in corporate entities as malicious actors.
Fortunately I am not a US citizen, so I don’t have resort to these extremes to maintain a safe level of cyber hygiene but at the bare minimum a VPN, Pi-Hole, those Firefox extensions and a free email masking and tracker removal service like DuckDuckGo are options the average home user can easily implement with a modicum of effort.
For those without a custom Android ROM, Adguard offers a free DNS resolver that blacklists known ad servers;
Settings > Network & Internet > Private DNS
Select ‘Private DNS provider hostname’
Enter ‘dns.adguard.com’
Reboot your phone.
This will change will behave like a Pi-Hole device. It will block ads before they reach your phone. Cleaner browser AND apps.
You say,
“…some may even say it is overkill but it all depends on your level of paranoia.”
There is the old joke about you are not paranoid if they are out to get you.
Well this article indicates they are most definitely out to get you.
But… Consider I used to say turn off JavaScript, Java and a few other things. Over on the Schneier On Security site I was called paranoid by many “full stacks” of the time.
Now what was considered paranoid back then is considered sensible if not wise behaviour.
So rather than having “paranoia” you are merely showing “fore sight”. Because when it comes to squeezing people unlawfully US Mega-Corps and their covert buddies do it every which way because US legislators do not do what the voting tax paying citizens want, which is to not live their lives like ants under a magnifying glass on a sunny day.
Oh one thing all those that jump in line to the dog whistle “think of the children” nonsense, you can be sure that those uttering it have you or someone like you in mind for 100% 24×365.25 surveillance.
Because even if you do no wrong, you may well be a useful patsy some day to be used as an example to frighten others (such is modern politics these days).
That seems like an awful lot of effort for something that can be accomplished using a simple hosts file to block the trackers at the source, your own network. Just a fun fact, Ublock doesn’t block anything. It simply eats your ads and makes a note of it. They sell your information. No script will break most (if not all) functioning websites. Taking you back to the days of dialup style internet. If you can see the facebook likes or comments or anything like a share button related to social media, then you are visiting their sites. Remote fonts are not the enemy, but fonts installed on microsoft windows can be used in a malicious mannerism. Your DNS queries are public so if you are using the default isp provided DNS server you can be assured that your internet provider is selling that data. While I don’t like promoting a specific service, in this case I’d suggest you try out NextDNS. It has a lot of guides and options that will familiarize you with DNS and how to block your computer from ever being able to communicate with the offenders. The tools and resources they provide can be adapted and you can get the DNS lists for free and implement them into your hosts file for no cost, forever. The captcha is a DDoS feature that allows websites to use their nameservers to verify if a human is at the helm. It’s for DDoS protection.
uBlock has a privacy policy that contradicts what you say about it: “uBlock never has and never will sell your personal information to any third party without your consent.” https://ublock.org/en/privacy
uBlock Origin “does not collect any data of any kind.” https://github.com/gorhill/uBlock/wiki/Privacy-policy
Makes me wonder about your other comments.
Perhaps you could be more specific about your claim when you say they “sell your information.”
uBlock is different from uBlock Origin. uBlock’s text kinda says it all there “without your consent”. Standard text for any tools that does collect data… also the usual text about the data being “anonymized and only sold in aggregate”, but this article points out of the aggregate data can be used to completely destroy it’s anonymity. uBlock Origin is the original creator’s splintered off open-source project, which obviously has a completely different policy of “does not collect any data of any kind”.
First this: “…constituent groups should realize that talk of data broker ‘controls’ or ‘best practices” is designed by companies to distract from the underlying problems and the comprehensive privacy and security solutions, Sherman wrote for Lawfare this week.” (Sherman)
Then this further on in your excellent report: “Android has clear controls for users to manage app access to device location, and reset or delete their advertising ID,” Google’s written statement reads. “If we learn that someone, whether an app developer, ad tech company or anyone else, is violating our policies, we take appropriate action. Beyond that, we support legislation and industry collaboration to address these types of data practices that negatively affect the entire mobile ecosystem, including all operating systems.” (Android/Google)
The case in point is so illustrated by these two statements where it’s in the latter’s interest to muddy the waters and exploit the vacuum of weak to non existent regulation of our device manufacturers and data brokers in so far as our privacy and security is concerned.
Thank you for bringing this post to light! I unfortunately have felt crazy at times feeling like I was being followed into various places when shopping of all things. I felt violated and to this day still have no idea why I was being followed in state of NC. I later learned how geo-fencing can be used to identify a person’s location and how user data is sold. Clearly the boundaries and restrictions need to be drawn clearly on where privacy is addressed especially with harm that has been done to people repeatedly. I am very certain these tools are being abused for various agendas that do more harm than good as stated above. I hope this article helps bring attention to lawmakers the dangers this kind of tracking can put an individual in. Huge fan! Keep up the good work!
I went in and completed the different setting changes and began receiving “mature” ads on my device. So warning on that.
Wow, thanks. Although my first thought was what the expletive?
It is getting really hard to push back against apps and avoid having to use them. I’m a trustee on my condo board and we are replacing our access control system. One of the trustees was all for a smartphone based system. I actually bothered to read the privacy policy and the app grabs the entire contact list of the device to make it ‘easier’ to grant someone access.
I said no way. As a trustee I shouldn’t be forcing someone to get an app to get into the expletive building. The other creepy thing was as an admin I could track everyone’s movements in and out of the building (and who they are giving access to). Combined with our camera system that’s too much creepiness.
Again, I can’t believe people are just allowing all this access into their lives without question. As the saying goes, in the land of the blind, the one eyed admin is the creepy king.
This technology has political implications as well. Tom Seruga has used these services to shed light on Kamala Harris rally attendees. More than half of them are from out of state and have attended 2+ rally’s.
Adds credence to the “she’s bussing people in to inflate crowd size” lines you hear from people.
https://x.com/TonySeruga/status/1834357902146241010
Additionally – The PA shooter cell phone was at a shooting range the same time as an individual who worked at the FBI was there + that same FBI phone was geolocated at the shooters house
This is a security site NOT a conspiracy blog!
Can we please keep political division out of the commentary?
Kale’s comment is sharing a recent example (potential or real, do you know?) use/abuse of the technology that this article is talking about, just because the tech is being used by/for political uses doesn’t mean we should be silent of it. Stop crying. (I dislike both parties, so bla)
“sharing a recent example (potential or real, do you know?) use/abuse of technology”
NO ONE knows and THAT is the point. That is what makes it a conspiracy theory. OP needs to substantiate their comments with solid facts, otherwise it did not happen. Sharing a random post from a comedian on social media, that triggered your emotions enough that you have broadcast it as gospel, is how misinformation/disinformation spreads like wildfire online and malicious actors thrive on it. Which, given this sites regular content, is even more relevant to the topic of conversation.
Whilst I agree that political institutions are not innocent when it comes to technology abuses, OP clearly had a political axe to grind when they posted their comment, hence my reply. I am not a US citizen and don’t give a s**t about your politics. Misinformation however, that is a different story and well sourced investigative journalism like Brian Krebs’ does not need to be tarnished by it and I will call it out when I see it.
…and Orange Tiberius has paid “Clappers” to fill his events, and, once paid, walk away.
Shove off, troll. It won’t work.
“Orange Tiberius”
And calls someone else a troll…
Some people have NO self awareness.
Bk you ought to interview on the shawn ryan show. Excellent reporting as always!
Don’t forget bluetooth, many businesses, transport companies and retail outlets now have tracking systems that not only flag every BT device in-store, where you walk, where you linger, where you avoid, but also tracks every person walking by the store.
This data amalgamated with all the other troves can provide an incredible privacy threat.
When not using your bluetooth or wifi, turn it off, it’s literally a beacon on your head telling data brokers where you are.
This is the problem with using third party api calls with apps in this case, Macy’s was the only app yet they have their third party vendors who supply all this information and from there its easy for the blame to get pushed around. Most of these tracking companies aren’t subtle about their intentions and they will do whatever it takes to get the numbers up and the users tracked. Even if the company, in this specific example, “Macy’s” doesn’t hold the same viewpoints. Most likely the data opt out just appends a tag that says opt out. The information is usually still collected just tagged with an extra field that displays an opt out so they can filter it. Amazing and in depth article. Such a great piece of writing as usual from krebs. Thank you for this read!
For years I’ve had discussions with fellow info sec peeps about this type of tracking- in discussions of the possibility of Xi starting a global war with the first attack being millions+ of mini missiles targeting primary targets – by tracking their phones. Remember the gov insurance files hacked, all phone numbers of agents and family members names were leaked – anyone with a documented phone number, or has proximity to primary targets and their general locations would be a target too. Fully automated, all missiles launch from thousands of locations at the same time, hitting targets before a comm can go out. That is the abridged version. Once you see the big picture it gets worse. The next world war needs to be prevented, there will be no winners. This tech is the main enable tool for the attack. Although I am sure it is to late, I’d like to hope it can be stopped.
That sounds more like something Israel would employ than China TBPH.
We’ve considered it’s one of the reasons multiple telecom companies have been denied deployment to some countries.
Sounded plausible UNTIL you got to the mini missiles.
What range do you really think those mini missiles have?
They are most certainly not going to be launched from china.
Smuggle tens of thousand of missiles with explosive warheads in to the United States? Or even within its territorial waters?
Yea, no.
That’s one thing US Customs and Border Patrol definitely will not allow in as opposed to the millions of illegals immigrants they do let in.
Not going to happen, like ever.
Try again.
Brian, Amazing reporting. Thank you very much.
On an Android phone, what prevents an app from recording the original MAID that was present when the app was initially installed, and subsequently report this MAID for eternity, regardless if the user resets or deletes the MAID? Seems like a simple thing any app could do.
Police want to purge their records because they’re scared, yet they want an increased surveillance-state. Pigs.
Its startling to learn how accurately someone can track your every move with access to the right data and data analytics tools. I believe that it is commonly understood by most that at least aspects of your life such as your favorite brands and entertainment were farmed for data, and while only some might be bothered by this, more would want some type of change if they learned the extent as shown in this article. I wonder how you think this might evolve especially with advancements in AI and how useful they are in processing data.
Thank you for reporting on this. Top notch as always. MAID deleted !
Great & informative article Brian, thanks. Do you have any thoughts on whether browser ‘fingerprinting’ makes the use of MAID or AAID irrelevant? It’s my understanding from EFF and their fingerprint checking tool (coveryourtracks.eff.org), that they can largely track you from a combination of os/browser settings and don’t need a UID. Would that make privacy settings above moot?
John
Krebs, it might be interesting to see a similar story about medical information brokers. There was a company at a job fair I went to who sold this stuff. It’s unclear what the source of the data was, but I’ve noticed a lot of industries who collect medical information have a pretty liberal view of HIPA rules.
Isn’t it nice that there are laws to protect judges and police officers from this sort of thing, but the general public is left hung out to dry?