The Invisible Auction

You looked.

Good. I know that wasn’t easy. Some of you are still sitting with it — every doctor’s visit, every late-night drive, every address you thought was private, logged and timestamped and waiting for anyone who asks.

The location history on your phone is the least of it.

When I started researching what ordinary people actually need to understand about surveillance, this is where everything converged. I’m not a surveillance specialist — I’m an evaluation researcher with a unique insight into these systems. I spent two weeks reading court filings, congressional testimony, and investigative reports, and what I found is that the most dangerous pipeline isn’t some classified government program. It’s a commercial system that runs on your phone right now, and nobody explains how it works.

Here’s what happens to your location data after it leaves your phone.

You open a weather app. The app has a piece of code embedded in it — an SDK, a software development kit — put there by a data company you’ve never heard of. The moment the app checks your location to show you tomorrow’s forecast, the SDK copies that location data and sends it somewhere else. Not to the weather company. To a data aggregator.

The aggregator bundles your location with millions of others and feeds it into a real-time bidding exchange — the same system that decides which ads you see. Hundreds of times per day, your phone’s location is broadcast to dozens of companies in the time it takes the ad to load. That’s not a metaphor. The auction literally happens in milliseconds while you’re waiting for a webpage to finish rendering.

From the bidding exchange, your data flows to a data broker. The broker doesn’t just have your location from the weather app. It has your location from every app on your phone that runs an SDK — your games, your period tracker, your meditation app, your news reader. It correlates all of it using a single identifier your phone broadcasts to every app you’ve installed.

That identifier is called your advertising ID. On Android it’s called your MAID. On iOS it’s your IDFA. Think of it as a serial number for your entire digital life — and it was on by default when you set up your phone. Every app can read it. Every SDK can copy it. Every data broker can use it to stitch together a pattern of your movements, your habits, your relationships, your health conditions, your beliefs, into a profile attached to a persistent unique number.

---
title: The Commercial Surveillance Pipeline
---
flowchart TD
    A["YOUR PHONE"]
    B["APP SDK"]
    C["DATA AGGREGATOR"]
    D["REAL-TIME BIDDING EXCHANGE"]
    E["DATA BROKER"]
    F["LAW ENFORCEMENT"]
    G["GOVERNMENT AGENCIES"]
    H["ANYONE WHO PAYS"]

    A --> B
    B --> C
    C --> D
    D --> E
    E --> F
    E --> G
    E --> H

Now here’s where it stops being abstract.

The data broker sells that profile. Not to advertisers. To anyone who pays. A company called Fog Data Science sold location data to local law enforcement agencies across the country — no warrant, no subpoena, no judicial oversight. The police bought access the way you’d buy a software subscription. A company called Babel Street built a product called Locate X that lets federal investigators track device movements using commercially harvested location data — no warrant required. Contracts show it’s been purchased by CBP, ICE, the Secret Service, and the Treasury Department.

I need you to see the shape of this, because it’s not what most people think government surveillance looks like. There’s no wiretap order. There’s no judge. The government doesn’t need to surveil you — it just buys the data that your phone already gave away for free. The pipeline runs from your weather app to a government database, and every link in the chain is technically legal because you clicked “I agree” on a terms of service document that was designed to be unreadable.

This is the single vulnerability you can most effectively address right now. Not because it’s the scariest thing out there. It’s not. Because it’s the one open hole you can partially close in five minutes.

Let’s take two more steps, together.

First: delete your advertising ID.

On Android: Settings → Privacy → Ads → Delete advertising ID. Google made this option available in Android 12. If you don’t see it, search your settings for “advertising.”

On iPhone: Settings → Privacy & Security → Tracking → turn off “Allow Apps to Request to Track.” Then go to Settings → Privacy & Security → Apple Advertising → turn off Personalized Ads.

This doesn’t make you invisible. Apps can still use other fingerprinting techniques. But it removes the one persistent identifier that makes it trivially easy for brokers to correlate your activity across every app on your phone. You just pulled the thread that held the profile together.

Second: audit your app permissions.

Go to your location permissions. On both platforms it’s under Settings → Privacy → Location Services (or Location on Android). Look at every app that has “Always” access to your location. Change it to “While Using App” or “Never” for anything that doesn’t need to know where you are in real time. Your weather app does not need “Always.” Your shopping app does not need “Always.” Your social media app does not need “Always.”

Be aggressive. If an app stops working without location access, you can always turn it back on. Most won’t even notice.

That’s it. That’s today’s work. Two changes, five minutes, and you’ve closed the cheapest, most efficient pipeline between your daily life and a government procurement database.

---

Before the next chapter, I need you to start keeping a record.

If you’re going to keep reading, you need somewhere to track what you’ve done and what you’re learning. Not on Google Docs. Not on Notion. Not on anything that stores your data on someone else’s server. I’ll explain why that matters in detail later. For now, trust the principle: a record of your security posture should be stored the way you’d store anything you want to keep private.

A paper notebook works. If you’re more comfortable with software, look at Obsidian or Logseq — both are free, both store everything locally on your device. Nothing leaves your machine unless you choose to sync it.

Start your record with what you’ve done so far. Checked your location history. Deleted your advertising ID. Audited your app permissions. Write down what you found and what you changed. This is your field journal. It will serve you at every step along the path.

---

In 2021, a Catholic monsignor — the top administrator of the US Conference of Catholic Bishops — was identified as a user of a dating app by a Catholic publication that purchased commercially available location data. Not hacked. Purchased. They bought app signal data from a broker, correlated the “anonymized” location patterns with the monsignor’s known addresses — his office, his home, the conference hotel during a bishops’ meeting — and reconstructed his private behavior from commercially available records.

He was forced to resign. He wasn’t a spy. He wasn’t a criminal. He was a private person whose private life was reconstructed because his phone’s advertising ID connected his app usage to his physical locations, and a data broker sold that connection to anyone who wanted it.

I’m not going to name him in this chapter. Look it up. The sources are public — Washington Post, Time, NBC News all covered it. Find the name. Read what happened. Then come back for the next chapter.

This is the first exercise in a skill you’re going to need: lateral research. Finding information that’s public but not handed to you. Verifying it through multiple sources. Following a thread. You have everything you need.

---