Smartphone Data Tracking - Mechanisms, Infrastructure, and Government Procurement

Executive Summary

Smartphone location tracking operates through two fundamentally distinct infrastructural layers: the cellular/SIM network itself, and the app-level data collection ecosystem built atop the advertising industry. The first layer is intrinsic to how mobile telephony functions—carriers must track which tower serves a phone for the network to operate, and there is no subscriber opt-out [1]. The second layer is a commercial construction: apps collect location data through software development kits (SDKs) or the real-time bidding (RTB) advertising auction process, feed it into a multi-layered chain of data brokers, and ultimately make it available for purchase by anyone with money—including government agencies seeking to bypass warrant requirements [2][3].

These two layers converge in a single device but operate through entirely different technical mechanisms, legal regimes, and commercial incentive structures. This analysis examines both.


Part 1: Carrier/SIM Network Tracking

The cellular network itself generates location data as a structural byproduct of its operation. Six distinct mechanisms exploit this infrastructure, as detailed in the companion document “Tracking Over the SIM Network.” They are summarized here to establish the baseline.

1.1 SS7 Protocol Exploitation

Signaling System No. 7, developed in the 1970s, underpins call routing and subscriber authentication across the global telephone network. Because the protocol was designed as a closed, trusted system between cooperating carriers, it lacks authentication between network operators [4]. Anyone with SS7 network access can query another operator’s Home Location Register to determine which cell tower a subscriber’s phone is connected to. As recently as late 2024, Enea’s Threat Intelligence Unit detected a surveillance vendor in the Middle East exploiting a novel SS7 bypass technique to locate subscribers to the nearest cell tower [5]. The successor protocol for 4G, Diameter, inherits many of the same vulnerabilities because LTE networks frequently interwork with SS7 for fallback services [6].

1.2 Cell-Site Simulators (IMSI Catchers)

Devices that impersonate legitimate cell towers force nearby phones to connect and reveal their IMSI numbers, IMEI device identifiers, and location [7]. Modern variants can force protocol downgrades from 4G to less-secure 2G, enabling communication interception [8]. In the United States, the FBI, U.S. Marshals Service, ICE, DHS, and the Secret Service have all deployed these devices, often without warrants [7][9]. The EFF released Rayhunter, an open-source detection tool, in March 2025 [10].

1.3 Cell-Site Location Information (CSLI)

Whenever a phone is powered on, it generates time-stamped cell-site location information stored by carriers for billing and network management [11]. In Carpenter v. United States (2018), the Supreme Court ruled 5-4 that obtaining seven or more days of historical CSLI constitutes a Fourth Amendment search requiring a warrant [12]. The government had obtained 12,898 location points over 127 days—an average of 101 data points per day [13]. The decision, however, explicitly did not address real-time CSLI, tower dumps, or national security contexts [12].

1.4 Carrier Data Sales to Aggregators

AT&T, Verizon, T-Mobile, and Sprint sold real-time subscriber location data to the aggregation companies LocationSmart and Zumigo, which resold it downstream [14][15]. A Carnegie Mellon researcher discovered that LocationSmart’s public demo website had an API vulnerability allowing anyone to geolocate any phone on the major U.S. networks using only a phone number [14]. In April 2024, the FCC fined the carriers a combined total of approximately $200 million [16].

1.5 SIM Card Software Exploitation (Simjacker)

The Simjacker exploit targets the S@T Browser, a legacy application on SIM cards in at least 29 countries. A specially crafted binary SMS instructs the SIM to query the handset for its IMEI and location, then exfiltrate them via a second SMS. The user receives no notification at any stage [17][18]. CERT-EU assessed that up to one billion devices globally could be affected [19]. Unlike SS7 attacks, Simjacker requires only a phone number and a $10 GSM modem [20].

1.6 SIM Swapping

A fraudster convinces a carrier to transfer a victim’s phone number to a SIM under the attacker’s control, enabling interception of all calls and SMS—including 2FA codes [21]. The FBI received 1,600 complaints in 2021 with $68 million in losses, and UK reports rose over 1,000% from 2023 to 2024 [21].

Key point across all six mechanisms: the user has no technical ability to prevent the tracking short of powering off the phone, and in most cases receives no indication that tracking is occurring.


Part 2: App-Level Data Collection and the Advertising Ecosystem

The second tracking layer operates entirely above the carrier network, through the apps installed on the phone and the advertising infrastructure that monetizes them. This layer is far larger in scale and far more commercially accessible than carrier-level tracking.

2.1 Software Development Kits (SDKs)

Apps frequently embed third-party SDKs from data brokers or advertising companies. These SDKs collect location data from the device’s GPS, Wi-Fi positioning, and Bluetooth beacons, then transmit it to the SDK provider [2]. The SDK provider typically pays app developers for the privilege of embedding its code—a direct financial incentive for location sharing. The company X-Mode (now Outlogic), for example, paid app developers to integrate its SDK and tracked 25 million devices per month inside the United States [22]. The most popular apps sharing data through X-Mode’s SDK included a Muslim prayer app and a Quran app with over 98 million downloads worldwide [22]. Google banned the data broker Predicio from its Play Store in 2021 after investigations revealed it was part of the supply chain feeding data to Venntel, which sold to ICE [22].

2.2 Real-Time Bidding (RTB) and Bidstream Data

The second—and arguably more insidious—mechanism is the real-time bidding process that powers nearly all online advertising. RTB operates as follows [23][24][25]:

  1. A user opens an app or loads a webpage with ad space.
  2. The app/site sends the user’s information to a Supply Side Platform (SSP), which forwards it to an Advertising Exchange as a “bid request.”
  3. The bid request contains the user’s device identifier, IP address, GPS coordinates, browsing history, and other data—collectively called “bidstream data.”
  4. The Exchange broadcasts this bid request to potentially dozens of Demand Side Platforms (DSPs), each representing advertisers.
  5. DSPs bid on the impression. The winning bidder’s ad is displayed. The entire process takes under 100 milliseconds.

The critical vulnerability: while only one advertiser wins the auction, all participants receive the data [25]. Any entity posing as an ad buyer can access a stream of location and behavioral data about billions of individuals [25]. Companies have been documented participating in RTB auctions with no intention of placing ads, solely to harvest bidstream data [24][26].

The scale is staggering. EPIC estimates 178 trillion RTB auctions occur annually in the U.S. and Europe [25]. Each auction broadcasts data to potentially dozens of bidders. The FTC found that data broker Mobilewalla collected approximately 60% of its consumer data from RTB exchanges between 2018 and mid-2020, including more than 2 billion unique mobile advertising identifiers (MAIDs) paired with location data—without ever placing ads [24].

In 2017, researchers demonstrated that $1,000 worth of ad-targeting data was sufficient to track an individual’s location and infer sensitive information including religion and sexual orientation [27].

2.3 Mobile Advertising Identifiers (MAIDs)

Both Apple (IDFA) and Google (GAID) assign unique alphanumeric advertising identifiers to each mobile device [28]. Originally designed to facilitate ad targeting, these identifiers have become the primary mechanism by which data brokers link location records from different sources into unified tracking profiles. Because the MAID persists across apps and sessions, a single identifier can tie together location data collected via SDKs, RTB auctions, and other sources into a comprehensive movement history [28].
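
The bid request from section 2.2, carrying the advertising identifier described in section 2.3, as an added example (not code from any cited source or vendor). It assumes OpenRTB 2.x field names (device.ifa, device.ip, device.geo, user.id, user.buyeruid); the sample values and the truncate_ip, exposure, minimise and broadcast helpers are constructed for illustration, and the minimisation policy shown is one an exchange or SSP could apply before fan-out.

```python
import copy
import ipaddress

# Constructed sample in OpenRTB 2.x shape; every value is made up for illustration.
SAMPLE_BID_REQUEST = {
    "id": "req-0001",
    "imp": [{"id": "1", "banner": {"w": 320, "h": 50}}],
    "app": {"bundle": "com.example.weather"},
    "device": {
        "ifa": "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee",  # MAID (IDFA or GAID)
        "ip": "203.0.113.77",                            # documentation-range address
        "geo": {"lat": 40.123456, "lon": -75.654321, "type": 1},  # type 1 = GPS fix
    },
    "user": {"id": "u-55aa", "buyeruid": "b-77cc"},
}
# All-zero value that platforms return when ad tracking is disabled.
ZERO_IFA = "00000000-0000-0000-0000-000000000000"


def truncate_ip(addr):
    """Keep only the network part of an address: /24 for IPv4, /48 for IPv6."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def exposure(req, geo_decimals=2):
    """List the fields that let any recipient identify or precisely locate the device."""
    found = []
    dev = req.get("device", {})
    if dev.get("ifa") and dev["ifa"] != ZERO_IFA:
        found.append("device.ifa")
    for key in ("ip", "ipv6"):
        if key in dev:
            full = ipaddress.ip_address(dev[key])
            if full != ipaddress.ip_address(truncate_ip(dev[key])):
                found.append(f"device.{key}")
    geo = dev.get("geo", {})
    # More than geo_decimals decimal places (2 places is roughly 1 km) counts as precise.
    if any(k in geo and round(geo[k], geo_decimals) != geo[k] for k in ("lat", "lon")):
        found.append("device.geo")
    user = req.get("user", {})
    found += [f"user.{k}" for k in ("id", "buyeruid") if user.get(k)]
    return found


def minimise(req, geo_decimals=2):
    """Return a copy that can still be auctioned but no longer links or pinpoints a device."""
    out = copy.deepcopy(req)
    dev = out.get("device", {})
    dev.pop("ifa", None)                      # drop the persistent cross-app identifier
    for key in ("ip", "ipv6"):
        if key in dev:
            dev[key] = truncate_ip(dev[key])  # keep coarse network, drop host bits
    geo = dev.get("geo", {})
    for k in ("lat", "lon"):
        if k in geo:
            geo[k] = round(geo[k], geo_decimals)
    for k in ("id", "buyeruid"):
        out.get("user", {}).pop(k, None)
    return out


def broadcast(req, bidders, minimised=True):
    """Fan-out step: every bidder receives a copy, whether or not it wins the auction."""
    payload = minimise(req) if minimised else req
    return {bidder: copy.deepcopy(payload) for bidder in bidders}


if __name__ == "__main__":
    print("raw request exposes:      ", exposure(SAMPLE_BID_REQUEST))
    print("minimised request exposes:", exposure(minimise(SAMPLE_BID_REQUEST)))
```

Running exposure over the copies returned by broadcast shows what each losing bidder retains, which is the quantity that matters for the harvesting problem described in section 2.2.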


Part 3: The Data Broker Supply Chain

Location data collected through SDKs and RTB feeds into a layered supply chain of data brokers, aggregators, and analytics firms before reaching government purchasers. The EFF has documented this chain in detail [2][29].

3.1 Gravy Analytics / Venntel

Gravy Analytics is a commercial data broker; Venntel is its government-facing subsidiary. Together they reported gathering more than 17 billion signals from approximately one billion smartphones daily [30]. Gravy does not embed SDKs directly into apps; it acquires data indirectly through other data brokers, including Complementics, Predicio, and Mobilewalla [29]. Government clients of Venntel have included, at minimum, the IRS, DHS (including ICE and CBP), the DEA, and the FBI [2][29].

In December 2024, the FTC took enforcement action against Gravy Analytics and Venntel, finding they violated the FTC Act by selling sensitive consumer location data and collecting location data without obtaining verifiable user consent. The FTC order bars the companies from selling sensitive location data except in limited national security and law enforcement circumstances, and requires them to delete or de-identify three years of historical sensitive location data [30].

3.2 Babel Street / Locate X

Babel Street, incorporated in Reston, Virginia, sells the Locate X product—a tool that allows customers to draw a digital polygon around any location on a map and view a time-lapse history of mobile devices seen entering and exiting that area [28]. Locate X also allows individual device tracking by MAID [28].

A Department of Homeland Security document obtained through FOIA revealed that Babel Street “re-hosts” data from Venntel [29][31]. The same document described Venntel as offering “broad and uncontrolled access to the underlying dataset” of data from 80,000 mobile applications [31]. In 2022, the FBI signed a contract worth up to $27 million with Babel Street for 5,000 licenses to use its software [30]. The Secret Service, CBP, and Treasury Department’s OFAC have also purchased Locate X [32][33].

3.3 Penlink / Cobwebs Technologies

Penlink, a digital intelligence company founded in Lincoln, Nebraska in the 1980s, acquired Cobwebs Technologies in 2023. Cobwebs was founded in 2014 by three former members of special units in the Israeli military [34][35]. The acquisition, backed by private equity firm Spire Capital’s $200 million deal, added two products to Penlink’s portfolio [35]:

Tangles is an AI-powered open-source intelligence tool that scrapes the open, deep, and dark web. It can detect faces in images, perform sentiment analysis on posts, add social media accounts to watch lists, and build dossiers combining a person’s posting history, location history, social graph, and photos [34][36]. Meta banned Cobwebs from its platforms in 2021, characterizing it as a “surveillance-for-hire” outfit [37].

Webloc is a cellphone location database that compiles, processes, and validates “billions of daily location signals from hundreds of millions of mobile devices, providing both forensic and predictive analytics” [36]. Users can search a specific geographic area for all mobile phones present during a given time period, identify a device of interest, track where it has traveled locally and nationally, and infer the owner’s home and workplace based on nighttime and daytime locations [34][38].


Part 4: Recent Government Purchases of Location Data

4.1 FBI (March 2026)

On March 18, 2026, FBI Director Kash Patel testified before the Senate Intelligence Committee that the FBI purchases “commercially available information that is consistent with the Constitution and the laws under the Electronic Communications Privacy Act” [39][40]. This was the first confirmation since 2023 that the FBI was actively buying location data from data brokers. In 2023, then-Director Christopher Wray had told senators that the FBI had purchased such data in the past for “a specific national security pilot project” but was no longer doing so [39][40].

Senator Ron Wyden characterized the practice as “an outrageous end-run around the Fourth Amendment” and warned it was “particularly dangerous given the use of artificial intelligence to comb through massive amounts of private information” [40][41].

The Defense Intelligence Agency Director Lt. Gen. James Adams confirmed at the same hearing that the DIA also purchases commercially available information [41].

4.2 ICE and DEA

In September 2025, ICE signed a no-bid contract worth approximately $2 million for access to Penlink’s Tangles tool [34][42]. In December 2025, ICE spent an additional $312,500 on further licenses [34]. Reporting by 404 Media, based on internal ICE documents, revealed that Webloc can be queried without a warrant according to an internal ICE legal analysis [38]. ICE chose Penlink over competitors because it provides an “all-in-one” platform combining location and social media data searches [36].

The EFF reported in January 2026 that ICE’s 2025 surveillance budget was 10 times the size of the agency’s total surveillance spending over the preceding 13 years [42]. ICE has deployed these tools during its immigration enforcement operations, including high-profile crackdowns in cities like Minneapolis [35].

Separately, the DEA committed more than $10 million to Penlink products during the same timeframe [37]. A notable feature of the procurement relationship: Derek Maltz, a former DEA agent, served as Penlink’s executive director of government relations from 2014 to 2025. During that period, the DEA awarded over $100 million in contracts to Penlink. Maltz then served briefly as the DEA’s acting director after the second Trump inauguration before returning to Penlink as senior vice president of global business growth [37].

4.3 CBP and the RTB Revelation

In March 2026, the EFF reported on a document obtained by 404 Media confirming for the first time that CBP’s location surveillance program drew data partially sourced from real-time bidding—the advertising auction system [3]. This represents the first official acknowledgment that a government agency’s location tracking capability is fed by the online advertising ecosystem itself.

4.4 Scale of Government Data Purchasing

The known universe of government location data purchases includes [2][30][32][33][43]:

  • FBI: Venntel data (historical); Babel Street $27M contract (2022); confirmed resumed purchases (March 2026)
  • ICE: Venntel data; Penlink/Webloc/Tangles $5M+ (2025)
  • CBP: Venntel data; RTB-sourced data
  • DEA: Penlink $100M+ in contracts (cumulative over Maltz tenure); $10M+ (2025)
  • IRS Criminal Investigation: Venntel data; Babel Street Locate X
  • DIA: Confirmed purchasing commercially available location data (March 2026)
  • Secret Service: Babel Street Locate X (2017–2018); LocationSmart data
  • Treasury/OFAC: Babel Street Locate X
  • National Guard (Iowa 132d Wing): Babel Street Locate X—a unit that flies MQ-9 Reaper drones


Part 5: Legal and Regulatory Landscape

5.1 Carpenter v. United States (2018)

The Supreme Court held that obtaining seven or more days of historical cell-site location information from a wireless carrier constitutes a Fourth Amendment search requiring a warrant [12]. Chief Justice Roberts wrote that CSLI provides the government with something akin to an ankle monitor [44]. The decision established that the third-party doctrine—which holds that people have no reasonable expectation of privacy in information voluntarily shared with third parties—has limits in the digital age.

5.2 The Data Broker Loophole

Government agencies have treated Carpenter as applying only to data compelled from carriers, not to data purchased from commercial brokers [39][43]. The reasoning: if the data is commercially available for purchase by anyone, acquiring it does not constitute a “search” under the Fourth Amendment. Senator Wyden has argued that the government should not be able to buy from a broker what it could not lawfully compel from a carrier without judicial oversight [40].

A 2024 report from the Office of the Director of National Intelligence, declassified after pressure from lawmakers, acknowledged that commercially available information could be used to “identify every person who attended a protest or a rally,” “track the pattern of an individual’s movements,” or “identify every person who visited a particular location” [43]. The report further acknowledged that broad government access to this data “may exceed constitutional traditions or public expectations” [43].

5.3 FTC Enforcement

The FTC has taken enforcement action against multiple data brokers:

  • Gravy Analytics / Venntel (December 2024): Barred from selling sensitive location data; required to delete three years of historical data [30].
  • Mobilewalla (December 2024): Found to have collected consumer data from RTB auctions for non-advertising purposes. Approximately 60% of its consumer data originated from RTB exchanges [24].
  • Other actions: The FTC has previously acted against at least three other location data brokers [30].

5.4 Legislative Responses

The Fourth Amendment Is Not For Sale Act passed the House 219-199 in April 2024 with bipartisan support [45]. It would prohibit law enforcement and intelligence agencies from purchasing personal information—including location data—from data brokers without first obtaining a court order [45][46]. The bill has not passed the Senate.

On March 13, 2026, Senator Wyden and colleagues introduced the Government Surveillance Reform Act, a bicameral bill that would, among other things, require a court-authorized warrant before federal agencies can buy Americans’ information from data brokers [39].

Neither bill has become law. The practice of warrantless data purchases remains legal.


Structural Observations

Two points emerge from this analysis that bear on the broader project of cataloguing phone-mediated harms independent of content.

First, the tracking described here is a structural property of carrying a smartphone, not a consequence of what one does with it. Both the carrier-level tracking (which is intrinsic to network operation) and the app-level tracking (which is embedded in the advertising infrastructure that subsidizes most free apps) operate regardless of the user’s behavior, choices, or content consumption. A phone sitting in a pocket, doing nothing, is still broadcasting location to cell towers and—through any app with location permissions—feeding data into the advertising ecosystem that government agencies can purchase.

Second, the two tracking layers create different accountability problems. Carrier-level tracking at least operates within a framework where Carpenter imposes warrant requirements for historical data. The app/advertising layer has effectively constructed a parallel surveillance infrastructure that operates outside this framework entirely. The data broker ecosystem is not a bug in the system—it is the system working as designed, generating revenue from the routine collection and sale of location data at a scale (17 billion signals per day from one billion phones, per Gravy Analytics’ own claims [30]) that no government surveillance program has historically achieved.


Bibliography

[1] Marketplace/Krebs on Security. “Why privacy settings can’t keep your location secret.” May 2018. [Snippet] https://www.marketplace.org/story/2018/05/22/why-privacy-settings-cant-keep-your-location-secret

[2] Electronic Frontier Foundation. “How the Federal Government Buys Our Cell Phone Location Data.” June 2022. [Snippet] https://www.eff.org/deeplinks/2022/06/how-federal-government-buys-our-cell-phone-location-data

[3] Electronic Frontier Foundation. “The Government Uses Targeted Advertising to Track Your Location. Here’s What We Need to Do.” March 2026. [Snippet] https://www.eff.org/deeplinks/2026/03/targeted-advertising-gives-your-location-government-just-ask-cbp

[4] TechTarget. “What is SS7 Attack?” [Snippet] https://www.techtarget.com/whatis/definition/SS7-attack

[5] TechCrunch. “A surveillance vendor was caught exploiting a new SS7 attack to track people’s phone locations.” July 18, 2025. [Snippet] https://techcrunch.com/2025/07/18/a-surveillance-vendor-was-caught-exploiting-a-new-ss7-attack-to-track-peoples-phone-locations/

[6] P1 Security. “Location Tracking Attacks in Mobile Networks: SS7, Diameter, and 5G Security Risks.” December 2025. [Snippet] https://www.p1sec.com/blog/location-tracking-attacks-how-adversaries-exploit-mobile-networks-to-follow-you

[7] Electronic Frontier Foundation. “Cell-Site Simulators / IMSI Catchers.” [Snippet] https://sls.eff.org/technologies/cell-site-simulators-imsi-catchers

[8] GoDark Bags. “How IMSI Catchers, Like Stingrays, Track Your Location.” [Snippet] https://godarkbags.com/blogs/post/imsi-catchers

[9] Project on Government Oversight. “Issue Brief: The Cell-Site Simulator Warrant Act.” [Snippet] https://www.pogo.org/fact-sheets/issue-brief-the-cell-site-simulator-warrant-act

[10] Electronic Frontier Foundation. “Meet Rayhunter: A New Open Source Tool from EFF to Detect Cellular Spying.” March 2025. [Snippet] https://www.eff.org/deeplinks/2025/03/meet-rayhunter-new-open-source-tool-eff-detect-cellular-spying

[11] UC Berkeley Law. “Cell Phone Location Tracking.” [Snippet] https://www.law.berkeley.edu/wp-content/uploads/2015/04/2016-06-07_Cell-Tracking-Primer_Final.pdf

[12] Wikipedia. “Carpenter v. United States.” [Snippet] https://en.wikipedia.org/wiki/Carpenter_v._United_States

[13] ACLU. “Carpenter v. United States.” [Snippet] https://www.aclu.org/cases/carpenter-v-united-states

[14] Krebs on Security. “Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers.” May 2018. [Snippet] https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/

[15] CBS News/AP. “Mobile Phone Carriers Say They’ll Stop Selling Your Location Data To Data Brokers.” June 2018. [Snippet] https://www.cbsnews.com/sacramento/news/mobile-phone-tracking-data/

[16] FCC. “FCC Fines AT&T, Sprint, T-Mobile, and Verizon Nearly $200 Million for Illegally Sharing Access to Customers’ Location Data.” April 29, 2024. [Snippet] https://docs.fcc.gov/public/attachments/DOC-402213A1.pdf

[17] Wikipedia. “Simjacker.” [Snippet] https://en.wikipedia.org/wiki/Simjacker

[18] Kaspersky Blog. “Simjacker opens SIM cards to spying.” November 2019. [Snippet] https://www.kaspersky.com/blog/simjacker-sim-espionage/28832/

[19] CERT-EU. “Security Advisory 2019-020: Simjacker Vulnerability.” [Snippet] https://cert.europa.eu/publications/security-advisories/2019-020/

[20] SecurityWeek. “Simjacker: SIM Card Attack Used to Spy on Mobile Phone Users.” [Snippet] https://www.securityweek.com/simjacker-sim-card-attack-used-spy-mobile-phone-users/

[21] Wikipedia. “SIM swap attack.” [Snippet] https://en.wikipedia.org/wiki/SIM_swap_scam

[22] CyberGhost Privacy Hub. “The US Military Buys Location Data Generated by Commonly-Used Apps.” [Snippet] https://www.cyberghostvpn.com/privacyhub/the-us-military-buys-location-data-generated-by-commonly-used-apps/

[23] Wikipedia. “Real-time bidding.” [Snippet] https://en.wikipedia.org/wiki/Real-time_bidding

[24] Federal Trade Commission. “Unpacking Real Time Bidding through FTC’s case on Mobilewalla.” December 2024. [Verified] https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2024/12/unpacking-real-time-bidding-through-ftcs-case-mobilewalla

[25] EPIC. “What is Real Time Bidding?” [Snippet] https://epic.org/what-is-real-time-bidding/

[26] TrustArc. “Privacy Concerns in Real-Time Bidding.” July 2025. [Snippet] https://trustarc.com/resource/privacy-concerns-real-time-bidding/

[27] Electronic Frontier Foundation. “Online Behavioral Ads Fuel the Surveillance Industry—Here’s How.” January 2025. [Snippet] https://www.eff.org/deeplinks/2025/01/online-behavioral-ads-fuel-surveillance-industry-heres-how

[28] Krebs on Security. “The Global Surveillance Free-for-All in Mobile Ad Data.” October 2024. [Snippet] https://krebsonsecurity.com/2024/10/the-global-surveillance-free-for-all-in-mobile-ad-data/

[29] Electronic Frontier Foundation. “How the Federal Government Buys Our Cell Phone Location Data.” June 2022. [Snippet] https://www.eff.org/deeplinks/2022/06/how-federal-government-buys-our-cell-phone-location-data Note: Same source as [2]; cited separately here for the specific claim about data broker supply chain layering.

[30] The Record / Recorded Future News. “FTC targets companies that collected and sold sensitive location data.” December 2024. [Snippet] https://therecord.media/ftc-location-data-brokers-gravy-venntel-mobilewalla

[31] Vice/Motherboard. “Homeland Security Uses AI Tool to Analyze Social Media of U.S. Citizens and Refugees.” [Snippet] https://www.vice.com/en/article/dhs-uses-ai-tool-babel-x-babel-street-social-media-citizens-refugees/

[32] Vice/Motherboard. “Secret Service Bought Phone Location Data from Apps, Contract Confirms.” [Snippet] https://www.vice.com/en/article/secret-service-phone-location-data-babel-street/

[33] The Intercept. “The U.S. Treasury Is Buying Private App Data to Target and Investigate People.” November 2021. [Snippet] https://theintercept.com/2021/11/04/treasury-surveillance-location-data-babel-street/

[34] Business and Human Rights Resource Centre. “Penlink named as one of the tech companies allegedly supporting ICE’s mass surveillance and deportation efforts.” [Snippet] https://www.business-humanrights.org/en/latest-news/penlink-named-as-one-of-the-tech-companies-allegedly-supporting-ices-deportation-efforts/

[35] Flatwater Free Press. “This Nebraska company is supplying ICE with surveillance tech.” February 20, 2026. [Snippet] https://flatwaterfreepress.org/this-nebraska-company-is-supplying-ice-with-surveillance-tech/

[36] TechCrunch. “Here’s the tech powering ICE’s deportation crackdown.” Updated January 26, 2026. [Snippet] https://techcrunch.com/2026/01/26/heres-the-tech-powering-ices-deportation-crackdown/

[37] Texas Observer. “Texas Police Invested Millions in a Shadowy Phone-Tracking Software.” February 2, 2026. [Snippet] https://www.texasobserver.org/texas-police-invest-tangles-sheriff-surveillance/

[38] 404 Media. “Inside ICE’s Tool to Monitor Phones in Entire Neighborhoods.” January 9, 2026. [Snippet] https://www.404media.co/inside-ices-tool-to-monitor-phones-in-entire-neighborhoods/

[39] TechCrunch. “FBI is buying location data to track US citizens, director confirms.” March 18, 2026. [Verified] https://techcrunch.com/2026/03/18/fbi-is-buying-location-data-to-track-us-citizens-kash-patel-wyden/

[40] Biometric Update. “FBI, DIA pressed on purchases of Americans’ phone location data.” March 2026. [Snippet] https://www.biometricupdate.com/202603/fbi-dia-pressed-on-purchases-of-americans-phone-location-data

[41] 9to5Mac. “FBI and DIA are buying location data of US citizens from data brokers.” March 19, 2026. [Snippet] https://9to5mac.com/2026/03/19/fbi-and-dia-are-buying-location-data-of-us-citizens-from-data-brokers/

[42] Electronic Frontier Foundation. “ICE Is Going on a Surveillance Shopping Spree.” January 15, 2026. [Snippet] https://www.eff.org/deeplinks/2026/01/ice-going-surveillance-shopping-spree

[43] Brennan Center for Justice. “Federal Agencies Are Secretly Buying Consumer Data.” [Snippet] https://www.brennancenter.org/our-work/analysis-opinion/federal-agencies-are-secretly-buying-consumer-data

[44] SCOTUSblog. “Opinion analysis: Court holds that police will generally need a warrant for sustained cellphone location information.” June 2018. [Snippet] https://www.scotusblog.com/2018/06/opinion-analysis-court-holds-that-police-will-generally-need-a-warrant-for-sustained-cellphone-location-information/

[45] ACLU. “After House Passes Fourth Amendment Is Not For Sale Act, ACLU Urges Senate to Stop Government from Spying on Americans Without a Warrant.” April 2024. [Snippet] https://www.aclu.org/press-releases/house-passes-fourth-amendment-is-not-for-sale-act

[46] CyberScoop. “House passes bill to limit personal data purchases by law enforcement, intelligence agencies.” April 2024. [Snippet] https://cyberscoop.com/house-passes-4th-amendment-is-not-for-sale-act/
