By REBECCA RUTHERFORD
Los Alamos
For the Los Alamos Daily Post

If you have ever wondered how your phone seems to know exactly which coffee shop you just walked past, the answer is simple. Your phone is constantly sharing little pieces of information about you.

Location. Apps you open. What ads you look at. All those cat videos you watch.

Most of that data is collected by the online advertising industry. But according to a recent report, it may also be ending up in the hands of federal law enforcement. Yikes!

An internal government document obtained through a Freedom of Information Act request by 404 media shows that U.S. Customs and Border Protection tested using location data gathered through mobile advertising systems. The program ran from 2019 through 2021.

The idea is fairly straightforward. When an app loads an advertisement, your phone participates in something called “real time bidding”. That is the lightning-fast auction that decides which ad appears on your screen. During that process, advertising networks can gather data from your phone, including its approximate location.

Now imagine billions of those little data points being collected every day from weather apps, games, shopping apps, and social media.

Those records get bundled up and sold by data brokers. In this case, government agencies reportedly purchased access to that data to support investigations and analysis related to crime networks and border enforcement.

The key detail here is that the government did not need a warrant. The argument is that because the information is already available commercially, it can simply be purchased like any other dataset.

Privacy advocates have been warning about this loophole for years.

Technically the data is supposed to be anonymous. Instead of your name, it is tied to an advertising ID assigned to your device. But researchers have repeatedly shown that “anonymous” location data is often easy to re-identify by looking at patterns like where a phone spends the night or where it goes to work.

In other words, it does not take much detective work to figure out which device belongs to which person.

The bigger lesson here is something cybersecurity professionals already know. Your phone is not just a phone. It is a sensor that records pieces of your life all day long.

Every app that asks for location access is collecting something. Every free service needs a business model, and that business model is usually advertising. The world runs on money, and advertising is one of the best ways to generate that.

And advertising runs on data.

So, if your phone knows where you sleep, where you work, where you eat lunch, your favorite cat videos, and which bars you visit on Friday night, there is a decent chance someone else knows it too.

Check your app permissions. Turn off location sharing for apps that do not actually need it. Delete apps you never use. Reduce your attack surface and increase your privacy protections. Because sometimes the biggest cybersecurity risk is not hackers…It is the apps we installed ourselves.

Editor’s note: Rebecca Rutherford works in information technology at Los Alamos National Laboratory.