
CBP Tapped Into the Online Advertising Ecosystem To Track Peoples’ Movements (404 Media)

This 404 Media article looks at how the US Customs and Border Protection agency (CBP) is using location data from phones to track the location of people of interest.

Specifically, CBP says the data was in part sourced via real-time bidding, or RTB. Whenever an advertisement is displayed inside an app, a near instantaneous bidding process happens with companies vying to have their advert served to a certain demographic. A side effect of this is that surveillance firms, or rogue advertising companies working on their behalf, can observe this process and siphon information about mobile phones, including their location. All of this is essentially invisible to an ordinary phone user, but happens constantly.

We should note that the minimal advertising shown on LWN is not delivered via this bidding system.
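To make the bidding exposure concrete, here is an added example (not code from LWN or 404 Media) that lists the tracking-relevant fields in a bid request and shows a minimized version a publisher-side component could send instead. It assumes the exchange uses OpenRTB 2.x field names (`device.ifa`, `device.geo`, `device.ip`, `device.lmt`, `user.id`), which the page does not state; the sample request and the `exposed_fields` and `minimize` helpers are constructed for illustration.

```python
import copy
import json

# Constructed sample in the shape of an OpenRTB 2.x bid request; all values are made up.
SAMPLE_BID_REQUEST = json.loads("""
{
  "id": "req-0001",
  "app": {"bundle": "com.example.weather"},
  "device": {
    "ifa": "00000000-aaaa-4bbb-8ccc-123456789abc",
    "lmt": 0,
    "ip": "203.0.113.57",
    "geo": {"lat": 40.748817, "lon": -73.985428, "type": 1}
  },
  "user": {"id": "exchange-user-42"}
}
""")

# Fields that let any bid recipient link requests to one device or place it on a map.
TRACKING_FIELDS = [
    ("device", "ifa"), ("device", "ip"), ("device", "geo", "lat"),
    ("device", "geo", "lon"), ("user", "id"),
]

def _get(obj, path):
    """Walk nested dicts along path; return None if any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def exposed_fields(request):
    """Return dotted names of tracking-relevant fields present in the request."""
    return [".".join(p) for p in TRACKING_FIELDS if _get(request, p) is not None]

def minimize(request, geo_decimals=1):
    """Return a copy with stable identifiers dropped and location coarsened."""
    out = copy.deepcopy(request)
    device = out.get("device", {})
    device.pop("ifa", None)          # remove the advertising ID
    device["lmt"] = 1                # signal "limit ad tracking" downstream
    ip = device.get("ip")
    if ip and ip.count(".") == 3:    # IPv4 only: zero the last octet
        device["ip"] = ip.rsplit(".", 1)[0] + ".0"
    geo = device.get("geo", {})
    for axis in ("lat", "lon"):
        if axis in geo:              # 1 decimal degree is roughly 11 km
            geo[axis] = round(geo[axis], geo_decimals)
    out.get("user", {}).pop("id", None)
    return out

if __name__ == "__main__":
    print("before:", exposed_fields(SAMPLE_BID_REQUEST))
    print("after: ", json.dumps(minimize(SAMPLE_BID_REQUEST), indent=2))
```

Every bidder that receives the unminimized request sees the same identifier and coordinates whether or not it wins the auction, which is why the minimization has to happen before the request leaves the publisher side.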



I love to see it

Posted Mar 3, 2026 20:47 UTC (Tue) by bmur (guest, #52954) [Link] (8 responses)

This is an ingenious use of technology. Good for them. I'm happy to see them use every tool at their disposal to deport illegal aliens out of our country.

I hope Customs also use the ad networks to advertise their CBP One app. CBP One is the safest and friendliest way for illegals to arrange their departure.

I love to see it

Posted Mar 3, 2026 21:15 UTC (Tue) by corbet (editor, #1) [Link] (2 responses)

Even if it were limited to "illegal aliens", which it quite clearly is not, you really love to see that a government has constant access to your location, without a warrant, as the result of software on your phone that is ratting you out to anybody with the funds to ask? I posted the item because I see this access as a severe security and freedom risk regardless of the alleged merits of the current operation.

I love to see it

Posted Mar 3, 2026 22:05 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]

Want to be scared even more? Most immigration violations in the US are _civil_ violations, and even re-entry after deportation is just a misdemeanor.

So technically, CBP and ICE have the same powers as court marshals. They merely ensure the attendance for court hearings and enforce the court decisions. That's also how they can sidestep so many rules. Civil cases have far weaker protections against illegal searches and seizures.

So who's to say that this kind of "vigorous" enforcement can't be brought against other civil violations in the future? Say, for unpaid traffic tickets sent to a wrong address?

I love to see it

Posted Mar 9, 2026 7:20 UTC (Mon) by cpitrat (subscriber, #116459) [Link]

I personally read this comment as a joke (I post a comment saying this is great because I know everything I say and do is tracked and don't want to get in trouble). I may be wrong, but it seems way too enthusiastic to be genuine.

I love to see it

Posted Mar 3, 2026 21:26 UTC (Tue) by dskoll (subscriber, #1630) [Link]

It's all fun and games until the party you don't like gets into power and can use this capability.

I love to see it

Posted Mar 3, 2026 21:46 UTC (Tue) by ptime (subscriber, #168171) [Link]

It’s only a matter of time until the government’s gun is pointed at you. Your skin color will not save you.

I love to see it

Posted Mar 3, 2026 22:08 UTC (Tue) by ttuttle (subscriber, #51118) [Link] (1 responses)

Okay, but, forget the immigration angle for a sec.

Do you think *anyone* should be able to do what they’re doing, privacy-wise?

I love to see it

Posted Mar 5, 2026 16:53 UTC (Thu) by ferringb (subscriber, #20752) [Link]

You'll not get an answer from the OP, but...

> Do you think *anyone* should be able to do what they’re doing, privacy-wise?

SCOTUS already said "nope" on this one due to 4th "reasonable expectation of privacy" back in '18. https://en.wikipedia.org/wiki/Carpenter_v._United_States

The same reason that ruling exists- trying to loophole through technology expanding beyond previous "reasonable expectation of privacy" rulings- is this. This one is just legal weaselery and "do it until courts step in". Assuming the SCOTUS will.

This whole thing is daft for people supporting it since they're assuming this doesn't include their history, which it explicitly will as part of linkage.

I love to see it

Posted Mar 5, 2026 1:07 UTC (Thu) by motk (subscriber, #51120) [Link]

Psycho shit.

A new direction for LWN?

Posted Mar 3, 2026 21:51 UTC (Tue) by Trelane (subscriber, #56877) [Link] (8 responses)

I had to look and see if this was some other site.

Is political content where LWN is headed now?

A new direction for LWN?

Posted Mar 3, 2026 22:02 UTC (Tue) by corbet (editor, #1) [Link] (7 responses)

"Political" is a broad brush; much of what we have done has been "political" all along.

I see this as a security issue, and security is well within our remit.

A new direction for LWN?

Posted Mar 3, 2026 22:13 UTC (Tue) by Trelane (subscriber, #56877) [Link]

Good to know.

Thanks for the heads up.

A new direction for LWN?

Posted Mar 4, 2026 5:43 UTC (Wed) by egorovv (subscriber, #102560) [Link] (5 responses)

I have to agree that this feels below the usually excellent LWN standards.

The topic of RTB as a tool to track identity and location very much deserves attention by itself IMO.

However the whole post pretty much points to a paywalled article with a very distinct political angle.
As it asks for either subscription or registration to follow the actual content - it makes it look like the publication itself is involved in the tracking business the article describes, and the word "clickbait" comes to mind.

So far LWN quality has been exceptional and I hope it stays this way, Thanks!

A new direction for LWN?

Posted Mar 4, 2026 11:28 UTC (Wed) by excors (subscriber, #95769) [Link]

> As it asks for either subscription or registration to follow the actual content - it makes it look like the publication itself is involved in the tracking business the article describes, and the word "clickbait" comes to mind.

I think it's the exact opposite: publications that give you all their content for free are having to make all their money from ads, and it seems ads pay so poorly nowadays that they have to use the most annoying and most invasive ad systems if they want to stay afloat and keep paying their writers. (Or reduce their costs by firing all their writers and replacing them with AI, I suppose). And their revenue is tied directly to page views, so SEO and clickbait headlines are much more important than reader retention.

Subscriptions are an attempt to break away from that model, making them less dependent on ads and SEO, and creating a strong incentive to build a deeper relationship with readers by consistently publishing high-quality articles with original research and analysis that can't be found anywhere else. 404 Media and LWN both appear to be doing that successfully.

And in 404 Media's case, the free email-based registration wall is explicitly to let them promote themselves to you without being entirely dependent on Google and social media algorithms, in the hope you will eventually decide their work is worth paying for, as well as making it slightly harder for AI-generated sites to steal all their content: https://www.404media.co/why-404-media-needs-your-email-ad...

A new direction for LWN?

Posted Mar 4, 2026 22:22 UTC (Wed) by himi (subscriber, #340) [Link] (3 responses)

For a quick link article like this I don't see it as a major issue - it would be "best practise" to mention that a (free) subscription is required to read the article, but other than that it seems reasonable.

A full article on the topic may or may not be something LWN would do - the security aspects of this are certainly interesting, but they're some way outside LWN's usual remit. For that kind of article the expectations would obviously be higher, with multiple publicly citeable sources being a baseline requirement. Given that's the kind of thing we see regularly from LWN I'd be very surprised if such an article didn't meet our quality expectations . . .

Subscription

Posted Mar 4, 2026 22:30 UTC (Wed) by corbet (editor, #1) [Link] (2 responses)

One little detail: the site did not put up any sort of subscription barrier for me; I would have hesitated (even more) to post the article had I seen that.

Subscription

Posted Mar 5, 2026 12:11 UTC (Thu) by himi (subscriber, #340) [Link] (1 responses)

Interesting - it definitely comes up with restrictions for me, though as I said it's a free subscription rather than a genuine paywall. Maybe because I'm coming to it from outside the US . . .

Subscription

Posted Mar 5, 2026 16:43 UTC (Thu) by Trelane (subscriber, #56877) [Link]

No, I get that too from the US.

> Sign up for free access to this post
> Free members get access to posts like this one along with an email round-up of our week's stories.
> Subscribe
> Already have an account? Sign in

Got it.

Posted Mar 3, 2026 22:30 UTC (Tue) by Cardinal_Bill (subscriber, #23688) [Link]

If it's your rights being affected it's political.
If it's their rights being affected it's civil.

Don't limit solutions to the technical

Posted Mar 3, 2026 22:32 UTC (Tue) by rgmoore (✭ supporter ✭, #75) [Link] (7 responses)

One tempting but wrong idea is to treat this as primarily a technical problem of phones (or any other device) leaking information they shouldn't be leaking and trying to solve it by blocking those information leaks. We can't count on being able to close information leaks faster than snoops can find them. Also, very importantly, many devices are made by companies that have baked spying on their customers into their business models, and those companies are going to fight attempts to prevent their devices from sharing information. Even if the manufacturers could be trusted with that information, it's going to be very difficult to keep third parties from snooping on it. Technical measures to prevent information leaks may be useful in the short term, but they're not a practical long term strategy.

The only strategy with any hope of long-term success is legal. We have to make gathering this kind of information illegal. Probably more important, we have to make sure that the government can't buy information from a third party if they would need a warrant to gather that data themselves. Ditto for subpoenaing information from cloud providers, bullying big tech companies, etc. The warrant requirement should be as much about restricting the kinds of information the government can get as it is about restricting the means by which it can get it.

Don't limit solutions to the technical

Posted Mar 3, 2026 22:43 UTC (Tue) by Trelane (subscriber, #56877) [Link] (6 responses)

If the government would require a warrant to get data, why should corporations or private citizens be able to get at it?

Seems like the things a government should be able to get should be a strict superset of the things private citizens and corporations should be able to.

Don't limit solutions to the technical

Posted Mar 3, 2026 22:58 UTC (Tue) by ttuttle (subscriber, #51118) [Link] (3 responses)

Because it should still be possible for us to share data with companies?

The ad market is a bad example of this, because they have basically zero notion of consent.

But consider hosted email — you should be able to *choose* to pay a company to host your email, even though they would need a warrant to get at your email messages otherwise. Ditto for cloud storage, limited-visibility location data in fitness apps, etc..

Don't limit solutions to the technical

Posted Mar 3, 2026 23:05 UTC (Tue) by Trelane (subscriber, #56877) [Link] (2 responses)

So you believe that data that is subject to warrant for the government to obtain is fine for companies or billionaires to buy and sell, from other companies, possibly via brokers?

> email, even though they would need a warrant to get at your email messages otherwise.

I don't get how an email host is relevant, unless you believe the government should never provide email? I would be shocked if the government ISPs didn't also provide email, but I don't know for sure that they don't.

Don't limit solutions to the technical

Posted Mar 3, 2026 23:12 UTC (Tue) by ttuttle (subscriber, #51118) [Link] (1 responses)

Sorry, I think there’s a miscommunication here.

I don’t think random private people or companies should be able to read your email, and I think we need *much* harsher regulation on how companies collect and share it — but preventing them from collecting it *at all* would prevent a whole host of online services.

For example, I use Garmin’s smartwatches, and occasionally record bike rides with GPS data. If they weren’t allowed to collect location data, I wouldn’t be able to share ride maps with other people on their servers, and I’d be responsible for storing and backing up that data myself. All I’m saying is that, while we should restrict what companies use our data for *without* consent, any restrictions would need to accommodate the “actually i’m okay with them holding that data for me” and *maybe* “I have made a very clear decision to allow location-based ads in exchange for some non-trivial benefit” use cases.

Don't limit solutions to the technical

Posted Mar 6, 2026 8:35 UTC (Fri) by anton (subscriber, #25547) [Link]

I think the relevant concept is Informational self-determination, i.e., that you should determine what happens with data about you. If you want to give data about your location to a third party, that is your right; even if you do so, that third party can only distribute that data to others as you have determined.

Don't limit solutions to the technical

Posted Mar 4, 2026 1:00 UTC (Wed) by rgmoore (✭ supporter ✭, #75) [Link] (1 responses)

> if the government would require a warrant to get data, why should corporations or private citizens be able to get at it?

I don't think private businesses should be able to collect a lot of this information. That's why I said, "We have to make gathering this kind of information illegal." They obviously need to be able to collect some information to be able to provide their services- they need a delivery address to send a customer their purchase- but how they deal with the data they collect should be strictly regulated. They should only be able to ask for necessary information and should only be allowed to use it for necessary purposes. If they have to give the data to a third party- like giving a delivery address to a shipping company- that third party should have to be just as careful with it. They certainly shouldn't be allowed to sell it to anyone who wants it.

My bigger point is that the government should have to get a warrant to access a lot of this information. I don't have a huge problem with the government getting access to just about any information as long as it can get a warrant. Warrants are how we balance people's need for privacy with the needs of law enforcement. I just think the government shouldn't be able to bypass warrant requirements by dealing with third parties. If they want to get your email from your email provider, your search history from a search engine, or your location history from your mapping app, they should have to get a warrant, the same as if they were coming to your house.

Don't limit solutions to the technical

Posted Mar 4, 2026 9:53 UTC (Wed) by taladar (subscriber, #68407) [Link]

We should also be careful what governments (and for that matter corporations) do without disclosure, even with a warrant we can not audit at all what they do with our data if they don't disclose that they have the warrant and did take the data.

FOSS privacy issues

Posted Mar 4, 2026 1:06 UTC (Wed) by pabs (subscriber, #43278) [Link] (3 responses)

I'd love to see an article about the numerous privacy issues that FOSS developers have deliberately/inadvertently added over the years. Some examples from Debian:

https://wiki.debian.org/PrivacyIssues

FOSS privacy issues

Posted Mar 4, 2026 3:38 UTC (Wed) by dskoll (subscriber, #1630) [Link] (2 responses)

At least with FOSS, it's theoretically possible to mitigate them by patching them out.

FOSS privacy issues

Posted Mar 4, 2026 23:38 UTC (Wed) by NightMonkey (subscriber, #23051) [Link] (1 responses)

Yes. And, you can actually see them because... it is open source and an open community, unlike closed software. The transparency part is really, really good to have.

FOSS privacy issues

Posted Mar 5, 2026 1:40 UTC (Thu) by pabs (subscriber, #43278) [Link]

FOSS is of limited use here because:

1) the cultural group that says it's OK for devs to add telemetry and other privacy issues is still here, is larger than the old-school FOSS/hacker community that respects privacy, is bleeding into the FOSS community and isn't going away
2) approximately no-one is doing systematic auditing to detect the privacy issues and fix them
3) the fixes likely wouldn't go upstream even if they were added, limiting their reach
4) mitigation tools like OpenSnitch aren't installed by default on most distros
5) FOSS is basically non-existent anyway outside of the tech community

I think only the EU/California/etc laws can have a real impact on the privacy issues inherent in modern digital technology, it will be slow going to achieve though.

Device-specific identifiers

Posted Mar 4, 2026 6:37 UTC (Wed) by CChittleborough (subscriber, #60775) [Link] (6 responses)

The key technology CBP took advantage of (starting before 2023, BTW) is the Advertising IDs, or AdIDs, that Apple and Google create. These unique identifiers are assigned to each device and allow app developers to still track and report a device’s consumer activity, to include date/time and locational information, without connecting to or using any personally identifiable information (PII) associated with the device.

Commercial organizations are selling this location data. Who to, I wonder? Bah. Not happy.

Device-specific identifiers

Posted Mar 4, 2026 12:07 UTC (Wed) by pizza (subscriber, #46) [Link] (2 responses)

> without connecting to or using any personally identifiable information (PII) associated with the device.

Never mind that a sufficient quantity of time+location information provides all the information needed to definitively tie you to an actual real-world identity, all of your activities, and associates.

(And from there it takes just one public database lookup to tie that to one's legal name)

Device-specific identifiers

Posted Mar 4, 2026 12:37 UTC (Wed) by CChittleborough (subscriber, #60775) [Link] (1 responses)

Yes. It's now just a question of whether anybody cares enough about a particular person.

Device-specific identifiers

Posted Mar 4, 2026 13:22 UTC (Wed) by pizza (subscriber, #46) [Link]

> Yes. It's now just a question of whether anybody cares enough about a particular person.

They don't... until they do. At which point it's already too late for said particular person to do anything about it.

"If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him"

Device-specific identifiers

Posted Mar 4, 2026 12:51 UTC (Wed) by Techneolikon (subscriber, #182516) [Link] (2 responses)

Note that if you use FOSS mobile operating systems based on AOSP such as LineageOS or GrapheneOS, and don't install any Google apps, you don't have to suffer an OS-level advertising ID. People need to be aware that it remains possible to own a phone that is not actively hostile to your privacy.

Device-specific identifiers

Posted Mar 4, 2026 15:23 UTC (Wed) by ms (subscriber, #41272) [Link] (1 responses)

Even on stock Android, you can delete your advertising ID.

However, it seems this is pointless (an expression about relieving yourself into the wind comes to mind), given that LLMs are apparently pretty good at identifying you from anything you post online. https://arxiv.org/abs/2602.16800

Device-specific identifiers

Posted Mar 5, 2026 12:58 UTC (Thu) by davecb (subscriber, #1574) [Link]

RTB advertising didn't initially have unique person-ids, so it was designed to use approximations and age them out with some regularity.
Removing per-phone IDs is desirable, perhaps even necessary, but not sufficient.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds