Discussion
CBP Tapped Into the Online Advertising Ecosystem To Track Peoples’ Movements
tototrains: Duh, what do you think we were building for the last 10 years? Does anyone with two brain cells think that corporate surveillance wasn't going to be co-opted by authoritarianism? The only people who didn't understand this were either delusional or being paid not to.
hsbauauvhabzb: I’m not sure that’s fair, the majority of the American population are pretty dumb due to the poor education system. Most weren’t alive for WW2 so they’ve not come very close to an authoritarian threat in the past either.
coliveira: The poor education system is correct, but that is by design.
legitster: Cell-site location information (CSLI) is not available to apps or adware and is protected by the Fourth Amendment.
coliveira: Yes, some people really didn't expect that billionaires without any moral compass would do this...
dzdt: Is this something European style privacy laws would protect against? Though given the US political situation we are far from being able to enact any kind of anti-authoritarian protections...
orthoxerox: That's Scroogled (2007) by Cory Doctorow! Life imitates art, again. https://web.archive.org/web/20070920193501/http://www.radaro...
GaryBluto: Thanks for that. Good story.
hightrix: Yet another reminder that everyone everywhere should be blocking all ads all the time. I don't say that lightly as absolutes tend to not be the appropriate solution, but an absolute stance of blocking ads is appropriate.
derwiki: 100%, this has been my soap box for years.
A very easy, effective, multi-layer setup:
1. Browser adblocker
2. Pi hole running locally
3. Pi hole at your home network router level
And 4, not as easy but effective, a firewall like Little Snitch
Edit: the other good news is your old data loses value quickly, so starting today is still very effective: you haven’t missed the boat yet!
unethical_ban: IPv6 addresses, particularly hardlines, are often accurate down to the block.
nine_k: Not imitates but implements maybe.
refulgentis: “Would European-style privacy laws protect against this?” is the kind of question that sounds more clarifying than it actually is, because it collapses about five separate problems into one vague gesture at “Europe.”
The issue here isn’t simply “lack of privacy law.” It’s:
1. apps collecting precise location data in the first place,
2. adtech infrastructure broadcasting that data through RTB,
3. brokers aggregating and reselling it,
4. government agencies buying it to avoid the constraints that would apply if they tried to collect it directly, and
5. regulators failing to stop any of the above in a meaningful way.
European law is relevant to some of that, but not as a magic shield. GDPR and ePrivacy principles are obviously more restrictive on paper than the US free-for-all, especially around consent, purpose limitation, data minimization, and downstream reuse. But “on paper” is doing a lot of work there. Europe has had years of complaints about RTB specifically, and yet the adtech ecosystem did not exactly disappear. That should tell you something.
So the real answer is: yes, a stronger privacy regime can help, but no, this is not a problem that gets solved by vaguely importing “European-style privacy laws” as a concept. If the underlying business model still allows mass collection, opaque sharing, and resale of location data, then state access is a policy choice away. Governments don’t need to build a panopticon if the commercial sector already did it for them.
Also, the most important legal question here is not just whether private companies should be allowed to collect/sell this data. It’s whether the government should be allowed to buy commercially available data to do an end-run around constitutional and statutory limits. That is a distinct issue. You need rules for both the commercial market and state procurement, otherwise the state just shops where the Fourth Amendment doesn’t reach.
In other words, the contrast is not “Europe = protected, US = authoritarian.” The contrast is between systems that at least attempt to constrain collection and reuse, and systems that let surveillance markets mature first and ask questions later. Even in Europe, enforcement gaps, law-enforcement carveouts, and institutional incentives matter enormously.
So if the goal is to understand the story, the useful question isn’t “would Europe stop this?” It’s “what combination of collection limits, resale bans, procurement bans, audit requirements, and enforcement would actually make this impossible in practice?” Anything short of that is mostly aesthetics.
cm2012: 1000% agreed with this
paxys: You can enact all the laws you want, but what do you do when the government in charge just ignores them?
Zak: I have never regretted my decision to aggressively block ads on every device I use, and to shun devices where I can't.
bigbuppo: But dude... just think of all the optimal personalized mattress sales they can do with that data. I mean, people that use the bathroom at 3:57pm for seven minutes are 0.00138% more likely to buy a new mattress within the next six months. They need that data. Think of all the unsold mattresses.
jcgrillo: It really cannot be both ways--the tech industry cannot both be producing critical infrastructure and be immune from liability. We've tried this experiment before, and millions suffered and died needlessly. We have electrical codes, building codes, automotive safety standards, etc., because many, many people died preventable deaths. With the amount of leverage tech has over the economy I don't think it's reasonable that we don't have software engineering codes and professional accountability. But I have absolutely no confidence we'll get there until there are multiple deadly catastrophes over a series of decades.
Zak: This doesn't cover in-app ads on phones over mobile data, which is probably the main vector for the tracking discussed in the article. For that:
1. Adblocking via private DNS (e.g. https://mullvad.net/en/help/dns-over-https-and-dns-over-tls)
2. Prefer websites over native apps wherever possible
3. Browser adblocker
Hosts file adblocking is also possible on a phone where you have root.
consumer451: Agreed, here is one use case where I love my phone being location aware: when I walk into Lidl, swipe for my apps, Lidl pops up so I can check the significant coupons. It's a tiny convenience, I know how it works at a high level, and it's great.
This is on iOS, and Apple gets all kinds of crap, but if there were some kind of Nobel/Oscars for privacy, Apple would be a consistent winner. I kinda trust them.
I am relatively paranoid, I have location turned off for all apps, except while in use for GMaps, Uber/Bolt, etc. I use the only decent VPN all the time, but I do have location services enabled in general, as ever since our mom had a health scare, we like to give her peace of mind with Find My.
If you have read all that, I am looking for a sanity check. Would you agree that I drew the line in the correct place? Can we at least have some nice things, or best not to?
dygd: > Each SDK might be tattling on you, but unless you give them a key to match you across apps, each signal from each app is unique
You'd be surprised what can be done when data from different sources is fused together.
Large-Scale Online Deanonymization with LLMs: https://news.ycombinator.com/item?id=47139716
Robust De-anonymization of Large Sparse Datasets: https://www.cs.cornell.edu/~shmat/shmat_oak08netflix.pdf
Cider9986: I am not sure that ad blocking is enough now or in the future as fingerprinting is extremely hard to fight while keeping a convenient web experience. Of course, continue blocking for convenience, but for privacy, more robust solutions are needed. Try to beat this: https://fingerprint.com
andai: Doesn't this just identify you as "that one guy who blocks fingerprinting"?
It's similar to when you use Linux or an obscure privacy-preserving browser. You've made yourself way more unique just by doing that.
(I'm not sure how the math works out though, vs. actually running all that nasty tracking stuff.)
some_furry: There are dozens of us!
But, yeah, anti-fingerprinting is still a useful signal if less people do it. So more people should do it; especially if they're less likely to be targeted.
"More haystack" makes their job harder.
hn_acc1: As an old-school programmer who thought computers would improve people's lives back in the 80s when I was a wide-eyed teenager.. I am constantly appalled by the current generation of SV people who are very right-leaning and are happy to steal anything and everything they can. It didn't seem like this 20 years ago when I started. I hate the advertising industry with a passion.
Anecdotally, it feels like it fits right in with the "if there's no cop around to give me a ticket, I can drive however I want" attitude I've seen post-Covid. People entering two-way turn lanes or HOV merge lanes to PASS people in the main lane. People going through stop signs without any stopping while I'm waiting for my turn. Using the HOV on-ramp lane with only the driver to merge onto the freeway where it's clearly marked "24 hour HOV lane", etc.
It's as if the entire social compact evaporated during/after Covid, and "everyone only out for themselves" is the norm now.
Or maybe I'm just more aware of it and more cynical.
techdmn: They say the fish rots from the head. I think the U.S. has been rewarding lawlessness at the top for quite a while now.
I concur on missing the turn of the century optimism that tech could make a brighter future.
jonas21: That location information is not available to apps or ad networks without user consent. The government can access it from the carrier with a warrant, but that's not what we're discussing here.
techdmn: Carriers have also sold customer location data, no search warrant required. Though we can rest assured that the FCC has slapped the carriers' wrists with the utmost seriousness.
lesuorac: And sold it to not just the government but anybody _claiming_ to be a bounty hunter (and some other professions).
kube-system: Cape is another option, supposedly a more complete tech stack of their own
drdaeman: I’m afraid you don’t understand humans. Yeah, if you completely strip every detail you get a picture like that, a very convenient one to blow all the righteous steam on some amorphous homogeneous “programmers” mass.
> I can’t think of another profession
That’s because you framed the criteria so narrowly that it only includes programmers. And even then you still confused between management and implementors. And even then you’re forgetting the management, who’s definitely more to blame than workers.
tempaccount5050: Couldn't you just maintain a list of cell tower IPs and figure it out with traceroute?
kube-system: It was freely sold up until a handful of years ago
LPisGood: iPhone with private relay seems to defeat that
Zak: I beat it with Firefox, UBO, standard Firefox advanced tracking protection, and a VPN.
It was able to track me as long as my IP address didn't change, but as soon as I switched VPN endpoints, it gave me a new identifier.
catlikesshrimp: If you cover your phone with an antielectrostatic bag it can't communicate; that is a Faraday cage.
Since people around you will think you are also wearing a tinfoil hat, you had better stick to the phones with hardware switches as sibling comment mentions
kube-system: Most of those bags are total BS
golem14: I think that's very much what is discussed in this whole thread.
PostOnce: Beginning to wonder if convenience is the root of all evil, and not money. Money's just a proxy for convenience.
More of us should learn to do things the hard way more often, and to be familiar with less-convenient things. There are life-changing advantages to doing things the hard way at least some of the time.
UltraSane: The Web is utterly unusable without uBlock Origin.
golem14: Yes, but it is available to the gubernment? Especially this gubernment?
raw_anon_1111: And you do realize your cellphone is constantly sharing your location with your cell phone company which is more than willing to give it to the government without a warrant.
Whatever you are doing is meaningless privacy theatre
Computer0: They are probably actively providing that information. At AT&T we still are working very closely with the NSA.
chaps: I worked in ad-tech for a year before I left the tech industry as a whole. I've also done a fair bit of investigative journalism.
Let me share a thing:
Factual, a company that specializes in hyperlocal geofencing, uses geofencing much smaller than the self-regulation that their industry allows in their own rules. I learned this after a coworker quit because our company was allowing ad targeting to people using these smaller geofences. The whole company had an all-hands about it where the CEO of the company told everyone that we were not going to stop using Factual nor the smaller-than-allowed geofences because we, ourselves, were not the ones to produce those geofences. We were just a man in the middle helping to build a system to track people at high resolution.
Please try to reconcile with what your industry has and continues to destroy.
noosphr: The root of all evil is that we don't have a functioning micro transaction network and we don't know how to build one.
For the user there is no way to pay the 0.0000001c that it takes to load a web page, for the web master there is no way to get paid the $10,000 it takes to serve the users. So we settled on advertising which can somewhat cover those costs since each individual ad is basically worthless but an ad campaign isn't.
jandrewrogers: There are multiple cues in the data stream that let you tag the person with a country of residence even when traveling internationally. It isn't perfect but it is likely more than adequate in most cases.
The US government contracts with commercial data providers stipulate that all US data must be removed. There are quite a few regulatory controls that are adhered to.
titzer: If you use Google Location Services, which is stock install on basically all Android devices, it absolutely is uploading "anonymized" GPS data all the time.
godelski: It's a bit crazy how much we look back at that time and what people thought was tin foil haty. But that was written in 2007, still 6 years before Snowden. 7 years before the Director of the NSA (Hayden) told Congress they kill people based on metadata.
The invasion of privacy has been slow, creeping, and just waiting for that Turnkey Tyrant. We fooled ourselves into thinking we'd never elect someone who would turn that key. But in reality the key has been slowly turning, until finally it opened the latch