Your Phone Reports Its Location Up to 12 Times a Day – And Foreign Intelligence Can Buy It
TL;DR A single commercial product can access precise location records from up to 500 million devices worldwide, letting buyers track individuals with 5-30 meter accuracy while four location points are enough to re-identify 95% of people, creating both privacy disasters and national security holes that a federal ban could close.
- Virginia became the first state to ban the sale of precise geolocation data in 2024
- Federal agencies including ICE, DHS, and military units have been customers alongside state police
- 76 of 100 popular apps leak precise location to third parties, often without real consent
In 2018 the Supreme Court ruled in Carpenter v. United States that police need a warrant for historical cell-site location data. Yet since then, agencies have simply pivoted to buying far more precise GPS and Wi-Fi data from commercial brokers who collect it through ordinary apps. The global location intelligence market was worth $23.9 billion in 2023 and is heading for $58.8 billion by 2030, turning your phone into a 24/7 tracking device whose data is available to almost anyone with a credit card. This isn’t hypothetical: one tool has been used to follow a man in Abu Dhabi up to 12 times daily and to link devices across Romania and Italy with pinpoint timing.
How a Single Device Led Tucson Police to a Cigarette Thief
Tucson police pulled data showing one device near every robbery, then watched it return to the same address after each incident. That address belonged to the partner of an employee at the first store hit, closing the case without traditional warrants. The same platform lists DHS, ICE, U.S. military units, Bureau of Indian Affairs Police, and departments in California, Texas, New York and Arizona as past or current customers. Before this commercial route existed, investigators had to subpoena carriers and live within the limits of cell-tower accuracy. Now the data arrives pre-packaged, often linked to advertising IDs, app profiles and social media accounts through integrated OSINT tools. This is precisely why the national security problem is unavoidable: data this useful to Tucson detectives is equally useful to intelligence services in Hungary or El Salvador, and naive to assume China or Russia aren’t building their own versions.
Four Location Pings Are Enough to Unmask 95% of People
A 2013 Nature study by Yves-Alexandre de Montjoye showed that four spatiotemporal points uniquely re-identify 95% of individuals in a 1.5-million-person dataset. Follow-up Stanford research using 2017 mobile records found 90% re-identification rates with just four points per day. The reason is brutally simple: our routines create unique fingerprints, whether it’s the specific clinic you visit, the mosque you attend, or the union hall you frequent. App-based precise geolocation fuses GPS, Wi-Fi and Bluetooth for 5-30 meter accuracy, beating cell-site data by an order of magnitude and bypassing Carpenter protections through the third-party doctrine. Mozilla’s 2022 audit of 100 popular apps found 76 still transmitted precise location to outsiders even when users thought they’d restricted permissions. Unlike aggregated mobility statistics used for city planning, these individual traces resist meaningful anonymization.
Why Virginia’s Ban Won’t Be Enough Without Federal Action
Virginia’s 2024 law banning the sale of precise geolocation data is the first concrete state-level move, while California and New York have tightened consent rules and Senator Wyden has repeatedly pushed the STOP Location Data Sales Act. Law enforcement rightly points out these tools solve real cases faster than older methods, especially human trafficking and terrorism where time matters. Yet the GAO’s 2024 report documented continued federal purchases from brokers despite the privacy and counterintelligence risks. The bigger obstacle is the global adtech pipeline: SDKs embedded in weather, prayer and shopping apps keep feeding the stream regardless of U.S. state laws. Industry argues regulation hurts innovation and advertising revenue, but repeated voluntary “clean room” pledges have failed to stop documented breaches and re-identification.
The core tension is that the same dataset powering legitimate investigations also creates permanent surveillance infrastructure available to adversaries. As AI tools get better at fusing these traces with other OSINT, the gap between what law enforcement needs and what privacy protections can survive keeps widening. What if the only practical solution is to treat precise geolocation the same way we treat other sensitive biometric data and simply stop its commercial sale?
References
[1] It Is Time to Ban the Sale of Precise Geolocation - https://www.lawfaremedia.org/article/it-is-time-to-ban-the-sale-of-precise-geolocation
[2] Citizen Lab: Webloc - Location Data for Sale (2024)
[3] de Montjoye et al., Unique in the Crowd: The privacy bounds of human mobility, Scientific Reports (2013) - https://www.nature.com/articles/srep01376
[4] Mozilla Foundation: Location Data Study of 100 Popular Apps (2022)
[5] GAO-24-106273: Data Brokers - Federal Agencies’ Use of Third-Party Data (2024)