"the U.S. needs to clamp down on the collection and sale of geolocation data"
@lawfaremedia.org / @tom.risky.biz on our report on ad-based surveillance, highlighting the "national security and privacy risks of pervasive and easily obtainable geolocation data":
www.lawfaremedia.org/article/it-i...
Posts by Wolfie Christl
This might all be the case yep, thx! There are other possible explanations for the light-weight footprint however, whether with or without corruption. In any case, the concerns about security protocols and extensive amounts of sensitive PI remain.
I think it may rely on data from digital advertising, mobile apps or other commercial sources because the 'statement of work' mentions data from 'mobile IoT devices', 'Wi-Fi access points and network identifiers', real-time and historical geolocation.
The Lever:
www.levernews.com/inside-ices-...
The ICE contractor, a defense firm called Edge Ops, promotes 'Project SAFE HAVEN' as an AI system to "map illegal migrants" and "identify, locate, and map both illegal migrants and the criminals who have crossed into the U.S. over the past several years" based on "years" of "non-traditional" data.
ICE entered into another 1-year $12.2m contract for a system that looks a lot like surveillance tech based on advertising/app data, according to public records reported by The Lever.
The system/program, called 'SAFE HAVEN', aims to track, locate and profile migrants and 'extremists', among others.
A leaked document obtained by @citizenlab.ca says Webloc sells data/identifiers including geolocation from "up to 500 million mobile devices across the globe" to U.S. and foreign security agencies (including ICE) and military. H/t @rondeibert.bsky.social
www.lawfaremedia.org/article/it-i...
Last week, we published a @citizenlab.ca report on the ad-based location surveillance system Webloc, its capabilities and its customers.
Webloc obtains data from consumer apps installed on phones. How? We don't know. But the ad targeting segments shown in this 2021 Webloc screenshot caught my eye:
A great first step. I hope Hungary's new government secures the mandate and independence of its regulator.
Other European data protection authorities must follow and proactively investigate ad-based surveillance firms and their data supply chains, from apps to data brokers:
bsky.app/profile/wchr...
Last week, we at @citizenlab.ca and @vsquare.bsky.social exposed Hungarian intelligence’s use of Webloc, an ad-based surveillance system that relies on mobile app data.
Update: The Hungarian GDPR regulator told @szabolcspanyi.bsky.social it has launched an ex officio investigation into the matter.
Here's what start.io offered via the German data broker Datarade until 2025:
* 10bn daily location records plus audience/profile data harvested from 2.4bn mobile devices ("MAU") harvested via 500k apps
...obtained from its "private in-app SDK and direct integrations", according to a sub page.
The advertising ecosystem upon which surveillance vendors like Penlink draw their data is a toxic, poorly regulated and exploitative swamp
My @citizenlab.ca colleague @wchr.bsky.social with some follow-on observations about this swamp related to our "Uncovering Webloc" report published last week 👇
I bet almost nobody using apps that contain Startapp's tracking code has ever heard of the company, let alone consented to how it exploits their data.
Whether it has ever provided data to Webloc or not (we don't know), GDPR regulators, the FTC, Google and Apple must investigate its data practices.
In a nutshell, Startapp/start.io is a major third-party tracking vendor harvesting data from up to a billion smartphone users via mobile apps.
According to Exodus Privacy, its SDK is currently embedded in 4,266 mobile apps: reports.exodus-privacy.eu.org/en/trackers/...
According to its website, it delivers “hundreds of millions of ads per day across thousands of global leading apps” and has access to “more than 100 billion first-party data signals per day across the globe”. Marketers can “use these anonymized signals to understand and predict consumer behavior”.
Startapp, renamed start.io in 2021 (www.newswire.ca/news-release...), was founded in Israel (en.globes.co.il/en/article-1...).
It operates a software system for digital advertising and data collection that is embedded in thousands of mobile apps (www.start.io/about-us/), a so-called mobile SDK.
We can draw only very limited conclusions from these findings, which is why we didn't include them in the report:
The segments shown in a Webloc screenshot from a 2021 document are related to segments sold by Startapp via Xandr in 2021.
We don't know whether Startapp ever provided data to Webloc.
Also, a person who previously headed Startapp's partner network and ad exchange, built on data about 1 billion mobile users, joined Cobwebs Technologies in 2020 to launch "big data intelligence products for the public sector", according to his LinkedIn. Since 2023, he has been Penlink's VP Product.
My analysis of segment names and taxonomies shows that there's only a single data provider in that 2021 file that provided ad targeting segments identical to the ones shown in the 2021 Webloc screenshot: start.io, formerly Startapp, a company that harvests data from thousands of apps via its SDK.
Our report: citizenlab.ca/research/ana...
In 2023, I discovered a file that contains metadata on 650k segments sold by hundreds of commercial data providers via the ad platform Xandr in 2021, probably the largest public resource on global consumer data brokerage:
wolfie.crackedlabs.org/en/xandrfile
So, Google and Microsoft track users despite opting out via GPC 87% and 50% of the time, Meta's pixel doesn't even check. 194 of 242 adtech firms and 55% of websites ignore GPC opt outs.
I mean, 'opting out' is a meaningless compliance placebo anyway, but.
globalprivacyaudit.org/2026/califor...
The Hungarian data protection agency and other European GDPR regulators must proactively investigate ad-based surveillance firms and their data supply chains, from apps to data brokers and intermediaries.
I hope the new Hungarian government secures the mandate and independence of its regulator.
Reports suggest that its lawfulness is questionable and that it lacks adequate oversight in several European countries:
www.interface-eu.org/publications...
www.ftm.nl/artikelen/to...
netzpolitik.org/2025/sicherh...
While data processing by app vendors, intermediaries and surveillance tech firms is regulated by the GDPR, the use of the data by governments for public safety and national security purposes is subject to separate and varying national legislation in Europe and the UK.
More broadly:
- The consumer data ecosystem, from mobile apps to digital advertising, is out of control, and needs to be fixed (rather than the law, as suggested by deregulation advocates)
- GDPR enforcement is broken at several levels and needs to be improved (rather than abandoned)
In my personal view, the above analysis suggests a blatant violation of the rights and freedoms of many Europeans who use a phone with apps installed.
The systematic misuse of consumer data for ad targeting is already bad. Misusing it for government surveillance is another level of disastrous.
The system we examined in our report was used by the Hungarian government at least since 2022 and is still being used today.
Screenshots from leaked docs that describe the system suggest that unknown parties used it to track people in Germany, Austria, Hungary, Italy and Romania already in 2021.
- It is unlikely that apps, intermediaries and surveillance tech vendors can rely on any other legal basis than consent under the GDPR. The only other way to legitimize their processing would require governments introducing far-reaching legal obligations to share the data for surveillance purposes.
- Our report shows that customers use such a system for identification. Location records reveal homes, workplaces, associates and more. The use of pseudonymous identifiers doesn't mitigate the risks; quite the opposite, as mobile ad IDs are widely linked to names, email etc across the data industry.