Surveillance & Data Trade
The programmatic advertising ecosystem, government procurement channels, and data broker marketplaces form a surveillance supply chain that operates entirely within legal boundaries in most jurisdictions. Data flows from mobile devices through ad auctions and SDK pipelines into the hands of intelligence agencies, law enforcement, and commercial buyers at industrial scale.
Real-Time Bidding as Surveillance
The programmatic advertising ecosystem leaks granular user data at industrial scale -- not through SDK abuse, but through the normal functioning of the ad auction system. Every time an ad loads in an Android app, the device broadcasts a bid request containing device identifiers, GPS coordinates, IP address, app name, device model, carrier information, and more. This data reaches hundreds of demand-side platforms (DSPs) in milliseconds, most of which do not win the auction but retain the data.
How RTB Data Leaks Work
The OpenRTB protocol defines the bid request format. When an app displays an ad, the supply-side platform (SSP) sends a bid request to potentially hundreds of DSPs. Each bid request contains:
| Field | Data | Privacy Impact |
|---|---|---|
| device.geo.lat/lon | GPS coordinates (often to 6 decimal places) | Meter-level location tracking |
| device.ifa | Advertising ID (GAID/IDFA) | Persistent cross-app identifier |
| device.ip | IP address | Approximate location, ISP identification |
| device.model | Device model + manufacturer | Device fingerprinting |
| device.carrier | Mobile carrier name | Network identification |
| app.bundle | App package name | Activity inference (health, dating, political apps) |
| user.data | Interest segments, demographics | Behavioral profiling |
The Irish Council for Civil Liberties (ICCL) reported that US users' online activity and location are broadcast 747 times per day on average through RTB, and European users 376 times per day. This data reaches thousands of companies per broadcast.
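A defender-side sketch of the bid request fields in the table above, added here and not part of the original page: it audits an OpenRTB-style bid request for the listed fields and returns a minimized copy. The sample request, the helper names and the minimization policy (coordinates rounded to two decimals, zeroed advertising ID, truncated IP, dropped segments) are assumptions for illustration.

```python
import copy
import ipaddress
import json

# Constructed sample bid request (not captured traffic); all values are illustrative.
SAMPLE_BID_REQUEST = json.loads("""
{"id": "req-0001",
 "app": {"bundle": "com.example.healthapp"},
 "device": {"ifa": "38400000-8cf0-11bd-b23e-10b96e40000d", "ip": "203.0.113.77",
            "model": "ExamplePhone 1", "carrier": "ExampleTel",
            "geo": {"lat": 52.520008, "lon": 13.404954}},
 "user": {"data": [{"name": "example-dmp", "segment": [{"id": "health"}]}]}}
""")

# Dotted paths taken from the field table above.
SENSITIVE_PATHS = ["device.geo.lat", "device.geo.lon", "device.ifa", "device.ip",
                   "device.model", "device.carrier", "app.bundle", "user.data"]

def get_path(obj, path):
    """Return the value at a dotted path, or None if any component is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def audit(req):
    """List which of the sensitive fields a bid request actually carries."""
    return [p for p in SENSITIVE_PATHS if get_path(req, p) is not None]

def minimize(req, geo_decimals=2):
    """Return a copy with location coarsened and identifiers removed (assumed policy)."""
    out = copy.deepcopy(req)
    dev = out.get("device", {})
    geo = dev.get("geo", {})
    for axis in ("lat", "lon"):
        if axis in geo:
            geo[axis] = round(geo[axis], geo_decimals)  # 2 decimals is roughly 1 km
    if "ifa" in dev:
        dev["ifa"] = "00000000-0000-0000-0000-000000000000"  # zeroed advertising ID
    if "ip" in dev:
        ip = ipaddress.ip_address(dev["ip"])
        net = ipaddress.ip_network(f"{ip}/{24 if ip.version == 4 else 48}", strict=False)
        dev["ip"] = str(net.network_address)  # keep only the network prefix
    out.get("user", {}).pop("data", None)  # drop interest segments entirely
    return out
```

Running `audit` on traffic leaving an app or SSP integration shows which of the table's fields are actually being sent; `device.model`, `device.carrier` and `app.bundle` are left untouched by this policy and still contribute to fingerprinting.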
Intelligence Agencies Buying Bid Stream Data
RTB data is commercially available for purchase without a warrant. Senator Ron Wyden's investigation confirmed that the NSA purchased internet metadata and phone location data commercially. The data pipeline enables what privacy researchers call a "Fourth Amendment workaround" -- agencies buy commercially what they would need a warrant to collect directly.
Rayzone Group (Israel): Operates a DSP called "Echo" that participates in RTB auctions not to buy ads, but to harvest bid stream data for surveillance purposes. Revealed by Haaretz in 2020, Rayzone could geolocate any device whose apps participate in RTB auctions.
Intellexa "Aladdin": Leaked internal documents from the December 2025 Intellexa breach revealed a system called Aladdin that uses the ad ecosystem to deliver zero-click spyware infections. The system places a "bid" in the ad auction, wins, and delivers an exploit payload disguised as ad creative. This weaponizes the entire RTB infrastructure as a spyware delivery mechanism.
Government Purchases of Location Data
Government agencies purchase commercially available location data from brokers, bypassing the warrant requirements established in Carpenter v. United States (2018), in which the Supreme Court ruled that accessing historical cell-site location records requires a warrant.
| Agency / Company | Data Source | Scale | Source |
|---|---|---|---|
| Fog Data Science | Commercial apps via brokers | Billions of data points, sold to 18+ US law enforcement agencies | EFF, AP |
| Venntel (Gravy Analytics subsidiary) | Location data brokers | Sold to IRS-CI, CBP, ICE | WSJ |
| Babel Street / Locate X | Ad ecosystem location data | Used by DHS, CBP, Secret Service | EFF |
| NSA | Internet metadata + phone location | Bulk purchasing confirmed by Wyden inquiry | Wyden press release |
Fog Data Science is notable for its low price point: subscriptions start under $10,000, making mass surveillance accessible to local police departments. The Wyden letter to DOJ questioned whether these purchases constitute a Fourth Amendment workaround, but no court has definitively ruled on the practice.
Data Broker Industry Economics
Market Size
The global data broker market was estimated at USD 278 billion in 2024, projected to reach USD 512 billion by 2033 at 7.3% CAGR. North America holds 41.2% revenue share. Mobile apps and SDKs account for 35.74% of data acquisition. An estimated 5,000 data brokers operate globally.
The Supply Chain
Per-device revenue for app developers: $0.01-$0.05 per device per month for location data. The average cost of an individual data profile (ages 18-25): $0.36. Fog Data Science law enforcement subscriptions start under $10,000 -- making mass surveillance accessible to local police.
Major Consolidation Events
Oracle's data broker empire (built 2014-2018, collapsed 2024): Oracle acquired BlueKai (~$400M, 2014), Datalogix (~$1.2B, 2014), and AddThis for web tracking. Combined Oracle Advertising revenue peaked at $2B (2022). GDPR enforcement destroyed the model -- BlueKai lost 85% of European revenue overnight. Facebook pulled its third-party data marketplace. Oracle exited advertising entirely as of October 2024, revenue having fallen to $300M.
Foursquare acquired Placed (attribution) and Factual (location data), consolidating location intelligence under one roof.
The Gravy Analytics hack (January 2025) exposed the fragility of the entire ecosystem: a single compromised key to an Amazon cloud environment potentially exposed 17 terabytes of location data including coordinates at the White House, the Kremlin, Vatican City, and military bases worldwide.