An internal US Customs and Border Protection document reveals the agency bought online advertising data that could track mobile phone locations over time.The Department of Homeland Security obtained a Privacy Threshold Analysis through a Freedom of Information Act request, a document tied to a CBP pilot programme that ran from 2019 to 2021.
CBP was testing commercially available marketing location data tied to mobile Advertising IDs for its operations, with the stated goal of using that data to support the agency's targeting, vetting, analysis, and illicit network discovery processes.Journalists traced such data streams from apps including Candy Crush, Tinder, Grindr, Tumblr, and MyFitnessPal.
The mechanics of the system lie in how online advertising works.The system relies on Advertising IDs, digital IDs assigned to mobile devices that function similarly to web cookies. While they don't contain a person's name or phone number, they provide a way for advertisers to track devices. Every time a smartphone displays an advertisement,data was in part sourced via real-time bidding, or RTB. Whenever an advertisement is displayed inside an app, a near instantaneous bidding process happens with companies vying to have their advert served to a certain demographic.
An internal DHS document obtained by 404 Media shows for the first time CBP used location data sourced from the online advertising industry to track phone locations.A later investigation by the DHS Inspector General concluded that CBP, the Immigration and Customs Enforcement (ICE), and the Secret Service had illegally used the data for operational purposes.
This discovery highlights a fundamental gap in how US privacy law applies to modern technology. In 2018,the Supreme Court case Carpenter v. United States determined that government entities violate the Fourth Amendment when accessing historical cell site location information without a search warrant. However,the ACLU has released documents showing that DHS agencies have purchased large quantities of cellphone location data from data brokers, information they would otherwise need a warrant to obtain directly from phone companies.
The critical distinction is this:CBP admits what civil liberties groups have argued for years: the technical systems powering targeted ads also allow federal agencies to track your location. Because the data is commercially purchased rather than obtained directly from telephone companies, law enforcement has argued it falls outside Carpenter's warrant requirement.
Civil liberties advocates see this as an end-run around constitutional protections.Law enforcement agencies take advantage of the advertising system to buy information about citizens that they would normally need a warrant for, like location data. They rely on the multi-billion-dollar data broker industry to buy location data harvested from people's smartphones.Tools like these can track visits to abortion clinics. A court order is not required, as the data is freely available on the market.
Around 70 US lawmakers, led by Senator Ron Wyden, recently urged the DHS Inspector General in a joint letter to conduct a new investigation.The House passed the "Fourth Amendment Is Not For Sale Act" introduced by Rep. Warren Davidson and seven bipartisan co-sponsors.This bill would prohibit law enforcement and intelligence agencies from purchasing information that the government would otherwise need a warrant, court order, or subpoena to obtain.
Yet critics argue the legislative path faces obstacles.The EFF and other civil liberties organisations have pushed for the bill's passage, but momentum stalls against national security arguments and industry lobbying. Some security hawks contend that restricting government access to commercial data would hobble law enforcement capabilities without addressing the underlying collection practices of the advertising industry itself.
The CBP case exposes a genuine tension in American privacy law. The Fourth Amendment protects citizens against government overreach, but it was written for an era before smartphones and programmatic advertising. Citizens who download apps often accept location permissions without realising the data flows through ad-tech networks available for purchase by government agencies. The Supreme Court has tried to update doctrine for the digital age in Carpenter, but the decision's scope remains contested.Google has moved to restrict advertising IDs on Android, and Apple's App Tracking Transparency framework, introduced in 2021, gave iPhone users the ability to opt out of cross-app tracking. Yetopting out isn't the default everywhere, and plenty of apps still collect and transmit location data through SDKs embedded deep in their code.
For Australian readers following US privacy developments, the CBP case underscores how different jurisdictions handle data governance.The United States lacks a comprehensive data privacy law. Meanwhile, Australian regulators operate under the Privacy Act and increasingly scrutinise data flows. The US debate over whether to legislate around data brokers reflects questions that will eventually reach Australian policymakers as well.