This article is part of EFF’s investigation of location data brokers and Fog Data Science. Be sure to check out our issue page on Location Data Brokers.

If a company wants to advertise something to you on the internet, it first has to know who you are and what you like to buy. There are many different approaches to gathering this data, but all generally have one goal in common: they link you with the data generated by your devices.

If law enforcement wants to track you via data generated by your devices, it first has to know where to find that data and how it links to you. As it turns out, these goals align quite strongly with those of the advertisers.

You can probably guess where this is going.

A multi-billion dollar industry of advertising data brokers sells sensitive data gathered from people’s phones to a wide range of clientele, including the U.S. military, federal law enforcement agencies and, as EFF has learned, state and local law enforcement. This is especially problematic because many law enforcement agencies have argued, erroneously, that they don’t need a warrant to buy people’s location data from data brokers.

And there’s one key digital advertising technology that Fog and other data brokers have turned into a police surveillance technology: the ad ID. Although Android and iOS call it different things, an advertiser identifier (ad ID for short) is a random string of letters and numbers generated for your device and attached to bundles of data generated by the apps and websites you use. These bundles of data often include private information about you, such as your year of birth, gender, what search terms you use, and perhaps most importantly for law enforcement, your location. When your device sends this data along, it’s often bought by data brokers to be repackaged and resold.

Since each of these bundles of data has your unique ad ID attached to it, data brokers can later group them together to form a more complete picture of your behavior. Without an ad ID, the data brokers and their law enforcement customers would have a much harder time tracking individuals in the sea of datapoints.

Because ad IDs are randomly generated, data brokers like Fog Data Science like to claim that the data they sell doesn’t contain personally identifiable information (PII). This, as multiple studies have shown, is bogus. Ad IDs, because they allow disparate data points to be grouped into an individual’s pattern of movement, can make it trivially easy to identify where a person sleeps at night, goes to work during the day, which bars they frequent, and much more. It takes just a few location hits to identify a person. Police know this. For example, in documents obtained by EFF, a police officer in St. Louis wrote regarding Fog: “There is no PI [personal information] linked to the [device ID]. (But, if we are good at what we do, we should be able to figure out the owner).”

Ad IDs are a crucial part of the online advertising ecosystem. Without them (or a similar technique for fingerprinting devices), it’s hard to imagine the data brokers’ current business model continuing to function. Certainly, companies like Fog and Venntel would find it much harder to sell individual devices’ location data to law enforcement, which would be a huge win for people’s privacy.

A world without ad IDs isn’t hard to imagine, either. Starting in iOS 10.0, Apple began providing an option to “zero out” a device’s ad ID, and recently this option was enabled by default for all iOS users. Analytics data suggests that in the wake of iOS 14.5, 96% of U.S. users opt out of tracking, effectively disabling ad IDs for iOS altogether. Google’s Android also has an option to remove your ad ID, but it’s still not enabled by default. Until all phone manufacturers disable this pernicious feature for good, there are some easy steps you can take to disable your ad ID.

Additionally, we need new laws that limit how corporations process our data, and how police acquire that data from businesses.
