A recent investigation(neues Fenster) by Le Monde showed how data linked to advertising on smartphones can expose the identities and daily movements of French police, military, and intelligence personnel (including members of elite units).
Crucially, this was not the result of hacking or a blunder. This highly sensitive information was harvested from publicly available and widely traded consumer datasets. Ordinary apps with embedded ad-tracking technology collected their location and sold it to data brokers.
In addition to the obvious national security concerns raised by this investigation, it shows just how much intimate data about all of our daily lives is readily available to advertisers via a consumer ad ecosystem that has no privacy protections and no oversight.
Your apps are quietly sharing where you go
This “hack” exploits passive data your devices send all the time. Here’s how it works:
Most “free” ads make money from small bits of code provided by ad networks, known as advertising software development kits (SDKs) that collect data each time you open an app or load an ad. The data they collect can include:
- Your phone’s advertising ID (a unique tracker)
- Your IP address(neues Fenster)
- Location information (we’ll discus this below)
- Which app you’re using
- When you’re using it
Apps share this data constantly in the background (even when you’re not doing anything), typically sending it to the SDK’s servers (not the app developer’s). From here, it’s sold on to data brokers who combine information from thousands of apps into a detailed history of your location.
This data is not anonymous
Your IP address uniquely identifies your phone, and can be used to roughly estimate your location (approximately to within the distance of a city). However, your IP address is a widely known privacy danger and can be easily hidden using a VPN(neues Fenster). More insidious are technologies that claim to track you “anonymously”.
Location information
Both Android and iOS include granular privacy controls that allow you to deny apps access to your location (which mainly means direct access to your GPS data). However, apps can use data from other data-points on your phone that they can access to infer your location with surprising accuracy:
- Nearby WiFi networks (which are mapped in global databases)
- Bluetooth beacons (often located in shops, events, and transit systems)
- Sensors (including motion patterns and cell tower hops)
Advertising ID
Your phone’s advertising ID (AAID on Android, IDFA on iOS) is a persistent and unique device identifier that was specifically created to allow cross-app tracking. In theory, it’s not tied to your name, but because the advertising SDK has access to your location data:
- It knows where you sleep
- It knows where you work
- It can track the gym, bar, shops, and friends you visit, and combine this with other information it has access to (such as your social media presence) to infer your identity from your daily routines.
This is called mobility-pattern deanonymization(neues Fenster), and its ability to uniquely identify you has been proven repeatedly in research(neues Fenster). Indeed, this is exactly what Le Monde did.
Data brokers buy this data in bulk
Advertising SDK vendors and ad-tech companies sell or share this telemetry with data brokers, who:
- Aggregate it from millions of apps
- Build device-level movement histories
- Resell datasets to advertisers, hedge funds, political campaigns, and anyone else willing to pay
These datasets can include billions of precise location pings tied to Advertising IDs.
The Le Monde investigation
Le Monde journalists simply purchased these publicly available datasets from data brokers and used them to look for devices that spent nights at one address (likely the user’s home) and regularly visited a location during the day (likely the user’s workplace). If these workplaces were known sensitive facilities, such as DGSE (the French equivalent of the CIA) HQ, a military base, or a nuclear site, it was easy to infer the owner’s role in a government organization.
They were then able to cross-reference their movement patterns with publicly available information, such social media activity, LinkedIn profiles, and property records, to determine the individual’s identities. Using this technique, Le Monde deanonymized and tracked the intimate daily movements of:
- Intelligence officers from French services
- Elite police units and protective services
- Members of intervention forces like the GIGN
- Military personnel stationed at key bases (including nuclear deterrence facilities)
- Defense industry executives
- Prison staff
- Nuclear power plant employees
Le Monde’s investigation closely echoes a 2017 report by the Institute for United Conflict Analysts, which was able to pinpoint the location and staffing of US military bases(neues Fenster) and spy outposts around the world using publicly available exercise data that soldiers had uploaded to the Strava fitness tracking company.
Why this matters
The national security implications of how this public data can be abused are clear. However, it also shows how much of all of our everyday digital lives are quietly monitored and monetized. Ad-tracking data can reveal:
- Where you live
- Where you work
- Your routines and habits
- Your relationships
- Your political or religious affiliations
- Your doctor appointments
- Everywhere you go (hour by hour and with a precision of a few meters)
With such pervasive ad-driven surveillance and data sharing, it becomes inevitable that sensitive information will eventually fall into the hands of people who want to abuse it. For example, criminals could use it to make social engineering attacks more credible, or stalkers could use it to track you down. Surveillance-based advertising creates a direct threat to your identity, finances, and physical safety.
What can you do about it?
The following actions can reduce the granularity of the datasets collected, but there’s no way to stop all kinds of tracking:
- Turn GPS off when not using it and deny apps location permissions.
- Use a VPN(neues Fenster) to hide your real IP address (DNS filtering features such as Proton VPN’s NetShield Ad-blocker(neues Fenster) can also help bock ad and tracker scripts).
- Delete your advertising ID on Android (Settings → Google → All services → Ads → Privacy and security → Ads → Delete advertising ID). iPhone’s don’t provide this option.
If elite security units can be exposed, anyone can
Le Monde’s investigation shows that the dangers of pervasive and unregulated advertising are not just a theoretical concern. The individuals identified in the investigation hadn’t done anything careless: They were just using normal smartphones with normal apps. Like all of us.
The problem is structural. Ad companies collect too much data, app developers embed tracking tools they don’t fully understand (or simply prioritize profits over concern for their users’ safely), data brokers sell location datasets to almost anyone, and regulators are largely ineffective.
When an entire industry is built around constant location surveillance, even highly trained professionals can’t avoid being tracked. And neither can you.
