Everyone knows your location: tracking myself down through in-app ads

Original Article ↗ Hacker News Discussion ↗

Ethics of Adtech and Tech Work

  • Many see adtech as fundamentally unethical and shame those who build it, arguing talented engineers are diverted from clearly beneficial fields (medicine, infrastructure, research) by high salaries.
  • Others counter that “mission” rhetoric in corporations is mostly hollow; companies primarily enrich investors, so workers rationally optimize for their own pay.
  • Several lament the loss of non-monetary motivations (service, art, public good), replaced by “money over everything.”

Government, Law Enforcement, and Surveillance

  • Commenters link the ad-based tracking ecosystem to law-enforcement and intelligence use: police and agencies purchase location data, and adtech data is seen as a quasi-state surveillance layer.
  • There’s debate over whether agencies like NSA/FBI are “benevolent but misguided” vs. inherently untrustworthy, and whether internal factions (offense vs defense) explain contradictory stances on encryption and backdoors.

How Location and Identity Are Inferred

  • Even with OS location services off, apps can infer coarse location via IP geolocation, cell-network data, and WiFi SSID/MAC databases; accuracy ranges from ZIP/postal-code level to tens of meters depending on method.
  • Some question how “precise” lat/long appeared without explicit permissions; explanations include previous geolocation lookups or external services like Mozilla/Google location APIs.
  • Commenters note that one app with location or WiFi permission can help correlate many others via shared device identifiers and network data.

Financial, Retail, and Loyalty Program Surveillance

  • The Bilt–Walgreens example (rent platform receiving itemized receipts) sparks extensive discussion of “Level 3” card data: merchants can send per-item purchase details to card networks and partners in exchange for lower fees.
  • Many see cross-merchant loyalty programs and fintechs (Bilt, Method Financial) as highly intrusive, often opt‑out rather than opt‑in, with dark patterns and little realistic user control.
  • Concerns include: pharmacies and health purchases, HSA/FSA data, and the idea that merchants think transaction data is “theirs,” not the customer’s.
  • Price discrimination enabled by loyalty and data is debated: some argue it can expand access for price-sensitive consumers, others call it economically harmful and fundamentally unfair.

Retail Tracking, Facial Recognition, and “Cash” Anonymity

  • Several note that paying cash no longer guarantees anonymity: stores may use CCTV, facial recognition, Bluetooth, and phone presence to link visits and purchases.
  • Others are skeptical that large-scale facial recognition is common or reliable for marketing (as opposed to loss prevention), and point to legal bans in some jurisdictions.

Apps vs Web and Technical Countermeasures

  • Some advocate “don’t use apps that could just be websites” and always use blockers in browsers, but others respond that browsers themselves have extensive APIs enabling fingerprinting.
  • Technical tools mentioned: DNS-based blocking (NextDNS, AdGuard), Android firewalls (NetGuard, TrackerControl), packet capture/inspection (pcapdroid, mitmproxy), and hardened OSes like GrapheneOS with per-app network and storage scopes.
  • Limitations: DNS-over-HTTPS can bypass local DNS, some apps hard-code IPs, and fingerprinting-resistance tactics can themselves become identifiers if only a minority use them.

Fingerprinting and Over-Collection of Device Data

  • Many focus on seemingly unnecessary fields sent with ad bids (brightness, battery level, boot time, memory, volume, headphone status) and conclude they’re used for device fingerprinting and behavioral segmentation.
  • An adtech insider explains business incentives: SDKs over-collect “just in case,” because updating billions of devices takes months; preemptively having extra fields can be worth tens or hundreds of millions in potential campaigns (e.g., only show 10GB-game ads to devices with enough storage).
  • This is contrasted with platform privacy controls like Apple’s ATT: “Ask App Not to Track” zeroes the advertising ID but leaves all other fingerprintable data untouched; enforcement against cross-app correlation is hard and largely trust-based.

Attitudes Toward Privacy and “Nothing to Hide”

  • Multiple commenters push back on “I have nothing to hide,” citing: medical diagnoses, mental health, finances, sexuality, religion, and political views, plus economic harms like salary/insurance profiling and price steering.
  • Examples of database misuse by law enforcement are cited as evidence that abuse is not hypothetical.
  • Some express resignation (“I surrender; even if I’m careful, my friends’ devices leak my data”), while others argue that partial protections (better laws, tools, and habits) still matter.

Data Brokers, Contacts, and Escalation Tactics

  • A recurring theme: your privacy depends on the least-careful person in your social circle; once someone uploads their contacts, your phone/email may enter data-broker systems regardless of your choices.
  • People describe using services (e.g., corporate-contact brokers) to buy executives’ phone numbers or emails for pennies to bypass broken customer support; others warn this can lead to account termination or be construed as harassment.

Regulation and Platform Responsibility

  • GDPR is viewed ambivalently: cookie banners are hated, but some report real audits and enforcement in parts of Europe; others say non‑EU firms simply ignore it.
  • US privacy law is seen as weak and fragmented; there are calls to ban the sale of personal data or behavioral advertising outright, similar to how some hazardous materials are simply prohibited.
  • Apple’s privacy posture is debated: some see it as mostly marketing and rent-extraction from competitors (e.g., Facebook), while others credit it with at least reducing certain tracking vectors.