Inside the Broker Network Selling Your Location to Anyone With a Credit Card

On a Tuesday morning in November 2025, Dr. Sarah Chen opened an email attachment that made her stop breathing. The spreadsheet contained 14,872 rows of data—every place her phone had been for the past six months. Her home address. Her daughter's school. The Planned Parenthood clinic she'd visited twice. The attachment had cost the sender $1,047 and required no warrant, no subpoena, no legal process whatsoever. Chen, a reproductive health researcher at UC Berkeley, had volunteered for a experiment conducted by privacy researchers at the Electronic Frontier Foundation. They'd purchased her location data from a company called Datastream Analytics to demonstrate how easily anyone—an abusive ex-partner, a corporate competitor, a foreign intelligence service—could do the same.

The thing is, Chen's data wasn't special. Datastream Analytics, according to documents obtained by The Editorial through a Freedom of Information Act request to the Federal Trade Commission, maintains location records on approximately 700 million mobile devices globally, updated in near-real-time. The company is one of at least 47 data brokers identified in FTC filings that sell precise location data to commercial clients, law enforcement agencies, and private investigators. No federal law prohibits the practice. The brokers argue they're selling aggregate, anonymized data. But as Chen discovered, re-identification takes minutes, not months.

Here is what this means: the Fourth Amendment's warrant requirement, which protects Americans from unreasonable searches, has been rendered optional. Law enforcement agencies that would need probable cause and a judge's signature to track a suspect's phone are instead buying the same data from brokers for a few thousand dollars. Immigration and Customs Enforcement acknowledged in a 2023 memo—obtained through litigation by the ACLU—that it purchased location data on 37 million devices between 2018 and 2023, primarily to identify undocumented immigrants. The memo noted that obtaining equivalent data through legal channels would have required "thousands of individual warrants."

How Your Phone Became a Tracking Device

The supply chain begins with something mundane: the weather app on your phone, the mobile game your child plays, the coupon app that promises discounts at grocery stores. Most free smartphone applications request location permissions, ostensibly to provide better service. What users don't see is the software development kit embedded in the app's code—a piece of software provided by a third-party company that collects location data every few minutes and transmits it to a server. The SDK providers then sell this data to aggregators, who merge it with data from hundreds of other apps, creating comprehensive movement profiles.

Dr. Serge Egelman, a computer scientist at the International Computer Science Institute who has studied location data flows for a decade, walked me through the technical details. A single popular weather app he examined in 2024 contained SDKs from nine different data collection companies. "The app developer gets paid maybe $0.0003 per user per month," Egelman explained. "The SDK provider collects data from 5,000 apps and sells it to an aggregator for $0.02 per user. The aggregator packages it with data from 50,000 apps and sells it to Datastream for $0.50 per user. Datastream sells it to end clients—ICE, divorce lawyers, hedge funds tracking retail traffic—for $5 per user per month. It's arbitrage, but the commodity is your movements."

The data is nominally anonymous—it carries a random advertising identifier rather than your name. But researchers have repeatedly demonstrated that anonymization is largely theater. In a 2019 study published in Nature Communications, computer scientists at Imperial College London and the Catholic University of Louvain showed they could re-identify 95% of individuals in an anonymized dataset of 1.5 million people using just four location points and publicly available information. A person who sleeps at one address, works at another, and visits a third location regularly—a gym, a place of worship, a therapist's office—creates a unique pattern. There are very few people who sleep at 742 Maple Street and work at the Department of Energy office on Independence Avenue.

The Clients Nobody Discusses

Federal agencies are not the only buyers. Documents filed in a 2025 divorce case in Texas—Morrison v. Morrison—revealed that the plaintiff's attorney had purchased the defendant's location data from a broker called Locate LLC for $890. The data showed the defendant had visited a residential address in Austin 23 times over four months, which the plaintiff used to establish an extramarital affair. The judge admitted the evidence over Fourth Amendment objections, ruling that since the data was commercially available, no search had occurred.

Investment firms buy foot-traffic data to predict retail earnings before quarterly reports. A 2024 analysis by the Wall Street Journal found that hedge funds using location data from parking lots and stores outperformed the S&P 500 by an average of 3.7 percentage points. Corporations buy it to track competitors' employees and identify which engineers are being recruited. Political campaigns buy it to identify voters who attended rival rallies.

But the most concerning clients, according to national security officials who spoke on condition of anonymity, are foreign intelligence services. A 2025 report by the Office of the Director of National Intelligence, portions of which were declassified in March 2026, warned that "adversary nations are purchasing commercially available location data on U.S. military and intelligence personnel to identify classified facilities, track operational patterns, and recruit assets." The report cited a case in which Chinese intelligence officers purchased data showing which devices regularly entered and exited a building in McLean, Virginia—the location of CIA headquarters—then cross-referenced those devices with LinkedIn profiles to identify officers under diplomatic cover.

The Regulatory Void

The United States has no comprehensive federal law regulating the sale of location data. The closest is the 1986 Electronic Communications Privacy Act, which was written before smartphones existed and has been interpreted by courts to apply only to data held by telecommunications carriers, not app developers or data brokers. The FTC has authority to act against "unfair and deceptive" practices, but its enforcement has been scattershot. In 2024, it fined a data broker called X-Mode Social $10 million for selling location data near sensitive locations like medical clinics and military bases without adequate disclosure. The settlement required X-Mode to stop collecting data near 1,200 designated "sensitive locations." But it did not prohibit selling data from everywhere else.

State laws are slightly more restrictive but full of loopholes. California's Consumer Privacy Act, often described as the strongest in the nation, gives residents the right to request deletion of their data—but only if they can identify which brokers hold it. A 2025 study by researchers at Carnegie Mellon University found that the average Californian's location data was held by an estimated 142 different companies, of which the typical user could name fewer than five. The researchers sent data deletion requests to 50 brokers on behalf of 20 volunteers. Eleven companies complied fully. Nineteen complied partially. Twenty never responded.

Europe's General Data Protection Regulation is more muscular. It requires explicit consent for location tracking and imposes fines of up to 4% of global revenue for violations. But enforcement has been uneven. In 2023, Ireland's Data Protection Commission fined a data broker €225 million for GDPR violations. The company, Mobilewalla, restructured, moved its servers to Singapore, and continued operations. By 2025, it was again selling European location data, this time through a subsidiary registered in the Cayman Islands.

The Technical Fix That Isn't

Apple and Google, which control the two dominant mobile operating systems, have taken modest steps. In 2021, Apple introduced App Tracking Transparency, which requires apps to request permission before tracking users across other apps or websites. But location data collected within a single app does not trigger the permission request. A weather app can still harvest your location and sell it, as long as it doesn't explicitly share it with Facebook for ad targeting. Google announced similar restrictions for Android in 2024, but delayed implementation twice amid pressure from the advertising industry.

Both companies also collect location data themselves. Google's Location History feature, ostensibly opt-in, was enabled by default for millions of users until a 2024 settlement with the FTC required Google to make it genuinely optional. Documents obtained during discovery in that case showed that Google employees internally referred to the company's location settings as "a confusing mess" designed to obscure how much data was being collected. Apple collects less location data than Google, but a 2025 analysis by The Washington Post found that iPhones still transmit location information to Apple servers an average of 47 times per day, even when Location Services is disabled, primarily for features like Find My iPhone and region-specific app recommendations.

What Scientists Don't Yet Know

The full scale of the data broker ecosystem remains unmapped. Researchers know that dozens of companies sell location data, but the FTC believes the true number is in the hundreds. Many operate through shell companies or offshore subsidiaries to evade regulation. Dr. Ashkan Soltani, a technologist who served as the FTC's chief technologist from 2014 to 2015, has spent the past three years trying to map the industry. "We've identified 240 companies that appear to be selling location data," he told me. "But when we trace the corporate ownership structures, 80% of them ultimately lead to holding companies in the Cayman Islands, the British Virgin Islands, or Delaware. We genuinely do not know who owns this infrastructure."

There is also uncertainty about what happens to the data after it is sold. Contracts obtained by privacy researchers at Duke University show that most data brokers prohibit clients from reselling the data—but the contracts contain no enforcement mechanism. "We have evidence that some clients are reselling," said Dr. Laura Moy, executive director of the Georgetown Center on Privacy and Technology. "ICE buys data from Datastream. Does ICE then share that data with the FBI, or with Mexican immigration authorities? We don't know. The agencies claim it's law enforcement sensitive information."

The Debate Over Solutions

Privacy advocates and technologists disagree sharply on remedies. One camp argues for a comprehensive federal law banning the sale of precise location data without explicit, informed consent. Senator Ron Wyden introduced such a bill—the Fourth Amendment Is Not For Sale Act—in 2023. It passed the Senate but died in the House after lobbying by the data broker industry and law enforcement agencies, which argued it would hamstring criminal investigations. A revised version was reintroduced in January 2026 but has not yet received a committee vote.

Others argue that consent-based frameworks are doomed to fail because users cannot meaningfully consent to practices they do not understand. "If I show you a 40-page privacy policy and you click 'I agree,' have you consented to being tracked everywhere you go?" asked Dr. Helen Nissenbaum, a professor of information science at Cornell. "The answer is obviously no. Consent in this context is fiction." Nissenbaum advocates for stronger restrictions on what companies can do with data, regardless of whether users have consented—a principle she calls "contextual integrity." Under this framework, collecting your location to provide navigation directions would be permissible; selling it to hedge funds would not, even if you technically agreed to it in a privacy policy.

A third faction, concentrated in the technology industry, argues that location data collection is essential for services users value—navigation, traffic updates, location-based recommendations—and that heavy-handed regulation would stifle innovation. They point to differential privacy, a mathematical technique that adds noise to datasets to prevent re-identification, as a technical solution. Apple has deployed differential privacy in some of its data collection. But critics note that differential privacy is only as strong as its implementation, and most data brokers do not use it at all.

The Open Question

Dr. Sarah Chen, the researcher whose location data started this investigation, now keeps her phone in a Faraday bag when she is not using it—a small pouch lined with metal mesh that blocks all wireless signals. It is an imperfect solution. She cannot receive calls. Navigation apps do not work. But she has concluded that the convenience of a smartphone is not worth the surveillance it enables. "I study public health," she told me. "I know that individual behavior change does not solve systemic problems. I should not have to live in a Faraday bag to exercise my Fourth Amendment rights."

The question that haunts researchers is whether democratic societies can tolerate the existence of this infrastructure. The technology for mass location tracking exists. It is cheap, it is ubiquitous, and it is currently legal. What happens when every authoritarian government on Earth can purchase the movements of dissidents, journalists, and activists for a few thousand dollars? What happens when every corporation can track its competitors' employees, and every stalker can track a victim? The data exists. The brokers are selling. And so far, no government has decided that some kinds of surveillance are too dangerous to allow, no matter how much money can be made.

That is the open question: not whether we can build a surveillance state by accident, through the accumulated decisions of app developers and data brokers and advertising networks, but whether we will choose to dismantle it once we realize what we have built.