Before government can buy your location data, private apps have to collect it
When Everything Becomes Searchable Safety, Privacy and Freedom in the Digital Era
The Redemption Project Newsroom
Before a government agency can buy Americans’ location data, someone has to collect it.
That is the larger lesson behind the ATF’s canceled Webloc contract. The public story begins with law enforcement access, but the deeper system begins earlier, inside ordinary apps, advertising networks, analytics tools and data brokers that can turn daily movement into a commercial product.
The government may be the buyer.
But private apps and ad networks often build the shelf.
That matters because the privacy debate is too often framed as if the government is the only actor capable of tracking people. Government power deserves scrutiny. It always does. But in the digital era, private companies can collect, package, analyze and sell location-linked data before a warrant, subpoena, court order or criminal investigation ever enters the picture.
That is where this part of the series begins.
Not with a judge.
Not with a detective.
Not with a warrant.
With an app.
A person downloads a weather app, a coupon app, a game, a navigation tool, a fitness tracker or some other free service. The app asks for permission. The person taps “Allow” because the app works better with location access, or because the prompt appears in the middle of whatever the person was trying to do.
That moment may feel small.
It may not feel like a civic decision.
But location permission can open the door to a much larger system. The app itself may collect location data. Embedded advertising or analytics code may collect device or location signals. Those signals may move through ad networks, real-time bidding systems, analytics firms, brokers or other commercial partners. A vendor may later package that information into a searchable product.
Then a government agency, private company or other customer may buy access.
That is the pipeline.
User downloads app.
App requests permission.
App or embedded code collects location or device data.
Data moves through advertising networks, analytics firms or brokers.
Vendor packages the trail.
Customer buys access.
The user saw an app.
The market saw inventory.
This is why the ATF/Webloc story matters beyond one agency. The Associated Press reported that Webloc, a Penlink tool canceled by ATF after lawmakers raised privacy and legal concerns, used commercial location data from consumer apps and advertising networks. Citizen Lab, a research group at the University of Toronto, described Webloc as an ad-based geolocation surveillance system using data from consumer apps and digital advertising to monitor hundreds of millions of people globally.
Those facts point to the deeper issue. The government did not create the entire location-tracking economy by itself. It found one already operating.
That does not mean every app sells precise location data. It does not mean every company is malicious. It does not mean every government purchase is illegal. It does not mean law enforcement can never use commercial data in an emergency or under proper legal controls.
The clean claim is narrower and more important: ordinary consumer technology can help create a market where location trails are collected for one purpose, moved through other systems and sold or searched for purposes the user may never have reasonably understood.
That is the civic problem.
Americans often consent to tracking in the legal sense, but not always in the meaningful civic sense.
A person may click “Allow” so a weather app can show the local forecast. That does not mean the person understands that location signals may move through advertising systems, brokered datasets or vendor platforms far removed from the original app. A person may accept a privacy policy. That does not mean the person read it, understood it or could realistically negotiate its terms.
Consent is thin when the pipeline is hidden.
This is not just common sense. Research has repeatedly shown that privacy controls and disclosures often do not work the way ordinary users expect. A 2024 study of 1,811 top free Android apps found that neither Android’s advertising ID setting nor Global Privacy Control had a substantial impact on apps’ data selling and sharing practices. Other research has found gaps between what apps disclose and what they collect, and studies of third-party software development kits have identified privacy leakage and compliance concerns inside code that ordinary users never see.
That is one of the hardest parts of the modern privacy problem.
The user may interact with one app.
The data may interact with an ecosystem.
Ad tech is the hidden plumbing behind digital advertising. Apps and websites use advertising networks, analytics tools and software kits to deliver ads, measure users, target audiences and sell marketing access. That ecosystem can involve device identifiers, approximate or precise location, IP addresses, app usage, browsing signals, ad interactions, device models, time stamps and movement patterns.
In plain English, the phone may not only know where a person is.
The market may learn where a person goes.
That is why location data is different.
Location data is not just a dot on a map. It can reveal where someone sleeps, works, worships, receives medical care, attends school, visits family, seeks counseling, meets a lawyer, goes to addiction treatment, enters a shelter, attends a protest, visits a gun store or spends time in a private moment.
It can reveal the rhythm of a life.
That is not ordinary consumer information.
It is intimate behavioral evidence.
The Federal Trade Commission has treated sensitive location data as a serious consumer-protection issue. The agency has taken action against multiple data brokers over the collection, sale or use of sensitive location data, including data connected to health facilities, religious locations, military installations, private homes, political gatherings and other sensitive places. In 2026, the FTC announced a proposed order that would prohibit Kochava and a subsidiary from selling, sharing or disclosing sensitive location data without affirmative express consent.
Those enforcement actions show that the problem is not imaginary.
The location-data market became powerful before the law fully caught up.
Real-time bidding is one example of why the system is difficult for ordinary people to understand. In digital advertising, apps and websites may send information into automated ad auctions so advertisers can bid for the chance to show an ad. Those bidstreams can include device or location signals. A person may think they are using an ordinary app or browsing a normal website, while the advertising infrastructure underneath that moment is moving data through a commercial ecosystem.
The leak may not come from the obvious place.
It may come from the machinery underneath the free service.
That is the bargain many people do not see clearly. Many apps are free because users pay indirectly through ads, analytics, profiling, brokered attention and data collection. That does not make every free app bad. It does mean the business incentive often points toward collection.
The app may be free at download.
The bill comes due in data.
For ordinary readers, the most practical mistake is thinking location tracking is one switch.
Location Services: on or off.
It is not that simple.
There are phone-level location permissions. There are app-level permissions. There is precise location and approximate location. There is background location access. There are advertising identifiers. There are Bluetooth, Wi-Fi and IP-based inferences. There are browser cookies, pixels, app analytics tools, software development kits, ad networks, brokers and downstream customers.
That complexity makes meaningful consent difficult.
A person can make better choices and still not see the whole system.
That does not mean individual action is useless. It means individual action is harm reduction, not a complete fix.
Users can review app permissions. They can set most apps to “Never” or “Only while using.” They can turn off precise location for apps that do not need it. They can disable app tracking requests, reset or delete advertising identifiers, review background access, delete apps they do not use and be skeptical when random utilities, games or coupon apps ask for location.
Those steps matter.
But settings are not law.
A phone toggle cannot replace accountability.
A privacy menu cannot fix a market built around collection, sharing and resale.
That is why this issue belongs in a series about safety, privacy and freedom in the digital era. The ATF/Webloc story asks whether government should be able to buy access to location trails that would require a warrant if obtained directly from a phone company. This private-app story asks the question that comes before it: should commercial systems be allowed to collect and sell location trails in ways users do not reasonably understand?
Those are separate questions.
They are also connected.
If private apps and ad networks keep turning daily life into sellable location trails, the surveillance market will always have inventory. Government agencies may become buyers, but the shelf is stocked before they arrive.
That is why “I have nothing to hide” is not enough.
Privacy is not only about hiding wrongdoing. It is about preserving space for ordinary life. People should not have to assume that every trip to a doctor, church, school, counselor, lawyer, shelter, political meeting, gun store, treatment center or family home may someday become part of a commercial location product.
The question is not whether police can ever use digital evidence. They can, and sometimes they should.
The question is whether a free society can allow private markets to quietly build location trails around ordinary life, then let government or private customers buy access later with fewer rules than the sensitivity of the data demands.
Public safety does not require a data free-for-all.
Technology does not have to mean public surrender.
A healthy republic can use digital tools. It can support law enforcement. It can allow innovation. It can also insist that location data revealing the pattern of a person’s life should not move through hidden systems without meaningful consent, strong limits and real accountability.
The government may be the buyer.
But before government can buy your location data, private apps have to collect it.
And if the country wants to protect freedom in a searchable age, it has to govern the shelf, not just the sale.
I am a retired detective and criminal justice / government educator based in Tennessee. I am a commentary write for Tennessee Lookout and a weekly columnist with Knox TN Today. My work examines public policy, public safety systems and civic responsibility. My reporting and commentary have also appeared in Governing, The Arizona Capitol Times, South Florida Sun Sentinel, Police1, among other state and regional outlets.








