Footprint
The bidstream is a surveillance network

Your phone is broadcasting your location.

Every time an app loads an ad, a real-time auction shares your location, device ID, and app fingerprint with dozens of buyers in milliseconds. Most buyers don't win the auction; most of them keep the data anyway. This is the supply chain that targets soldiers, exposes their deployments, and gets sold by the terabyte to anyone with a credit card.

This page explains how it works, what gets leaked, what's been built on top of it, and what you can do, both as an individual and as a unit.

1 · How real-time bidding works

Your phone triggers an ad auction every few seconds.

When an app needs to show you an ad (a banner in a weather app, a video in a game, an interstitial in a news reader), it doesn't pick the ad locally. It packages a bid request describing you and your phone, sends it to an ad exchange, and the exchange fans the request out to a few dozen ad-tech firms competing for the impression. The whole auction completes in 100–300 ms.

The winning bidder gets to serve the ad. The losing bidders get nothing. But every bidder who saw the request now has a record of your device, your location, your app, and your audience tags. They keep that record. They sell it.

[Diagram: Your app (weather, game, news reader) → Ad SDK (Google AdMob, MoPub, AppLovin) → Ad exchange (OpenRTB 2.6 auction, 100–300 ms) → Bidders (30–100 firms, see every request) → Brokers (store, enrich, resell forever). Timing: ~100–300 ms, per ad impression, per device, per app session.]
Bid request fan-out. Most bidders don't win, but they all see the data and most keep it.

This is the part that surprises people: the leak isn't the ad itself, it's the auction. An app can fire thousands of bid requests a day even if you rarely see an ad render, because the request goes out before anyone knows whether the slot will fill. And there's no consent dialog when your data fans out to 47 bidders you have never heard of.

2 · What's in a bid request

One JSON object. Enough to put a name to a building.

Here's a bid request shaped like the real thing: schema per IAB OpenRTB 2.6, the open standard the entire industry uses. Field-by-field, this is what fans out to every bidder when an ad slot opens up.

{
  "id": "req-7a1f3c9e-d2b4-4e61-9c08-5f6a2b3d4e5f",
  "imp": [
    { "id": "1", "banner": { "w": 320, "h": 50 } }
  ],
  "app": {
    "bundle": "com.weather.Weather",
    "name": "The Weather Channel",
    "publisher": { "id": "wcc-001", "name": "TWC" }
  },
  "device": {
    "ifa": "8f4b1c2e-2c3a-4d5e-6f7a-8b9c0d1e2f3a",
    "lmt": 0,
    "make": "Apple",
    "model": "iPhone 15",
    "os": "iOS",
    "osv": "17.6",
    "carrier": "AT&T",
    "connectiontype": 6,
    "geo": {
      "lat": 29.0405,
      "lon": 48.1310,
      "type": 1,
      "accuracy": 12,
      "country": "KWT",
      "region": "Al Ahmadi",
      "city": "Shuaiba"
    },
    "ext": { "ifa_type": "idfa" }
  },
  "user": {
    "data": [
      {
        "id": "dmp-placeholder",
        "name": "audience_segment",
        "segment": [
          { "id": "us_carrier_roaming_mena" },
          { "id": "us_government_affiliated" },
          { "id": "frequent_traveler" }
        ]
      }
    ]
  },
  "tmax": 200
}

Why each field is dangerous

  • Mobile ad ID · device.ifa (type in device.ext.ifa_type: idfa / aaid)
    Persistent UUID that follows your phone across apps. It changes only when you reset it; on iOS 14.5+ and Android 12+ it reads as all zeros for apps you have not allowed to track, and device.lmt = 1 tells bidders so.
  • Geolocation · device.geo.lat / .lon / .accuracy
    GPS-grade precision (geo.type = 1), typically around 10 m. Tied to the persistent ID above, so pattern of life falls out for free.
  • App bundle · app.bundle
    Tells brokers what kind of person you are: dating apps, fitness trackers, military fitness, prayer times.
  • Carrier · device.carrier
    AT&T or Verizon roaming abroad is a US-affiliation flag on its own.
  • Audience segments · user.data[].segment[].id
    Broker-attached tags. They won't say 'active military', but they will say 'us_government_affiliated', which is the same thing.
  • Device & UA · device.make / .model / .ua
    Distinguishes US adult phone profiles from local-national patterns even without geo.

No single field is a smoking gun. The combination is. A persistent device ID + sub-10 m location + English-language app fingerprint + US-carrier roaming in MENA classifies the device as US-affiliated with no other source needed. The dispersal pattern from one location to another, across that same persistent ID, is the kill chain.
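As an added example (not FOOTPRINT's code and not part of the original page), here is how a bidder, or anyone holding a bidder's feed, would turn a request like the one above into the classification this paragraph describes. The parser follows the OpenRTB 2.6 field paths (device.ifa, device.lmt, device.geo, device.carrier, user.data[].segment[].id); the carrier list, the segment keywords, the 50 m precision cutoff and the decision rule are assumptions chosen to illustrate the argument, and the sample request is constructed to mirror the one shown above. The second half shows the same request after the user denies tracking: the ID is zeroed, but lat/lon and carrier still go out.

```python
# Added example (not FOOTPRINT code): extract the OPSEC-relevant signals from an
# OpenRTB 2.6 bid request and classify the device the way a broker with the full
# fan-out could. Field paths follow the IAB OpenRTB 2.6 schema; the carrier list,
# the segment keywords, the precision cutoff and the decision rule are assumptions.
import json

# Assumption: US carriers whose presence outside the US acts as an affiliation flag.
US_CARRIERS = {"AT&T", "Verizon", "T-Mobile"}
# Assumption: substrings that mark a broker segment as affiliation-revealing.
SENSITIVE_SEGMENT_MARKERS = ("government", "military", "defense", "roaming")
# A zeroed IDFA/AAID is what the device sends when the user has disabled tracking.
NULL_IFA = "00000000-0000-0000-0000-000000000000"
# geo.country is ISO-3166-1 alpha-3 per spec; accept alpha-2 from sloppy exchanges.
US_COUNTRY_CODES = {"USA", "US"}
PRECISE_METERS = 50  # assumption: anything tighter than this pins a building


def extract_signals(req: dict) -> dict:
    """Return the per-field signals a bidder can read off a single request."""
    dev = req.get("device", {})
    geo = dev.get("geo", {})
    ifa = dev.get("ifa")
    # OpenRTB 2.6: user.data[] holds Data objects, each carrying a segment[] array.
    segments = [
        seg.get("id", "")
        for data in req.get("user", {}).get("data", [])
        for seg in data.get("segment", [])
    ]
    precise = (
        "lat" in geo and "lon" in geo
        and (geo.get("accuracy") is None or geo["accuracy"] <= PRECISE_METERS)
    )
    return {
        "persistent_id": bool(ifa) and ifa != NULL_IFA and not dev.get("lmt", 0),
        "precise_geo": precise,
        "abroad": geo.get("country") not in (None, *US_COUNTRY_CODES),
        "us_carrier": dev.get("carrier") in US_CARRIERS,
        "sensitive_segments": [
            s for s in segments
            if any(marker in s.lower() for marker in SENSITIVE_SEGMENT_MARKERS)
        ],
        "app_bundle": req.get("app", {}).get("bundle"),
    }


def classify(sig: dict) -> dict:
    """Combine signals into the adversary's answer: is this device linkable across
    requests, and does it look US-affiliated? No single field decides."""
    reasons = []
    if sig["us_carrier"] and sig["abroad"]:
        reasons.append("US carrier roaming abroad")
    if sig["sensitive_segments"]:
        reasons.append("broker segments: " + ", ".join(sig["sensitive_segments"]))

    if not sig["persistent_id"]:
        # Without a stable ID each request is a single point, not a trail.
        label = "not linkable (no persistent id)"
    elif sig["precise_geo"] and reasons:
        label = "US-affiliated, trackable"
    elif sig["precise_geo"]:
        label = "trackable, affiliation unknown"
    else:
        label = "linkable, coarse location only"
    return {"label": label, "reasons": reasons}


# Constructed sample mirroring the request shown above (not real traffic).
SAMPLE_REQUEST = json.loads("""{
  "id": "req-0001",
  "imp": [{"id": "1", "banner": {"w": 320, "h": 50}}],
  "app": {"bundle": "com.weather.Weather"},
  "device": {
    "ifa": "8f4b1c2e-2c3a-4d5e-6f7a-8b9c0d1e2f3a", "lmt": 0,
    "make": "Apple", "model": "iPhone 15", "os": "iOS", "carrier": "AT&T",
    "geo": {"lat": 29.0405, "lon": 48.1310, "type": 1, "accuracy": 12, "country": "KWT"},
    "ext": {"ifa_type": "idfa"}
  },
  "user": {"data": [{"id": "dmp-placeholder", "name": "audience_segment",
    "segment": [{"id": "us_carrier_roaming_mena"},
                {"id": "us_government_affiliated"},
                {"id": "frequent_traveler"}]}]},
  "tmax": 200
}""")


def with_tracking_disabled(req: dict) -> dict:
    """Same request after the user denies tracking: zeroed IFA and lmt = 1.
    Everything else, including lat/lon and carrier, is still in the request."""
    out = json.loads(json.dumps(req))  # deep copy
    out["device"]["ifa"] = NULL_IFA
    out["device"]["lmt"] = 1
    return out


if __name__ == "__main__":
    for name, req in (("as sent", SAMPLE_REQUEST),
                      ("tracking disabled", with_tracking_disabled(SAMPLE_REQUEST))):
        print(name, "->", classify(extract_signals(req)))
```

Run it to see both classifications. The point of the second one is that limiting ad tracking breaks cross-app linkage but does not stop the location leaving the phone; the geo and carrier fields are unchanged.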

3 · Real-world cases

Eight years of warnings.

Every event below was visible in commercial data. Every one was reported publicly. The policy response, across two administrations and three FTC chairs, has not been sufficient to close the channel.

  1. Jan 2018
    Strava global heatmap reveals military bases
    Strava publishes an opt-out global heatmap of fitness routes. Within days, OSINT analysts identify CIA black sites, US forward operating bases in Syria, and Russian patrol routes by their distinctive jogging-loop signatures. Nothing leaked was secret in isolation. The aggregation was the breach.
    Foreign Policy, Jan 28 2018
  2. Apr 2020
    Babel Street's Locate X tracks devices to specific buildings
    A Vice / TechCrunch investigation reveals Locate X: a tool that pinpoints individual phones based on commercial bidstream data, sold by subscription to government and corporate customers. No warrant required — the data is on the open market.
    Joseph Cox, Vice / Motherboard
  3. Jul 2021
    Catholic priest outed via Grindr-derived data
    A US Catholic Substack obtains commercially-available location data tied to Grindr usage and matches it to a senior priest's phone. He resigns. The data was bought off the open market: same supply chain that touches every consumer-facing app.
    Religion News Service, Jul 21 2021
  4. Dec 2024
    FTC v. Gravy Analytics settlement
    The FTC orders Gravy (and its Venntel subsidiary) to delete sensitive location histories and bans the sale of location data tied to military bases, places of worship, and reproductive health clinics. The order is narrow. Most of the broker market continues unchanged.
    FTC release, Dec 2024
  5. Jan 2025
    Gravy Analytics breach exposes service members
    Weeks after the FTC order, an attacker dumps 1.4 TB of Gravy / Unacast data publicly. Analyses of the leak show pattern-of-life traces for service members at Fort Bragg, JBLM, and US embassies overseas. The data was lawfully purchased commercial bidstream feeds; the breach just put it where everyone could see.
    404 Media, Jan 2025
  6. Mar 2026
    Iranian drone strike on Port Shuaiba
    Six US Army Reserve soldiers from the 103rd ESC are killed in a drone strike on a logistics operations center inside Port Shuaiba, Kuwait. The Army's preliminary memo (per CBS News) reports that Iranian intelligence appears to have tracked the transfer of US personnel to the smaller installation in the week prior. Adtech is one of several vectors through which that dispersal pattern would have been visible.
    CBS News, AP, WSJ, March 2026
4 · Who buys this data

The customer list isn't a secret.

A handful of brokers aggregate raw bidstream into searchable products. Their customer lists span commercial advertising, intelligence and law-enforcement buyers, and (through cutouts) anyone with the budget and a willingness to clear it through a shell company.

Brokers
  • Gravy / Venntel
    FTC settlement Dec 2024
  • Babel Street
    Locate X / Berber Hunter
  • X-Mode → Outlogic
    FTC settlement Jan 2024
  • Near Intelligence
    bankrupt 2023, data still circulates
  • Cuebiq, SafeGraph, Kochava, Predicio, Huq
    long tail of resellers
Anyone with budget
  • Foreign intelligence services
    via shell companies
  • Hedge funds
    foot traffic to retailers
  • Private investigators
    domestic surveillance
  • Journalists
    rare, but legal
5 · What FOOTPRINT does

Two surfaces. One privacy boundary.

FOOTPRINT measures what an adversary with bidstream access can already see about your unit, and gives you the levers to close it. The architecture is intentional: a commander dashboard that shows facility-aggregate exposure (no MAIDs, i.e. no mobile ad IDs, and no per-soldier rows), and a private personal audit that runs entirely on the soldier's device.

[Diagram, three panels. Adversary view (DEMO ONLY · NEVER SHIPPED): per-MAID, per-device, with full pattern of life; exists to demonstrate the threat is real, then deletes itself. | PRIVACY BOUNDARY | Commander / Site OPSEC (AGGREGATE ONLY · NO MAIDS · N<10 SUPPRESSED): top leaky apps, pattern signatures, takedown templates, unit guidance. Individual / Personal Audit (LOCAL ONLY · NO TELEMETRY · STAYS WITH YOU): your installed apps scored against the broker network; output never aggregates back.]
The adversary view is the threat demo. The two product surfaces sit on the safe side of the privacy boundary.

The harm-reduction principle here matters. If a commander's dashboard shows individual devices that are leaking, the predictable response is confiscation. Confiscation drives evasion (burners, second SIMs, lies on app submissions) and doesn't fix the underlying problem because the apps still leak from every other on-base device. Attacking the leakage at the source (apps, SDKs, broker contracts) actually reduces exposure. That's why the commander view is structurally aggregate-only.

6 · What you can do

Three layers, three sets of levers.

Individual
  • Reset your mobile ad ID
    Android: Settings → Google → Ads → Delete advertising ID (Android 12+; older versions offer Reset advertising ID). Do this monthly. iOS 14.5 and later has no reset button: the IDFA is all zeros for every app you have not explicitly allowed to track (next item).
  • Limit ad tracking
    iOS: Settings → Privacy & Security → Tracking, turn off 'Allow Apps to Request to Track'. Android: 'Delete advertising ID', or 'Opt out of Ads Personalization' on older versions. Either setting zeroes the identifier the bid request carries in device.ifa. The rest of the request, location included, still goes out, so this blunts cross-app linkage rather than the location leak itself.
  • Audit your app list
    Run the FOOTPRINT Personal Audit. Remove anything in the REMOVE tier. Sandbox the CONFIGURE tier.
  • Use airplane mode at sensitive times
    Or leave the phone behind. The bidstream has nothing to leak from a phone with no radio.
Unit / facility
  • Issue app guidance
    Push a removal/sandboxing list for known leaky apps. Make it part of pre-deployment briefings.
  • File broker takedown requests
    FOOTPRINT generates the templates for you. CCPA §1798.105, GDPR Art. 17, FTC v. Gravy precedent: the legal basis exists.
  • Stagger commute and shift schedules
    The synchronized arrival pattern is one of the loudest signals. Vary by ±15–30 min across cohorts.
  • Distribute lodging across multiple clusters
    A single hotel cluster is a single home_geohash. Three clusters dilute the signature substantially.
Policy
  • Fourth Amendment Is Not For Sale Act
    Bipartisan bill, would close the warrantless-purchase loophole for federal agencies. Has passed the House, stalled in the Senate.
  • FTC enforcement
    Existing actions against X-Mode, Gravy. Support broader rulemaking on location data sale.
  • DoD policy modernization
    Service-level OPSEC training has not caught up to the bidstream threat. Push for explicit guidance from the unit level upward.
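As an added example that is not FOOTPRINT's code, the following implements the commander-side rule from section 5 (aggregate only, no MAIDs, N<10 suppressed) together with the lodging-cluster signal from the unit levers above. Per-device observations go in; a per-facility report comes out with distinct-device counts per app, small cells suppressed, and a count of distinct home geohash cells instead of any device identifier. The geohash encoder is the standard algorithm; the record shape, the night-hours heuristic for "home", the precision-6 cell size, the facility label and the sample data are assumptions.

```python
# Added example (not FOOTPRINT code): facility-aggregate exposure report with
# small-cell suppression and a lodging-cluster count, never emitting a device ID.
# Geohash is the standard algorithm; thresholds, record shape and data are assumed.
from collections import defaultdict

BASE32 = "0123456789bcdefghjkmnpqrstuvwxyz"  # geohash alphabet (no a, i, l, o)
MIN_CELL = 10           # page's rule: cells with fewer than 10 devices are suppressed
HOME_PRECISION = 6      # assumption: ~1.2 km x 0.6 km cells, roughly one hotel cluster
NIGHT_HOURS = range(0, 5)  # assumption: observations in these local hours mark lodging


def geohash(lat: float, lon: float, precision: int) -> str:
    """Standard geohash: alternate longitude/latitude bisection bits, 5 bits per char."""
    lat_range = [-90.0, 90.0]
    lon_range = [-180.0, 180.0]
    chars, nbits, ch, even = [], 0, 0, True
    while len(chars) < precision:
        rng, val = (lon_range, lon) if even else (lat_range, lat)
        mid = (rng[0] + rng[1]) / 2
        ch <<= 1
        if val >= mid:
            ch |= 1
            rng[0] = mid
        else:
            rng[1] = mid
        even = not even
        nbits += 1
        if nbits == 5:
            chars.append(BASE32[ch])
            nbits, ch = 0, 0
    return "".join(chars)


def facility_report(observations, min_cell=MIN_CELL):
    """Aggregate per facility: distinct devices per app (suppressed below min_cell)
    and the number of distinct night-time geohash cells the cohort sleeps in.
    Device IDs are used only inside the sets; none appears in the output."""
    devices = defaultdict(set)
    app_devices = defaultdict(lambda: defaultdict(set))
    night_cells = defaultdict(lambda: defaultdict(int))  # ifa -> cell -> count
    for o in observations:
        fac, ifa = o["facility"], o["ifa"]
        devices[fac].add(ifa)
        app_devices[fac][o["bundle"]].add(ifa)
        if o["hour"] in NIGHT_HOURS:
            night_cells[ifa][geohash(o["lat"], o["lon"], HOME_PRECISION)] += 1
    report = {}
    for fac, devs in devices.items():
        apps = {}
        for bundle, ids in app_devices[fac].items():
            apps[bundle] = len(ids) if len(ids) >= min_cell else f"suppressed (<{min_cell})"
        homes = set()
        for d in devs:
            if d in night_cells:  # each device's most frequent night cell is its "home"
                homes.add(max(night_cells[d], key=night_cells[d].get))
        report[fac] = {"devices": len(devs), "apps": apps, "lodging_clusters": len(homes)}
    return report


def sample_observations(lodging, n_devices=12):
    """Constructed data: n_devices in one cohort, a weather app on all of them, a
    fitness app on four, each device seen at the site by day and at
    lodging[i % len(lodging)] by night. 'device-NN' stands in for a real IDFA/AAID."""
    site = (29.0405, 48.1310)  # coordinates from the request shown on this page
    obs = []
    for i in range(n_devices):
        ifa = f"device-{i:02d}"
        h_lat, h_lon = lodging[i % len(lodging)]
        obs.append({"ifa": ifa, "bundle": "com.weather.Weather", "facility": "Site A",
                    "lat": site[0], "lon": site[1], "hour": 9})
        if i < 4:
            obs.append({"ifa": ifa, "bundle": "com.example.fitness", "facility": "Site A",
                        "lat": site[0], "lon": site[1], "hour": 17})
        obs.append({"ifa": ifa, "bundle": "com.weather.Weather", "facility": "Site A",
                    "lat": h_lat, "lon": h_lon, "hour": 2})
    return obs


ONE_HOTEL = [(29.100, 48.100)]
THREE_HOTELS = [(29.100, 48.100), (29.120, 48.130), (29.080, 48.070)]

if __name__ == "__main__":
    print("one hotel   ->", facility_report(sample_observations(ONE_HOTEL)))
    print("three hotels->", facility_report(sample_observations(THREE_HOTELS)))
```

The two runs show the lodging lever directly: the same cohort reads as one home cell when everyone is in one hotel and as three when lodging is distributed, while the fitness app, installed on only four devices, is reported as suppressed rather than as a count that could be matched back to individuals.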
7 · Further reading

Sources for everything above.

Public reporting only. No leaked broker data was used to build FOOTPRINT or to write this page.

  • How the U.S. Military Buys Location Data from Ordinary Apps · Joseph Cox
    Vice / Motherboard
  • Babel Street's Locate X: tracking phones to specific buildings · Joseph Cox
    404 Media
  • Inside the Gravy Analytics Breach · 404 Media (multiple authors)
    404 Media, Jan 2025
  • Hackers Claim Massive Breach of Location Data Giant Gravy Analytics · Brian Krebs
    Krebs on Security, Jan 2025
  • In re Gravy Analytics, Inc.: Decision and Order · FTC
    Federal Trade Commission, Dec 2024
  • OpenRTB 2.6 specification · IAB Tech Lab
    iabtechlab.com
  • Analyses of the Gravy data leak · Atlas Privacy / Predicta Lab
    atlas.privacy / predicta-lab
  • Coverage of FTC v. X-Mode / Outlogic · Charlie Savage et al.
    New York Times, Jan 2024
  • Strava heatmap analysis (the original 2018 thread) · Foreign Policy / Nathan Ruser
    Foreign Policy, Jan 2018
  • The Port Shuaiba strike: imagery analysis · Kelly, Horton & Ley
    Washington Post, Mar 2026
  • Army memo on Iranian intelligence tracking of US personnel · LaPorta
    CBS News, Mar 2026
FOOTPRINT · pre-deployment adtech self-audit · educational primer