7 min read

Real-Time Bidding Leaks Your Location, Allows Profiling.

Real-Time Bidding Leaks Your Location, Allows Profiling.

You’re walking down the street, your phone in your pocket. What you don’t realize is that your location is being auctioned off to the highest bidder. Welcome to the world of Real-Time Bidding (RTB).

What is Real-Time Bidding? 

RTB is a digital advertising process where advertisers bid for ad space in the milliseconds it takes for a web page or app to load. But this isn't just about showing you ads—RTB often involves the exchange of detailed profiles built from your online and offline behavior, including your location.

The lists they build are often passed on to other spammers or scammers for targeted campaigns. And sometimes, they’re sold to data brokers who profit from your engagement.

20x the Risk

RTB doesn't just give your data to the advertiser who wins the bid. RTB gives your data to everyone who bids. That means on average 20 potential advertisers see your data for every ad you see. 

Your online activity and location is exposed 747 times every day by the RTB industry.  - ICCL / TechCrunch

How RTB Collects Your Data

Whenever you open an app or visit a website that supports ads, your data is sent to multiple advertisers in a fraction of a second. This data includes:

  • Location: Your precise GPS location, often accurate to within a few meters.
  • Device Information: Your phone’s make, model, and unique identifiers.
  • Browsing History: Websites you’ve visited, apps you’ve used, and more.

This data is used to create a profile of who you are, where you are, and what you’re likely to do next. The problem? These profiles are often sold, shared, or even leaked to various entities without your knowledge or consent.

Adversaries Can Buy Your Location Data

While RTB might seem like a harmless way to target ads, adversaries can exploit this data for more malicious purposes.

Well-funded bad actors can directly insert themselves into the ad-tech ecosystem.

Alternatively, they can simply purchase the data from others already collecting it. With thousands of data brokers available, at least one will likely have what a threat actor is looking for.

Collecting RTB data on an individual or organization might be difficult for a small-time adversary, but if you're a significant target with well-funded opponents, it's a risk you need to be aware of.
    • Stalking and Surveillance: By correlating location data over time, malicious actors can track your daily routines, learning where you live, work, and socialize.
    • Personalized Scams: Scammers can use your location data to craft highly personalized phishing attempts, making them more convincing.
    • Political Manipulation: During elections, your location data can be used to target you with tailored misinformation campaigns designed to influence your vote.

Who is Responsible?

The RTB ecosystem is vast, with many players involved—advertisers, data brokers, and ad networks. Unfortunately, the more entities that handle your data, the greater the risk of misuse.

We put the largest portion of the blame on organizations like Google and industry groups such as the Internet Advertising Bureau (IAB), who effectively set the standards for real-time bidding.

Our Recommendations to Reduce Risk

Take Precautions to Stop the Tracking

    • Location Sharing
      Turn off location services for apps that don’t absolutely need it. Avoid using apps that demand constant location access, especially those with a free-to-use model supported by ads.
    • Always Use a VPN
      A Virtual Private Network (VPN) can mask your IP address, making it harder for RTB networks to accurately pinpoint your location.
    • Review Ad Preferences
      Many platforms allow you to adjust your ad settings. Take the time to opt out of personalized ads and limit data sharing.
    • Use a Privacy-Focused Browser

Use a Privacy-Focused Browser

Consider using browsers like Brave or Firefox, which offer enhanced privacy features, including blocking third-party trackers.

Stop using the Chrome Browser. It's the only major browser that still allows invasive AdTech tracking by default. Chrome is increasingly hard to configure such that it does not track you. It now blocks many ad blockers intentionally. It's time to say goodbye.
Edge, based on Chrome, is moderately better, but still concerning. The default settings block trackers from sites you haven’t visited while still allowing tracking for personalized ads and some third party cookies. uBlock Origin-style ad blockers still work in Edge - for now.
We recommend Duck Duck Go Private Browser [Apple, Android] for mobile use and either Brave Browser or Mozilla's Firefox for desktop use.

Every Google Search feeds directly into the Real-Time Bid Stream. Great options exist that will make you happy and keep you safe. Sure, Google is easy and familiar, but everything is changing now with AI anyway. And do you really need all of those ads mixed in your results plus the hidden surveillance?

  • Avoid these Search Engines 🤢🤬
    • Google & Bing are both a part of the Real-Time Bid Stream
  • We recommend these Search Engines 🔥🔥
    • Startpage: It pulls search results from Google but loads them thru a proxy server to protect your identity. It doesn’t track or log any user information. Ads are contextual, not behavioral.
    • DuckDuckGo: Results from 400+ sources, including Bing, Wikipedia, and its own web crawlers. Lack some of Google's depth, but it's fast and accurate for most queries. Doesn’t track users, collect personal information, or store search history.

Is Searching via LLMs Actually Safer for Privacy?

The privacy policies of AI companies generally allow them to use your personal data and they will find a way to feed AdTech, if not already then eventually. Google has already accomplished this with its integration of AI directly into search results.

The use of chatbots without a live web connection offers more protection from the Real-Time Bidding (RTB) ad stream, as they aren’t directly transmitting data to advertisers in real-time. However, AI companies may still gather data on users to improve models or for other purposes. Open-source models running in a sandbox environment, fully offline, might be exceptions to this.

Commercial large language models (LLMs) like ChatGPT, Gemini, Perplexity, and CoPilot often have live components that could connect to AdTech systems. While they may not currently be serving ads from the RTB stream, this could potentially change as these systems evolve and advertising becomes more integrated with AI services.

Get Rid of Leaky Apps

Regularly review the apps on your device and uninstall any that collect excessive amounts of data or seem suspiciously invasive.

    • Avoid these Apps
      • Weather Apps: Many weather apps collect more data than they need, including your location, which they then sell to data brokers.
        • Avoid Apps like: 🤢🤬 The Weather Channel, AccuWeather, WeatherBug, Yahoo Weather, Weather Forecast, GO Weather
        • We like paid versions of weather apps that promised not to share your data. Nothing is completely safe, but if you need weather these are good choices:
          • 🔥 MyRadar Weather Radar (Paid Version)
            [Apple, Android]
            Strong tool. Even used by pilots.
          • 🔥 CARROT Weather (Paid Version)
            [Apple, Android]
            Awesome. Extensive features. Very customizable. But expensive.
      • Free-to-Play Games: These games often support themselves through ads and might be collecting your location data for RTB purposes.
      • Map Apps with Ads: Stick to trusted, ad-free navigation tools. Many map apps that display ads are deeply integrated with RTB networks.

Use an Anti-Tracking Apps

    • Exodus Privacy [Google Play]
      • Scans installed apps for permissions and embedded trackers. Helps identify apps that may be leaking location data
      • Functionality: Exodus scans your installed apps and provides a detailed report on the permissions they request, including location access. Reveals trackers embedded within apps, often responsible for location data leakage.
      • Usage: After install, Exodus will show which apps are accessing your location data, along with trackers collecting and sharing this info.
    • GlassWire [Google Play, Windows]
      • Monitors network activity and data usage on Android. Can help identify apps communicating with external servers
      • Usage: You can install GlassWire and review the traffic logs to identify unusual or frequent data transfers that might indicate location data leakage.
    • DuckDuckGo Private Browser [Google Play, Apple]
      • Blocks third-party trackers across apps to prevent location data leakage
      • Functionality: While primarily a privacy-focused web browser, DuckDuckGo’s mobile app also includes an "App Tracking Protection" feature.
      • Usage: You can enable App Tracking Protection to block trackers that might be trying to access your location data across your apps.
    • Lockdown Privacy [Apple]
      • Can prevent apps from sending location data to third parties
      • Functionality: Lockdown Privacy is a firewall app for iOS that blocks trackers and malicious connections at the system level.
      • Usage: After installation, you can activate the firewall to block location data trackers across your apps.

Be Location Safe

Check out our DIY guide to Location Data safety. Be Location Safe.

Our Final Thoughts and Advice

The RTB ecosystem is complex and often operates without your awareness.

By taking steps to limit your location data leakage, you can significantly reduce your risk of being profiled, tracked, or targeted by adversaries.

Small-time adversaries are unlikely to use RTB data against an individual. But if you are a big fish with well funded enemies, it is a risk you need to be aware of.

Turning off the spigot and stopping the leakage is crucial. Deleting the spill can be equally important if you are a large target, because location data brokers will have already harvested your past location data. We only know of one solution to that problem: wipe your location information from those third parties. ObscureIQ has a unique process called Location Purge. Reach out for more information.


Subscribe for weekly insights you won't find elsewhere. Not news. Not marketing. Just the juicy stuff we find as we research and operationalize the recovery of privacy for our clients.

What else are we thinking about? Private Search Engines.

Jeff's Interview with Startpage

Privacy in Action: Jeff Jockisch, Data Privacy Researcher