The conflict with Iran reframes the notion of “targeted ads” as something with real-world implications. As hostilities unfolded, the U.S. military pulled back from several bases and relocated personnel to hotels and civilian office spaces. A fresh examination in the Financial Times reveals the sophisticated methods by which Iran monitored these movements. In at least one location, Iraqi Kurdistan, the Iranian military is suspected of leveraging ad-tracking data to deduce which hotels were housing American troops.
“Any government with a reasonably capable cyber intelligence program is taking part in these [ad data] exchanges, because the data is such an exceptionally valuable resource,” Byron Tau, the author who exposed many of these practices, told Reason in 2024. At that time, it was already known that the U.S. government used ad data to circumvent the Fourth Amendment and track Americans without a warrant.
Now it appears that adversary governments have turned this instrument toward pursuing Americans. Iranian-backed militias struck several hotels in Iraqi Kurdistan with drones, and Iranian forces directly targeted the Crowne Plaza in Bahrain, injuring two Pentagon personnel. It remains unclear whether any of these assaults or other attacks on Americans were guided by ad-data analytics.
Ad-tracking is not the sole signals-intelligence method reportedly utilized by Iran. Much of the Financial Times report concentrates on Signalling System No. 7 (SS7), the international signaling framework used by telecoms to locate phones that roam beyond their home networks. An Iranian mobile operator circulated a sequence of SS7 “pings” to Arab nations, and Sen. Ron Wyden (D–Ore.) told the Times that Iran was known by the U.S. Department of Homeland Security to employ this technique to identify American devices.
And, of course, Tehran could still rely on less technologically advanced means, such as public posts on social media and old-fashioned informants. People across several Middle Eastern countries told me that there was a common understanding of which hotels U.S. troops were staying in. Arab states and Israel have detained many individuals accused of selling information to Iran.
Long before the war, mobile devices and other gadgets had become a notorious risk to the security of American troops. In 2017, while Strava’s global heatmap unintentionally exposed the locations of bases and even the exact routes soldiers ran, the Pentagon promptly prohibited fitness apps with geolocation from being used. By 2021, investigative outlet Bellingcat uncovered U.S. nuclear personnel studying on public flashcard apps, using that data to map U.S. nuclear weapons across Europe.
Nevertheless, other data streams can be even more insidious because users often share them without realizing it. Muslim Pro, a popular Islamic prayer clock app with a virtual compass pointing toward Mecca, was found to be selling user data to a broker until 2020, at which point it was revealed that the broker had been passing that data on to the U.S. military. Muslim Pro severed ties immediately after learning of the arrangement.
In many cases, data leaks occur during the process of selling advertisements. Apps participate in real-time bidding (RTB) exchanges to auction targeted ads, revealing a user’s location and other attributes. For example, when I watch a video about cameras, the RTB marketplace might propose reaching a 29-year-old American man in England who enjoys photography, along with other unique identifiers. Advertisers employ software known as a demand-side platform to automatically bid on these opportunities.
Even though many RTB exchanges prohibit using the auctions for non-advertising purposes, some data brokers ignore these rules. In the previous year, the Federal Trade Commission (FTC) sanctioned Mobilewalla for violating the terms of service on several RTB exchanges to harvest user data. Intriguingly, the settlement agreement contains a cryptic carve-out for location data “collected outside the United States and used for National Security purposes conducted by federal agencies.”
In response to a separate lawsuit from a customer alleging insufficient protection of user data, Google agreed this year to introduce a new option named RTB Control, which lets users constrain the information shared with ad auctions. This enhancement benefits not only those who dislike algorithms or who worry about government surveillance, but, as the recent conflict demonstrates, it could also bear on national security matters.