Weather Apps Turn Snitch — Guess Who Buys

The weather app on your phone almost certainly knows where you sleep, where you work, which clinic you visited last Tuesday, and which bar you stopped at on the way home — and there is a reasonable chance that information has already been sold to strangers you will never meet.

Key Points

  • Journalists obtained a dataset of 3.6 billion GPS points from millions of users and de-anonymized it within hours, tracing individuals to specific corners of specific buildings.
  • Popular everyday apps — weather, classifieds, flight-tracking — funnel precise location data to hundreds of advertising and data-broker companies, often without users’ meaningful knowledge.
  • The risks are not theoretical: Ukrainian soldiers’ positions, NSA facility visitors, and exiled dissidents all appeared in commercially available datasets accessible via simple purchase.
  • No federal law in the United States comprehensively regulates data brokers; even the EU’s GDPR has proven difficult to enforce against an opaque, fast-moving industry.

The Illusion of Anonymity

The data broker industry’s central promise — and its central deception — is anonymization. When a smartphone app transmits your location to an advertising network, the record that travels downstream carries a device identifier, not your name. The industry treats this substitution as a privacy safeguard. It is not. In late 2023, investigative journalists Ingo Dachwitz and Sebastian Meineck obtained a dataset from a Florida-based broker containing 3.6 billion GPS coordinates harvested from millions of smartphone users. Working with nothing more than the location records themselves, they re-identified individuals within hours by correlating the coordinates where a device spent nights — the home — with the coordinates where it spent weekday mornings — the workplace. The technique, known as de-anonymization through anchor-point correlation, is not exotic; it requires no hacking, no subpoena, no insider access. It requires only the data itself, which was commercially available.

The journalists demonstrated the method concretely with a subject they called Emma, device ID 86A5059B, an 18-year-old whose entire daily geography — school routes, social visits, late-night locations — reconstructed itself from the ostensibly anonymous record. The exercise makes a point that privacy researchers have made for years but that the advertising industry consistently minimizes: location data at sufficient granularity and duration is, for practical purposes, identity data. The Brennan Center for Justice puts it plainly — data brokers and their clients claim the data is anonymized, but it can often be reidentified when combined with other information. The DW investigation simply showed, in real time, how quickly “other information” reduces to almost nothing.

How the Pipeline Actually Works

Understanding why this problem is so durable requires understanding the mechanism. When you install a weather app and grant it location access, the app developer — a company whose core business is meteorology, not advertising — has nonetheless built a revenue model around that permission. The app integrates software development kits, SDKs, supplied by advertising technology companies. These SDKs, embedded invisibly in the app’s code, collect location data and transmit it to ad-tech platforms in real time, in exchange for a share of advertising revenue. The app developer may not even have a complete picture of where the data flows from there.

WetterOnline, a German weather service with 35 million users and a 27-year operating history, became a focal case in the DW investigation. North Rhine-Westphalia’s Data Protection Commissioner, Bettina Gayk, conducted an unannounced inspection in spring 2025 and found active data pipelines transmitting precise user locations to Amazon and Google — directly contradicting the company’s prior assurances to regulators that location data was not shared for advertising purposes. WetterOnline is not a rogue actor; it is a legitimate, registered German company. That is precisely the point. The data-sharing architecture is so normalized, so deeply embedded in the economics of free apps, that even companies operating in one of the world’s most stringent regulatory environments do it — and sometimes do it without their own compliance teams fully grasping the extent.

When Location Data Becomes a Weapon

The abstract privacy violation becomes concrete when you trace the data to its buyers. The DW investigation documented three categories of harm that move well beyond targeted advertising.

The national security dimension is perhaps the most alarming. The dataset contained movement records for personnel associated with the NSA and BND joint facility at Bad Aibling in Bavaria — a highly sensitive signals intelligence installation. A high-ranking individual’s routine travel between Bad Aibling, diplomatic sites, and residential addresses was fully reconstructed from commercially purchased data. Former U.S. National Security Advisor John Bolton, speaking to the investigation, described what intelligence analysts call “pattern of life” analysis: mapping a target’s habitual movements to identify vulnerabilities for surveillance, kidnapping, or assassination. The same dataset contained location records for thousands of German and American military personnel stationed in Germany. Ukrainian soldiers Dmytro and Svyat, interviewed at the front in Zaporizhzhia, identified their own brigade’s command post coordinates within the data — and connected a subsequent missile strike on that position to the possibility that Russian forces had accessed commercially available location intelligence. The causal link cannot be proven definitively, but the exposure itself is documented fact.

The threat to dissidents and vulnerable individuals is equally concrete. Basma Mostafa, an Egyptian journalist living in exile in Berlin after imprisonment and torture in Egypt, described movement patterns in the dataset that matched her daily life with disturbing precision. Intelligence experts consulted by the investigation considered it operationally plausible that foreign security services — including Egyptian intelligence — purchase location data from commercial brokers to monitor exiles abroad. In the United States, journalist Byron Tau documented how Babel Street’s LocateX software uses broker-sourced location data to identify devices that visited abortion clinics — data that, in states with criminal abortion statutes following the Dobbs decision, could expose patients and providers to legal jeopardy. The Electronic Privacy Information Center has noted that data brokers threaten national security specifically by compiling and selling profiles of military personnel and government officials, a concern that the Bad Aibling case illustrates with uncomfortable specificity.

What Individuals Can Actually Do

The honest answer is: less than the privacy industry’s marketing suggests, but more than nothing. Revoking location permissions for apps that have no operational need for them — a weather app can function on a manually entered zip code; a classifieds platform has no need for continuous GPS tracking — removes the primary data collection vector. On iOS, Apple’s App Tracking Transparency framework, introduced in 2021, requires apps to request explicit opt-in consent before tracking users across third-party apps and websites; enabling this and denying tracking requests meaningfully reduces the data that flows to ad-tech SDKs. Android offers similar controls under its privacy dashboard. Neither approach eliminates exposure entirely, because some data collection occurs at the network and operating system level, but both reduce the volume of data available for broker aggregation.

The more durable solution is structural, not behavioral. Individual consent frameworks — the “notice and choice” model that underlies most current privacy regulation — are inadequate to the scale and opacity of the data broker ecosystem. They place the burden of protection on the person least equipped to exercise it, against an industry whose entire business model depends on that person not exercising it. The American Data Privacy and Protection Act, which would require data brokers to register with the FTC, give individuals the right to demand deletion of their data, and restrict the collection of sensitive location information to strictly necessary purposes, has not yet passed. The Brennan Center and EPIC have both documented the legislative path to closing the broker loophole; the political will to walk it remains the binding constraint.

The Stakes Beyond Personal Privacy

It is tempting to frame the data broker problem as a consumer issue — an inconvenience for people who dislike targeted advertising. The DW investigation, and the broader body of evidence it fits into, argues for a different framing. When commercially available location data can expose a soldier’s position to an adversary, track a dissident for a foreign intelligence service, enable a cartel to identify and kill a law enforcement agent’s contacts, or allow a government to conduct mass surveillance without judicial oversight, the problem has moved decisively beyond the domain of consumer protection. It sits at the intersection of national security, civil liberties, and the basic question of whether democratic societies can maintain any meaningful boundary between public and private life.

The data exists. It is precise, it is abundant, and it is for sale. The industry that produces it is profitable, technically sophisticated, and structurally resistant to the kinds of transparency that regulation requires. The journalists who obtained 3.6 billion GPS points from a Florida broker did so through ordinary commercial channels — no special access, no legal process. That accessibility is the measure of the problem’s severity, and it is the reason that the answer, if one comes, will have to be legislative rather than technological.

Sources:

dw.com, x.com, leadiq.com, policyreview.info, stratcomcoe.org