The FBI Is Buying Your Location Data Without a Warrant — What You Can Do

In March 2026, FBI Director Kash Patel confirmed under oath what privacy advocates had warned about for years: the FBI purchases commercial location data to track Americans' movements without a warrant. The tool of choice is Babel Street's Locate X platform, funded through a $27 million contract providing roughly 5,000 licenses across federal agencies. Your phone's GPS data flows from everyday apps through advertising exchanges to government databases — and there's currently no law stopping it.

What Happened in March 2026

During a Senate Judiciary Committee hearing on March 12, 2026, FBI Director Kash Patel was asked directly whether the FBI purchases commercially available location data to track Americans. His answer was unequivocal: yes. Patel stated that the FBI uses "commercially available tools" including location data purchased through third-party vendors, and that this practice does not require a warrant because the data is bought from commercial companies rather than intercepted through traditional surveillance.

This confirmation wasn't entirely new. Investigative journalists and civil liberties organizations had documented the practice since at least 2020. But Patel's testimony was the first time an FBI director explicitly acknowledged it under oath, making it impossible to dismiss as speculation.

The legal reasoning is straightforward and, according to privacy advocates, deeply flawed: the Fourth Amendment protects against unreasonable government searches and seizures. When the government buys data on the commercial market, it argues this is neither a search nor a seizure — it's a purchase. The same location data that would require a warrant to obtain from your phone carrier can be purchased from a data broker with nothing more than a government credit card.

What Is Babel Street's Locate X?

Locate X is a geolocation intelligence platform developed by Babel Street, a government contracting firm headquartered in Reston, Virginia. It's the primary tool federal agencies use to access commercial location data, and understanding how it works reveals the scale of the surveillance infrastructure.

Locate X works by aggregating GPS coordinates collected from mobile advertising exchanges. When you open an app that shows ads, your phone broadcasts its precise location — often accurate to within a few meters — along with a unique advertising identifier. This data is sent to ad exchanges during a process called real-time bidding (RTB), where advertisers compete to show you targeted ads. Locate X intercepts this data stream and compiles it into a searchable database.

Government analysts using Locate X can draw a geographic boundary — a geofence — around any location on a map and see every mobile device that entered that area during a specified time period. They can then select an individual device and trace its complete movement history: where it went, when, how long it stayed, and what routes it took. This effectively creates a detailed surveillance record of a person's daily life without ever obtaining a warrant, serving a subpoena, or notifying the target.

How Your Phone Feeds the Pipeline

Understanding the data supply chain explains why this affects nearly every smartphone user, not just people who are under investigation.

1. You install an app and grant it location access — weather, navigation, food delivery, fitness tracking, games, or any app that requests GPS permissions.
2. The app sends your location to ad networks. Each time an ad loads, your phone's GPS coordinates and advertising ID are broadcast to advertising exchanges in a real-time bidding request. This happens hundreds of times per day for most people.
3. Data aggregators collect the bid stream. Companies like Babel Street, Venntel (a Babel Street subsidiary), Gravy Analytics, and Near Intelligence scrape advertising exchange data to build massive location databases. Gravy Analytics alone claimed to collect over 17 billion location signals per day before its 2025 data breach.
4. Government agencies buy access. Through contracts with companies like Babel Street, federal agencies get access to these databases without ever interfacing with the original app developer, the advertising exchange, or the consumer.

The key insight is that the data broker industry doesn't just sell your information to marketers and background check companies. The same pipelines that feed people-search sites and targeted advertising also feed government surveillance tools. Location data is one category, but the broader data broker ecosystem trades in phone numbers, email addresses, home addresses, social connections, purchase history, and browsing behavior — all of which can be and have been purchased by government agencies.

The Gravy Analytics Breach: A Warning

In January 2025, Gravy Analytics — one of the largest location data brokers in the world — suffered a massive data breach. Hackers accessed databases containing precise location data for billions of data points linked to popular apps including Candy Crush, Tinder, MyFitnessPal, Grindr, Flightradar24, and hundreds of others. The breach exposed not just the scale of commercial location tracking, but the specific apps that were feeding data into broker pipelines without most users' knowledge.

The Gravy Analytics breach demonstrated several alarming realities. Many app developers didn't even know their apps were contributing location data to Gravy — the data was collected through embedded advertising SDKs (software development kits) that app developers included to monetize their apps with ads. The advertising SDK would silently harvest location data and send it to data aggregators as part of the bid-stream process. This means that even privacy-conscious app developers may not have fully understood what data their apps were leaking.

For individual users, the breach proved that sensitive location visits — including religious sites, healthcare facilities, political rallies, and private residences — were being collected and stored by commercial companies with inadequate security protections. Data that the FBI could purchase for surveillance purposes was simultaneously accessible to hackers.

The Government Surveillance Reform Act

The bipartisan Government Surveillance Reform Act (GSRA), introduced by Senator Ron Wyden (D-OR) and Senator Mike Lee (R-UT), directly targets the warrantless data purchase loophole. The bill would:

• Require a warrant for federal agencies to purchase or access commercially available location data, web browsing data, search history, and other sensitive personal information.
• Close the data broker loophole by treating purchased data the same as data obtained through surveillance for Fourth Amendment purposes.
• Apply to all federal agencies, including the FBI, ICE, CBP, IRS, DEA, and military intelligence.
• Allow exceptions for genuine emergencies involving imminent threat to life, with mandatory judicial review within 72 hours.
• Create enforcement mechanisms including suppression of evidence obtained in violation of the act.

As of May 2026, the GSRA has bipartisan support in both chambers but has not yet been brought to a floor vote. Similar legislation — the Fourth Amendment Is Not For Sale Act — was introduced in previous congressional sessions but never passed. Privacy advocates are cautiously optimistic about the GSRA's prospects given the bipartisan sponsorship and the heightened public awareness following Patel's testimony.

However, even if the GSRA passes, it would only restrict federal agencies. State and local law enforcement agencies, which also purchase commercial location data, would not be covered unless states pass their own legislation. And the underlying data collection infrastructure — the apps, the advertising exchanges, the data brokers — would continue operating.

What You Can Do Right Now

You can't control whether Congress passes the GSRA. But you can dramatically reduce the amount of location data your phone generates and shares with the commercial data pipeline. Here's how.

1. Audit your app location permissions. On iPhone: Settings > Privacy & Security > Location Services. On Android: Settings > Location > App location permissions. Review every app that has location access. Change "Always" permissions to "While Using the App" or "Never." Most apps don't genuinely need your location. Weather apps can use a manually entered zip code. News apps don't need GPS at all.
2. Reset your advertising identifier. This is the unique ID that ties your location data to your device across apps. On iPhone: Settings > Privacy & Security > Tracking > toggle off "Allow Apps to Request to Track." On Android: Settings > Privacy > Ads > "Delete advertising ID." Resetting this ID breaks the historical connection between your past location data and future data.
3. Disable location services for apps that don't need them. Be aggressive. Social media apps, games, shopping apps, news apps — most of these function perfectly without GPS access. Only keep location enabled for navigation, rideshare, and weather (and even weather can work without it).
4. Turn off Wi-Fi and Bluetooth scanning. Both Android and iOS use Wi-Fi and Bluetooth signals to determine your location even when GPS is disabled. On Android: Settings > Location > Wi-Fi scanning and Bluetooth scanning > toggle both off. On iPhone, Wi-Fi scanning for location is more limited but disabling Wi-Fi when not actively using it helps.
5. Use a VPN. A VPN masks your IP address, which is another data point that location data brokers use to approximate your location. It won't prevent GPS-based tracking, but it removes one vector from the data pipeline.
6. Delete apps you don't use. Every app on your phone is a potential location data source. If you haven't opened an app in 30 days, delete it. You can always reinstall it later. While it sits on your phone, it may be silently transmitting location data through background processes and advertising SDKs.

The Bigger Legal Picture

The Supreme Court's 2018 decision in Carpenter v. United States ruled that the government needs a warrant to access cell-site location information (CSLI) from phone carriers. The Court recognized that location data reveals "the privacies of life" and that people have a reasonable expectation of privacy in their physical movements. But the Carpenter ruling specifically addressed carrier-held data — not commercially purchased data from third-party brokers.

This gap is the loophole that federal agencies exploit. The government argues that data sold on the commercial market is fundamentally different from data held by a phone carrier, because the user "voluntarily" shared their location with apps. Privacy advocates counter that no reasonable person understands that granting a weather app location access means their GPS coordinates will end up in an FBI surveillance database.

Several federal courts have issued conflicting rulings on whether commercially purchased location data requires a warrant. The issue will likely reach the Supreme Court eventually, but that could take years. In the meantime, the GSRA represents the legislative path to closing the loophole.

What This Means for You

You don't have to be under investigation for this to matter. The FBI's use of Locate X has included geofencing protests, tracking visitors to sensitive locations, and building movement profiles of people who were never charged with a crime. The infrastructure exists to track anyone with a smartphone, and the legal barriers to using it are currently nonexistent.

The practical response is reducing your data footprint. Audit your app permissions, reset your advertising ID, disable location services where they aren't needed, and address the broader data broker ecosystem that trades in your personal information. None of these steps require technical expertise. All of them meaningfully reduce the amount of your data flowing into commercial surveillance tools.

Frequently Asked Questions

Does the FBI really buy location data without a warrant?

Yes. FBI Director Kash Patel confirmed under oath in March 2026 that the FBI purchases commercial location data. The primary tool is Babel Street's Locate X platform, accessed through a $27 million contract providing approximately 5,000 user licenses across federal agencies. Because the data is purchased from commercial brokers rather than obtained through surveillance, the government argues that no warrant is required under current law.

What is Babel Street's Locate X?

Locate X is a geolocation intelligence platform sold by Babel Street, a government contractor based in Reston, Virginia. It aggregates location data from mobile advertising exchanges, which collect GPS coordinates from apps on your phone. Locate X allows government analysts to draw a geographic boundary (geofence) on a map and see every mobile device that has been in that area during a specified time period. It can track individual devices over time to build detailed movement histories.

How does my phone's location data end up with the FBI?

When you grant an app location permissions, many apps share that data with advertising networks through a process called real-time bidding. Your phone's GPS coordinates, along with a unique advertising identifier, are broadcast to ad exchanges every time an ad loads. Data aggregators like Babel Street, Venntel, and Gravy Analytics collect these bid-stream signals and compile them into databases that track billions of data points daily. Government agencies then purchase access to these databases.

Would the Government Surveillance Reform Act stop this?

The bipartisan Government Surveillance Reform Act, introduced by Senators Ron Wyden and Mike Lee, would require federal agencies to obtain a warrant before purchasing or accessing commercially available location data, web browsing history, and other sensitive personal information. If passed, it would close the legal loophole that currently allows warrantless data purchases. As of May 2026, the bill has bipartisan support but has not yet passed either chamber of Congress.

Can I completely prevent my location data from being collected?

You can dramatically reduce the amount of location data collected, but completely preventing it is extremely difficult. Disabling location services, resetting your advertising ID, auditing app permissions, and using a VPN will eliminate most commercial location data collection. However, cell towers still triangulate your approximate location when your phone is connected to a network, and your carrier retains that data. The goal is to cut off the commercial pipeline — the advertising exchanges and data brokers — that sell your data to government agencies.