The Hidden Market for Your Personal Data: How Data Brokers Sell Location Data

By Clyde Williamson
Apr 16, 2026

Summary

  • Your personal data is already being sold in a legal shadow market:
    The post draws a line from Russia’s underground probiv economy to the United States’ commercial data broker ecosystem, arguing that Americans’ location and behavioral data can be bought by government agencies, foreign actors, and criminals without warrants or meaningful consent.

  • The real issue is not just surveillance, but the absence of meaningful control:
    Through Sarah’s story, the piece shows how everyday app permissions and ad-tech auctions can turn private life into a product, while weak U.S. protections leave ordinary people with few realistic ways to stop the collection, resale, and misuse of their most sensitive information.

A police detective in Moscow needed to find someone, but official channels required paperwork. It needed to be stamped, logged, and audited, and he would need to fill out the right forms, which might be lost in the bureaucracy for weeks. Who has time for that?

Instead of that headache, the detective opened his phone. He found the right channel in Telegram, and an hour and $10 USD later, he had his target’s details, courtesy of a traffic police clerk in Chertanovo, who had been supplementing his salary between shifts. It was faster, more accurate, and didn’t require paperwork.

Welcome to the Russian world of probiv: a shadow information economy where underpaid civil servants could monetize whatever data they had access to. A customer could obtain everything from passport scans to medical diagnoses. Bellingcat journalists used the probiv market to pull passenger manifests and phone records that eventually identified FSB agents responsible for the poisoning of Alexei Navalny.

A BBC correspondent purchased his own phone records and those of a family member for less than €110.

The buyers were everyone you would suspect. Jealous spouses, stalkers, organized crime, corporate spies obviously, and the police. Russian security services, and even the FSB, were regular customers. It’s not like this was some big secret. In an authoritarian regime, having a shadow surveillance market is a boon. You can track dissidents and opposition leaders without the inconvenience of an embarrassing paper trail, should it ever leak.

Then Russia invaded Ukraine. The GUR, Ukraine’s intelligence arm, realized that not only could the probiv market track Russian dissidents and benefit the Russian system, but it also worked just fine in reverse. Reports began surfacing of Russian military figures being identified, located, and targeted using data sourced through the very market the Russian state had spent years tacitly accepting.

The police detective, the western reporter, the FSB agent, and the Ukrainian intelligence officer were all shopping at the same store; they simply had different shopping carts and different plans for dinner. The market didn’t care about customers’ intentions. It just cared how much they were willing to pay.

Of course, this sort of story is just what we westerners expect to hear coming out of Russia. It fits with all the classic tropes. Corruption, incompetence, lack of privacy, lack of oversight, the kind of stuff that happens in places that aren’t America.

Unless you happened to be paying attention to a US Senate hearing on March 18th, 2026.

Kash Patel, Director of the FBI, was asked a simple question by Senator Ron Wyden (Oregon). Would the FBI commit to not buying American location data from commercial information brokers? Director Patel stated, “We do purchase commercially available information that is consistent with the Constitution and the laws under the Electronic Communications Privacy Act, and it has led to some valuable intelligence for us.”

That is, the FBI told the Senate that they don’t need a judge or a warrant. They don’t need a FISA order, and they don’t need a court order; they just need a purchase order.

Defense Intelligence Agency Director James Adams was present. His response wasn’t any better, nor was ICE’s. The practice of punching through the bureaucracy with some cash is widespread throughout US federal agencies.

Senator Tom Cotton (Arkansas), chair of the committee, came to the defense of the feds. If anyone can buy this data commercially, he said, then the FBI buying it is no different from a police officer going through your trash once you’ve left it at the curb. You put it out there. You no longer own it.

Taken on its own, one might think that’s perhaps a reasonable argument. It isn’t a reasonable argument though; it’s a false equivalence.

Meet Sarah, a 34-year-old marketing manager from Columbus, Ohio. She has never knowingly shared her location data with a data broker, a government agency or anyone else she didn’t explicitly choose. She certainly didn’t put her location data in a trash bag on the curb. She is careful about her privacy, or at least, she tries hard to be.

Sarah has a weather app on her phone, which she downloaded three years ago because it had a nice live radar feature. When she installed it, she absentmindedly tapped “Allow” on a permissions screen while she was making coffee. That app has been recording Sarah’s precise GPS location and selling it, along with data from millions of other users, into something called a real-time bidding auction.

Every time Sarah opens a webpage or an app that serves ads, an automated auction happens in milliseconds. Publishers broadcast a signal that includes Sarah’s device ID, her location at that moment, her browsing history, and dozens of other data points to thousands of companies simultaneously. Advertisers bid on that signal to show her a targeted ad. But the signal itself, containing Sarah’s location, gets received by every company in that auction, whether they win the bid or not. Surveillance firms sit in those auctions specifically to harvest that location data, package it up, and sell it to brokers. So, no, it’s not exactly the public trash heap.
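To make that broadcast concrete, here is an added example (not part of the original post): a constructed bid request using OpenRTB 2.x field names, a check for the fields that identify or precisely locate one person, and a minimizer a publisher-side filter could apply before the request leaves. The sample values, the function names and the one-decimal (roughly 11 km) precision threshold are assumptions made for illustration.

```python
import copy
import ipaddress

# Constructed sample: field names follow OpenRTB 2.x, every value is made up.
SAMPLE_BID_REQUEST = {
    "id": "req-0001",
    "app": {"bundle": "com.example.weather"},
    "device": {
        "ifa": "00000000-aaaa-bbbb-cccc-000000000001",  # advertising ID
        "ip": "203.0.113.57",
        "geo": {"lat": 39.961176, "lon": -82.998794, "zip": "43215"},
    },
    "user": {"id": "u-123", "buyeruid": "b-456"},
}

DIRECT_IDS = [("device", "ifa"), ("user", "id"), ("user", "buyeruid")]

def exposure(req):
    """Fields that let any bidder, winner or not, follow one person."""
    found = [f"{o}.{k}" for o, k in DIRECT_IDS if k in req.get(o, {})]
    dev = req.get("device", {})
    # A full host address counts; a /24 network address does not.
    if "ip" in dev and ipaddress.ip_address(dev["ip"]).packed[-1] != 0:
        found.append("device.ip")
    geo = dev.get("geo", {})
    # Assumed threshold: finer than one decimal place (~11 km) is precise.
    if any(k in geo and round(geo[k], 1) != geo[k] for k in ("lat", "lon")):
        found.append("device.geo")
    return found

def minimize(req, decimals=1):
    """Return a copy with identifiers dropped and location coarsened."""
    out = copy.deepcopy(req)
    dev, user = out.setdefault("device", {}), out.setdefault("user", {})
    for obj, key in ((dev, "ifa"), (dev, "ipv6"), (user, "id"), (user, "buyeruid")):
        obj.pop(key, None)
    if "ip" in dev:  # keep only the /24 network the address belongs to
        net = ipaddress.ip_network(dev["ip"] + "/24", strict=False)
        dev["ip"] = str(net.network_address)
    geo = dev.get("geo", {})
    for key in ("lat", "lon"):
        if key in geo:
            geo[key] = round(geo[key], decimals)
    for key in ("zip", "accuracy"):
        geo.pop(key, None)
    return out

if __name__ == "__main__":
    print("before:", exposure(SAMPLE_BID_REQUEST))
    print("after: ", exposure(minimize(SAMPLE_BID_REQUEST)))
```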

Taken together, Sarah is now a product on the shelf, ready to be bought and sold to everyone. It includes the location of the medical specialist she saw last week. It has a record of her church address and each time she attended. Then there was the protest location that was for or against something (you can fill this bit in based on the political cause you favor, dear reader) and the divorce attorney’s office she was at yesterday.

As Senator Cotton correctly notes, it’s all commercially available. The FBI can buy it. ICE can buy it. A foreign government’s intelligence service can buy it. Then of course, there’s the fraud ring that sent Sarah’s elderly mother a terrifying phone call about a family emergency. Remember the kind of social engineering I wrote about last November? Well, they’re shopping there too.

Same store. Same data. Same Sarah. Same product.

The Russian cop on Telegram paid $10 and used a corrupt clerk. It was a story about foreign corruption, far away from the land of the free. As usual, the American version costs more, is less efficient, and completely legal. For Sarah though, is there really any difference?

In Russia, there was basically nothing Sarah could have done. Here in the good old US of A though, well, Sarah has options, right?

There are, at minimum, 750 registered data brokers operating in the United States. That number comes from Privacy Rights Clearinghouse, which spent 2025 cross-referencing every state registry it could find. The actual number of companies that are aggregating and selling personal data is certainly higher, and there aren’t any federal requirements to register, to disclose, or to exercise due care when handling massive amounts of citizens’ private data. It’s an estimated $200 billion industry. That’s bigger than the NFL, the music industry and Hollywood combined. It’s an industry built on data that people like Sarah never consciously chose to share, or to leave in storage for someone to review later. These aren’t fringe operations, either. They count Chase Bank, Unilever, and the federal government among their customers.

So then, back to our question, what are Sarah’s options? She could opt out. She could contact all 750 data brokers, figure out what their individual process is, which forms they require, what the terms are, and what timelines they’ve set for themselves. But, even if Sarah takes all the time and effort to opt out, she still has that weather app. Every time she opens it, it’s a brand-new auction, with brand new collections of her personal data. So, unless she is opting out weekly, all that effort will be for naught.

Even then, those brokers have been selling her information to people and organizations that she will never be able to identify. California’s state registry recently revealed that 33 registered data brokers reported selling Californians’ data to entities in North Korea, China, Russia, and Iran in 2025. Not hackers. Not criminals breaking into systems, not shadowy Chinese ByteDance execs with TikTok algorithms. Registered, legal American businesses, selling American citizens’ precise location data to US foreign adversaries, through entirely lawful commercial transactions. The new Bulk Data Rule enacted last year, written to address this, doesn’t appear to have staunched the flow, and it doesn’t address intermediary transactions.

Your personal data, regarding some of the most private parts of your life, is not yours. It’s collected without your knowledge, it’s sold without your consent, and it’s available to anyone with the cash to buy it. The buyers include criminals, foreign governments, and US government agencies who, likely, could never get a judge to sign off on an invasive warrant targeting a law-abiding American citizen like Sarah.

There is no federal law that says this must stop. There are 20 states with some form of privacy legislation. There is a bipartisan Senate bill called the Government Surveillance Reform Act, introduced by Wyden and Lee in March, which would close the warrant loophole for government purchases.

Sarah would have some protection if she lived in Europe, thanks to GDPR. But let’s go one step further, what rights would Sarah have over her personal data in China?

The Personal Information Protection Law (PIPL) is China’s version of GDPR. The whole law is available in English online. It’s in a clear and easily digested format, and it doesn’t use complicated terms. Companies must have a lawful reason to collect personal data. They must clearly state that purpose, in its entirety. They can collect only what is necessary and must delete it as soon as the purpose is fulfilled. Chinese citizens can access their data, correct their data, delete it and/or restrict access to it. Any use of it requires informed, specific and voluntary consent. China’s regulators, armed with this law and serious fines (up to 5% of annual revenue), spent most of last year targeting mobile apps, software development kits, terminals etc. for enforcement. They were shutting down the kind of pipeline that Sarah is trapped in, in the US.

Of course, I’m not saying that China is some privacy paradise, or a bastion of personal rights. The Chinese state uses levels of surveillance that make Kash Patel’s commercial purchase of PII seem more Inspector Gadget than 007. Their Great Firewall, social credit system and mass collection of biometric data are completely unconstrained by this law. It doesn’t apply to the State, as the law only constrains companies.

Still, that is no small thing. Chinese companies cannot legally do to their citizens what American data brokers are doing to all of us, every day…tens, hundreds, thousands… billions of times a day.

The RTB auction that’s selling “Sarah the Product” would need to have a lawful basis and would have to get Sarah’s explicit permission. The auction would need to inform her who saw the data she chose to allow, who bid on it and who won. Aggregation of that RTB auction with her past location history, the medical visit, the church attendance, the political protest, none of that could be correlated without explicit consent.

Sarah lives in a country that helped birth home computers and the modern internet. For 30 years, we in the US have been arguing that government regulation of data is a threat, and “information wants to be free”. That perspective has given rise to a $200 billion industry built on unauthorized commercial exploitation of Americans’ most private data. Twenty states’ worth of local privacy legislation hasn’t stemmed the tidal wave of brokers selling Sarah’s location to businesses, foreign adversaries and our own government sans any judicial oversight.

The detective in Moscow paid $10 and skipped the paperwork. Kash Patel’s FBI submits an expense report and calls it commercially available intelligence. The Chinese app developer who wants to harvest Beijing residents’ location must explicitly ask permission.

Sarah just wanted to know when it was going to rain.