Senator Wyden Just Called Adtech a 'National Security Threat' — Here's the Architecture Question Every App on Your Phone Now Has to Answer

On May 28, the U.S. Department of Defense confirmed to Senator Ron Wyden that hostile actors are using commercial location data — the same kind of data brokers buy from the apps on regular consumer phones — to track and target U.S. servicemembers in theater. In a letter to Wyden's office, U.S. Central Command put it directly: "USCENTCOM has received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil US personnel in theater."

Wyden's response, per TechCrunch: it is time to "start treating the adtech industry as a national security threat."

This piece is not about the geopolitics. The story that breaks today and the story that affects you tomorrow are the same story, and the lesson lives one layer down — in the architecture of the consumer apps that sit at the top of the data-broker pipeline.

How the pipeline actually works

The chain is depressingly mundane:

1. A consumer installs an app — a game, a flashlight, a weather widget, a security-camera utility.
2. The app embeds an ad SDK or an analytics SDK. The SDK collects coarse and fine location, device identifiers, network metadata, sometimes more.
3. The SDK ships that data to an ad exchange or analytics vendor. Some of it ends up with a data broker.
4. The data broker resells the dataset to whoever can pay — marketers, hedge funds, governments, and, per CENTCOM's letter, hostile foreign actors.

There is no breach here. Nothing was hacked. Every step in this chain is legal-by-default and consensual-by-fiction (the user "agreed" via a 4-line privacy popup). That is what makes the architecture so dangerous: it works as designed.

When the Pentagon and a sitting U.S. senator both describe the consumer adtech stack as a battlefield surveillance tool, the takeaway for any developer or privacy-conscious user is not "we need better regulation later." The takeaway is: the only reliable defense against data being weaponized is data that was never collected in the first place.

The three questions every app on your phone now has to answer

When you read the CENTCOM letter against the FTC's recent Kochava settlement — which targeted precisely the same precise-location-data resale model — three questions emerge as load-bearing for any app that sits on a consumer device:

1. Does the app phone home with data that doesn't need to leave the device?

Most apps that nominally "process" your camera, microphone, or location data could, in principle, do that processing locally. They don't, because the cloud-by-default architecture lets the operator monetize the data on the back end. If an app's marketing copy emphasizes "cloud storage" or "always-on access from anywhere," that is also a description of an open pipeline to a data-broker desk.

2. Does the app need an account, an SDK suite, and a network connection to do its primary job?

The number of dependencies between "I opened the app" and "I see the feature I wanted" is roughly proportional to the number of third parties learning that you opened it. An app that requires sign-in, a remote analytics handshake, and a cloud round-trip is, by construction, an adtech endpoint, regardless of what its icon says.

3. If a regulator subpoenaed the operator tomorrow, what could they hand over?

This is the most useful test. Because the operator can only hand over what the operator stores, the answer to this question is also the answer to "what could a data broker resell, what could a state actor purchase, what could a hostile party correlate against you."

If the architectural answer is "nothing — we hold nothing on our servers because the feature runs on-device" — there is no pipeline. For a walkthrough of how to actually audit a camera app this way — file by file — see How to Read an Android Camera App's Architecture Like a Texas Regulator.

What this looks like in practice for a camera app

I write Background Camera RemoteStream, an Android app that turns an old phone into a privacy-first camera and live-streaming endpoint. The architectural choices map directly onto the three questions above:

• No cloud, by design. All recordings are stored locally on the device. The app's servers do not see a single frame of footage, and there is no "cloud backup" path that could route video to a data broker — because there are no servers in that path to begin with.
• No account, no analytics SDK, no tracking. The app does not require a sign-up. There is no third-party analytics SDK collecting device identifiers or fingerprinting the install. There is nothing to subpoena, and nothing to resell.
• YouTube Live is opt-in and direct. When a user chooses to live-stream, the stream goes directly from the device to YouTube's RTMP endpoint, with no intermediary. The app's developer never sees the stream and never holds the credentials beyond local storage.
• Screen-off recording stays on-device. A common reason competitor camera apps push to the cloud is that they want to function even if the phone is offline or lost. The trade-off is the data pipeline. The privacy-first answer is the same as the one the Pentagon situation suggests: the data that doesn't leave the device cannot be turned into a targeting input. The OS-level reason screen-off recording is hard to do right — Doze, foreground-service types, WorkManager — is covered in Why Does My Android Camera Stop Recording When the Screen Turns Off?.

This is the same architectural argument I made on May 25 in the Kimwolf DDoS botnet writeup, where the attack vector was Android Debug Bridge and inbound ports rather than ad SDKs and brokers. Different surface, same lesson: the camera app that minimizes its attack and resale surface is the one whose user is not on a target list.

The consumer takeaway

If you are repurposing an old phone as a camera — a baby monitor, a pet cam, a workshop monitor, a porch lookout — the architecture question is the same one CENTCOM is asking about every app a deployed servicemember might be carrying. For consumers specifically, the six warning signs a "free" camera app is selling data are mapped out in Is My Baby Monitor App Watching Me Too?, and the reference architecture for doing this right is in The Most Privacy-Respecting Way to Use an Old Android Phone as a Home Security Camera.

What does this app phone home about me, where does that data end up, and is there a path by which a stranger with money could read it?

A privacy-first camera app should be able to answer that with one word: nothing.

If you want one for your old Android device that does — no cloud, no account, no tracking, local-only storage, with optional opt-in YouTube Live for the cases where you do want to broadcast — Background Camera RemoteStream is on the Play Store:

Background Camera RemoteStream on Google Play

More about the architecture at superfunicular.com.

---

Sources:

• U.S. says troops were targeted with location data, as senator warns ad industry is a 'national security threat' — TechCrunch, May 28, 2026
• Pentagon says US troops are reportedly being targeted using location data — Military Times, May 28, 2026
• FTC to ban data broker Kochava from selling Americans' location data — BleepingComputer