At the end of July, a Catholic priest resigned from the church, after Catholic news site The Pillar outed him by purchasing location data from a data broker on his usage of Grindr. The incident didn’t just illustrate how people can wield Grindr data against members of the LGBTQ community. It also highlighted the dangers of the large, shadowy, and unregulated data brokerage industry selling Americans’ real-time locations to the highest bidder.

In a new report for the Cyber Policy Program at Duke University’s Sanford School of Public Policy, I surveyed 10 major data brokers and the sensitive data they advertise. They openly and explicitly promulgate data on individuals’ demographic characteristics (from race to gender to income level) and political preferences and beliefs (including support for the NAACP, ACLU, Planned Parenthood, and the National LGBTQ Task Force), and on current US government and military personnel. Several of these firms also market another disturbing product: Americans’ geo-locations.

Acxiom, one of the largest brokers with data on billions of people worldwide, advertises “location-based device data” on individuals. Need to know if someone has visited a location multiple times in the past 30 days, like a church, their therapist’s office, or their ex’s house? They’ve got you covered, according to a company marketing document. What about other insights based on individuals’ locations? Check out data from marketing firm NinthDecimal, which according to a 2018 fact sheet is an Acxiom “partner” that provides “mobile device location and location context insights.” Military personnel, Acxiom says, can be located too: It offers “verification and location of military servicemen (deployed but missing from base)” as part of commercial work for credit card issuers and retail banks.

LexisNexis, another behemoth, advertises the ability to “determine a person’s current whereabouts” using recent driver license records. Experian outright advertises mobile location data. Oracle, which took a notable turn toward data brokerage in the past decade, advertises marketing services based on a user’s real-time location. In 2019, Oracle partnered with location data provider Bluedot (one of many such partners), which claimed that its data would provide a twentyfold improvement in pinpointing an individual’s location. Among other factors, Bluedot claimed to track the number of times an individual visited a location and how long they were there. A few years earlier, Oracle added PlaceIQ to its data marketplace, a company which then had data “from 475 million location points, 100 million unique users, and more than 10 billion daily location-enabled device movements.”

Then, of course, there are people-search or “white pages” sites, which allow internet users to search for data on anyone by entering their name. Scraping property records, tax filings, voting records, and more, these data brokers aggregate government and other publicly available documents and make them publicly searchable, for a small fee or at no cost whatsoever. While they don’t advertise individuals’ real-time geo-locations, they do provide relatively up-to-date information on where people live.

Perhaps none of this is surprising—data breach after data privacy scandal has spotlighted just how intimately private companies track Americans’ daily lives. However much these companies wish to normalize their surveillance, down to the exact sidewalk you stand on or restaurant you sit in, we can’t forget that data brokers selling this location data threaten civil rights, national security, and democracy.

On the civil rights front, federal agencies from the FBI to US Immigration and Customs Enforcement purchase data from data brokers—without warrants, public disclosures, or robust oversight—to carry out everything from criminal investigations to deportations. In doing so, data brokers circumvent limits on companies directly handing data to law enforcement (e.g., a cellular company can sell user data to a data broker which can then sell the data to the FBI). The federal government agencies using the data may then also circumvent a variety of legal restrictions in place around searches and seizures as well as federal controls which aren’t applied to “open source” or “commercially obtained” data, even if the data is on US individuals.