Hi, I am a cybersecurity leader with over 30 years experience in the field. I hold a Master of Science in Cybersecurity and Information Assurance. I am still a hands-on practitioner who is very passionate about cybersecurity and responsible AI utilization. You can see my body of work on LinkedIn https://www.linkedin.com/in/donwarden/ Regarding your questions, please see my responses below. Are legit apps "spying" on us? Spying usually infers that a system or individual is gathering intelligence without knowledge or consent of the target individual or entity. The reality is that users consent, often without their implicit knowledge, simply by using an app. Most apps make their money by monetizing data collected from you and/or devices instead from the sale of the app. Which is a perfect segue into the next question. Which everyday app are often the "worst" at this? Frequently it is the apps that are ad heavy or ad supported. So, think social media apps, casual games, coupon apps and the like. Users should beware of apps that ask for unnecessary permissions such as your contacts, precise location, Bluetooth scanning and access to your photo library. The last two provide extremely rich metadata that can be used by data companies to paint a complete picture of what you do and where you do it. User can protect themselves by reading the permissions any app wants and limit the exposure to sensitive data. Additionally, users should perform monthly audits on the permissions applications are using. Could LE and ICE use this data? Absolutely, and do so routinely. The two main methods to obtain this data are to 1) Purchase for large data collection or data aggregators (think Palentir) or 2) Obtain a warrant or subpoena to get data directly from app companies or mobile carriers. They also have access to sophisticated trackers, called stingrays, to intercept signals and allow for location tracking by grabbing the IMSI (phone fingerprint). There are mixed ruling the use of this technology as it is generally viewed as violating the 4th amendment rights protecting unreasonable searches. The best way to mitigate this risk is to turn off your phone or use a "burner phone" or wacky-talkie for communications at rally's or protests. Could threat actors use these data? Of course, and they do so freely. Most do not use the data brokers and rely upon Open Source Intelligence (OSINT). Also, don't forget, the US has no national data privacy law in place. Unlike the EU.
Financial apps that require KYC and other apps using services such as persona where face scan data verifies the user have been exposed recently by a cyber security collective to have been selling facial scan data to the government in the US departments such as ICE. The company caught doing this was persona. However, it might not be the only company selling your facial scan data to governments or government departments. It is also a consideration whether they are just selling to the USA government or this goes further internationally. Really this sort of data privacy violation and leak leads to a lot of questions on data privacy, security and whether mass surveillance and tracking via big data and backdoor deals is moral or even legal.
The data collection practices of everyday apps represent one of the biggest privacy issues most people don't understand. At Certo, where we specialize in mobile security, we investigate how apps access user data - and the findings raise significant privacy concerns. Which Apps Collect the Most Data? Social media platforms like Facebook, Instagram, and TikTok collect way more than just your posts and photos. They're gathering location data, device information, contacts, and they can track your activity across multiple apps and services for advertising and analytics when permission is given. Meta openly admits it collects data across all its products to customize content and serve targeted advertisements. Location tracking is particularly extensive. Apps use GPS when enabled, but also infer location through WiFi networks, IP addresses, and tagged photos even when direct location access is disabled. Real Privacy Dangers Data brokers sell location data collected from apps, and government agencies purchase this information. The FTC has taken enforcement action against firms selling location data to law enforcement. Researchers have shown how commercially available location data can identify individuals who attended specific protests. Apps storing large datasets become hacker targets. Breaches have exposed location histories, health information, and financial details. Data from different apps combines to reveal information you never shared directly. Research shows location data alone can reveal sensitive traits like religious beliefs and health conditions. Protecting Yourself Review app permissions regularly. Switch location settings from "Always" to "While Using" or turn them off for apps that don't genuinely need to track you constantly. Check privacy policies for sections on data sharing with third parties - though these are usually deliberately confusing. Understand that when apps are free, you're probably paying with your data. Most make money through targeted advertising that relies on constantly collecting information about you. Bio: Simon Lewis is Co-founder of Certo Software, specializing in mobile spyware detection and privacy protection. With over 15 years of cybersecurity experience and a degree in Computer Forensics, Simon previously advised companies during hacking incidents. He developed Certo's first mobile security apps and contributes to CNBC and TechRepublic. Simon Lewis Co-founder, Certo Software
I'm David Hirschfeld (CEO, Sahara Investment Group; CIO for a multi-billion-dollar family's direct platform). In family office work, privacy isn't philosophical--it's operational risk: if your location, contacts, or identifiers leak, you can expose a whole cap table, a household, or a deal. Yes, everyday apps "spy" in the sense that many collect more than they need and monetize it via ad-tech/data brokers; the worst offenders I see in practice are "free" social apps and games that demand location + contacts + Bluetooth, then tie it to your device advertising ID. A specific one to treat like a data vacuum is TikTok (aggressive device fingerprinting signals and cross-app behavior inference), and a sleeper category is weather apps that sell precise location histories. On law enforcement: they don't need to "hack" your phone--data brokers and platform subpoenas are the clean path. Location trails and proximity graphs can be purchased or compelled, which can absolutely be used to identify who was at a protest, who met whom, or who repeatedly visits a specific address; in our world, we assume "pattern of life" data exists once an app has persistent location or background refresh. Practical moves that actually change outcomes: use a separate device/browser profile for finance (no social apps, no shared cookies), turn off the advertising ID and "personalized ads," and deny background location to everything except maps/ride-share. If you must use social, keep it off your primary email/phone number, and don't allow contact syncing--your contact graph is often more valuable than your messages.
I'm Steve Taormino--President/CEO of CC&A Strategic Media (since 1999) and an expert witness retained by the Maryland Attorney General's office on digital reputation management and Google search results (SEO/SEM). In practice, most "legit" apps aren't listening to your mic 24/7; they're far more reliably "spying" via advertising IDs, SDKs, location pings, and cross-app tracking that lets brokers and ad networks stitch together who you are and where you go. Worst offenders in everyday life: Facebook/Instagram and TikTok (aggressive cross-app tracking + ad SDK reach), plus "free" utility apps like weather and flashlights that request location "always" and funnel it into ad-tech pipes. I've dealt with cases where a person's name didn't rank--but their home address and phone number did--because data brokers plus app-sourced location/identity signals made it easy for third-party sites to publish and rank that info. Yes, law enforcement (including federal agencies) can leverage app-derived data indirectly: buying location data from brokers, serving geofenced warrants, or correlating device identifiers seen at a protest with other datasets. If an app (or its embedded ad SDK) collects precise location + advertising ID, you've basically created a durable "device dossier" that can be re-identified even without your name attached. Practical user moves that actually change the math: turn off "precise location" and set location to "While Using," disable ad personalization and reset your advertising ID, deny Bluetooth/local network permissions unless essential, and delete apps that won't function without "always-on" tracking. If you must keep the big social apps, use them in a mobile browser, not the app--less SDK tracking, fewer background signals, smaller data exhaust. Bio: Stephen J. Taormino, President & CEO of CC&A Strategic Media; nationally recognized keynote speaker on marketing psychology and digital strategy; expert witness for the Maryland Attorney General's office on digital reputation management and Google search/SEO/SEM.
I'm Nathan Nuttall with M&M Gutters & Exteriors in Salt Lake City--30+ years running jobs across Utah, doing exterior remodels and using tools like HOVER (3D property visualization) to measure and plan projects. When you use apps that can "see" your home, your route, or your habits, it's not abstract privacy anymore--it's tied to a physical address and predictable routines. Yes, everyday apps can effectively "spy," mostly by collecting location, device IDs, ad identifiers, and behavior patterns, then sharing it with partners you've never heard of. The practical risk I see for homeowners is: one breach or one overly-broad data share can expose where you live, when you're away, and what assets you likely have--fuel for burglary targeting, "contractor" impersonation scams, and extremely convincing phishing tied to real projects. On the law-enforcement question: if your phone is constantly emitting location (and apps are harvesting it), that data trail can be used to map who was where and when--especially around events like protests. Even without reading your messages, aggregated location + timestamp data is enough to identify patterns and narrow down identities when it's combined with other sources (cell records, plate readers, public posts). What I tell my own team and family: turn off "Precise Location" for everything that doesn't truly need it, set location to "While Using," and deny motion/fitness and local network access unless it's essential. Delete apps you don't use, don't grant photo/contact access "just because," reset your advertising ID regularly, and keep a separate email/number for quotes and home-service inquiries so your real identity isn't stapled to your address everywhere.
My 10 years as a private investigator and 12 years in financial fraud detection taught me that apps don't just "spy"--they build searchable dossiers. Legitimate platforms like Meta (Facebook/Instagram) are the most pervasive because they aggregate your location, network, and even your battery level to predict your physical movements. This metadata is a goldmine for agencies like ICE, who can purchase location "pings" from third-party data brokers to bypass traditional warrant requirements. It also fuels "domain spoofing" scams where cybercriminals use your leaked social data to create highly targeted phishing sites that look exactly like your real financial institutions. To protect yourself, audit your "off-platform activity" within your social media settings and clear that history to break the link between your apps. You should also stop using "Social Logins" (like signing in with Google or Facebook) for third-party services, as this creates a unified data trail that makes your entire digital life easier to track. William DiAntonio is the founder of Brand911 and a former private investigator with over 20 years of experience in criminal justice, financial risk, and digital reputation strategy.
The majority of applications do not act as if they are "spying" on users like in the movies; they just collect "digital exhaust" via invisible third-party SDKs that are totally hidden to the end user. Although social media giants (e.g. Meta, TikTok) are most frequently criticized, the true perpetrators of data collection originate from "free" utility applications (ex: weather tracking app, step counter) that are four times more likely to capture personal identifying data than their paid counterpart. In addition to being mostly utilized as an application front-end, these applications convert an individual's daily activities into a tradable asset without that person even being aware of the end users of that data. The reality is that the risk of this data being utilized poses greater harm than just targeted ads. As law enforcement continues to expand its use of "geofence warrants," companies have been forced to supply law enforcement with access to all location data collected via every device that has been used within a defined geographic border during a pre-determined period of time. Not only does this mean that innocent bystanders or peaceful protesters are being categorized as criminal suspects simply due to the fact that their phone's location was logged within a tower or GPS satellite, but the collection of this amount of personal metadata becomes a treasure trove for cyber criminals to use artificial intelligence to craft hyper-targeted phishing attempts based on what apps you use and what locations you frequently visit. To minimize your own risk of being negatively affected, you should break the "convenience-vs-privacy" cycle. Start by reviewing the location setting on your devices and adjusting them from "always" to "while using" or "never" for any apps that do not need real-time GPS to operate. Next, shut down background app refresh to prevent applications from interfacing with their server while they are inactive. Finally, avoid using social media to sign into outside third-party services, as this will create a perpetual data bridge connecting different platforms together, creating a nearly insurmountable hurdle to ever returning to "going dark". Navigating the modern application space often becomes a tension between being connected with friends and remaining private. Fortunately, you do not have to be a technology specialist to take great strides toward reducing your digital footprint.
My 20+ years in technology sales and Managed IT have taught me that "legit" software often creates the most dangerous data leaks when guardrails aren't built in from the first call. We recently secured a nationwide preschool's network in under 10 days because their previous setup left sensitive voice and data systems vulnerable to simple exploitation. Apps like **Slack** often act as "shadow tools" that punch holes through your company's security by storing sensitive internal chats on servers you don't fully control. I have seen "recording exposure" where private meeting links were forwarded externally, granting unauthorized people broad access to sensitive HR and strategy folders. While tracking by agencies is a reality, the immediate risk is often "toll fraud" where cybercriminals hijack your app's communication patterns to run up massive international calling bills. We've managed incidents where sudden spikes in after-hours activity revealed that a business's entire communication stack had been compromised through a single unmanaged personal device. To protect yourself, implement "least privilege" roles so users only access the specific data they need for their current tasks. You should also perform quarterly reviews of your admin roles to ensure no "stale" accounts or shared passwords remain as open doors for bad actors. **Patrick Brangan BIO:** Patrick Brangan is an expert in Technology sales and Managed IT with 20+ years of experience curating solutions for SMB companies. He is the founder of Centra IP Networks, a full-service firm focusing on Dallas, Tampa, and Orlando that provides Unified Communications, Managed IT, and security camera solutions on a single, streamlined platform.
Before IBM and Cyber Command, I spent years inside enterprise security infrastructure watching exactly how data flows between applications, cloud services, and third parties. That background shapes how I think about this. The apps doing the most silent damage aren't sketchy ones--they're the ones with the best PR. Meta's suite (Instagram, Facebook, WhatsApp) and Google's ecosystem are the most aggressive data collectors I've seen. They build behavioral profiles that go far beyond what you'd expect: keystroke timing, scroll patterns, and cross-app tracking that persists even after you "opt out." That data doesn't just sit in a server--it gets sold to data brokers, who sell it again. On the law enforcement angle: yes, this is real and already happening. Agencies like ICE don't need a warrant to buy location data from brokers that source it directly from apps like Life360 or even weather apps running in the background. I've worked with clients in regulated industries where we had to audit exactly which apps were phoning home with employee location data during business hours--the results were jarring. Two things I tell everyone: first, treat app permissions like you treat network access--least privilege only. If a flashlight app wants your contacts, that's a no. Second, on iOS go to Settings > Privacy & Security > Tracking and kill it across the board. On Android, use a DNS-level blocker like NextDNS to see exactly what's being transmitted--it's eye-opening when you watch your "offline" apps actively pinging ad servers at 2am.
As CEO of Netsurit, I've led our team in protecting 300+ client organizations from cloud security threats like account hijacking and insecure APIs, which directly impact financial and social media apps relying on cloud backends. Financial apps top the list for risks--attackers exploit weak passwords or phishing to hijack accounts, accessing sensitive transaction data, as we've audited in client environments. Social media apps worsen it with insecure APIs that expose user interactions to unauthorized access. This data fuels real dangers: cybercriminals breach it for identity theft, while law enforcement subpoenas app-held personal info--like IP addresses and locations--to track protesters or suspects, amplifying exposure. Protect yourself with multi-factor authentication (2FA) on all accounts, regular software updates to patch vulnerabilities, and identity access management (IAM) tools to limit permissions--steps we've implemented company-wide via our Dreams Program for secure growth. **Orrin Klopper, CEO and co-founder of Netsurit, a global IT services firm featured on Inc. 5000 and MSP 501, specializing in managed IT, cloud security, and AI for 300+ clients across North America, South Africa, and Europe.**
Managing the "reputational security" of high-profile executives in Silicon Valley means I deal daily with the fallout of digital data that compromises professional lives. My experience at Reprieve House involves securing the privacy of guests who are prime targets for corporate espionage and data exploitation. Health-tracking apps like Oura or MyFitnessPal collect intimate biometric data that can be de-anonymized to reveal sensitive health struggles or physiological patterns. This data is a goldmine for bad actors who use it for sophisticated social engineering or to find points of leverage against leadership. Law enforcement agencies like ICE use "geofence warrants" to scrape location data from innocuous apps like Zillow or The Weather Channel to identify everyone present at a protest. This creates a forensic record of your movements and private associations that agencies can access without a direct warrant for your specific device. To mitigate these risks, use a system-level tracker blocker like NextDNS and utilize Apple's "Hide My Email" for all app registrations. Decoupling your real identity from the apps you use is the only way to maintain agency in an ecosystem designed to track your every move. **Jonathan Freed BIO:** Jonathan Freed is the Owner and CEO of Reprieve House, a premium, physician-led residential detox facility in Los Altos Hills, CA. He specializes in providing discreet, highly personalized care for high-profile executives and professionals who prioritize privacy and autonomy during recovery.
Felix Bagr, owner of ITECH Recycling. I lead a Chicago-based IT asset disposition team focused on secure data destruction and responsible electronics recycling for businesses of all sizes. As the owner of ITECH Recycling, I see the "afterlife" of data where the real spying happens--on discarded hard drives that people think are empty. My work focuses on preventing "ghost data" from being harvested by criminals or agencies after a device is retired. Apps like **Strava** or "free" fitness trackers are particularly risky because they cache detailed heatmaps of your movements directly onto your hardware. Even if you delete the app, that local data often remains in the drive's "slack space" and can be reconstructed using forensic tools if the device isn't physically shredded. This stored data is a goldmine for law enforcement or cybercriminals who buy bulk "e-waste" to find un-shredded drives from financial or medical offices. They aren't just looking for your current location; they are looking for the historical login tokens and unencrypted caches that "formatting" a drive fails to remove. To protect yourself, never assume a "factory reset" is enough before selling or recycling a device. Use a certified data destruction service that provides a serialized Certificate of Destruction to guarantee the storage media has been physically crushed or shredded.
My work building life care plans means I spend serious time inside medical records, billing systems, and health portals--all ecosystems where sensitive personal data flows constantly. That exposure taught me to think carefully about *what* data gets captured, not just *how* it's used. The angle most people miss: health and fitness apps like MyFitnessPal or period-tracking apps have quietly handed detailed personal health data to third parties, including data brokers. That data can be legally purchased--no warrant needed--and combined with other identifiers to build profiles that are genuinely sensitive. For ICE or similar agencies, that's a cleaner path than hacking anything. One practical thing I do: I treat app permissions the way I treat a medical consent form--I read what I'm actually signing over. Denying "contacts" access to apps that have zero business needing your contacts is a quick win that most people skip entirely. Audit your app list quarterly. Delete anything you haven't opened in 30 days. A dormant app with background permissions is essentially a data tap you forgot you left running.
As founder of Midwest Pain and Wellness and Niwa Aesthetics & Wellness, a double board-certified anesthesiologist and interventional pain physician with expertise in HIPAA-compliant systems, I've prioritized cybersecurity stacks like NIST and CMMC to safeguard patient financial and health data from everyday apps. Financial apps like QuickBooks and Sage Intacct are among the worst offenders in legit software; they harvest transaction histories, vendor details, and business fingerprints shared across ERP ecosystems, per our audits. This exposes users to cybercriminals via supply-chain attacks--in one case at our clinics, a billing app integration leaked payment metadata, enabling targeted ransomware that halted operations for days. Counter it with vCIO-led gap analyses, flat-rate managed monitoring for 24/7 anomaly detection, and strict vendor compliance vetting before app deployment.
I've spent over 15 years in cybersecurity, presenting at West Point and the Nasdaq on how data vulnerabilities impact both national security and small businesses. My background in terrorism and emergency preparedness gives me a unique perspective on how "innocent" data collection can be weaponized by bad actors to compromise your physical and digital safety. Many reputable apps leverage "bloatware" sponsorships that sneak secondary tracking toolbars or background listeners into your system during installation. These apps often default to having your microphone and camera access "on," allowing them to harvest environmental audio data to trigger targeted advertisements based on your private conversations. The immediate danger isn't just tracking; it's that these open permissions allow hackers to pivot into your business network through "session hijacking." For example, peer-to-peer software like BitTorrent or free "reputable" toolbars often bundle malicious scripts that bypass standard antivirus to scrape your stored financial documents and client data. Go into your phone settings right now and manually audit "Microphone" and "Camera" permissions, opting out of every app that doesn't require them to function. Business owners must also "lock down" company machines to prevent employees from inadvertently installing sponsored apps that act as gateways for ransomware. **Paul Nebb BIO:** Paul Nebb is the founder of Titan Technologies, established in 2008. He holds a Master's Degree from Fairleigh Dickinson University and possesses multiple certifications related to technology, terrorism, and emergency preparedness. Paul's expertise has led him to prominent speaking engagements at the Nasdaq podium, the Harvard Club, and West Point Military Academy. As a Cyber Security expert, he is dedicated to providing companies with strategies to safeguard their personal and business information from the Dark Web and evolving cyber threats.
As a Virginia attorney with 23+ years handling special education disputes, school disciplinary cases, and criminal defense, I've repeatedly seen everyday apps turn user data into courtroom weapons against families and kids--often without their knowledge. Snapchat and Venmo top the list of worst offenders I've encountered. Snapchat's "disappearing" messages get screenshotted and subpoenaed in bullying or sexting cases, leading to child porn distribution charges; Venmo's transaction logs reveal hidden spending in divorces or custody battles, exposing financial patterns to prosecutors. Law enforcement routinely subpoenas this data to track suspects--in one juvenile gun possession case, Snapchat exchanges pinpointed the student's location and accomplices, aiding ICE-like federal tracking of at-risk youth. Cybercriminals exploit breaches too; leaked Venmo histories fueled identity theft in client divorces, amplifying blackmail risks. Protect yourself: revoke non-essential app permissions immediately, demand data deletion via privacy policies (like FERPA for school-linked apps), and consult a lawyer early to scrub digital footprints before they surface. **John C. Whitbeck, Jr., Esq.** Founder/Managing Partner, WhitbeckBeglis, PLLC; former Substitute Judge & Special Justice; Adjunct Professor, George Mason Law; expert in family law, education law, mental health law, and criminal defense across VA/MD.
I run a window and door restoration business, so you might wonder what I know about app privacy. But here's the thing--I work inside people's homes constantly, and over the years I've learned a lot about how data from home service apps and scheduling platforms gets quietly harvested without customers realizing it. The booking and home services apps my customers use to schedule jobs often request microphone, camera, and contact access that has nothing to do with booking a window repair. That's a red flag. Apps like Thumbtack or Angi collect behavioral data that gets passed to third-party advertisers--you book one home repair and suddenly you're being profiled as a homeowner with a certain income bracket. One thing people miss: smart home devices near your windows and doors (video doorbells, smart locks) are often tied to apps with vague data-sharing clauses. Ring, for example, has a documented history of sharing footage with law enforcement without warrants--which directly answers your question about agencies like ICE accessing data without you knowing. My practical tip: audit your phone's app permissions once a month. Go to Settings, pull up each app individually, and ask yourself whether camera, microphone, or location access makes any sense for what that app does. If it doesn't, revoke it immediately.
My background is in healthcare operations, specifically behavioral health and addiction treatment -- an industry that handles some of the most sensitive personal data imaginable. That gave me a front-row seat to how app-based data collection creates real, underestimated risks for vulnerable people. Here's what most people miss: when someone uses a mental health app, a recovery app, or even just searches for treatment options on their phone, that behavioral data gets categorized and sold. I've seen cases where clients were targeted with addiction-related ads across unrelated platforms simply because their app usage patterns flagged them as "high-value" health consumers. That's not hypothetical -- that's the ad-tech ecosystem working exactly as designed. The specific danger I'd flag for this thread: health-adjacent apps (mood trackers, sobriety counters, therapy platforms) often share data with third-party SDKs buried in their terms of service. That data can be re-packaged and sold to insurers, employers, or data brokers -- and yes, it can surface in law enforcement queries, especially when tied to a device ID seen at a specific location. One concrete thing I'd push people to do that hasn't been mentioned: audit the permissions on any app that touches your health, finances, or daily routine. If a sobriety tracker is requesting your contacts or microphone, that's a red flag. The data you think stays private inside a "safe" wellness app rarely does.
Jay Baruffa is the President of Tech Dynamix and Little Mountain Phone & Computer Repair in Painesville, Ohio, with over 20 years of experience in IT solutions, device forensics, and component-level repair. I've spent over two decades performing deep-level diagnostics and data recovery, which has shown me exactly how "legit" software harvests more than just your basic profile info. Social media giants like TikTok and Facebook are the most aggressive because they scrape your hardware's unique IMEI and MAC addresses to create a permanent digital fingerprint that identifies your device even if you switch accounts. These hardware fingerprints allow agencies to map out social circles; if one person at a protest is flagged, everyone their phone "interacted" with via background Bluetooth or Wi-Fi scanning can be linked to that event. I frequently find that "free" utility apps--like third-party calculators or file managers--act as data vacuums, siphoning your entire contact list and Wi-Fi history to offshore brokers who sell the data to the highest bidder. To protect yourself, stop using "Sign in with Facebook or Google" for third-party services, as this creates a cross-platform data bridge that is nearly impossible to sever. You should also go into your privacy settings to "Reset Advertising Identifier" monthly, which scrambles the digital profile these companies use to track your behavior across different apps.