As another election season draws to a close, political campaigns have learned a lot about many voters already, including when they previously voted, how much they make, what issues matter to them, and where they get their news. But campaigns this year also know where voters have been. The location of our phones is a powerful tool that campaigns are using to laser-target our attention.

Dozens of companies stand ready to provide that data, offering new services specifically designed for political campaigns. They home in on your location using a variety of techniques, often starting with information publicly available from state voter files and then cross-referencing it with locations shared by your phone to indiscreet apps or snatched from ad networks as you surf the web. 

Political operators have reportedly used these capabilities to target people based on church attendance, visits to specific government buildings, and as they attend political rallies. One firm even claims to have repeatedly signed up prominent campaigns wanting to target the “captive audience” in line to vote on election day, though it says it discontinued that product.

While there is a growing public awareness of how hungry some political campaigns have become for sensitive personal data, including about people’s locations and movements, political observers and privacy experts are alarmed at the bigger picture of the industry that has emerged to serve them.

Political tracking firms, experts say, often go unmentioned in public campaign filings and could open a new vector for spreading misinformation and even suppressing votes. They also routinely circumvent privacy controls and permissions systems built into today’s smartphones and meant to protect the sensitive location data generated as you travel to work, school, home, and your doctor. For example, even if you turn off your phone’s location services, using the device’s web browser can still expose your approximate location to certain ads as you surf the internet, allowing trackers to store your coordinates. 

There are things you can do to protect yourself against this sort of tracking (see sidebar), and Congress and the Federal Trade Commission have brought intense scrutiny to the related, multibillion-dollar location data industry, placing it under existential threat. But the political targeting industry is a distinct and more slippery entity, and individual consumers have limited options for safeguarding their privacy against its tactics. 

“There are currently no mandated laws that require any sort of transparency in what candidates or other political actors are doing to target their audience,” said Jennifer Stromer-Galley, a professor at Syracuse University who has studied how political campaigns use data and technology. “The risk for mis- and disinformation and efforts to undermine our democratic systems is unfortunately high without some mandates for transparency and with that accountability.”

All political campaigns are built on the most basic form of location data: state voter files listing the name, address, party affiliation, and often the voting history of every voter in the U.S. (though the data included varies from state to state). These are provided to political parties, candidates, and in varying degrees, to the public. Voter file data is the foundation upon which all other campaign data is built. 

Campaigns are eager to layer additional personal information on top of this foundation to try and determine who you likely voted for in the past, how you might vote in the future, what motivates your choices—and if you can be persuaded to vote for their candidate or, even better, donate money. Their ultimate goal is to ensure that the campaign gets the most bang for its buck, spending its money efficiently to target the most receptive audience.   

To do this, campaigns need information held by commercial data brokers such as Experian and Acxiom who can provide everything from demographic data to credit scores to online browsing and news consumption habits. These firms aggregate sensitive data gleaned from scores of other companies, data that increasingly includes people’s locations and movements. 

Credit:Acxiom.com

Data brokers have jumped in to help campaigns layer other useful data on top of voter files, including other public and consumer data, to paint a fuller picture of any given voter.  

Political data company i360, for example, advertised that it can provide “1800 unique data points on all 270 million Americans,” ensuring “the most comprehensive profile of your target.”

Political data giant L2 details hundreds of fields available in its “Voter Dictionary,” including ethnicity, military status, pet ownership, net worth and education level.

Credit:L2

These types of firms offer to cross-reference mobile location data as a new source of campaign insights. The data they can layer on top of voter files, according to their marketing, includes hundreds of varied data points:

• Voters’ likely views on abortion, gun control, and COVID vaccine mandates
• Their interests (including “in Military History,” “in Theater,” “in Auto Work,” “in Woodworking")
• Whether they are likely members of a union
• Their likely religion
• Whether they are a gun owner
• Their net worth
• Whether they are a cat, dog, or horse owner
• What brands they regularly buy
• What streaming services they use 

Acxiom’s chief privacy officer, Jordan Abbott, told The Markup in an emailed statement that the company only uses “ethically sourced” data from vetted data suppliers. “We hold our clients and partners to the same high standards of privacy and ethics that Acxiom continually maintains,” he said. Abbott said that licensing data for political advertising makes up “less than 1%” of their business.” Abbott added that Acxiom does not collect or license movement data in the U.S. and that “[a]ny location data is limited to insights related to visits to commercial locations such as grocery stores and car dealerships in order to provide relevant offers.”  

There are several ways location data can be used in political targeting and several ways location data is collected. Let’s look at the various options a hypothetical political campaign has for using this kind of data to target voters.

Let’s assume that this campaign wants to learn more about the voters in its existing list, a list that started with names, addresses, and party affiliations from state voter files. To enrich this list, the campaign can turn to a  data broker like L2, Acxiom, Experian, or i360, which will add behavioral or consumer data. 

Armed with this additional information, the campaign can narrow the list to those voters most likely to be receptive to its advertising. To actually reach those people with ads on their phones and other devices, the campaign turns to a political targeting company like El Toro, which is able to use its own trove of data to match the names on the list to the IP addresses of online devices “with a 95% confidence level.” Then those specific IP addresses and corresponding devices can be targeted with online ads. In this case, the location is provided by the campaign from the state voter file, but the association between a person and an IP address is derived by El Toro, using unknown datasets. 

What if the campaign wants to identify voters that it doesn’t already have in its files? In this case, it could specify a list of geographic areas such as neighborhoods, college campuses, or even specific buildings by drawing a “geofence” on a map. A company like Agility Ads could then target people within these areas on behalf of the campaign. Agility Ads says it can target people in areas from “up to a full square mile or down to a few square feet,” ensuring “your audience is as specific as you need.” Any device that appears within the specified boundaries could be served ads if its owner is browsing the web or using an app at the time they are in the area. 

Sometimes the time and places being targeted can be extremely specific. Political targeting firm DSPolitical advertised for at least two election cycles the ability for campaigns to get the “last word” on their election messaging by targeting voters waiting in line to vote at polling locations. “This is a captive audience campaigns simply can’t afford to miss,” said Jim Walsh, co-founder and former CEO of DSPolitical, according to a blog post on its website. 

Reached by email, Mark Jablonowski, DSPolitical’s president and chief technology officer, told The Markup that the company hasn’t offered the “Last Word” targeting product since 2018. Jablonowski added that “DSPolitical does not collect location data. Instead we work with trusted location data vendors that work with exclusively opt-in data sets.” He added that the company has restrictions on targeting sensitive locations and reviews ad contents to prevent disinformation. 

In addition to this kind of targeting, which is known as “geofencing,” the campaign has the option of employing a virtual time machine to turn back the clocks and build a list of any active devices that appeared in the fenced area going back up to six months. This technique is known as “geoframing.”

The data needed to let the campaign target people’s locations in these various ways comes from an array of sources. 

Much of the geotargeting industry derives location data from the online ad placement system known as “real-time bidding,” in which publishers or app owners share device, ad unit, and location information to a split-second auction. This “bidstream” data can be used to derive the locations of mobile devices from the various IP addresses assigned to them as their owners move about. Although this technique provides less precise location information, it has the advantage of working even if a device has app location permissions turned off.

This method of exploiting ad auctions for location data has drawn the scrutiny of lawmakers in Congress. 

Google spokesperson Michael Aciman told The Markup in an email that the company has strict restrictions in place for real-time bidding on its platform, such as truncating IP addresses and only surfacing “coarse” location information with a minimum of three square kilometers. “….We also limit location data provided via real-time bidding by never sharing precise location or personally identifiable information with partners,” said Aciman. 

One option the campaign has is to turn to the multibillion-dollar location data industry, which collects, buys, and sells precise mobile device location information from the apps on your phone. 

Brokers in this industry typically source their data from apps used by large numbers of consumers, including apps focused on dating, weather, and family safety.

These apps get permission from users to obtain their location, then provide this information to third parties. They can do so by directly transmitting the data from the user’s phone to third parties using software developer kits (SDKs) embedded in the apps or by sending it back to their own servers and having those servers transmit it to the third parties. The latter technique has the advantage of being invisible to app store operators like Apple and Google, who have banned some third-party SDKs found to be collecting location data.

Location data firms like Gravy Analytics often sell “data enrichment,” which joins raw location data with behavioral and demographic data about the owner of the device. 

In 2018, a conservative political action committee called Catholic Vote reportedly used location data to target people who frequently attended Catholic churches in Missouri over a period of 60 days with ads declaring the Democratic U.S. Senate candidate “anti-Catholic.” 

Jacob Gursky is a privacy researcher who (along with Samuel Woolley) analyzed the surveillance capabilities of President Donald Trump’s 2020 reelection campaign app. “A lot of what [campaigns] are doing is just catching up to the technologies and the abuses that have already existed in the app ecosystem,” Gursky said.

Let’s look at the geotargeting services one company offers to political campaigns.

El Toro is a Louisville, Ky.–based advertising company that offers “100% Cookie-Free Device & IP Targeting” for clients, allowing ads to be targeted to devices at a particular street address. The company accomplishes this by cross-referencing a device’s mobile advertising ID and internet IP address with other databases. Its website claims that its technology has been used in more than 4,000 political campaigns and is accurate 95 percent of the time in targeting “real people in real households.” The company offers clients 50 percent of their money back if its services don’t increase turnout among targeted voters by at least 5 percent. 

Deanna Durrett, chief strategy officer for El Toro, told The Markup in an email that the company does not reveal any personally identifying information of targeted voters to clients and merely acts as a “clean room proxy” to direct ads to the client target data. “Our political business is largely limited to onboarding data from campaigns and delivering targeted digital advertising messages to voters, without the usage of geolocation data.… And we are proud that we have built a tool that is used to increase voter turnout and helps political campaigns cost-effectively communicate their messages,” Durrett said. Durrett also noted that the company works with all political parties and “both sides of issues.” 

One of El Toro’s products, “Venue Replay,” allows campaigns to define a geographic area and retroactively collect any mobile advertising IDs for devices that viewed certain ads or opened certain apps or visited certain sites (such as The Weather Channel, ESPN, Yahoo, USA Today, and CNN). On its site, the company says it places ads on “over 1 billion websites” and serves ads to “90% of the daily available ad inventory online.” Those collected device identifiers can then be used to target digital and direct mail ads.

The Markup spoke with two former El Toro employees who were familiar with how its targeting technology was used by clients. One said that deriving location from digital ad views helped the company bypass privacy controls. “So even if your location is off, your phone will grab the latitude and longitude,” this person said. “It’ll grab the timestamp of when that ad loaded.… It will also grab the ad ID for the device.”  The former employees requested that their names not be used as they still worked in the data industry. 

Durrett noted, “El Toro does not use client data for any purpose other than to perform marketing or business analytics services for that client. Client data is never co-mingled, and it is deleted upon completion of services for the client.”

Both former employees also noted that targeting voters was not the only political application of El Toro’s technology. The ability to target areas where policymakers gather made it attractive to groups trying to influence policy on specific issues. Such groups could “geofence” large geographic areas for ads. “There was a really large play around targeting vested interests or interest groups like lobbyists and senators because there’s no restriction on where that perimeter can be drawn,” said one former El Toro employee. 

“We could say, hey, we saw this device ID at the West Wing of the White House. We also saw this device ID at the congressional building. And we also saw this ID at 123 Main Street.” However, this person noted that there was a minimum number of devices that could be targeted for a campaign, even if the goal was to target one individual, making the service potentially a waste of money. “You kind of have to figure out if the juice is worth the squeeze.”

Durrett disputed that targeting an individual was possible today, saying that El Toro has a minimum of 500 target addresses for political advertising campaigns and that the company employs a “multi-layer review” of client campaigns that “helps ensure we are only providing services to legitimate entities running valid political campaign advertisements.” Durrett did say that single addresses, such as a sports venue, can be allowed for nonsensitive targeting under the company’s rules. 

Durrett said that El Toro’s internal practices “closely track” the Network Advertising Initiative’s Enhanced Standards for Precise Location Information, which recommends restricting the use, sale, or sharing of location data collected at sensitive locations such as houses of worship, correctional facilities, medical facilities, and political events such as rallies, marches, or protests.

Both former employees agreed that they thought the company did take privacy of individuals seriously and cited restrictions that were in place at the time of their employment for sensitive locations such as military installations. 

Voters are targeted not only by political data companies but also, increasingly, by general location data brokers, who have expanded beyond selling to the retail industry, real estate firms, and private equity firms. They believe their products, which can include raw location data or aggregated insights derived from the analysis of peoples’ movements, have growing value to the world of political campaigns.

For example, Gravy Analytics, a location data broker, offers to segment ad audiences into “Likely Republican Voter,” which includes “Mobile devices likely to vote for Republican candidates based on attending Republican focused political events and events and venues affiliated with conservative topics.” There is also a similar “Likely Democrat Voter” audience. 

Jolene Wiggins, chief marketing officer for Gravy Analytics, said the company respects voters’ privacy and that “[w]e do not create geofences around polling locations, nor do we monitor or create advertising audiences for devices observed at polling locations.” Wiggins also noted that the company removes data associated with sensitive locations and recently launched a tool to let other data companies restrict the collection of such data.

Federal Election Commission records show the Democratic National Committee paid location data company Foursquare in the 2020 election cycle $75,000 for “data analytics.” Foursquare declined to comment on the transaction. 

Foursquare also publishes a disclosure of the “political segments” that the company maintains to deliver interest-based ads, as part of its membership in the Network Advertising Initiative. Included in this list is “Political Rally Attendees: This segment contains consumers who have recently been seen at a campaign rally event for a political candidate. This segment excludes polling/caucus locations.”   

Another location data company, Kochava Collective, announced a partnership in 2019 with political targeting firm TargetSmart. After the Federal Trade Commission sued Kochava for collecting sensitive geolocation data in August, TargetSmart announced it was ending its partnership with Kochava, noting, “We find the details laid out in the FTC’s suit troubling and unacceptable.” 

Austin, Texas–based location data firm Phunware—which built the Trump 2020 app—was reported to have used geofencing to collect mobile device IDs for supporters who attended Trump rallies and provided a similar service to Texas Democrat Beto O’Rourke’s 2020 presidential campaign.  

Phunware’s chief operating officer, Randall Crowder, said the company is compliant with the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) and is committed to protecting user privacy. “At this time, we do not sell or buy location data and we will only collect users’ location data if they agree to an in-app permission prompt to provide their location only once or to always allow it,” said Crowder in an email to The Markup. 

Meta and Google both sit on mountains of precise location data on their users and remain massive platforms for political ads, but have placed significant restrictions on how political ads can target voters on the platforms. 

Starting in 2020, Google curtailed the capabilities available to political campaigns by only allowing targeting of political ads by age, gender, and “general location (postal code level).” Advertisers are also required to be verified by the platform, and political ads can be viewed in a public searchable archive.  

In 2021, after years of criticism following the Cambridge Analytica scandal, Meta announced that it would remove ad targeting by political beliefs, in addition to health causes (like World Diabetes Day), sexual orientation, and religion (which The Markup found to persist months after the announcement). Meta still allows political ads to target voters by location but restricts the accuracy of such targeting to within a mile or more. 

Both Twitter and TikTok have banned political ads since 2019. 

The ability to target voters for get-out-the-vote or influence campaigns with such precision and without their knowledge raised many concerns among privacy experts who spoke to The Markup. This sort of ad delivery, they said, raises questions about whether privacy and campaign disclosure laws have kept pace with advances in geotargeting and about what bad actors might do with these capabilities.

“You should be able to go to church without the government and politicians and corporations knowing you went to church, and making decisions about what to try to sell you or how to monitor you,” said Adam Schwartz, senior lawyer at The Electronic Frontier Foundation, who added that new laws are needed to limit the collection of personal data with a “special focus on the ad tech industry.”

Beyond basic privacy violations, experts also raised concerns about the potential for location tracking technology to amplify the power of political dirty tricks.

Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center (EPIC), said, “We’ve seen it in the past where [voters] could be targeted with misinformation about incorrect Election Day dates, incorrect polling locations. So the potential for misuse is there. Unfortunately it has become far too easy for groups to abuse the vast amount of data that’s out there about us.”

El Toro’s Durrett said, “El Toro has business processes and protocols for monitoring advertising campaigns, where every potentially sensitive advertising campaign is reviewed based on the audience, creatives, and landing page to ensure the legality of messages and that campaigns do not run afoul of El Toro’s policies.” 

It’s a black hole riddled with nonprofits.

Former El Toro Employee

Voters may also be increasingly left in the dark—both about how they were targeted and what political entities were behind the targeting. Fitzgerald said these new targeting techniques may not be well understood by the average voter. “If someone’s targeted with an ad on their phone, maybe they can put two and two together and say, ‘Oh, I visited such and such place. That’s why I’m getting this ad.’ But if an ad then shows up on their TV at home because this company has connected their mobile ad ID to the IP address of their television … your average voter, your average consumer can’t be expected to understand that level of data collection and use about them.”

The work of political data and tracking firms can also be obscured by holes in campaign disclosure laws. While the money that political campaigns and PACs are directly spending can be found in campaign finance disclosures, much of the specific work it pays for is subcontracted to smaller firms, escaping public scrutiny. 

Samuel Woolley is an ​​assistant professor at the University of Texas at Austin who has researched the use of location-based targeting in politics. “A lot of what’s happening in this space is actually happening through proxy organizations,” he said, like contractors, subcontractors, and affiliated super PACs.

Describing the world of political spending, one of the former El Toro employees said, “It’s a black hole riddled with nonprofits.” This matters, as most smaller nonprofits are excluded from current privacy laws, including California’s CCPA. The proposed federal privacy law, the American Data Privacy and Protection Act, would apply to nonprofits.  

While “there’s a lot of hype right now about the use of location data, social media, and trace data,” most campaigns just need the basics, said Syracuse’s Stromer-Galley. “I think for most bread-and-butter campaigns, especially down ticket, they’re never, ever going to have a need for that kind of data; the voter file and a high quality voter registration file is really the key. ”

While an industry is emerging around providing location data to political campaigns, it’s not yet clear whether the practice is effective or a waste of money.

Carolyn Rush ran for Congress this year in New Jersey’s 2nd Congressional District as a Democrat. FEC records show that Rush’s campaign paid El Toro $12,800 for digital advertising services. When asked in an interview with The Markup what El Toro’s targeting technology did for her campaign, Rush said, “I guess in a nutshell, I would say not very much.” Rush said she was contacted by many companies offering data solutions for reaching potential voters for her campaign, but El Toro’s offer stood out.

Describing El Toro’s pitch about matching physical addresses to IP addresses, Rush said, “It kind of makes sense. I didn’t know that there was anybody that had a database of that information. 

“I was trying to reach only registered Democrats who had voted in the last off-year primary, which would have been 2018.” Rush included her own address and those of her staff in the collection of addresses she provided to El Toro and looked to find her ad in the apps that the company said her messages might appear in. “I sat and scrolled through every application trying to see my ad pop up….  And I never saw it.”

In response to Rush’s experience, El Toro’s Durrett said it was not surprising that a “limited spend” like Rush’s produced limited results and that the issue was more likely the campaign’s approach to sway voters. “This campaign is not illustrative of the demonstrated success we have had with campaigns in reaching voters and increasing voter turnout,” said Durrett. 

On June 7, 2022, Rush lost the Democratic primary by 6,532 votes out of 27,866 that were cast.