The U.S. military, the Internal Revenue Service (IRS), Federal Bureau of Investigation (FBI), the Drug Enforcement Administration (DEA) and Department of Homeland Security (DHS) are reportedly among the agencies that have been buying citizens’ location data from commercial services. Now, a Treasury Department inspector general report has indicated that this practice is illegal without first obtaining a warrant. The agencies in question say they are buying commercially available data from those who have consented to having their data collected.

Recode reports that the Treasury Department report “casts doubt on that claim, saying a 2018 Supreme Court ruling that required law enforcement to get a warrant for cellphone tower data could be applied to location data, too.”

Currently government agencies purchase location data “through a series of intermediaries, a supply chain that is very difficult to follow and therefore difficult to stop.” It adds that, “with an entire industry dedicated to harvesting and selling location data, even a complete ban of one tracker won’t make much of a dent.”

Apps on the mobile phone are the source of location data that ends up in the hands of third-party companies that specialize in selling access to “advertisers, marketers, and data brokers — even other location data providers.” At ExpressVPN’s Digital Security Lab, principal researcher Sean O’Brien dubs this “data laundering,” adding that “there are so many actors sharing and selling data that it’s incredibly difficult to chase the trail.”

Vice and Senator Ron Wyden (D-Oregon) tracked one trail that led to X-Mode, a location data company selling data “obtained through its software development kit (SDK), which is in hundreds of apps with millions of users, to defense contractors” who then sold it to the military.

Apple and Google then banned X-Mode’s SDK from their app stores, but Digital Security Lab and Defensive Lab Agency co-founder Esther Onfroy later “looked at 450 Android apps and found X-Mode’s SDK in nearly 200 of them,” and, later, ExpressVPN “found 25 more apps with the SDK, most from a developer called CityMaps2Go.”

Even after Google removed these from their store, ExpressVPN found 22 more apps with the X-Mode SDK.

“Researchers outside of Google can identify the presence of these banned SDKs without the benefit of owning and operating Google Play,” said O’Brien. “We looked at apps by developers with known links to X-Mode and discovered the offending SDK using well-known methods. Consumers should reasonably expect that Google, or the steward of any app store, protects users from SDKs that have been banned — or there’s a serious disconnect between policy and practice.”

Researcher Wolfie Christl noted that, “location data brokers use many ways to source data from apps,” including embedding their data collection code, harvesting it from the bidstream in digital advertising, sourcing it directly from app vendors, or buying it from other data brokers.

“The mobile app economy became a cesspool of data exploitation,” he said. “The only way to fix this is to finally enforce data protection law in the EU, and to introduce strong legislation in the U.S. and in other regions.”