FBI Warns Foreign Apps May Harvest Americans' Data Without Installation
TL;DR
The FBI warned on March 31, 2026, that foreign-developed apps, particularly those from China, can collect Americans' personal data even from people who never installed them, through contact list uploads, embedded SDKs, and the data broker pipeline. PAFACA and Executive Order 14117 target foreign access to that data, but the U.S. still lacks comprehensive federal privacy legislation, and critics argue the warning selectively ignores comparable domestic data collection that serves U.S. surveillance interests.
On March 31, 2026, the FBI issued a Public Service Announcement that went beyond its usual warnings about malware and phishing. The bureau warned that foreign-developed mobile applications, particularly those originating in China, can collect Americans' personal data even from people who have never downloaded or used the apps. The mechanism is straightforward: when someone who has installed such an app grants it access to their contacts, the names, phone numbers, and email addresses of everyone in that address book can be uploaded to servers abroad, where local law may give the host government access.
The warning arrives at a moment when foreign-origin apps dominate U.S. download charts, the data broker industry operates with minimal federal oversight, and the legal architecture for restricting cross-border data flows is still under construction.
How Your Data Leaves Without Your Consent
The FBI's core claim — that non-users can have their data collected — rests on several well-documented technical pathways.
The most direct is contact graph harvesting. When an app requests and receives permission to read a user's contacts, it can upload the entire address book to remote servers. Merged across many uploads, these address books yield what researchers call shadow profiles: identity records on people who never shared anything with the service themselves. Facebook acknowledged in 2019 that it had uploaded the email contacts of roughly 1.5 million new users without their consent since 2016, building links to people who had no account. The same technique is available to any app that obtains contact access.
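The contact-upload pathway just described, as an added example (not code from the FBI PSA or from any of the page's sources): a small Python model of how an app backend merges address books uploaded by its users into records on people who have no account. Names, numbers, email addresses and uploader IDs are constructed; the phone normalization assumes North American numbers.

```python
"""Added example (not code from the FBI PSA or any cited source): how an app
backend can turn address books uploaded by its users into records on people
who never installed the app. All names, numbers and addresses are constructed."""
import re
from collections import defaultdict

# Constructed sample: three installed users granted contacts access and the
# client uploaded their address books as (uploader_id, [contact, ...]).
UPLOADS = [
    ("user-A", [
        {"name": "Dana R.", "phone": "(202) 555-0143", "email": "dana.r@example.org"},
        {"name": "Sam Lee", "phone": "+1 202-555-0188"},
    ]),
    ("user-B", [
        {"name": "D. Reyes", "phone": "2025550143"},              # same person as Dana R.
        {"name": "Sam Lee", "email": "sam@example.net"},
        {"name": "Alex", "phone": "+1 202 555 0101"},             # user-A's own number
    ]),
    ("user-C", [
        {"name": "Dana Reyes", "email": "Dana.R@Example.org", "employer": "Example Agency"},
        {"name": "Sam Lee", "phone": "12025550188", "email": "sam@example.net"},
    ]),
]
# Phone numbers of people who actually have an account (constructed).
INSTALLED = {"user-A": "+12025550101", "user-B": "+12025550102", "user-C": "+12025550103"}


def normalize_phone(raw, country_code="1"):
    """Reduce '(202) 555-0143', '2025550143' and '+1 202-555-0143' to one E.164
    key. Assumes 10-digit numbers are NANP; real pipelines use libphonenumber."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = country_code + digits
    return "+" + digits


def normalize_email(raw):
    return raw.strip().lower()


def build_shadow_profiles(uploads):
    """Merge every uploaded contact into one record per person.

    Phone numbers and emails are the identity keys; a contact carrying both
    links the two, so later uploads with only one of them still merge in.
    Returns {cluster_root: profile}.
    """
    parent = {}

    def find(k):                      # union-find over identity keys
        parent.setdefault(k, k)
        while parent[k] != k:
            parent[k] = parent[parent[k]]
            k = parent[k]
        return k

    contacts = []
    for uploader, book in uploads:
        for c in book:
            keys = []
            if c.get("phone"):
                keys.append("tel:" + normalize_phone(c["phone"]))
            if c.get("email"):
                keys.append("mailto:" + normalize_email(c["email"]))
            if not keys:
                continue
            for k in keys[1:]:
                parent[find(keys[0])] = find(k)
            contacts.append((uploader, keys, c))

    profiles = defaultdict(lambda: {"keys": set(), "names": set(),
                                    "uploaders": set(), "attributes": {}})
    for uploader, keys, c in contacts:
        p = profiles[find(keys[0])]
        p["keys"].update(keys)
        p["names"].add(c["name"])
        p["uploaders"].add(uploader)       # who exposed this person
        for field, value in c.items():     # any extra field leaks too
            if field not in ("name", "phone", "email"):
                p["attributes"][field] = value
    return dict(profiles)


def profile_for(profiles, phone=None, email=None):
    key = "tel:" + normalize_phone(phone) if phone else "mailto:" + normalize_email(email)
    return next((p for p in profiles.values() if key in p["keys"]), None)


def non_user_profiles(profiles, installed_phones):
    """Records on people with no account: none of their keys is an installed user's number."""
    installed = {"tel:" + normalize_phone(n) for n in installed_phones}
    return {root: p for root, p in profiles.items() if not p["keys"] & installed}


if __name__ == "__main__":
    profiles = build_shadow_profiles(UPLOADS)
    for p in non_user_profiles(profiles, INSTALLED.values()).values():
        print(sorted(p["names"]), sorted(p["keys"]), "exposed by", sorted(p["uploaders"]))
```

Dana and Sam never installed anything, yet after three uploads the backend holds a phone number, an email address, an employer field and a list of who knows them; each further upload refines the existing record rather than starting a new one, which is why the number of uploads, not the number of users, sets the size of the graph.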
A second vector is embedded software development kits (SDKs), prepackaged code libraries that app developers integrate into their products for analytics, advertising, or push notifications. A 2024 study of wireless-scanning SDKs on Android found that 86% of apps integrating them collect at least one sensitive data type, including device identifiers, GPS coordinates, and WiFi and Bluetooth scan results. Because an SDK runs inside the host app with the host app's permissions, users may never know that a foreign company's code is running on their device.
The third pathway runs through the data broker ecosystem. Brokers aggregate personal information from app SDKs, public records, purchase histories, and location data, then sell packaged profiles to buyers who may include foreign entities. The U.S. data brokerage industry is valued at approximately $200 billion. Companies like Acxiom maintain data across 62 countries on roughly 2.5 billion consumers. The FTC alleged in 2024 that data broker X-Mode ingested more than 10 billion location data points linked to timestamps and unique persistent identifiers.
Research has also uncovered ID bridging within SDK ecosystems: a resettable identifier such as the advertising ID is recorded alongside persistent ones (hardware, install or network identifiers) by SDKs embedded in different applications, and the identifiers are shared and synchronized between them. Once that link exists, resetting the advertising ID or uninstalling one app does not break the chain, so a device's movement history can be reconstructed across the reset and across app uninstalls.
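ID bridging as just described, as an added example (not code from the cited study or from any SDK vendor): telemetry from two SDKs embedded in different apps is joined with a union-find over every identifier that was ever observed together, so a persistent signal (here a home Wi-Fi access point) carries the link across an advertising-ID reset and an app uninstall. The events, identifier values and BSSIDs are constructed, and the public-hotspot filter is a heuristic of this example rather than a published method.

```python
"""Added example (not code from the cited study or any SDK vendor): ID bridging
reconstructed from telemetry of two SDKs embedded in different apps. Every
identifier co-observed in one event is linked, so a persistent signal carries
the link across an advertising-ID reset and an app uninstall. Events,
identifier values and BSSIDs are constructed for illustration."""
from collections import defaultdict

# Constructed telemetry as a broker might receive it. "adid" is the resettable
# advertising ID, "install_id" is minted per app install, "bssids" are Wi-Fi
# access points reported by a wireless-scanning SDK.
EVENTS = [
    # device X: weather app; the user then resets the adid and swaps weather for news
    {"t": 1, "sdk": "AdSDK",   "app": "weather", "install_id": "w1", "adid": "adid-1"},
    {"t": 2, "sdk": "ScanSDK", "app": "weather", "install_id": "w1", "bssids": ["ap-home", "ap-cafe"]},
    {"t": 3, "sdk": "AdSDK",   "app": "news",    "install_id": "n1", "adid": "adid-2"},
    {"t": 4, "sdk": "ScanSDK", "app": "news",    "install_id": "n1", "bssids": ["ap-home"]},
    # devices Y and Z: other people who also sit on the cafe's Wi-Fi
    {"t": 5, "sdk": "AdSDK",   "app": "weather", "install_id": "w9", "adid": "adid-9"},
    {"t": 6, "sdk": "ScanSDK", "app": "weather", "install_id": "w9", "bssids": ["ap-cafe", "ap-office"]},
    {"t": 7, "sdk": "ScanSDK", "app": "weather", "install_id": "w7", "bssids": ["ap-cafe"]},
]


class UnionFind:
    """Minimal disjoint-set forest keyed by identifier strings."""
    def __init__(self):
        self.parent = {}

    def find(self, k):
        self.parent.setdefault(k, k)
        while self.parent[k] != k:
            self.parent[k] = self.parent[self.parent[k]]
            k = self.parent[k]
        return k

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def identifiers(event, crowded=frozenset()):
    """Every linkable identifier one event carries, namespaced by type.
    BSSIDs in `crowded` are skipped: a public hotspot is shared by many devices."""
    keys = ["install:" + event["install_id"]]
    if "adid" in event:
        keys.append("adid:" + event["adid"])
    keys += ["bssid:" + b for b in event.get("bssids", []) if b not in crowded]
    return keys


def bridge(events, max_installs_per_bssid=2):
    """Cluster identifiers that were ever observed together.

    Returns a list of frozensets, one per inferred device. A BSSID seen by
    more than `max_installs_per_bssid` installs is treated as public and not
    used for linking (a heuristic of this example, not a published method).
    """
    installs_per_bssid = defaultdict(set)
    for e in events:
        for b in e.get("bssids", []):
            installs_per_bssid[b].add(e["install_id"])
    crowded = {b for b, s in installs_per_bssid.items() if len(s) > max_installs_per_bssid}

    uf = UnionFind()
    for e in events:
        keys = identifiers(e, crowded)
        uf.find(keys[0])                    # register even single-key events
        for k in keys[1:]:
            uf.union(keys[0], k)
    clusters = defaultdict(set)
    for k in list(uf.parent):
        clusters[uf.find(k)].add(k)
    return [frozenset(c) for c in clusters.values()]


def cluster_of(clusters, key):
    return next((c for c in clusters if key in c), None)


def same_device(clusters, key_a, key_b):
    c = cluster_of(clusters, key_a)
    return c is not None and key_b in c


def adid_history(clusters, key):
    """All advertising IDs ever tied to the device behind `key`, reset or not."""
    return sorted(k.split(":", 1)[1] for k in (cluster_of(clusters, key) or ()) if k.startswith("adid:"))


if __name__ == "__main__":
    clusters = bridge(EVENTS)
    print("adid-1 and adid-2 same device:", same_device(clusters, "adid:adid-1", "adid:adid-2"))
    print("adid history of install n1:", adid_history(clusters, "install:n1"))
    # Without the public-hotspot filter the cafe AP wrongly merges device Y into X.
    print("naive merge of Y into X:", same_device(bridge(EVENTS, 99), "adid:adid-1", "adid:adid-9"))
```

The reset of adid-1 to adid-2 and the uninstall of the weather app both fail to separate the two halves of device X's history, because the home access point appears on both sides. The filter on crowded BSSIDs shows the other edge: with it removed, everyone who ever scanned the cafe's access point collapses into one pseudo-device, which is the false-merge problem any broker doing this has to tune around.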
Which Countries, Which Companies, Which Laws
The FBI's March 2026 warning did not name specific applications, but referred to apps developed by foreign companies, with particular emphasis on those based in China. Widely recognized examples cited in reporting include TikTok, Shein, and Temu. The bureau noted that apps maintaining digital infrastructure in China are subject to China's national security laws.
The legal framework that concerns U.S. officials centers on China's 2017 National Intelligence Law. Article 7 states: "Any organization or citizen shall support, assist and cooperate with the state intelligence work in accordance with the law." Legal analysts and intelligence officials read this as compelling Chinese firms, including those operating abroad, to hand data to intelligence agencies on request. Article 14 empowers state intelligence agencies to require that organizations and citizens provide the support, assistance and cooperation they need, and the obligations follow Chinese nationals wherever they work.
The Department of Justice has designated six countries of concern: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. Russia's data localization law, in force since September 2015, requires that personal data on Russian citizens be stored on servers within the country, giving Russian authorities direct jurisdictional access.
The Pushwoosh case illustrates how these risks materialize. In 2022, Reuters revealed that Pushwoosh, a push notification SDK vendor headquartered in Novosibirsk, Russia, had presented itself as a U.S.-based company. Its code was embedded in nearly 8,000 apps in Google's and Apple's app stores, including apps used by the U.S. Army and the Centers for Disease Control and Prevention. The Army removed an app that carried the SDK, citing "security concerns," and the CDC followed after reporters informed the agency of Pushwoosh's actual location.
The Domestic Data Collection Elephant in the Room
Critics of the FBI's warning argue it presents an incomplete picture by focusing on foreign threats while leaving domestic data collection largely unaddressed.
Google collects more personal data than any other major tech company, including location history, search queries, browsing data, and app usage across its ecosystem. In 2022, Google paid $391.5 million to settle claims from 40 state attorneys general that it had misled users about location tracking between 2014 and 2020, described at the time as the largest multi-state privacy settlement in U.S. history.
The FTC ordered Czech-based antivirus company Avast to pay $16.5 million in February 2024 for collecting and selling users' browsing data while marketing its products as privacy protection tools. In the same period, the FTC barred data brokers X-Mode and InMarket from selling or sharing sensitive location data. InMarket had been collecting precise geolocation from 100 million unique devices annually since 2016.
The steelman case that the FBI warning is strategically selective runs as follows: U.S. intelligence agencies benefit from the domestic data broker ecosystem. Section 702 of the Foreign Intelligence Surveillance Act authorizes warrantless collection of communications targeting non-U.S. persons abroad, which sweeps in Americans' communications with those targets. U.S. agencies have also purchased location data and other personal information from commercial brokers, bypassing warrant requirements. A warning that focuses exclusively on foreign collection, without addressing comparable infrastructure operated by American companies, risks functioning as industrial policy disguised as national security: protecting U.S. surveillance access while restricting foreign competitors.
Defenders of the FBI's framing counter that the distinction between domestic and foreign collection is legally significant. U.S. companies operate under FTC oversight, are subject to state privacy laws, and face litigation risk. Foreign governments accessing data through national security mandates face no comparable accountability mechanisms, and the data can be used for espionage, coercion, and influence operations that have no domestic analogue.
Who Faces the Greatest Risk
The data vulnerability is not evenly distributed. A 2023 Duke University study found that sensitive data on active-duty military personnel, including health records, financial information, and religious practices, was available from commercial data brokers for as little as 12 cents per service member, with no background checks on purchasers.
The study warned that foreign intelligence services could use this data to "compromise, blackmail and then coerce troops by outing servicemembers' sexual orientations, releasing information that damages servicemembers' reputations, stalking and tailing personnel, or microtargeting personnel with particular messages". Location datasets could reveal visits to "a place of worship, a gambling venue, a health clinic, or a gay bar", information with obvious coercive potential.
Federal employees handling classified or sensitive information face similar exposure. The DOJ's Data Security Program specifically identifies "government-related data" as a protected category alongside bulk personal data.
Journalists and activists, particularly those covering national security or working on issues involving the designated countries of concern, face elevated risk from geolocation tracking and communication metadata. Minority communities with historical ties to countries of concern may face additional scrutiny or targeting.
The FBI's March 2026 advisory did not include differentiated guidance for these high-risk populations. It offered general recommendations (limit data sharing, download apps only from official stores, review app permissions) without addressing the specific threat models facing military personnel, federal employees, or other targeted groups.
The Legal Toolkit: What Exists and What Has Been Used
The U.S. government's authority to restrict foreign data collection operates through several overlapping mechanisms.
The Protecting Americans from Foreign Adversary Controlled Applications Act (PAFACA), signed into law on April 24, 2024, passed with bipartisan supermajorities: 352–65 in the House and 79–18 in the Senate. The Supreme Court upheld the law unanimously on January 17, 2025, treating it as content-neutral and finding that it satisfied intermediate scrutiny in light of the government's interest in keeping a foreign adversary from collecting Americans' data. While commonly called the "TikTok ban," PAFACA authorizes the President to designate any website or application controlled by a foreign adversary as a covered entity, extending its reach beyond any single app. Potential targets include WeChat and other Chinese-origin applications.
In practice, enforcement has been repeatedly deferred. TikTok was under a de jure ban from January 19, 2025, through January 22, 2026, but the ban was never enforced. President Trump issued a series of executive orders delaying enforcement, on January 20, April 4, June 19, and September 16, 2025, while pursuing a divestiture deal. In January 2026, TikTok announced the establishment of TikTok USDS Joint Venture LLC as part of a deal to divest from ByteDance.
Executive Order 14117, signed by President Biden on February 28, 2024, took a different approach by targeting the data broker pipeline directly. It authorized the Attorney General to restrict the transfer or sale of bulk sensitive personal data to countries of concern. The DOJ's implementing rule took effect on April 8, 2025, with full enforcement beginning July 8, 2025.
The categories of data covered by the DOJ rule include geolocation, genomic data, biometric data, personal health data, financial data, and personal identifiers, reflecting the breadth of information that foreign actors could use for intelligence purposes.
The Legislative Gap
Despite these executive actions, the United States still lacks comprehensive federal privacy legislation.
The American Data Privacy and Protection Act (ADPPA), introduced in the 117th Congress as H.R. 8152, would have established data minimization requirements mandating that companies collect only data "necessary, proportionate, and limited to" their stated purpose. It would have created a "duty of loyalty" requiring transparency about data use and third-party sharing. The bill advanced further than any previous federal privacy proposal but ultimately stalled.
The American Privacy Rights Act (APRA) in 2024 similarly failed to reach a floor vote. As of early 2026, no comparable comprehensive bill has been introduced in the current Congress. Senate Commerce Committee Chair Ted Cruz (R-TX) and House Energy and Commerce Committee Chair Brett Guthrie (R-KY) have listed data privacy as a priority but have signaled a preference for narrower legislation, departing from broad data minimization mandates and trimming provisions related to AI and civil rights.
What does not currently exist in any proposed legislation:
- SDK disclosure registries that would require apps to publicly list all third-party code libraries and their countries of origin
- Mandatory third-party audits of data flows for apps exceeding a user threshold
- Real-time monitoring of cross-border data transfers
The PAFACA framework addresses app-level bans but does not reach the SDK layer — meaning Russian or Chinese code can continue operating inside American-developed apps without triggering any review. The Pushwoosh case demonstrated this gap years ago; it remains open.
What Effective Regulation Would Require
Addressing the full scope of the problem the FBI identified would require action on at least three fronts.
First, SDK transparency. App stores could require developers to disclose the origin and data practices of every SDK embedded in their applications. Apple took a step in this direction by requiring privacy manifests and signatures for a list of commonly used third-party SDKs, but what a manifest declares is self-reported by the SDK vendor and enforcement is limited.
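What that self-reported disclosure gives a reviewer, for the embedded-SDK problem described earlier as much as for Apple's regime here, is shown by this added example (not Apple's tooling and not from the page's sources). It audits a privacy manifest, the PrivacyInfo.xcprivacy file Apple requires for listed third-party SDKs, flags sensitive data types and internal contradictions, and then compares the declared tracking domains with the hosts a host app was observed contacting. Both manifests, the SDK names and the observed hostnames are constructed; the key names are Apple's documented privacy-manifest keys; the rule that a declared domain also covers its subdomains is an assumption of this checker.

```python
"""Added example (not Apple's tooling and not from the page's sources): audit
what an SDK's privacy manifest (PrivacyInfo.xcprivacy) declares, then compare
the declared tracking domains with hosts actually observed on the wire.
The manifests and the observed hosts are constructed; the key names are the
ones Apple documents for privacy manifests."""
import plistlib

# Constructed manifest for a hypothetical push/analytics SDK.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSPrivacyTracking</key><true/>
  <key>NSPrivacyTrackingDomains</key>
  <array><string>telemetry.example-sdk.invalid</string></array>
  <key>NSPrivacyCollectedDataTypes</key>
  <array>
    <dict>
      <key>NSPrivacyCollectedDataType</key><string>NSPrivacyCollectedDataTypeContacts</string>
      <key>NSPrivacyCollectedDataTypeLinked</key><true/>
      <key>NSPrivacyCollectedDataTypeTracking</key><false/>
      <key>NSPrivacyCollectedDataTypePurposes</key>
      <array><string>NSPrivacyCollectedDataTypePurposeAppFunctionality</string></array>
    </dict>
    <dict>
      <key>NSPrivacyCollectedDataType</key><string>NSPrivacyCollectedDataTypePreciseLocation</string>
      <key>NSPrivacyCollectedDataTypeLinked</key><true/>
      <key>NSPrivacyCollectedDataTypeTracking</key><true/>
      <key>NSPrivacyCollectedDataTypePurposes</key>
      <array><string>NSPrivacyCollectedDataTypePurposeThirdPartyAdvertising</string></array>
    </dict>
  </array>
</dict></plist>"""

# A second constructed manifest whose declarations contradict each other.
INCONSISTENT_MANIFEST = plistlib.dumps({
    "NSPrivacyTracking": False,
    "NSPrivacyCollectedDataTypes": [{
        "NSPrivacyCollectedDataType": "NSPrivacyCollectedDataTypeDeviceID",
        "NSPrivacyCollectedDataTypeLinked": True,
        "NSPrivacyCollectedDataTypeTracking": True,
        "NSPrivacyCollectedDataTypePurposes": ["NSPrivacyCollectedDataTypePurposeAnalytics"],
    }],
})

SENSITIVE_TYPES = {
    "NSPrivacyCollectedDataTypeContacts", "NSPrivacyCollectedDataTypePreciseLocation",
    "NSPrivacyCollectedDataTypeCoarseLocation", "NSPrivacyCollectedDataTypeDeviceID",
    "NSPrivacyCollectedDataTypePhoneNumber", "NSPrivacyCollectedDataTypeEmailAddress",
}


def audit_privacy_manifest(manifest_bytes):
    """Summarize what the manifest claims and flag internal contradictions."""
    m = plistlib.loads(manifest_bytes)
    tracking = bool(m.get("NSPrivacyTracking", False))
    domains = list(m.get("NSPrivacyTrackingDomains", []))
    sensitive, inconsistencies = [], []
    for entry in m.get("NSPrivacyCollectedDataTypes", []):
        dtype = entry.get("NSPrivacyCollectedDataType", "")
        used_for_tracking = bool(entry.get("NSPrivacyCollectedDataTypeTracking", False))
        if dtype in SENSITIVE_TYPES:
            sensitive.append({"type": dtype,
                              "linked": bool(entry.get("NSPrivacyCollectedDataTypeLinked", False)),
                              "tracking": used_for_tracking,
                              "purposes": list(entry.get("NSPrivacyCollectedDataTypePurposes", []))})
        if used_for_tracking and not tracking:
            inconsistencies.append(f"{dtype} marked as used for tracking but NSPrivacyTracking is false")
    if tracking and not domains:
        inconsistencies.append("NSPrivacyTracking is true but no NSPrivacyTrackingDomains listed")
    return {"tracking": tracking, "tracking_domains": domains,
            "sensitive": sensitive, "inconsistencies": inconsistencies}


def undeclared_egress(manifest_bytes, observed_hosts):
    """Hosts seen in a traffic capture that no declared tracking domain covers.
    Assumes a declared domain also covers its subdomains."""
    declared = plistlib.loads(manifest_bytes).get("NSPrivacyTrackingDomains", [])

    def covered(host):
        return any(host == d or host.endswith("." + d) for d in declared)
    return sorted(h for h in set(observed_hosts) if not covered(h))


if __name__ == "__main__":
    print(audit_privacy_manifest(SAMPLE_MANIFEST))
    print(audit_privacy_manifest(INCONSISTENT_MANIFEST)["inconsistencies"])
    # Constructed hostnames as they might appear in a proxy log for the host app.
    print(undeclared_egress(SAMPLE_MANIFEST, ["telemetry.example-sdk.invalid",
                                              "eu.telemetry.example-sdk.invalid",
                                              "collector.other-sdk.invalid"]))
```

The manifest audit can only catch what the vendor wrote down, including declarations that contradict each other; the egress comparison is where self-reporting breaks down, because a host such as collector.other-sdk.invalid that shows up in a proxy log but in no manifest is exactly the undisclosed data flow the warning is about.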
Second, data minimization with teeth. The failed ADPPA's approach — restricting collection to what is necessary and proportionate — would reduce the volume of data available for harvesting, whether by foreign apps, domestic brokers, or embedded SDKs. Without collection limits, downstream restrictions on data transfer are perpetually playing catch-up against an ever-growing pool of available information.
Third, closing the broker pipeline. Executive Order 14117 targets bulk data sales to countries of concern, but enforcement depends on identifying covered transactions — difficult in an industry built on opacity and intermediary chains. The data broker ecosystem that sells military personnel data for pennies per record operates in the same market that the FBI warning implicitly relies on continuing to exist for domestic purposes.
The gap between the FBI's warning and the regulatory infrastructure available to act on it reflects a broader tension in U.S. data policy: the government has identified foreign data collection as a national security threat while maintaining a domestic data economy that generates the very vulnerabilities foreign actors exploit. Until that contradiction is addressed through legislation — not just executive orders with uncertain durability — the warning amounts to telling Americans to lock their front door while the back of the house has no walls.
Sources (20)
- [1] FBI warns some foreign apps could collect Americans' data — even if you never download them (foxnews.com)
  FBI Public Service Announcement of March 31, 2026, warning that foreign-developed apps, especially those from China, can collect data on non-users through contact list access.
- [2] Shadow Profiles Explained: How to Find and Stop Hidden Data Tracking (untraceabledigitaldissident.com)
  Shadow profiles are hidden identity graphs built from data you never directly shared, including contact uploads, recovery emails, app SDKs, data brokers, and behavioral tracking across devices.
- [3] Your Signal, Their Data: An Empirical Privacy Analysis of Wireless-scanning SDKs in Android (arxiv.org)
  Finds that 86% of apps integrating wireless-scanning SDKs collect at least one sensitive data type, with evidence of ID bridging across SDK ecosystems.
- [4] Top Five Largest Data Brokers In America: The Hidden Impact On Privacy And Security (onerep.com)
  The U.S. data broker industry is a $200 billion industry; Acxiom offers data across 62 countries and 2.5 billion consumers.
- [5] FTC Cracks Down on Mass Data Collectors: A Closer Look at Avast, X-Mode, and InMarket (ftc.gov)
  FTC enforcement actions against X-Mode and InMarket for unfairly collecting location data through SDKs; X-Mode ingested over 10 billion location data points, InMarket collected from 100 million devices annually.
- [6] FBI warns against using Chinese mobile apps due to privacy risks (bleepingcomputer.com)
  FBI alert naming TikTok, Shein, and Temu as widely recognized examples of Chinese-developed apps subject to China's national security laws.
- [7] National Intelligence Law of the People's Republic of China (en.wikipedia.org)
  Article 7 requires any organization or citizen to support, assist and cooperate with state intelligence work; the obligations follow Chinese nationals wherever they work.
- [8] National Security Division | Data Security (justice.gov)
  DOJ Data Security Program implementing Executive Order 14117, final rule effective April 8, 2025; covers data transactions with China, Cuba, Iran, North Korea, Russia, and Venezuela.
- [9] U.S. Govt. Apps Bundled Russian Code With Ties to Mobile Malware Developer (krebsonsecurity.com)
  Pushwoosh, a Russian SDK vendor presented as American, was embedded in nearly 8,000 apps including ones used by the U.S. Army and CDC.
- [10] The Data Big Tech Companies Have On You (security.org)
  Google collects the most data among major tech companies, including location history, search queries, browsing data, and app usage.
- [11] Google agrees to $392 million settlement with 40 states over location tracking practices (cnn.com)
  Google paid $391.5 million in 2022 to settle claims from 40 state attorneys general, the largest multi-state privacy settlement at the time.
- [12] FTC Order Will Ban Avast from Selling Browsing Data, Require $16.5 Million Payment (ftc.gov)
  FTC ordered Avast to pay $16.5 million in February 2024 for collecting and selling users' browsing data while marketing itself as a privacy tool.
- [13] Data Brokers, Military Personnel, and National Security Risks (lawfaremedia.org)
  How foreign actors could use brokered data to profile, blackmail, and coerce military personnel.
- [14] Data Brokers and the Sale of Data on U.S. Military Personnel (techpolicy.sanford.duke.edu)
  Duke University study finding service member data, including health, financial, and religious data, available for 12 cents per record with no background checks.
- [15] Efforts to ban TikTok in the United States (en.wikipedia.org)
  PAFACA passed 352–65 in the House and 79–18 in the Senate; the Supreme Court upheld it unanimously; the TikTok ban was repeatedly deferred by executive orders throughout 2025.
- [16] PAFACAA: 'TikTok Ban' or New Milestone in US Economic Security Law? (celis.institute)
  PAFACA authorizes the President to designate any website or app controlled by a foreign adversary, reaching beyond TikTok to WeChat and other applications.
- [17] Executive Order 14117: Preventing Access to Americans' Bulk Sensitive Personal Data (federalregister.gov)
  Biden executive order authorizing restrictions on transfers of bulk sensitive personal data to countries of concern, covering geolocation, genomic, biometric, health, and financial data.
- [18] H.R.8152 - American Data Privacy and Protection Act (congress.gov)
  ADPPA would have required data minimization to what is necessary, proportionate, and limited to stated purposes, with a duty of loyalty for covered entities.
- [19] What's In Store for Data Privacy in 2025? (thenai.org)
  Congressional leadership has listed data privacy as a priority but signaled a preference for narrower legislation, departing from broad data minimization mandates.
- [20] Third-party SDK requirements - Apple Developer (developer.apple.com)
  Apple's privacy manifest and signature requirements for third-party SDKs, a step toward SDK transparency, though declarations are self-reported.