Everyone knows your lo­ca­tion: track­ing my­self down through in-app ads

Recently I read about a mas­sive ge­olo­ca­tion data leak from Gravy Analytics, which ex­posed more than 2000 apps, both in AppStore and Google Play, that se­cretly col­lect ge­olo­ca­tion data with­out user con­sent. Oftentimes, even with­out de­vel­op­ers` knowl­edge. I looked into the list (link here) and found at least 3 apps I have in­stalled on my iPhone. Take a look for your­self!

This made me come up with an idea to track my­self down ex­ter­nally, e.g. to buy my ge­olo­ca­tion data leaked by some ap­pli­ca­tion. After more than cou­ple dozen hours of try­ing, here are the main take­aways: I found a cou­ple re­quests sent by my phone with my lo­ca­tion + 5 re­quests that leak my IP ad­dress, which can be turned into ge­olo­ca­tion us­ing re­verse DNS. Learned a lot about the RTB (real-time bid­ding) auc­tions and OpenRTB pro­to­col and was shocked by the amount and types of data sent with the bids to ad ex­changes. Gave up on the idea to buy my lo­ca­tion data from a data bro­ker or a track­ing ser­vice, be­cause I don’t have a big enough com­pany to take a trial or $10-50k to buy a huge data­base with the data of mil­lions of peo­ple + me.

Well maybe I do, but such ex­pense seems a bit ir­ra­tional.

Turns out that EU-based peo­ples` data is al­most the most ex­pen­sive. But still, I know my lo­ca­tion data was col­lected and I know where to buy it! My setup for this re­search in­cluded:My old iPhone 11 re­stored to fac­tory de­faults + new ap­ple id.

Felt too un­com­fort­able to do all this on my cur­rent phone. Charles Proxy to record all traf­fic com­ing in and out.

I set up the SSL cer­tifi­cate on the iPhone to de­crypt all https traf­fic. A sim­ple game called Stack by KetchApp - I re­mem­ber play­ing it at school 10-12 years ago. Choosing it as a lab rat felt nos­tal­gic.

To my sur­prise, there were a lot of KetchApp games on the list. Ok, here we go: only 1 app in­stalled with­out the de­fault Apple ones, Charles on, launch­ing Stack in 3, 2, 1…. These are the re­quests that the app sends in the first minute af­ter launch.

Take a look at the tim­ing of the re­quests - al­most every split sec­ond. Let’s take a look at the con­tents of the re­quests.

I ac­tu­ally checked every sin­gle one of them - but I’ll leave out only the in­ter­est­ing ones here. Let’s start with the juici­est re­quest sent to https://​o.isx.uni­ty3d.com - the first one that in­cluded my geo, while I dis­abled Location Services on iPhone for all apps!

If you are as naive as I was be­fore this, you might be sur­prised - what does Unity, the 3D en­gine, have to do with the in-app ad­ver­tise­ment or lo­ca­tion track­ing?

Perhaps that’s just some mon­i­tor­ing data to help im­prove the en­gine? Turns out that Unity’s main rev­enue stream (they made $2 bln+ in 2023) is Unity Ads - “Mobile Game Ad Network”. Sounds quite in­ter­est­ing.Be­low is the re­quest body in json for­mat sent to Unity Ads. I will only leave the fields worth men­tion­ing - the ac­tual size is 200+ keys. {

“ts”: “2025-01-18T23:27:39Z”, // Timestamp

“c”: “ES”, // Country code,

“d”: “sports.bwin.es”, // Domain; the app or web­site where the ad will be dis­played.

“bn”: “molocoads-eu-banner”, // WTF is moloco ads? We’ll see!

“cip”: “181.41.[redacted]”, // my IP !!

“dm”: “iPhone12,1″,

“ct”: “2″, // Connection type; e.g., Wi-Fi

“car”: “Yoigo”, // mo­bile net­work op­er­a­tor

“ifv”: “6B00D8E5-E37B-4EA0-BB58-[redacted]”, // ID for Vendor. We’ll get back to it!

“lon”: “2.[redacted]”, // Longitude …

“lat”: “41.[redacted]”, // Latitude …

“sip”: “34.227.224.225″, // Server IP (Amazon AWS in US)

“uc”: “1″, // User con­sent for track­ing = True; OK what ?!

}Ok, so my IP + lo­ca­tion + time­stamp + some ifv id are shared with Unity → Moloco Ads → Bwin, and then I see the ac­tual Bwin ad in the game.

Wonderful! As a quick note - lo­ca­tion shared was not very pre­cise (but still in the same postal in­dex), I guess due to the fact that iPhone was con­nected to WiFi and had no SIM in­stalled.

If it was LTE, I bet the lat/​lon would be much more pre­cise. Hello Facebook… What are you do­ing here?Next in­ter­est­ing re­quest that leaks my IP + time­stamp (= geo-dat­a­point) is Facebook.

What?!I don’t have any Meta [Facebook] app in­stalled on this iPhoneI did­n’t link the app nor my Apple ID to any Facebook ac­countI did­n’t con­sent to Facebook get­ting my IP ad­dress!And yet here we are:{

“bundles”: {

“bidder_token_info”: {

“data”: {

“bt_extras”: {

“ip”:“181.41.[redacted], // nice Extras, bro

“ts”:1737244649

“fingerprint”: null

“a lot of data: yes a loooooooot”

}We’ll talk more about this one in the next sec­tion. Why do you need my screen bright­ness level? Last re­quest I found in­ter­est­ing was sent to… Unity again:

https://​con­figv2.unityads.uni­ty3d.com.

Let’s see what’s in that con­fig Unity needs so much: {

“osVersion”:“16.7.1″,

“connectionType”:“wifi”,

“eventTimeStamp”:1737244651,

“vendorIdentifier”:“6B00D8E5-E37B-[redacted]”, // ifv once again

“wiredHeadset”:false, // ex­cuse me?

“volume”:0.5,

“cpuCount”:6,

“systemBootTime”:1737215978,

“batteryStatus”:3,

“screenBrightness”:0.34999999403953552,

“freeMemory”:507888,

“totalMemory”:3550640, // is this RAM?

“timeZone”:“+0100″,

“deviceFreeSpace”:112945148

“networkOperator”:“6553565535″

“advertisingTrackingId”:“00000000-0000….”, // in­ter­est­ing …

}There’s no “personal in­for­ma­tion” here, but hon­estly this amount of data shared with an ar­bi­trary list of 3rd par­ties is scary.

Why do they need to know my screen bright­ness, mem­ory amount, cur­rent vol­ume and if I’m wear­ing head­phones? I know the “right” an­swer - to help com­pa­nies tar­get their au­di­ence bet­ter!

For ex­am­ple, if you’re pro­mot­ing a mo­bile app that is 1 GB of size, and the user only has 500 MB of space left - don’t show him the ad, right?But I also heard lots of con­tro­ver­sies on this topic.

Like Uber dy­nam­i­cally ad­just­ing taxi price based on your bat­tery level - be­cause you’re not wait­ing for a cheaper op­tion with 4% left while stand­ing in the street. I can’t know if that or an­other one is true.

But the fact that this data is avail­able and ac­ces­si­ble by ad­ver­tis­ers sug­gests that they should at least think of us­ing it.

I would. Ok, enough with the re­quests.

We can al­ready see the ex­am­ples of dif­fer­ent ip and ge­olo­ca­tion leaks.

One more “provider” that also got my IP + time­stamp was ad­just.com - but the re­quest body was too bor­ing to in­clude. You might’ve al­ready no­ticed ifv and ad­ver­tis­ing­TrackingId == IDFA in the re­quests above - what are those? IFV, or IDFV, is “ID for Vendor”.

This is my id unique for each ven­dor, a.k.a de­vel­oper - in this case, KetchApp.

This checks out: I in­stalled an­other KetchApp game to quickly record the re­quests, and the ifv value was the same for it. Advertising Tracking ID, on the other hand, is the cross-ven­dor value, the one that is shared with an app if you choose “Allow app to track your ac­tiv­ity across …”.

As you can see above, it was ac­tu­ally set to 000000-0000… be­cause I “Asked app not to track”. I checked this by man­u­ally dis­abling and en­abling track­ing op­tion for the Stack app and com­par­ing re­quests in both cases. And that’s the only dif­fer­ence be­tween al­low­ing and dis­al­low­ing track­ing

I un­der­stand there might be noth­ing shock­ing to you in it - this is not re­ally kept se­cret, you can go and check the docs for Apple de­vel­op­ers, for ex­am­ple. But I be­lieve this is not com­mu­ni­cated cor­rectly to the end users, you and me, in any ad­e­quate way, shape or form: the free apps you in­stall and use col­lect your pre­cise lo­ca­tion with time­stamp and send it to some 3rd-party com­pa­nies. The only thing that stops any­one with ac­cess to bid data (yet an­other ad buy­ing agent, or ad ex­change, or a dataset bought or rented from data bro­ker, as you’ll see later) from track­ing you down with all trips you make daily is this IDFA that is not shared when you dis­al­low apps to “track you across apps” to “enhance and per­son­alise your ads ex­pe­ri­ence”. By the way: if you’re us­ing 10 apps from the same ven­dor (Playrix, KetchApp or an­other 1000-app com­pany) and al­low a sin­gle app to track you — it would mean that the data col­lected in all 10 apps will be en­riched with your IDFA which can later be ex­changed to your per­sonal data. At the same time, there is so much data in the re­quests that I’d ex­pect ad ex­changes to find some loop­hole ID that would al­low cross-app track­ing with­out the need for IDFA.

I found at least 20 ids like tid and sid, de­vice_id and uid (these 2 are shared with Facebook), and so on. By the way, the fact that Facebook col­lected my IP + time­stamp with­out any ad­e­quate con­sent / app con­nec­tion from my end is crazy.

I think Facebook is more than ca­pa­ble of con­nect­ing the dots and my Meta Account to this hit as soon as I lo­gin to Instagram or Facebook app on the same IP ad­dress. How does the data flow?Let’s get back to the re­quest that leaked my lo­ca­tion for a sec­ond and look at its trace. We’ll fo­cus on the par­ties in the mid­dle:Unity [ads] is an SSP (supply-side plat­form) that acts as a col­lec­tor of data from the app via SDK.

As an app de­vel­oper, you don’t need to worry about gath­er­ing the right data, reg­is­ter­ing as a pub­lisher on an ad ex­change or what­ever - just in­stall the SDK and re­ceive the money. All right, what about Molocoads? Moloco ads is a DSP net­work that re­sells data from mul­ti­ple SSPs (like Unity, Applovin, Chartboost). Basically, from al­most every one of the re­quested hosts I’ve seen pop up in Charles Proxy.

It then ap­plies some “smart op­ti­mi­sa­tion” and con­nects a va­cant ban­ner space on your phone screen with the ad­ver­tiser.Sounds like moloco ag­gre­gates a lot of data and ba­si­cally any­one (to be clear - any com­pany that be­comes an ad part­ner) can ac­cess the data by bid­ding lower than oth­ers.

Or imag­ine a real ad ex­change that bids nor­mally and col­lects all of the data along the way “as a side gig”.

Basically, this is how in­tel­li­gence com­pa­nies and data bro­kers get their data. At this point I was look­ing for any men­tions of Moloco on Telegram and Reddit, and I ran into this post that an­swered a lot of my ques­tions:Es­pe­cially, this com­ment. To quote a part of it:They ac­cess it if they in­te­grate with the provider of bid­stream, which would be the SSP. It’s on the SSP to ver­ify the ven­dor to whom they give ac­cess to bids. Usually, the re­quire­ment would be that you ac­tu­ally… bid.

SSPs want you to spend money, that’s how their busi­ness makes rev­enue. They might open up only part of the traf­fic to spe­cific ven­dors (i.e.. if you don’t bid world­wide, you won’t get the bid­stream world­wide, only in the re­gions in which you op­er­ate).Let’s move fur­ther. When I found out how the data gets out, I started look­ing for any place where it’s be­ing sold. It was a quick search.I found a data mar­ket­place called Datarade which is a panel with all sorts of data. When I searched for MAID-specific data, hun­dreds of op­tions showed up, like these two: The price of the Redmob dataset sur­prised me, - $120k a year… for what?

Let’s now take a look at their promo:Check out the list of fea­tures on the right - do any of them look fa­mil­iar?

Quick note: “low la­tency” means they know your lo­ca­tion from the last time any of the apps shared it. It can be as lit­tle as 5 sec­onds ago.

What’s even bet­ter is that Redmob pro­vides a free sam­ple of the data. I tried to re­quest it from their web­site, but the sam­ple never landed in my mail­box (surprise-surprise, timsh.org does­n’t seem like a cus­tomer with high po­ten­tial).

Thankfully, this sam­ple is pub­lic on Databricks Marketplace with this an­no­ta­tion:En­hance your prod­ucts and ser­vices us­ing our global lo­ca­tion data cov­er­ing over 1.5 bil­lion de­vices. Using our ex­ten­sive lo­ca­tion dataset, you can un­earth con­cealed pat­terns, con­duct rapid analy­ses, and ob­tain pro­found knowl­edge.

We can also pro­vide re­gion-spe­cific data (MENA, Africa, APAC, etc.) based on your spe­cific re­quire­ments. Our pric­ing model in­cludes an an­nual li­cens­ing op­tion, and we pro­vide free sam­ple data so that you can eval­u­ate the qual­ity of our dataset for your­self. Some sam­ple data for bet­ter un­der­stand­ingTo me, the most ab­surd part is the app col­umn - the source of the data can’t be more ob­vi­ous. I’m also quite in­ter­ested in the yod col­umn - if it’s the birthyear, where did they get it from? Never mind, who cares about your birthyear.All right, imag­ine I bought the ac­cess to a huge stream of Redmob data.

But my goal is to track and stalk peo­ple like my­self or any­one else, so I need some way to ex­change MAIDs (=ifa) for the ac­tual per­sonal info: name, ad­dress, phone num­ber… No prob­lem! This kind of dataset is sur­pris­ingly also pre­sent on Datarade.

Take a look at a sam­ple table with MAID <> PII type that is pro­vided by “AGR Marketing Solutions”:Inside - all per­sonal info (full name, email, phone num­ber, phys­i­cal ad­dress, prop­erty own­er­ship… and IDFAs. Congrats, you have just reached the bot­tom of this rab­bit hole.

Let’s wrap it up and make a cou­ple of bold state­ments.How to track your­self down?Use some free apps for a bit.

Move around and com­mute - this makes the geo data more valu­able. “Allow” or “ask not to track” - a combo of IP + lo­ca­tion + User-agent + ge­olo­ca­tion will still be leaked to hun­dreds of “3rd par­ties” re­gard­less of your choice.Wait for a few sec­onds un­til fake DSPs and data bro­kers re­ceive your data.Ex­change your full name or phone num­ber for an IDFA (if pre­sent), IP ad­dress and user-agent through the MAID <> PII data pur­chased some­where.Now, ac­cess the “Mobility data” con­sist­ing of ge­olo­ca­tion his­tory, and fil­ter it us­ing the val­ues from the pre­vi­ous step. I cre­ated a flow­chart that in­cludes al­most all ac­tors and data men­tioned above - now you can see how it’s all con­nected. This is the worst thing about these data trades that hap­pen con­stantly around the world - each small part of it is (or seems) le­git. It’s the big­ger pic­ture that makes them look ugly. Thanks for read­ing this story un­til the end!

My re­search was heav­ily in­flu­enced by these posts and in­ves­ti­ga­tions: Not long ago, the abil­ity to re­motely track some­one’s daily move­ments just by know­ing their home ad­dress, em­ployer, or place of wor­ship was con­sid­ered a pow­er­ful sur­veil­lance tool that should only be in the purview of na­tion states. But a…Candy Crush, Tinder, MyFitnessPal: See the Thousands of Apps Hijacked to Spy on Your LocationA hack of lo­ca­tion data com­pany Gravy Analytics has re­vealed which apps are—know­ingly or not—be­ing used to col­lect your in­for­ma­tion be­hind the scenes.

How 1 youtube video turned out to be a part of a mil­lion dol­lar scam scheme

I made a Chrome ex­ten­sion to help avoid play­ing cheaters in chess

If you google “chrome ex­ten­sion for cheat­ing in chess”, you’ll find a lot of them. Cheating is so easy, it’s crazy. If you google “chrome…

How I cre­ated an Ethereum Proof-of-Stake demo en­tirely with AI

Coristine, as WIRED pre­vi­ously re­ported, ap­pears to have re­cently grad­u­ated from high school and to have been en­rolled at Northeastern University. According to a copy of his ré­sumé ob­tained by WIRED, he spent three months at Neuralink, Musk’s brain-com­puter in­ter­face com­pany, last sum­mer.

Both Bobba and Coristine are listed in in­ter­nal OPM records re­viewed by WIRED as “experts” at OPM, re­port­ing di­rectly to Amanda Scales, its new chief of staff. Scales pre­vi­ously worked on tal­ent for xAI, Musk’s ar­ti­fi­cial in­tel­li­gence com­pany, and as part of Uber’s tal­ent ac­qui­si­tion team, per LinkedIn. Employees at GSA tell WIRED that Coristine has ap­peared on calls where work­ers were made to go over code they had writ­ten and jus­tify their jobs. WIRED pre­vi­ously re­ported that Coristine was added to a call with GSA staff mem­bers us­ing a non­govern­ment Gmail ad­dress. Employees were not given an ex­pla­na­tion as to who he was or why he was on the calls.

Farritor, who per sources has a work­ing GSA email ad­dress, is a for­mer in­tern at SpaceX, Musk’s space com­pany, and cur­rently a Thiel Fellow af­ter, ac­cord­ing to his LinkedIn, drop­ping out of the University of Nebraska—Lincoln. While in school, he was part of an award-win­ning team that de­ci­phered por­tions of an an­cient Greek scroll.

Kliger, whose LinkedIn lists him as a spe­cial ad­viser to the di­rec­tor of OPM and who is listed in in­ter­nal records re­viewed by WIRED as a spe­cial ad­viser to the di­rec­tor for in­for­ma­tion tech­nol­ogy, at­tended UC Berkeley un­til 2020; most re­cently, ac­cord­ing to his LinkedIn, he worked for the AI com­pany Databricks. His Substack in­cludes a post ti­tled “The Curious Case of Matt Gaetz: How the Deep State Destroys Its Enemies,” as well as an­other ti­tled “Pete Hegseth as Secretary of Defense: The Warrior Washington Fears.”

Killian, also known as Cole Killian, has a work­ing email as­so­ci­ated with DOGE, where he is cur­rently listed as a vol­un­teer, ac­cord­ing to in­ter­nal records re­viewed by WIRED. According to a copy of his now-deleted ré­sumé ob­tained by WIRED, he at­tended McGill University through at least 2021 and grad­u­ated high school in 2019. An archived copy of his now-deleted per­sonal web­site in­di­cates that he worked as an en­gi­neer at Jump Trading, which spe­cial­izes in al­go­rith­mic and high-fre­quency fi­nan­cial trades.

Shaotran told Business Insider in September that he was a se­nior at Harvard study­ing com­puter sci­ence and also the founder of an OpenAI-backed startup, Energize AI. Shaotran was the run­ner-up in a hackathon held by xAI, Musk’s AI com­pany. In the Business Insider ar­ti­cle, Shaotran says he re­ceived a $100,000 grant from OpenAI to build his sched­ul­ing as­sis­tant, Spark.

Are you a cur­rent or for­mer em­ployee with the Office of Personnel Management or an­other gov­ern­ment agency im­pacted by Elon Musk? We’d like to hear from you. Using a non­work phone or com­puter, con­tact Vittoria Elliott at vit­to­ri­a_el­liott@wired.com or se­curely at vel­liot­t88.18 on Signal.

“To the ex­tent these in­di­vid­u­als are ex­er­cis­ing what would oth­er­wise be rel­a­tively sig­nif­i­cant man­age­r­ial con­trol over two very large agen­cies that deal with very com­plex top­ics,” says Nick Bednar, a pro­fes­sor at University of Minnesota’s school of law, “it is very un­likely they have the ex­per­tise to un­der­stand ei­ther the law or the ad­min­is­tra­tive needs that sur­round these agen­cies.”

Sources tell WIRED that Bobba, Coristine, Farritor, and Shaotran all cur­rently have work­ing GSA emails and A-suite level clear­ance at the GSA, which means that they work out of the agen­cy’s top floor and have ac­cess to all phys­i­cal spaces and IT sys­tems, ac­cord­ing a source with knowl­edge of the GSA’s clear­ance pro­to­cols. The source, who spoke to WIRED on the con­di­tion of anonymity be­cause they fear re­tal­i­a­tion, says they worry that the new teams could by­pass the reg­u­lar se­cu­rity clear­ance pro­to­cols to ac­cess the agen­cy’s sen­si­tive com­part­mented in­for­ma­tion fa­cil­ity, as the Trump ad­min­is­tra­tion has al­ready granted tem­po­rary se­cu­rity clear­ances to un­vet­ted peo­ple.

This is in ad­di­tion to Coristine and Bobba be­ing listed as “experts” work­ing at OPM. Bednar says that while staff can be loaned out be­tween agen­cies for spe­cial pro­jects or to work on is­sues that might cross agency lines, it’s not ex­actly com­mon prac­tice.

“This is con­sis­tent with the pat­tern of a lot of tech ex­ec­u­tives who have taken cer­tain roles of the ad­min­is­tra­tion,” says Bednar. “This raises con­cerns about reg­u­la­tory cap­ture and whether these in­di­vid­u­als may have pref­er­ences that don’t serve the American pub­lic or the fed­eral gov­ern­ment.”

Some of the most ba­sic us­ages of Temporal in­clude get­ting cur­rent dates and times as an ISO string, but we can see from the ex­am­ple be­low, that we can now pro­vide time zones with many meth­ods, which takes care of com­plex cal­cu­la­tions you may be do­ing your­self:

Working with dif­fer­ent cal­en­dars is also sim­pli­fied, as it’s pos­si­ble to cre­ate dates in cal­en­dar sys­tems other than Gregorian, such as Hebrew, Chinese, and Islamic, for ex­am­ple. The code be­low helps you find out when the next Chinese New Year is (which is quite soon!):

Working with Unix time­stamps is a very com­mon use case as many sys­tems (APIs, data­bases) use the for­mat to rep­re­sent times. The fol­low­ing ex­am­ple shows how to take a Unix Epoch time­stamp in mil­lisec­onds, cre­ate an in­stant from it, get the cur­rent time with Temporal. Now, then cal­cu­late how many hours from now un­til the Unix time­stamp:

Currently, toLo­caleString does­n’t out­put a lo­cale-sen­si­tive string in the Firefox im­ple­men­ta­tion, so du­ra­tions above (PT31600H) are re­turned as a non-lo­cale-sen­si­tive du­ra­tion for­mat. This may change as it’s more of a de­sign de­ci­sion rather than a tech­ni­cal lim­i­ta­tion as for­mat­ting the du­ra­tion is pos­si­ble, so the poly­fill and Firefox im­ple­men­ta­tions may even­tu­ally con­verge.

There’s a lot to high­light, but one pat­tern that I thought was in­ter­est­ing in the API is the com­pare() meth­ods, which al­low you to sort du­ra­tions in an el­e­gant and ef­fi­cient way:

Bitcoin was never used by most Salvadorans, its mod­ern city was never built, and now it will cease to be le­gal ten­der in El Salvador, the first coun­try in the world to adopt it in 2021: a com­plete failed eco­nomic bet by President Nayib Bukele. Congress, dom­i­nated by the rul­ing party, ap­proved last Wednesday a con­fus­ing re­form to the Bitcoin Law at the re­quest of Bukele’s gov­ern­ment, which had no other op­tion to re­ceive the $1.4 bil­lion credit agreed in December with the International Monetary Fund (IMF).

The re­form elim­i­nated the word “currency” when re­fer­ring to bit­coin, but says it is “legal ten­der.” Despite the lack of clar­ity, it lifts, as re­quired by the IMF, the oblig­a­tion to ac­cept it in trans­ac­tions or debt pay­ments, a key con­di­tion for it to be “legal ten­der,” ac­cord­ing to eco­nomic an­a­lysts. With the change, “if some­one owes you money and wants to pay you in bit­coin, you can refuse to be paid in bit­coin, but you can­not refuse if it’s le­gal ten­der,” econ­o­mist Carlos Acevedo ex­plained.

The use of bit­coin in El Salvador’s dol­lar­ized econ­omy, ac­cord­ing to the new rule, will be op­tional and will be at the dis­cre­tion of the pri­vate sec­tor to ac­cept cryp­tocur­rency pay­ments for goods and ser­vices. Businesses are no longer re­quired to con­vert dol­lar prices into this cryp­tocur­rency. “Bitcoin no longer has that force of le­gal ten­der. That’s how it should have al­ways re­mained, but the gov­ern­ment wanted to force it and it did­n’t work,” econ­o­mist Rafael Lemus said.

The Bitcoin Law re­form will take ef­fect 90 days af­ter it’s pub­lished in the Official Gazette, which could hap­pen in the com­ing days. For Acevedo, for­mer pres­i­dent of the for­mer Central Bank, “it makes no sense” to have left in the re­formed law that it is “legal ten­der.” “It’s a mon­stros­ity that’s not un­der­stood and that should be cor­rected and made clear that bit­coin is no longer le­gal ten­der,” the econ­o­mist ar­gues.

But even be­ing so, Salvadorans, with the ex­cep­tion of a few, never em­braced Bukele’s ini­tia­tive, who en­joys enor­mous pop­u­lar­ity for his war against gangs, which dropped homi­cides to his­toric lows in El Salvador. A re­cent sur­vey by the Central American University (UCA) re­vealed that 92% of Salvadorans did not use bit­coin in their trans­ac­tions in 2024.

“I used it and did­n’t like it… Very com­pli­cated and risky. This is not for an em­ployee who barely gets by on their salary,” Juana Henríquez, a 55-year-old nurse, said, say­ing she had tried to make some profit and in­stead lost money. Bukele also failed to achieve his pro­ject, which he an­nounced with fire­works, to cre­ate Bitcoin City, a high-tech city that would be the cap­i­tal of bit­coin­ers in the coun­try and would take en­ergy for min­ing from a vol­cano in Conchagua, about 200 km from Salvador.

Berlin, a city 110 km east of San Salvador, and El Zonte beach (southwest) are two ar­eas that con­cen­trate bit­coin­ers, but many are for­eign res­i­dents or tourists.

Bitcoin’s biggest pro­moter in the coun­try, Bukele, has not yet re­ferred to the le­gal re­form. But of­fi­cials en­sure that the gov­ern­ment will con­tinue bet­ting on this cryp­tocur­rency, whose price cur­rently ex­ceeds $100,000. El Salvador’s am­bas­sador to the United States, Milena Mayorga, told jour­nal­ists Thursday, dur­ing a bit­coin event in San Salvador, that the law re­forms should be seen as an adap­ta­tion “to the cir­cum­stances.”

The gov­ern­ment, she as­sured, will con­tinue buy­ing bit­coin and hav­ing re­serves in this cryp­tocur­rency. According to the National Bitcoin Office, El Salvador has 6,050 bit­coins worth $634.8 mil­lion. “President Bukele con­tin­ues buy­ing bit­coin, we have a Bitcoin Office, we have the Bitcoin Law, bit­coin can be used in El Salvador. It has­n’t been an easy road,” Mayorga sum­ma­rized.

For Lemus, be­cause “the gov­ern­ment has its bit­coin re­serve and will buy more” it is nec­es­sary “to have trans­parency, for cit­i­zens to know how pub­lic funds are be­ing in­vested.” Bukele re­cently said he is con­vinced that with Donald Trump — whom he sup­ports — in the White House there will be “an ex­po­nen­tial reval­u­a­tion” of the cryp­tocur­rency. He fre­quently posts price in­creases on his so­cial net­works. For now, he re­mains silent.

I be­lieve we are break­ing news some news here. To help sus­tain in­de­pen­dent jour­nal­ism and analy­sis, please sup­port Inside Medicine. Thanks for read­ing…

[Note, 2/3/25: The Washington Post’s Lena Sun pointed out to me this morn­ing that some as­pects of what I re­ported here had been bro­ken in a story she up­dated on Friday evening. Here’s the link to that.]

The CDC has in­structed its sci­en­tists to re­tract or pause the pub­li­ca­tion of any re­search man­u­script be­ing con­sid­ered by any med­ical or sci­en­tific jour­nal, not merely its own in­ter­nal pe­ri­od­i­cals, Inside Medicine has learned. The move aims to en­sure that no “forbidden terms” ap­pear in the work. The pol­icy in­cludes man­u­scripts that are in the re­vi­sion stages at jour­nal (but not of­fi­cially ac­cepted) and those al­ready ac­cepted for pub­li­ca­tion but not yet live.

In the or­der, CDC re­searchers were in­structed to re­move ref­er­ences to or men­tions of a list of for­bid­den terms: “Gender, trans­gen­der, preg­nant per­son, preg­nant peo­ple, LGBT, trans­sex­ual, non-bi­nary, non­bi­nary, as­signed male at birth, as­signed fe­male at birth, bi­o­log­i­cally male, bi­o­log­i­cally fe­male,” ac­cord­ing to an email sent to CDC em­ploy­ees (see be­low).”

The pol­icy goes be­yond the pre­vi­ously re­ported pause of the CDC’s own pub­li­ca­tions, in­clud­ing Morbidity and Mortality Weekly Report (MMWR), which has seen two is­sues go un­re­leased since January 16, mark­ing the first pub­li­ca­tion gap of any kind in ap­prox­i­mately 60 years. Emerging in­fec­tious Diseases and Preventing Chronic Disease, the CDC’s other ma­jor pub­li­ca­tions, also re­main un­der lock and key, but have not yet been af­fected be­cause they are monthly re­leases and both were re­leased as sched­uled in January, prior to President Trump’s in­au­gu­ra­tion. The pol­icy also goes be­yond the gen­eral com­mu­ni­ca­tions gag or­der that al­ready pre­vents any CDC sci­en­tist from sub­mit­ting any new sci­en­tific find­ings to the pub­lic.

The edict ap­plies to both any pre­vi­ously sub­mit­ted man­u­script un­der con­sid­er­a­tion and those ac­cepted but not yet pub­lished. For ex­am­ple, if CDC sci­en­tists pre­vi­ously sub­mit­ted a man­u­script to The New England Journal of Medicine, The Journal of the American Medical Association, or any other pub­li­ca­tion, the ar­ti­cle must be stopped and re­viewed. (These are hy­po­thet­i­cal, but are ex­am­ples of ma­jor jour­nals where CDC of­fi­cials of­ten pub­lish.)

How many man­u­scripts are af­fected is un­clear, but it could be many. Most man­u­scripts in­clude sim­ple de­mo­graphic in­for­ma­tion about the pop­u­la­tions or pa­tients stud­ied, which typ­i­cally in­cludes gen­der (and which is fre­quently used in­ter­change­ably with sex). That means just about any ma­jor study would fall un­der the cen­sor­ship regime of the new pol­icy, in­clud­ing stud­ies on Covid-19, can­cer, heart dis­ease, or any­thing else, let alone any­thing that the ad­min­is­tra­tion con­sid­ers to be “woke ide­ol­ogy.”

Meanwhile, chaos and fear are al­ready guid­ing de­ci­sions. While the pol­icy is only meant to ap­ply to work that might be seen as con­flict­ing with President Trump’s ex­ec­u­tive or­ders, CDC ex­perts don’t know how to in­ter­pret that. Do pa­pers that de­scribe dis­par­i­ties in health out­comes fall into “woke ide­ol­ogy” or not? Nobody knows, and every­one is scared that they’ll be fired. This is lead­ing to what Germans call “vorauseilender Gehorsam,” or “preemptive obe­di­ence,” as one non-CDC sci­en­tist com­mented.

“I’ve got col­leagues pulling pa­pers over Table 1 con­cerns,” an of­fi­cial told me. (Table 1 refers to ba­sic de­mo­graphic in­for­ma­tion about the study pop­u­la­tions in­cluded in re­search pa­pers, rather than ac­tual re­sults.) Indeed, many stud­ies in­clude de­mo­graphic in­for­ma­tion about sex­ual ori­en­ta­tion. For ex­am­ple, a study de­scrib­ing mpox out­comes would likely in­clude ba­sic sta­tis­tics in ta­bles sum­ma­riz­ing the per­cent­age of pa­tients who were vac­ci­nated and were les­bian, gay, trans­gen­der, or oth­er­wise. This in­for­ma­tion can be highly im­pact­ful dur­ing an out­break, as it helps clin­i­cians de­velop poli­cies on who to vac­ci­nate (given lim­ited doses, as is the case with mpox), and even to whom scarce and lim­ited sup­plies of tests and treat­ments should be of­fered to max­i­mize ben­e­fits.

It is not nec­es­sar­ily the case that re­searchers who have sub­mit­ted ar­ti­cles but who have not yet re­ceived an of­fi­cial de­ci­sion from a jour­nal need to ac­tively re­call them, how­ever. But if a jour­nal sends an ar­ti­cle back for re­vi­sions, the au­thors would at that point have to cleanse the doc­u­ment of any “problematic lan­guage.” Of course, at that point, the gag or­der al­ready in place would halt any re­sub­mis­sion.

What can and can­not go for­ward ap­pears to re­quire ap­proval by a Trump po­lit­i­cal ap­pointee, an ex­plicit re­quire­ment for any pub­lic health com­mu­ni­ca­tions un­der the Trump Administration’s gag or­der. That’s slow­ing many things down. At pre­sent, there is only one po­lit­i­cal ap­pointee in the en­tire CDC, act­ing Director Susan Monarez (plus her per­sonal as­sis­tant, who is not a sci­en­tist). It’s un­clear if some de­ci­sions may be de­volved to lower of­fi­cials. For ex­am­ple, if a pa­per is pulled be­cause it sim­ply men­tions gen­der, it is un­known if any­one other than Monarez pos­sesses the au­thor­ity to ap­prove its re­sub­mis­sion.

“How can one per­son vet all of this?” an­other of­fi­cial asked, “especially one who, [like Monarez], came from an agency of, what, 130 peo­ple?”

And yet, that seems to be the theme of the new ad­min­is­tra­tion: a few priv­i­leged in­di­vid­u­als have been handed enor­mous au­thor­ity, cre­at­ing a back­log of de­ci­sions that may end up be­ing fairly ar­bi­trar­ily de­ter­mined.

We know it’s been a few weeks since our last up­date, and there’s a good rea­son for that. The en­tire com­pany took a break from the usual rou­tine to fly to Barcelona, Spain, for our an­nual re­treat - a chance to reen­er­gize and re­fo­cus for the ex­cit­ing jour­ney ahead.

But don’t worry, it was­n’t all fun and no work. In fact, we’ve got a pretty ex­cit­ing up­date for you to­day. The re­treat gave us fresh in­spi­ra­tion, and we’re ready to bring some of those new ideas to life start­ing right now.

We’re de­lighted to an­nounce the launch of the of­fi­cial Kagi Android app! This marks an im­por­tant mile­stone in our mis­sion to make Kagi Search more ac­ces­si­ble and en­cour­age more peo­ple to try it out.

The app al­lows users to be­gin us­ing Kagi Search im­me­di­ately right from the first launch (no ac­count needed!). For those with ex­ist­ing sub­scrip­tions, sign­ing in is seam­less, en­abling ac­cess to all Kagi fea­tures.

Additionally, the app in­cludes na­tive home­screen wid­gets, pro­vid­ing one-click ac­cess to search di­rectly from your home­screen.

If you use an Android de­vice, go check it out! We’ve sim­pli­fied the process of shar­ing Kagi with your net­work.

Additionally, a re­cent EU rul­ing pre­sents a sig­nif­i­cant op­por­tu­nity for Kagi. Google is now re­quired to in­clude any search en­gine that meets spe­cific cri­te­ria, such as hav­ing an app with over 5,000 in­stalls, in the de­fault list for Android and Chrome — in­stall the app to­day and help us meet the cri­te­ria!

Stay tuned for more ex­cit­ing up­dates com­ing soon!

Snaps are an in­no­v­a­tive search op­er­a­tor that al­lows for site-spe­cific searches di­rectly from the search bar. By sim­ply typ­ing @ fol­lowed by the des­ig­nated site bang, you can limit your search re­sults to a spe­cific web­site. For ex­am­ple, to search on Reddit or HackerNews, you can en­ter:

This fea­ture was made pos­si­ble thanks to the con­tri­bu­tion of our user @tuesday ( ) on Kagifeedback!

This will work with any bang that Kagi sup­port, in­clud­ing cus­tom bangs you de­fine. Kagi Bangs are open source, we wel­come your con­tri­bu­tions!

Universal Summarizer is one of the most-loved Kagi treats. The ex­ten­sion is now avail­able for Chrome - Download it here!

We had to split it out of Kagi Search ex­ten­sion for Chrome due to rules of the Chrome store. Kagi Universal Summarizer is avail­able to Firefox users via Kagi Search for Firefox and is na­tively built into the Orion browser.

It’s been 30 days since we launched the Assistant, and we’re ex­cited to share a range of new up­dates with you.

Upload func­tion­al­ity:

We’re ex­cited to an­nounce that you can now up­load a va­ri­ety of lo­cal files di­rectly to the Assistant! This new fea­ture al­lows you to add mul­ti­ple files in a sin­gle prompt. Here’s a list of sup­ported file types:

Additionally, you can add a URL to have its con­tents sum­marised or to pose ques­tions about it.

Stop but­ton

We’ve in­tro­duced a Stop but­ton that al­lows users to im­me­di­ately halt the Assistant’s stream­ing out­put.

Mobile im­prove­ments

And also made sev­eral en­hance­ments to our mo­bile ex­pe­ri­ence, and there’s even more on the way!

Code forces hu­mans to be pre­cise. That’s good—com­put­ers need pre­ci­sion. But it also forces hu­mans to think like ma­chines.

For decades we tried to fix this by mak­ing pro­gram­ming more hu­man-friendly. Higher-level lan­guages. Visual in­ter­faces. Each step helped, but we were still trans­lat­ing hu­man thoughts into com­puter in­struc­tions.

AI was sup­posed to change every­thing. Finally, plain English could be a pro­gram­ming lan­guage—one every­one al­ready knows. No syn­tax. No rules. Just say what you want.

The first wave of AI cod­ing tools squan­dered this op­por­tu­nity. They make flashy demos but pro­duce garbage soft­ware. People call them “great for pro­to­typ­ing,” which means “don’t use this for any­thing real.”

Many blame the AI mod­els, say­ing we just need them to get smarter. This is wrong. Yes, bet­ter AI will make bet­ter guesses about what you mean. But when you’re build­ing se­ri­ous soft­ware, you don’t want guesses—even smart ones. You want to know ex­actly what you’re build­ing.

Current AI tools pre­tend writ­ing soft­ware is like hav­ing a con­ver­sa­tion. It’s not. It’s like writ­ing laws. You’re us­ing English, but you’re defin­ing terms, es­tab­lish­ing rules, and man­ag­ing com­plex in­ter­ac­tions be­tween every­thing you’ve said.

Try writ­ing a tax code in chat mes­sages. You can’t. Even sim­ple tax codes are too com­plex to keep in your head. That’s why we use doc­u­ments—they let us or­ga­nize com­plex­ity, ref­er­ence spe­cific points, and track changes sys­tem­at­i­cally. Chat re­duces you to mem­ory and hope.

This is the core prob­lem. You can’t build real soft­ware with­out be­ing pre­cise about what you want. Every suc­cess­ful pro­gram­ming tool in his­tory re­flects this truth. AI briefly fooled us into think­ing we could just chat our way to work­ing soft­ware.

We can’t. You don’t pro­gram by chat­ting. You pro­gram by writ­ing doc­u­ments.

When your in­tent is in a doc­u­ment in­stead of scat­tered across a chat log, English be­comes a real pro­gram­ming lan­guage:

* You can see your whole sys­tem at once

* You can clar­ify and im­prove your in­tent

* You can track changes prop­erly

* Teams can work on the sys­tem to­gether

* Requirements be­come their own qual­ity checks

The first com­pany to get this will own the next phase of AI de­vel­op­ment tools. They’ll build tools for real soft­ware in­stead of toys. They’ll make every­thing avail­able to­day look like prim­i­tive ex­per­i­ments.

Please keep in mind that I’m only hu­man and there is a very, very high prob­a­bil­ity that there are er­rors in this guide. Additionally, I might sim­ply not know what I’m talk­ing about when it comes to some­thing! So email cor­rec­tions are highly ap­pre­ci­ated!

PDF:

US Letter, one sided, black and white

US Letter, two sided, black and white

Clone the whole thing from GitHub and fol­low the .

Contact Beej:

If you are tired of Google’s AI-powered search re­sults lead­ing you astray with poor in­for­ma­tion from bad sources, there is some good news. It turns out that if you in­clude any ex­ple­tives in your search query, Google will not re­turn an AI Overview, as they are called, at the top of the re­sults page.

For in­stance, if you search “How large is the stu­dent body of Yale University?” the search re­sults page will re­turn a large AI-generated blurb above the blue links. If you in­stead search, “How large is the fuck­ing stu­dent body at Yale University?” you will in­stead get a stan­dard list of blue link re­sults, sans-AI sum­mary.

This is not the first time in­ter­net sleuths have dis­cov­ered a way to dis­able Google’s AI-powered re­sults. Other meth­ods are more com­pli­cated, how­ever, like adding a spe­cific string of char­ac­ters to the search re­sults page URL. This method of swear­ing and plead­ing at Google to “just give me the fuck­ing links” is much more cathar­tic.

We are go­ing to go out on a limb here and say that if peo­ple are reg­u­larly find­ing tech­niques to dis­able AI sum­maries in Google searches, per­haps that means they do not want them in the first place? Google search re­sults have never been per­fect, of course—there is still a lot of poor in­for­ma­tion across the web. But AI sum­maries pre­sent users with a promi­nent blurb at the top of their search that looks au­thor­i­ta­tive when it just risks com­pound­ing the mis­in­for­ma­tion prob­lem with more er­ro­neous slop.

It is the same way Siri has been made worse by its in­te­gra­tion with ChatGPT. At least in the past, when the voice as­sis­tant did not know how to an­swer a ques­tion it would just throw users to the web. Now Siri of­fers up ChatGPT-generated re­sponses in­stead, some­times spit­ting out in­cor­rect non­sense in­stead of ad­mit­ting it is not sure. But this is all be­ing forced on users whether they like it or not. From Google Docs to X and Instagram, there are AI but­tons and search boxes and drop­downs every­where now, be­cause every tech com­pany needs to have an AI strat­egy. Is a ba­sic key­word search too much to ask?

When Google first in­tro­duced AI Overviews into search, it went vi­ral for re­turn­ing non­sen­si­cal re­sponses, such as sug­gest­ing that one can pre­vent cheese from slid­ing off their piz­zas by us­ing glue or im­prove gut health by eat­ing peb­bles. It is be­lieved Google’s model sourced the in­for­ma­tion from Reddit com­ments. AI does not know how to iden­tify sar­casm or satire.

Ars Technica ear­lier re­ported on the new loop­hole, which, if we are spec­u­lat­ing, is caused by Google’s overly cau­tious steer­ing of its AI model. Whereas a bot like xAI’s Grok is more than happy to swear and dis­cuss sen­si­tive top­ics, Google’s Gemini keeps it PG. Google has likely trained Gemini to avoid re­peat­ing ex­ple­tives, so it sim­ply is dis­abled in search when a curse word is pre­sent in or­der to avoid that.

Google has ar­gued that AI Overviews, as they are called, do not re­duce traf­fic sent to web­sites be­cause users will view sum­maries and be in­ter­ested in delv­ing deeper into the source ma­te­r­ial af­ter find­ing some­thing of in­ter­est. That logic has not com­forted me­dia com­pa­nies, which have been lit­i­gat­ing the likes of OpenAI and Perplexity for in­gest­ing their con­tent into large lan­guage mod­els.

We imag­ine Google will close the ex­ple­tive loop­hole even­tu­ally, but in the mean­time, if you are sick of AI, you now know an easy way to avoid it. Just tell Google to give you the fuck­ing links.