The Government App That Tracks You

The privacy manifest says: “This app does not collect any data.”

Here’s what it actually sends.


Security researchers at Atomic Computer installed mitmproxy on a Mac, routed an iPhone through it, and watched every HTTPS request the official White House iOS app makes. Not what the code could do — what it actually does.

In a single session browsing Home, News, Live, Social, and Explore:

  • 206 total requests
  • 48 went to whitehouse.gov (23%)
  • 158 went to third parties (77%)

The third parties include Elfsight (a Russian-founded widget company), OneSignal, Google DoubleClick, Facebook CDN, and Twitter.


What OneSignal Receives on Every Launch

On app launch, this is the actual decrypted request body sent to api.onesignal.com:

{
  "properties": {
    "language": "en",
    "timezone_id": "America/[REDACTED]",
    "country": "US",
    "first_active": 1774908688,
    "last_active": 1774909124,
    "ip": "[REDACTED]"
  },
  "identity": {
    "onesignal_id": "[REDACTED]"
  },
  "subscriptions": [{
    "device_model": "iPhone[REDACTED]",
    "device_os": "[REDACTED]",
    "rooted": false,
    "app_version": "47.0.4",
    "net_type": 1,
    "session_time": 61,
    "session_count": 3
  }]
}

Translation: every time you open the White House app, OneSignal receives:

  • Your IP address
  • Your device model and OS
  • Your timezone (narrows to a region)
  • When you first installed the app
  • When you last opened it
  • How many times you’ve opened it
  • How long each session lasted
  • Whether your phone is jailbroken
  • A persistent unique identifier that follows you across sessions

And also: Google DoubleClick (advertising tracking) made an appearance. In a government app.
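
An added example, not taken from the researchers' tooling or the app's code: a Python check that walks a decrypted request body like the OneSignal one quoted above and lists every field falling into a data category the privacy label does not declare. The category map and function names are assumptions made for illustration; the sample body is the one on this page with its redactions kept.

```python
import json

# Assumption: this key-to-category grouping is illustrative and mirrors the
# bullet list above; it is not Apple's or OneSignal's own taxonomy.
SENSITIVE_KEYS = {
    "ip": "network address",
    "onesignal_id": "persistent identifier",
    "timezone_id": "coarse location", "country": "coarse location",
    "device_model": "device fingerprint", "device_os": "device fingerprint",
    "rooted": "device fingerprint",
    "first_active": "usage telemetry", "last_active": "usage telemetry",
    "session_time": "usage telemetry", "session_count": "usage telemetry",
}

def walk(node, path=""):
    """Yield (dotted_path, value) for every leaf of a decoded JSON body."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node

def audit(body_text, declared=frozenset()):
    """Return {category: [paths]} for fields sent but not declared on the label."""
    findings = {}
    for path, _value in walk(json.loads(body_text)):
        key = path.rsplit(".", 1)[-1].split("[")[0]  # strip parents and list index
        category = SENSITIVE_KEYS.get(key)
        if category and category not in declared:
            findings.setdefault(category, []).append(path)
    return findings

# The request body quoted above, redactions kept exactly as on the page.
SAMPLE = '''{
 "properties": {"language": "en", "timezone_id": "America/[REDACTED]",
   "country": "US", "first_active": 1774908688, "last_active": 1774909124,
   "ip": "[REDACTED]"},
 "identity": {"onesignal_id": "[REDACTED]"},
 "subscriptions": [{"device_model": "iPhone[REDACTED]", "device_os": "[REDACTED]",
   "rooted": false, "app_version": "47.0.4", "net_type": 1,
   "session_time": 61, "session_count": 3}]
}'''

if __name__ == "__main__":
    for category, paths in audit(SAMPLE).items():  # label declares nothing
        print(f"{category}: {', '.join(paths)}")
```

With an empty declared set, which is what a "no data collected" label amounts to, every mapped field is reported.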


The Gap Between Privacy Manifests and Reality

Apple’s App Store requires developers to fill out a “privacy nutrition label” — what data the app collects, why, and whether it links to your identity.

The White House app says: no data collected.

This isn’t a technicality or a loophole. OneSignal’s own documentation is explicit about what their SDK transmits. The developers either didn’t read it or didn’t care.

This is the same pattern we’ve seen before:

  • OkCupid: said data was for UX research, gave photos to a military AI company
  • Facebook: “connecting people,” logging every click, scroll, and hover
  • Fitness apps: selling location data to hedge funds and data brokers

The privacy policy is theater. The network traffic is the truth.


Why It Matters That It’s a Government App

If a social media app did this, the response would be: “Don’t install it.”

This is the official app of the White House.

People who install it are, by definition, people interested in government communications. They’re a politically-defined cohort. Their device fingerprints, IP addresses, and session patterns are now flowing through commercial data infrastructure — the same infrastructure that powers ad targeting, data brokering, and risk scoring.

OneSignal’s privacy policy says they may share aggregated data. OneSignal has investors and acquisition risk like any SaaS company. DoubleClick data flows into Google’s advertising graph.

The government produced an app that tells ad tech companies which citizens care about government news, how often they check it, and from where.


What Should Happen

Nothing will happen.

The app will stay in the App Store. The privacy manifest won’t be updated. There will be no fine, no investigation, no developer consequence.

Because there’s no law that requires government apps to follow higher standards than commercial apps. Because the FTC has shown, with OkCupid, that privacy violations settle for $0. Because the people who built the app either outsourced it to a contractor who didn’t audit their SDK dependencies, or knew and didn’t care.

This is what “the government app” looks like in 2026: more tracking infrastructure than a news website, a privacy label that is technically false, and a research team with a MITM proxy as the only watchdog.


Delete the app. Read the news in a browser. Use a VPN.

Not because the White House is malicious. Because the infrastructure they built their app on is the tracking industry — and they didn’t notice, or didn’t care to notice.

The privacy manifest says: “This app does not collect any data.”

The MITM proxy says otherwise.