Fedware: Government apps that spy harder than the apps they ban

The federal government released an app yesterday, March 27th, and it's spyware.

The White House app markets itself as a way to get "unparalleled access" to the Trump administration, with press releases, livestreams, and policy updates. The kind of content that every RSS feed on the planet delivers with one permission: network access. But the White House app, version 47.0.1 (because subtlety died a long time ago), requests precise GPS location, biometric fingerprint access, storage modification, the ability to run at startup, draw over other apps, view your Wi-Fi connections, and read badge notifications. It also ships with 3 embedded trackers including Huawei Mobile Services Core (yes, the Chinese company the US government sanctioned, shipping tracking infrastructure inside the sitting president's official app), and it has an ICE tip line button that redirects straight to ICE's reporting page.

This thing also has a "Text the President" button that auto-fills your message with "Greatest President Ever!" and then collects your name and phone number. There's no specific privacy policy for the app, just a generic whitehouse.gov policy that doesn't address any of the app's tracking capabilities.

The White House app might actually be one of the milder ones. I've been going through every federal agency app I can find on Google Play, pulling their permissions from Exodus Privacy (which audits Android APKs for trackers and permissions), and what I found deserves its own term. I'm calling it Fedware.

Ok so let me walk you through what the federal government is running on your phone.

The FBI's app, myFBI Dashboard, requests 12 permissions including storage modification, Wi-Fi scanning, account discovery (it can see what accounts are on your device), phone state reading, and auto-start at boot. It also contains 4 trackers, one of which is Google AdMob, which means the FBI's official app ships with an ad-serving SDK while also reading your phone identity. From what I found, the FBI's news app has more trackers embedded than most weather apps.

The FEMA app requests 28 permissions including precise and approximate location, and has gone from 4 trackers in older versions down to 1 in v3.0.14. Twenty-eight permissions for an app whose primary function is showing you weather alerts and shelter locations. To put that in context, the AP News app delivers the same kind of disaster coverage with a fraction of the permissions.

IRS2Go has 3 trackers and 10 permissions in its latest version, and according to a TIGTA audit, the IRS released this app to the public before the required Privacy Impact Assessment was even signed, which violated OMB Circular A-130. The app shares device IDs, app activity, and crash logs with third parties, and TIGTA found that the IRS never confirmed that filing status and refund amounts were masked and encrypted in the app interface.

MyTSA comes in lighter with 9 permissions and 1 tracker, but still requests precise and approximate location. The TSA's own Privacy Impact Assessment says the app stores location locally and claims it never transmits GPS data to TSA. I'll give them credit for documenting that, because most of these apps have privacy policies that read like ransom notes.

CBP Mobile Passport Control is where things get genuinely alarming. This one requests 14 permissions including 7 classified as "dangerous": background location tracking (it follows you even when the app is closed), camera access, biometric authentication, and full external storage read/write. And the whole CBP ecosystem, from CBP One to CBP Home to Mobile Passport Control, feeds data into a network that retains your faceprints for up to 75 years and shares it across DHS, ICE, and the FBI.

The government also built a facial recognition app called Mobile Fortify that ICE agents carry in the field. It draws from hundreds of millions of images across DHS, FBI, and State Department databases. ICE Homeland Security Investigations signed a $9.2 million contract with Clearview AI in September 2025, giving agents access to over 50 billion facial images scraped from the internet. DHS's own internal documents admit Mobile Fortify can be used to amass biographical information of "individuals regardless of citizenship or immigration status", and CBP confirmed it will "retain all photographs" including those of U.S. citizens, for 15 years.

Photos submitted through CBP Home, biometric scans from Mobile Passport Control, and faces captured by Mobile Fortify all feed this system. And the EFF found that ICE does not allow people to opt out of being scanned, and agents can use a facial recognition match to determine your immigration status even when other evidence contradicts it. A U.S.-born citizen was told he could be deported based on a biometric match alone.

SmartLINK is the ICE electronic monitoring app, built by BI Incorporated, a subsidiary of the GEO Group (a private prison company that profits directly from how many people ICE monitors), under a $2.2 billion contract. The app collects geolocation, facial images, voice prints, medical information including pregnancy data, and phone numbers of your contacts. ICE's contract gives them "unlimited rights to use, dispose of, or disclose" all data collected. The app's former terms of service allowed sharing "virtually any information collected through the application, even beyond the scope of the monitoring plan." SmartLINK went from 6,000 users in 2019 to over 230,000 by 2022, and in 2019, ICE used GPS data from these monitors to coordinate one of the largest immigration raids in history, arresting around 700 people across six cities in Mississippi.

And if you think your location data is safe because you use regular apps and avoid government ones, the federal government is buying that data too. Companies like Venntel collect 15 billion location points from over 250 million devices every day through SDKs embedded in over 80,000 apps (weather, navigation, coupons, games). DHS, FBI, DOD, and the DEA purchase this data without warrants, creating a constitutional loophole around the Supreme Court's 2018 Carpenter v. United States ruling that requires a warrant for cellphone location history. The Defense Department even purchased location data from prayer apps to monitor Muslim communities. Police departments used similar data to track racial justice protesters.

And then there's the IRS-ICE data sharing deal from April 2025. The IRS and ICE signed a Memorandum of Understanding allowing ICE to receive names, addresses, and tax data for people with removal orders. ICE submitted 1.28 million names. The IRS erroneously shared the data of thousands of people who should never have been included. The acting IRS Commissioner, Melanie Krause, resigned in protest. The chief privacy officer quit. One person leaving changes nothing about the institution, and the data was already out the door. A federal judge blocked further sharing in November 2025, ruling it likely violates IRS confidentiality protections, but by then the IRS was already building an automated system to give ICE bulk access to home addresses with minimal human oversight. The court order is a speed bump, and they'll find another route.

The apps, the databases, and the data broker contracts all feed the same pipeline, and no single agency controls it because they all share it.

The GAO reported in 2023 that nearly 60% of 236 privacy and security recommendations issued since 2010 had still not been implemented. Congress has been told twice, in 2013 and 2019, to pass comprehensive internet privacy legislation. It has done neither. And it won't, because the surveillance apparatus serves the people who run it, and the people who run it write the laws. Oversight is theater. The GAO issues a report, Congress holds a hearing, everyone performs concern for the cameras, and then the contracts get renewed and the data keeps flowing. It's working exactly as designed.