Surveillance Capitalism
Surveillance capitalism is extraction without consent — behavioral data harvested from people whose agreement was buried in terms they couldn't negotiate and can't revoke. We exclude companies whose revenue depends on this, and hold a high bar for any tech company where surveillance is a meaningful input. Until users can control, audit, and delete their data, this stays a core exclusion.
65 companies currently excluded under this screen
Ad platforms give targeting tools that make it trivially easy to find vulnerable populations — people susceptible to financial scams, emotional manipulation, and predatory lending. The platform may not say "here's how to rip these people off." But it certainly says "here's how to find them," and that distinction is not a defense.
We screen across two policy categories.
- Products (§ 2.5). Companies whose core product is surveillance: consumer tracking, privacy erosion tools, for-profit prisons. The test is centrality to the business model — not proximity to tech.
- Conduct (§ 3.4). Data exploitation and systematic privacy violations as a pattern. Being in tech is not disqualifying. What matters is governance: real deletion, encryption, anonymization, external audit.
For ad tech, we require strong, demonstrable privacy controls. DuckDuckGo, Signal, and Proton are useful reference points — business models that structurally prevent surveillance rather than merely promising not to.
Eventually, we hope this screen won't have to exist. That would require GDPR-equivalent governance in the U.S., external audit with real teeth, genuine data portability, and deletion that means deletion. None of those conditions exist today.
Surveillance infrastructure built for commercial purposes does not stay commercial. U.S. federal agencies have purchased data broker records to circumvent warrant requirements. The architecture is the same; the buyer changes.
In the short term, these business models are profitable. In the long term, the dominant platforms are destroying the organic discovery and trust that made them valuable. That is a structural fragility, not just an ethical one.
— Sloane Ortel, Founder & CIO
See § 2.5 / § 3.8 of our screening policy for the full criteria.
What we exclude
- Surveillance hardware manufacturers (cameras, sensors, screening systems)
- Intelligence and forensic software (mobile extraction, facial recognition, predictive analytics)
- Surveillance infrastructure built for deployment by governments or corporations
- Surveillance capitalism: deploying behavioral surveillance against own users for commercial gain (§ 3.8)
- Data brokers packaging consumer profiles without meaningful consent (§ 3.8)
- Operating, financing, or materially supporting for-profit incarceration (§ 3.8)
The regulatory risk is real and growing
GDPR, CCPA, the EU AI Act, and accelerating FTC enforcement converge on one conclusion: the data extraction model has a limited runway. [Meta's 2023 GDPR fine was €1.2 billion](https://www.dataprotection.ie/en/news-media/press-releases/Data-Protection-Commission-announces-conclusion-of-inquiry-into-Meta-Ireland). [DMA enforcement](https://digital-markets-act.ec.europa.eu/index_en) is ongoing. Companies whose revenue depends on frictionless access to personal data are accumulating regulatory liability the market has not priced in.
Facial recognition sits at the intersection of legal, reputational, and political risk. [San Francisco](https://www.sanfranciscopolice.org/your-sfpd/policies/19b-surveillance-technology-policies) and [Boston](https://www.boston.gov/sites/default/files/file/2021/02/Boston-City-Council-face-surveillance-ban.pdf) have enacted bans. Any company with significant government surveillance contracts faces a policy cliff — structurally identical to what coal faced in 2015.
This is not a tradeoff between ethics and returns. It is a screen that identifies underpriced regulatory risk.
Excluded Companies (65 total)
Showing 25 of 65 companies excluded under this screen.
| Ticker | Company | Reason |
|---|---|---|
| HD | Home Depot, Inc. (The) | Home Depot's data privacy record begins with one of the largest retail breaches in history. From April to September 2014 attackers used credentials stolen from a third-party vendor to deploy custom malware on self-checkout systems across 2,200 stores, exposing 56 million payment cards over five months. The breach cost Home Depot $179 million in settlements: $134.5 million to banks and credit card companies, $27 million to additional financial institutions, and $17.5 million to a multistate coalition of 46 attorneys general. Home Depot's Orange Apron Media network (formerly Retail Media+) provides advertisers access to behavioral and purchase data from 198 million individual customers, enabling retargeted advertising across social media and offsite channels. In January 2023, the Office of the Privacy Commissioner of Canada found that Home Depot had been sharing customer email addresses and in-store purchase information with Meta through Meta's Offline Conversions program from 2018 through October 2022, without customer knowledge or consent. The Commissioner rejected Home Depot's argument that its privacy statements constituted adequate consent. In 2024 a class action filed under the California Invasion of Privacy Act alleged that Home Depot allowed Google's Cloud Contact Center AI to monitor and record customer service calls without consent. A separate 2023 class action alleged the company embedded session-replay software on its website to intercept users' browsing activity. Home Depot also deploys Flock Safety automated license-plate readers in its parking lots and stores. Although the company states it does not grant direct access to federal law enforcement, reporting by 404 Media documented that ICE agents have used Flock Safety data for immigration enforcement investigations after local police departments forwarded the data — creating what the Interfaith Center on Corporate Responsibility described in a letter to Home Depot's board as "de facto federal surveillance without transparency or consent." Home Depot stores have become frequent sites for ICE arrests targeting migrant day laborers who congregate in parking lots. In January 2026, Zevin Asset Management led a shareholder proposal with 17 co-filers asking Home Depot to evaluate and report the privacy and civil rights risks associated with sharing data with third-party surveillance vendors, including the risk of "discrimination or wrongful detention from misuse of customer data." Home Depot's own privacy policy discloses that it shares demographic information including age, race, ethnicity, and gender with "law enforcement, public and government authorities." |
| GOOGL | Alphabet Inc. | Alphabet derives over 77% of its $350 billion annual revenue from advertising fueled by behavioral data extraction across Search, YouTube, Maps, Gmail, Android, and Chrome. Shoshana Zuboff's "The Age of Surveillance Capitalism" identifies Google as the originator of the surveillance capitalism business model — the systematic conversion of personal experience into behavioral prediction products sold to advertisers. The company's products function as an integrated behavioral surveillance infrastructure covering over 4.3 billion users globally. Regulatory enforcement has been sustained and escalating. In September 2025, a federal jury in the Northern District of California awarded $425.7 million in compensatory damages after finding Google continued collecting data from third-party apps even after nearly 100 million users explicitly disabled the "Web & App Activity" setting — a practice that persisted for eight years. The same month, France's CNIL imposed a €325 million fine for displaying advertisements in Gmail without consent and placing cookies during account creation without valid consent, affecting 50 to 60 million users, with a compliance deadline backed by €100,000 per day of non-compliance. Cumulative EU enforcement includes a €150 million CNIL cookie fine (2022), the 2018 GDPR record fine of €50 million, and the European Data Protection Board's 2022 finding that Google's adtech practices violated GDPR. Alphabet has not published a human rights impact assessment covering its advertising surveillance infrastructure. The company's 2024 FTC Staff Report documents indefinite retention of behavioral data and systematic failure to protect minors across its platform ecosystem. |
| CART | INSTACART (MAPLEBEAR INC) | Instacart's core business model is built on extracting and monetizing detailed behavioral data from both customers and shoppers. The company collects granular data on shopping habits, location, spending patterns, and even in-store movements, which it uses to power its advertising and pricing algorithms. This surveillance apparatus underpins its platform economics. This model has led to specific regulatory actions grounded in deceptive data practices. In December 2025, the Federal Trade Commission (FTC) announced a $60 million penalty against Instacart for deceiving consumers. The FTC order found the company misrepresented how customer data was used and failed to obtain meaningful consent for its practices. Separately, the District of Columbia Attorney General held Instacart liable for misrepresenting and omitting material facts about variable service fees added to orders. In January 2026, New York's Attorney General demanded information regarding Instacart's algorithmic pricing, citing non-compliance with 'clear and conspicuous' disclosure requirements. The company's deployment of this surveillance for price optimization was explicitly exposed in late 2025. An investigation by Consumer Reports, cited in regulatory filings, identified "surveillance pricing" and price manipulation on the platform. Instacart was testing an AI-driven model that used collected behavioral data to dynamically adjust item prices. Following significant customer backlash and regulatory scrutiny, the company shut down these dynamic pricing experiments in December 2025. |
| MAX | MEDIAALPHA INC CLASS A | MediaAlpha operates a lead-generation platform that connects insurance carriers with online shoppers. The company's core business involves collecting and analyzing consumer data to match individuals with insurance products. While MediaAlpha markets its technology as enabling efficient customer acquisition, its platform has been implicated in facilitating surveillance-based marketing practices. The Federal Trade Commission found that MediaAlpha initiated or facilitated unlawful telemarketing calls and failed to obtain proper consent from consumers. In July 2025, the company agreed to pay $45 million as part of a $145 million total settlement with Assurance IQ to resolve these charges. The FTC's action highlights how MediaAlpha's data-driven matching ecosystem can enable intrusive, non-consensual contact. Furthermore, a securities fraud investigation cited evidence suggesting that a significant portion of MediaAlpha's health insurance lead-buying partners were operating questionable schemes, indicating potential systemic issues with how consumer data is leveraged and sold through its platform. Despite achieving SOC 2 Type II compliance for security controls, these regulatory actions demonstrate that MediaAlpha's technology infrastructure supports business practices that surveil and target consumers without adequate transparency or consent, aligning with the surveillance technology exclusion criteria. |
| PUBM | PUBMATIC INC CLASS A | PubMatic operates an artificial intelligence-powered advertising technology platform that enables real-time bidding and user profiling across the digital advertising supply chain. Its core business involves tracking individuals across websites and mobile applications to build detailed behavioral profiles, which are then used to target advertising. This activity constitutes the development and sale of surveillance infrastructure deployed by third-party advertisers and publishers. The company faces ongoing litigation alleging systematic violations of federal and state communications privacy laws. A class-action complaint, which survived a motion to dismiss in early 2026, accuses PubMatic of violating wiretap laws and intruding upon seclusion through its online profiling and data tracking practices. A separate securities class action alleges the company made materially false and misleading statements about its business and prospects, with the stock falling 21% following a related disclosure. While the company provides privacy opt-out tools, its fundamental business model is built on the large-scale collection and analysis of user behavior to facilitate targeted advertising. This positions PubMatic as a provider of surveillance technology—specifically, the intelligence and predictive analytics software used to profile individuals for commercial deployment. |
| PINS | Pinterest operates a social media platform whose business model is built on behavioral surveillance and targeted advertising. The company extracts detailed data on user interests, browsing habits, and interactions to build predictive models for ad targeting, a core monetization strategy. This surveillance apparatus functions without meaningful consent. In October 2024, privacy advocacy groups filed a formal complaint with the French data protection authority, alleging Pinterest secretly tracks European users without obtaining lawful consent, allowing the platform to unlawfully profit from personal data. The complaint centers on the platform's processing of user data for personalized advertising without a valid legal basis under the GDPR. This follows the company's documented efforts in "Ads Candidate Generation using Behavioral Sequence Modeling," which explicitly seeks to enhance advertising systems by leveraging advanced behavioral tracking. The platform's privacy policy outlines broad data collection practices, but the 2024 complaint indicates a gap between stated policy and operational reality regarding consent. Pinterest's economic reliance on surveillance-based ad targeting places it within the surveillance capitalism model, where user relationships are systematically turned into data extraction and prediction products for commercial gain. | |
| DSP | Viant Technology | Viant Technology operates an advertising technology platform that uses artificial intelligence to plan, execute, and measure digital ad campaigns across channels. Its core business is built on tracking individuals across devices and platforms to serve targeted advertising, a form of mass behavioral surveillance deployed for commercial clients. The company’s platform privacy policy details the extensive data it processes, including device identifiers, browsing activity, and inferred characteristics, to build profiles for ad targeting. While Viant’s services are marketed to advertisers, the underlying technology—AI-powered cross-device tracking, real-time bidding on user attention, and pervasive data collection—constitutes surveillance infrastructure sold to third parties. This aligns with the surveillance technology category, which includes software and systems built for deployment by other entities to monitor populations. Viant’s own materials reference leveraging endpoint management software to enforce security policies and remove forensic evidence, indicating capabilities relevant to system control and data obfuscation. The evidence gathered does not specify government contracts or sales of facial recognition systems, but the company’s foundational ad-tech model is inherently a large-scale commercial surveillance operation. |
| BRZE | Braze, Inc | Braze operates a customer engagement platform that enables brands to collect, integrate, and leverage customer data for personalized marketing campaigns. The company’s core product is a software platform designed to orchestrate customer interactions across email, push notifications, SMS, and in-app messages based on user behavior and data signals. The platform’s functionality includes the collection and activation of customer data for real-time behavioral targeting and segmentation. While marketed for commercial engagement, the underlying data integration, predictive analytics, and automated decisioning capabilities represent a class of intelligence software that can be adapted for surveillance applications by third-party clients, including corporate or government entities. BrazeAI™ further augments this with automated content generation and optimization. Braze supplies the technical infrastructure that enables clients to execute large-scale, data-driven outreach and monitoring. The company’s positioning as a platform “built for today's on-demand, always-connected customers” underscores its role in enabling the persistent tracking and profiling of individuals. This places Braze within the ecosystem of companies providing surveillance-enabling technology to third parties. |
| 002415 | HikVision | Hikvision is a partly state-owned Chinese manufacturer of video surveillance hardware and AIoT solutions, including network cameras, video recorders, access control systems, and facial recognition technology. Its products are integral to surveillance infrastructure deployed by governments and corporations globally. The company has been placed on the U.S. Department of Commerce Entity List and is prohibited from receiving U.S. federal contracts due to national security risks and its alleged role in human rights violations. The UK Biometrics and Surveillance Camera Commissioner has publicly challenged government ministers to clarify procurement positions, citing Hikvision cameras and facial recognition technology as being implicated in systematic human rights abuses against Uyghur Muslims in Xinjiang. The company has, for over eight months, failed to answer formal questions from the UK Commissioner regarding the extent of its involvement. In June 2025, the Government of Canada ordered Hikvision Canada Inc. to cease all operations and wind up due to national security concerns. Hikvision has provided no substantive public commitments, transition plans, or independent human rights due diligence to mitigate these documented risks. |
| MGNI | Magnite Inc | Magnite operates a programmatic advertising platform that collects, analyzes, and monetizes detailed data on individuals' online behavior across desktop, mobile, and connected TV (CTV) environments. This business model is built on the large-scale tracking of web browsing, app usage, and viewing habits to enable targeted advertising. While the company describes its practices under "Responsible Advertising and Data Governance," its core service involves the aggregation and sale of behavioral data. In May 2025, Magnite was sued in a proposed class action alleging it tracked consumers' online behavior without adequate consent and then de-anonymized and sold this data. The lawsuit claims these practices constitute surreptitious data collection. This follows a 2021 report by Spruce Point Management that detailed the company's "dubious business practices." Magnite's technology enables AI-driven contextual signaling and audience targeting, which are forms of predictive analytics used to infer user characteristics and intent—a capability that aligns with the surveillance technology category's inclusion of intelligence and analytics software built for deployment by third parties. |
| MAR | Marriott International | Marriott International has been subject to enforcement actions across three separate data breaches spanning 2014 to 2022, collectively affecting approximately 344 million customers worldwide. The most significant breach originated in Starwood Hotels' reservation database in 2014, continued undetected through Marriott's 2016 acquisition of Starwood, and was disclosed in November 2018 after exposing approximately 383 million guest records including unencrypted passport numbers, payment card data, and loyalty account information. The UK Information Commissioner's Office fined Marriott GBP 18.4 million for GDPR violations. In October 2024, 49 state attorneys general and the District of Columbia reached a $52 million settlement, and Texas separately settled for $3.5 million. The FTC imposed a 20-year consent order requiring a comprehensive security overhaul, multi-factor authentication, and biennial third-party security assessments. A second breach in 2020 exposed 5.2 million guest records after hackers obtained employee credentials; a third in 2022 involved 20 GB of data exfiltrated via social engineering at a Baltimore property. |
| ALL | ALLSTATE CORP | Allstate, through its subsidiary Arity, covertly collected driving behavior data from over 45 million Americans by paying app developers to embed Arity tracking software into consumer apps including Life360, GasBuddy, Routely, and Fuel Rewards. The collected data — trillions of miles of geolocation tracking — was used to build what Arity called the "world's largest driving behavior database," which Allstate and other insurers used to justify premium increases on individual policyholders. Texas Attorney General Ken Paxton filed suit in January 2025 under the Texas Data Privacy and Security Act, the first enforcement action under that statute. The complaint alleges Allstate failed to provide clear notice or obtain informed consent before collecting and selling sensitive geolocation data. Separately, New York Attorney General Letitia James sued Allstate and subsidiary National General in 2025 over back-to-back data breaches in 2020 and 2021 that exposed driver's license numbers of more than 165,000 New Yorkers, after National General's websites displayed full driver's license numbers in plain text with minimal input. |
| TMO | Thermo Fisher Scientific Inc | Thermo Fisher supplied DNA sequencing equipment to Chinese police in Xinjiang used for mass biometric surveillance of the Uyghur Muslim minority. A 2017 Human Rights Watch report revealed the company's equipment was central to building a massive biometric database of the persecuted population. AP's 2025 investigation found the DNA kits were specifically designed for Uyghur population profiling. Further investigations by Citizen Lab and Human Rights Watch documented Chinese authorities conducting involuntary mass DNA collection in Tibet — including blood draws from children as young as five — using Thermo Fisher profiling kits. The company halted Xinjiang sales in 2019 under intense public pressure, and quietly ceased Tibet kit sales in mid-2023. However, AFSC reports that 2021 investigations revealed Thermo Fisher was still doing business with Chinese security agencies after the announced halt. The Henrietta Lacks family sued Thermo Fisher in 2021 for unjust enrichment from mass-producing her living tissue without consent, raising broader questions about the company's approach to biological material ethics. |
| TMUS | T-MOBILE US INC | T-Mobile has a documented pattern of massive data breaches spanning 2021-2023, demonstrating systemic failures in data security governance. In August 2021, attackers stole records of 47.8 million customers including SSNs, driver's license numbers, and dates of birth, resulting in a $350 million class action settlement (approved June 2023) plus $150 million in mandatory security investments. In 2022, another breach via SIM-swapping and phishing compromised internal systems. In January 2023, a misconfigured API exposed personal data for 37 million current customers. The FCC settled in September 2024 for $31.5 million ($15.75M penalty + $15.75M security investment) covering all three breaches, finding the attacks were "varied in their nature, exploitations, and apparent methods of attack" — indicating not isolated incidents but recurring governance failures. Washington State AG filed a separate lawsuit over the 2021 breach. T-Mobile was required to adopt zero trust architecture and phishing-resistant MFA, confirming the company's prior security posture was materially deficient. |
| CGNT | Cognyte | Cognyte develops and sells intelligence and investigative analytics software to government agencies and law enforcement. Its core products include surveillance and monitoring platforms designed for mass data collection, analysis, and predictive analytics. The company’s technology is built for deployment by third parties, primarily state security services. The company has faced specific, grave allegations regarding its operations in Myanmar. According to investor documentation, Cognyte is implicated in allegations of potentially aiding and abetting crimes against humanity through the provision of surveillance technology that could facilitate human rights abuses against the Rohingya population. The company has also been cited for a lack of transparency, having not responded to investor guides on these high-risk human rights issues. This pattern of supplying advanced surveillance tools to regimes engaged in severe rights violations, coupled with non-disclosure, demonstrates a material risk of complicity in systemic harm. |
| 2236 | Dahua Technology | Dahua Technology is a global manufacturer of video surveillance hardware and software, including cameras, video management systems, and AI-powered analytics. Its products are deployed by governments and corporations worldwide. In 2023, Voice of America reported Dahua was marketing cameras with "skin color analytics" features, a capability that enables racial profiling. The Organized Crime and Corruption Reporting Project (OCCRP) documented in 2024 that Dahua cameras purchased by the Georgian government were being installed in Tbilisi amid escalating anti-government protests, sparking fears among demonstrators and human rights groups that the technology would be used to monitor, intimidate, and suppress dissent. The Uyghur Human Rights Project (UHRP) has reported on Dahua’s links to human rights abuses in East Turkistan (Xinjiang), alleging its technology is integral to surveillance systems used for mass internment and population control. The company has not publicly responded to these specific allegations. |
| META | Meta Platforms, Inc. | The company has broken records around the world for data privacy fines. Ireland's Data Privacy Commission assessed a $1.2 billion fine for transferring European users' data to the United States, which is the largest GDPR fine yet. The Texas Attorney General won a $1.4 billion settlement against Meta for surreptitiously building a database of biometric facial data without user consent, in violation of the Texas Capture or Use of Biometric Identifier Act. The European Commission assessed an additional $200 million fine for Meta's ‘Consent or Pay' advertising model. Under this model, EU users of Facebook and Instagram had a choice between consenting to personal data combination for personalised advertising or paying a monthly subscription for an ad-free service. The Federal Trade Commission has also sought to ban Meta from collecting data on users under the age of 18 and block new product launches without a third party assessor's confirmation that META's privacy program has no gaps or weaknesses. |
| ZETA | Zeta Global Holdings Corp | Zeta Global Holdings Corp operates an omnichannel data-driven cloud platform that sells customer identity resolution and predictive analytics as core products. Its technology is built to ingest, unify, and analyze consumer data from online and offline sources to enable targeted marketing. This business model involves developing and selling intelligence software that profiles individuals at scale, which constitutes surveillance infrastructure built for deployment by corporate clients. The company’s platform is designed to perform identity resolution, audience segmentation, and predictive scoring for marketing campaigns. These capabilities represent the core components of commercial surveillance systems, which are then deployed by third parties to monitor and influence consumer behavior. While the primary application is marketing, the underlying technology—profiling, tracking, and predicting individual behavior—falls within the definition of surveillance technology as a product. |
| QNST | QUINSTREET INC | QuinStreet operates a performance marketing business that generates leads for clients in sectors including education, financial services, and insurance. This model relies on tracking and analyzing user behavior across digital channels to target and deliver potential customers. The company’s technology infrastructure, which captures and processes detailed user data for client acquisition, functions as a commercial surveillance system. While QuinStreet’s systems are built for marketing, the underlying data harvesting and profiling capabilities are substantively similar to intelligence-gathering platforms. A 2017 Foreign Intelligence Surveillance Court opinion revealed that an unnamed internet company, later identified through reporting as likely being QuinStreet, challenged a National Security Letter (NSL) in 2014. This indicates the company possessed user data of a type and scale that attracted government surveillance demands under the USA PATRIOT Act. |
| VZ | Verizon Communications Inc. | Verizon Communications Inc. operates a telecommunications network that collects and monetizes customer location data as a core business activity. The company’s privacy notice discloses the collection of a wide range of personal data, including precise geolocation, device identifiers, browsing history, and app usage data, which it uses for advertising and business intelligence. This data monetization practice has resulted in significant regulatory penalties. In September 2025, the Second Circuit upheld a Federal Communications Commission order imposing a $46.9 million fine on Verizon. The penalty was for selling access to customers’ real-time location data to data aggregators without obtaining meaningful, affirmative consent, a violation that constituted 63 continuing days of non-compliance. This enforcement action followed earlier findings that Verizon and other carriers had failed to protect this sensitive information from unauthorized access. |
| AXON | Axon Enterprise, Inc. | Axon Enterprise operates Fusus (acquired 2022), a real-time crime center platform that integrates private surveillance cameras, drones, automated license plate readers, and other feeds into a single police-accessible interface. Over 2,400 law enforcement agencies use the platform. The EFF documented how Fusus connects thousands of privately owned cameras to police monitoring without meaningful consent from recorded individuals — camera owners opt in, but subjects of surveillance do not. Civil liberties organizations including the ACLU have warned that real-time crime centers built on Fusus lack regulatory oversight at local, state, or federal levels. In Dearborn, Michigan, community groups raised alarms that the system could be used to target activists and immigrants. Axon markets Fusus explicitly as enabling continuous real-time surveillance of public and private spaces, representing a core commercial surveillance infrastructure product. |
| RAMP | LiveRamp Holdings Inc | LiveRamp Holdings (formerly Acxiom) is a pure-play data broker whose core business is compiling detailed identity profiles on hundreds of millions of individuals and selling them to advertisers, pharmaceutical companies, and other data brokers. The company aggregates personal data from online and offline sources into unique "RampID" profiles containing names, addresses, device identifiers, and browsing histories, then monetizes them through a Data Marketplace. A class-action lawsuit (Riganian v. LiveRamp) alleges that one plaintiff's data was disclosed to at least 62 third parties including Google, Amazon, and Microsoft without consent. In July 2025 a federal judge in the Northern District of California denied LiveRamp's motion to dismiss, allowing claims of privacy violations and wiretapping to proceed. The company rebranded from Acxiom in 2018 after its connection to Cambridge Analytica's voter targeting operation was exposed. |
| FLNT | FLUENT INC | Fluent Inc. operates a consumer data brokerage business that has been formally charged by the Federal Trade Commission with operating a deceptive “consent farm.” The FTC’s July 2023 complaint alleges that since 2011, Fluent used deceptive ads and websites promising free rewards from major brands to harvest consumers’ personal data, which it then sold to third parties. As part of a settlement, Fluent was required to direct all customers who purchased its consumer data prior to May 2023 to delete that information. This business model, which collects and monetizes personal data at scale for downstream use, functions as surveillance infrastructure built for deployment by corporate clients. Separately, a company named Fluent Home markets and sells professional smart home security systems featuring intelligent video surveillance and 24/7 video verification, directly offering surveillance hardware and monitoring services to consumers. |
| CLBT | Cellebrite DI Ltd | Cellebrite DI Ltd. develops and sells digital forensic extraction technology, primarily to law enforcement and government agencies. Its core product suite enables the physical extraction and analysis of data from mobile devices, including locked or encrypted phones. This technology has been documented as a tool enabling human rights abuses. In December 2024, Amnesty International reported that Serbian authorities used Cellebrite tools to unlock phones before infecting them with spyware as part of a surveillance campaign targeting activists and journalists. In January 2026, a report by The Citizen Lab, Front Line Defenders, and Access Now detailed how Jordanian authorities used Cellebrite technology to access the phones of detained civil society members following protests, enabling further surveillance. These incidents illustrate a pattern where Cellebrite’s forensic tools facilitate state-level surveillance of civil society. |
| TTD | The Trade Desk Inc | The Trade Desk operates a global digital advertising platform whose business model is built on behavioral surveillance. The company collects, analyzes, and monetizes detailed data on internet users' browsing habits, interests, and online behaviors to facilitate targeted advertising. This core activity—profiling individuals across the web to predict and influence their actions for commercial gain—constitutes surveillance capitalism. This data-centric model has drawn legal scrutiny. As of March 2025, The Trade Desk is a defendant in a federal data privacy litigation case in the Northern District of California (*In re The Trade Desk, Inc. Data Privacy Litigation*, Case No. 3:25-cv-02889-CRB). The company's own regulatory filings consistently cite material risks from evolving data privacy laws and consumer protection statutes like the FTC Act, which govern its core data processing activities. |
+ 40 more companies excluded under this screen
Sign in to see the full list. We cap the public list to keep our research from being scraped wholesale.