The benefits of enabling location data on mobile devices are numerous, but the potential for misuse of this information is a serious security concern. A recent investigation reveals how easily this data can be accessed and the potential risks it poses, even to sensitive groups like military personnel.
The joint investigation, conducted by Wired, 404 Media, Bayerischer Rundfunk (BR), and Netzpolitik.org, centered around a free location data sample from Datastream, a Florida-based data broker. This sample contained location information of US military and intelligence personnel stationed overseas, including at German airbases suspected of housing US nuclear weapons. The source of this data was initially unknown, raising significant security concerns.
Following the investigation’s findings, US Senator Ron Wyden pressed for answers. Datastream attributed the data collection to Eskimi, a Lithuanian ad-tech company. This revelation highlights the complex and often opaque nature of the location data industry. Data from a Lithuanian company, concerning US military personnel in Germany, ended up with a Florida-based data broker, potentially available for sale to virtually anyone.
Datastream claims the data was legally obtained and intended for digital advertising, not resale. However, the potential for misuse remains.
Senator Wyden’s office contacted Eskimi regarding these concerns, but received no response. Subsequent attempts to reach Lithuania’s Data Protection Authority (DPA) also failed initially, despite emphasizing the national security implications of a Lithuanian company selling location data of US military personnel serving abroad.
Eventually, after contact with the Lithuanian embassy in Washington, D.C., the DPA responded, initiating an investigation. The outcome of this investigation remains to be seen.
Eskimi participates in Google’s Authorized Buyer program, which requires adherence to Google’s policies. Google stated they regularly audit participants and investigate alleged misconduct. However, even if action is taken against Eskimi, the issue of location data harvesting and sale by advertising companies is widespread.
Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, characterizes advertising companies as “surveillance companies with better business models,” emphasizing the inherent risk of data exploitation within the industry.
While most smart device users are not military personnel, this situation underscores the vulnerability of location data. Users can take steps to disable location services on their devices. Given the potential risks, government personnel, in particular, should consider disabling location services or utilizing a VPN for enhanced privacy and security.
