US data broker sells location data taken from millions of German users

Map pin symbol on dice
Tracking and profile building for marketing purposes must be banned, consumer advocates demand. (Source: IMAGO / Zoonar)

Data brokers sell sensitive location data taken from users around the globe. A joint investigation by Bayerischer Rundfunk (BR) and netzpolitik.org now shows that brokers also share data linked to people living in Germany. Politicians warn of a “security-related problem.”

Location data, or geo-tracking data, is frequently collected by smartphone apps: for instance, by weather or navigation apps. Often this data is packaged and sold for commercial purposes – like showing users targeted advertising.

Reporters at BR and netzpolitik.org received a free sample of location data from the US data broker Datastream – a taste of the broker’s commercially available offerings. As they describe in an article published last week detailing the findings of their investigation, BR and netzpolitik.org made contact with the company through the Germany-based online marketplace Datarade.

The data set consisted of 3.6 billion geo-tracking data points collected over a two-month time period last year. The data seems to come from several million people in Germany, and can be used to construct highly detailed profiles based on a person’s movements. Because of a few errors in the data set, it wasn’t possible to determine exactly how many people it pertains to. Datastream claims it can deliver location data that is updated by the hour. Netzpolitik.org calls this a “new dimension of mass surveillance.”

While the location data aren’t linked to users’ names, they are linked to a unique “Mobile Advertising ID” that is assigned to each device.

BR and netzpolitik.org’s reporters write that they were able to identify several people based on their residences and places of work and to reconstruct how they spent entire days – including visits they took to clinics or brothels.

Verified data

In order to verify the data, BR and netzpolitik.org contacted some of the individuals whose movements they were able to trace. The individuals were surprised to learn that their location data was commercially available.

Also included in the data set were the profiles of what are presumed to be tens of thousands of individuals who work in so-called security-related fields. These individuals’ workplaces include federal ministries, weapons manufacturers, branches of the Verfassungsschutz domestic intelligence service, the Federal Intelligence Service (Bundesnachrichtendienst), and the federal police, as well as German military facilities.

Neither Datarade, the online platform, nor Datastream, the company that supplied the data, responded to questions from BR and netzpolitik.org.

Impacting “the privacy of every individual”

Ramona Pop, the president of the Verbraucherzentrale Bundesverband, Germany’s independent consumer advisory body, told BR and netzpolitik.org that users are “clearly at the mercy of” the marketing industry. Said Pop, “European lawmakers must finally recognized that personal user data does not belong in the hands of the marketing industry and change the law accordingly. Tracking and profile creation for marketing purposes must be categorically banned.”

Konstantin von Notz of the Green Party characterized the data-sharing as a “security-related problem.” Von Notz, chairman of the control committee in parliament that oversees the intelligence services warned that governments could also use data of this kind for espionage purposes. “If you know how people act and where they go, then you can spy on them. You can create points of contact and generate seemingly coincidental situations that allow you to enter into conversations with people in order to recruit them or bribe them,” von Notz said. He also demanded that data not be allowed to be kept or sold “in this form” and said that it concerned the “privacy of everyone who lives in the Federal Republic.”

Louisa Specht-Riemenschneider, professor of data law and data protection at the University of Bonn and recently appointed successor to the current Commissioner for Federal Data Protection, said that it is very difficult for European authorities to go after data brokers located outside of the European Union. In her view it is also difficult to take measures against data marketplaces like Datarade. Said Specht-Riemenschneider: “The data marketplace is essentially a broker, it doesn’t process personal data itself. In a certain sense this is a regulatory loophole.” It is therefore urgent, she said, for lawmakers to find a solution.

Criticism of location data sales in the US as well

The sale of data by data brokers has long come in for criticism, especially in the US. The New York Times for example showed in 2018 that such data sets can be used to gain detailed information about individuals.

Cases have also come to light of authorities in the US purchasing such data. Critics say that state authorities can use commercially available data to get access to information that they would otherwise need a court order to obtain – and warn that individuals’ privacy is at risk.

The US Federal Trade Commission has already taken action against data brokers: in one case, the agency prohibited the company X-Mode from sharing or selling “sensitive location data.” The FTC warned that such data could indicate for instance whether a person is seeking a particular medical treatment.

Netzpolitik.org has published an article with tips on how to turn off or at least limit location monitoring by smartphone apps. (js)