Apps Exposed and Sold Location Data for Overseas US Military and Intelligence Personnel (UPDATED)

Update: Lithuanian ad-tech company Eskimi, said to have sold the data mentioned in the report, denies it had any involvement.

Reports last year revealed that a Florida-based data broker had sold the location data of US military and intelligence personnel serving overseas. However, the source of the sensitive data was not revealed then. Now, there have been claims that the location data was harvested by multiple mobile apps with revenue-sharing agreements with an ad-tech company in Lithuania and then resold by an America-based firm.

However, Lithuanian ad-tech company Eskimi, said to have sold the data, denies it had any involvement. The firm says it is not a data broker, and “any implication to the company selling data is false.”

Unfortunately, many apps collect location data. This is a necessity for map and navigation apps, and it also provides an advantage in camera apps, which record and share the location of where a photo was taken.

However, several apps that collect location data have no clear reason for doing so. Luckily for iOS users, apps are required to request permission before collecting location data, and most iPhone users have likely seen a request for permission, even if the need for doing so isn’t apparent.

When apps do this, the developer has likely signed an agreement to share the valuable data with ad-tech companies that use it to target in-app ads according to the user’s location. The developer gets a share of the ad revenue but rarely has any idea how much data is actually being harvested from their users.

Sadly, these agreements are written by lawyers, meaning they are full of vague terms, some of which may allow all the location information to be resold. Some less-than-savory developers may resell the data even if the agreement doesn’t allow it.

Last year, it was revealed that a US firm called Datastream was selling the location data for active U.S. military and intelligence personnel. An investigation by Wired and other publications reveals how the sensitive data was captured.

The joint investigation by WIRED, Bayerischer Rundfunk (BR), and Netzpolitik.org analyzed a free sample of location data provided by Datastream. The investigation revealed that Datastream was offering access to precise location data from devices likely belonging to American military and intelligence personnel overseas—including at German airbases believed to store US nuclear weapons. Datastream is a data broker in the location data industry, sourcing data from other providers and then selling it to customers.

[…]

The data was likely collected through SDKs (software development kits) embedded in mobile apps by developers who knowingly integrate tracking tools in exchange for revenue-sharing agreements with data brokers.

Following this reporting, the office of Senator Ron Wyden demanded answers from Datastream Group about its role in trafficking the location data of US military personnel. In response, Datastream identified Eskimi as its source, stating it obtained the data “legitimately from a respected third-party provider, Eskimi.com.”

Eskimi says it did not share or sell location data of military personnel, or any other data in Germany or Europe, to Datastream Group.

It hasn’t yet been determined which apps provided the data, but investigations into the sources are ongoing. Currently, it is unknown whether the agreements signed by the developers actually permitted the location data to be re-sold or whether the data was intended only to be used to serve up in-app ads.

While there have been no accusations that the original intention was to capture data from the military, filtering users’ locations to identify users likely to be serving at a US military base is trivial.

Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, says many ad-tech companies sell location data to corporations and governments, calling ad companies “merely surveillance companies with better business models.”
