A recent investigation by German outlets netzpolitik.org and Bayerischer Rundfunk (BR) has revealed that data brokers are disseminating the location data of millions of people in Germany, posing severe risks to privacy and national security. The investigation uncovered a dataset containing 3.6 billion entries, exposing detailed movement profiles and highlighting a new dimension of mass surveillance.
The research team, including Katharina Brunner, Rebecca Ciesielski, Maximilian Zierer (BR), Robert Schöffel, and Eva Achinger (netzpolitik), traced the data to Datastream Group, a US-based company. The dataset was obtained through Datarade, an online marketplace run by a Berlin-based startup that connects buyers and sellers of data. The dataset, offered as a free sample, contained mobile advertising IDs (MAIDs), which can be used to track individual devices and their movements.
The 3.6 billion location points on the dataset map reveal intricate details about daily routines, such as commutes to work, visits to recreational areas, and even more intimate movements, like visits to rehabilitation clinics and swinger clubs. These points can be connected to create comprehensive movement profiles that invade the privacy of millions of individuals.
The entangled data brokers network
Stichproben, or spot checks, confirmed the authenticity of the data. The team managed to identify several individuals, including their places of residence and work, from the movement profiles. Although the dataset lacked names or phone numbers, it often required minimal effort to link a movement profile to a specific individual using publicly available information like phone directories or social media.
Datarade, the intermediary platform, is partially funded by the German government's High-Tech Gründerfonds. The company claims to only act as a broker and insists that it complies with legal requirements. However, the ease with which sensitive data is traded raises significant privacy concerns. Datastream Group, the US company providing the data, updates its database hourly, offering data from up to 163 countries for purposes such as personalized advertising and real estate planning.
Beyond privacy, the investigation uncovered severe security risks. The dataset includes movement profiles of individuals working in critical areas such as military bases, intelligence agencies, and other security-related institutions. For example, location data from NATO's training grounds in Grafenwöhr and the Ramstein Airbase could allow adversaries to track military personnel and operations, posing a substantial espionage threat. Konstantin von Notz, chairman of the Parliamentary Control Panel overseeing German intelligence services, highlighted the danger, warning that such data could be used by foreign intelligence services to compromise national security.
Calls for regulatory reform
The investigation has prompted strong reactions from various stakeholders. Ramona Pop, president of the German Consumer Federation (vzbv), and other experts have called for stricter regulations to protect consumer data from being exploited by the advertising industry. The federal ministries of defense and interior acknowledged the risks and emphasized ongoing efforts to educate their staff about secure IT practices.
Despite the revelations, the legality of data trade remains ambiguous. Companies often cite user consent obtained through app privacy policies as their legal basis. However, experts argue that these consents are typically neither informed nor voluntary, as users often have no alternative but to accept extensive data sharing to use the apps.
Louisa Specht-Riemenschneider, the designated Federal Data Protection Commissioner, emphasized the regulatory gaps and urged the legislature to address these issues. She highlighted that current laws inadequately cover entities that broker data rather than process it directly, leaving significant loopholes in data protection.
The findings of this investigation underscore the urgent need for regulatory reforms to safeguard personal data and national security. This privacy breach happened in Germany, where strict GDPR laws are supposed to protect people from such practices. If 3.6 billion location points can be traded so easily there, it is easy to deduce how data broker networks operate in places with weaker or no privacy laws, like many U.S. states.