It was discovered last year that location data for US military and intelligence personnel serving overseas was being sold by a Florida-based data broker, but the source of that sensitive data was unclear at the time.
It’s now been revealed that the data was captured by a variety of mobile apps with revenue-sharing agreements with a Lithuanian ad-tech company, and then resold by an American company …
The problem of location data captured by apps
A great many apps capture location data. For some apps, this is clearly a necessity, such as map apps, transit navigators, and so on. For others, there’s a tangential benefit, like camera apps which can store the location at which a photo was taken. Apple’s own Camera app does this, for example, so that we can search for photos taken in particular places.
But there are also countless examples of apps which collect location data for no clear reason. iOS forces apps to request permission for this, and we’ve probably all seen apps pop up the request for no apparent reason.
This is likely because location data is valuable to advertisers. Developers sign agreements with ad-tech companies which allow ads within their apps to be targeted by country (or even by city) in return for a share of the revenue.
The problem is that many of these agreements have vague terms which may allow the location data to be re-sold. Even where the agreement doesn’t permit this, rogue companies can re-sell it anyway.
Locations sold for US military and intelligence personnel
It last year came to light that that Datastream, a US company, was selling location data for US military and intelligence personnel. An investigation by Wired and others has now revealed how this data was captured.
The joint investigation by WIRED, Bayerischer Rundfunk (BR), and Netzpolitik.org analyzed a free sample of location data provided by Datastream. The investigation revealed that Datastream was offering access to precise location data from devices likely belonging to American military and intelligence personnel overseas—including at German airbases believed to store US nuclear weapons. Datastream is a data broker in the location data history, sourcing data from other providers and then selling it to customers […]
The data was likely collected through SDKs (software development kits) embedded in mobile apps by developers who knowingly integrate tracking tools in exchange for revenue-sharing agreements with data brokers.
Following this reporting, the office of Senator Ron Wyden demanded answers from Datastream Group about its role in trafficking the location data of US military personnel. In response, Datastream identified Eskimi as its source, stating it obtained the data “legitimately from a respected third-party provider, Eskimi.com.”
Eskimi is a Lithuanian ad-tech company, which claimed that the data was not supposed to have been re-sold.
It’s not known at this stage which apps were the source for the data, but investigations are continuing. It’s also unclear whether the agreements signed by the developers actually allowed the location data to be re-sold, rather than used purely to serve ads within their apps.
It’s not being suggested that anyone specifically set out to capture military data, but filtering by locations of US military bases both at home and overseas would be an exceedingly trivial way to identify people who are likely to be serving personnel.
‘Surveillance companies with better business models’
Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, says this is just one example of a growing problem. He says many ad-tech companies are selling location data to both corporations and governments.
“Advertising companies are merely surveillance companies with better business models,” Edwards says.
It’s not the first time that apps have exposed location data of military personnel serving overseas. There have also been known examples of the military and US law enforcement agencies purchasing location data.
9to5Mac’s Take
Even leaving aside the sensitivity of military data, nobody using an iPhone or Android app expects their location data to be re-sold, no matter what may be buried within the small-print of the privacy policy.
It’s time for laws to ban the sale of sensitive personal data.
Photo by Joel Rivera-Camacho on Unsplash
FTC: We use income earning auto affiliate links. More.
