Missing Link: How millions of German citizens are being commercially spied on
How is it possible to earn a lot of money with the sensitive location data of millions of people despite the strict data protection laws? A search for clues.
Some people may have become aware of the international trade in location data for the first time this week. Reporters from Bayerischer Rundfunk (BR) and Netzpolitik.org obtained a data set of almost 3.6 billion location data points linked to Mobile Advertising IDs (MAIDs) via a Berlin-based data marketplace called Datarade. These MAIDs are used to individually identify smartphone users and desktop computers to apps and websites. The data originates from the US company Datastream Group and was distributed via the Berlin marketplace as a free sample to journalists who pretended to be interested buyers.
However, the fact that such data is collected and traded internationally is nothing new. In December 2019, for example, the New York Times revealed details of a similar data set that the newspaper had received from anonymous whistleblowers. The Norwegian broadcaster NRK then reported on similar practices with data from Norway. Finally, in January, the Dutch radio station BNR discovered the Berlin marketplace Datarade and obtained 80 gigabytes of data from Dutch smartphone users. All of these reports add up to a kind of Snowden moment for the digital advertising industry: they inevitably bring to light a practice that experts have long expected, but which the general public was hardly aware of until now.
How controversial is location data actually?
The collection of location data by smartphone apps is often dismissed on the grounds that this data is not linked to personal data. Providers argue that almost every app on our smartphones wants to know the GPS position of our device to the second and at a very granular level – even though many apps do not appear to need any location data at all and especially not to this level of detail. However, this argument ignores how much knowledge can be gained from analyzing metadata. For example, it has been known for years that law enforcement agencies have successfully uncovered many murder cases and even terror plots based on metadata alone. Investigators often don't even need to know what suspects talk about in phone calls; it is enough to know who talked to whom, when and for how long. And perhaps where these people have been.
If you have fine-grained location data on a person, you can find out where that person is at night and where they spend the time from 8 a.m. to 5 p.m. during the week: in other words, exactly where they live and work. In many cases, this information can be used to identify the person in question via posts on social media or from other public sources. In the same way, the Netzpolitik.org reporters linked the anonymous advertising IDs with real people in their research.
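A data protection audit can measure this risk before a data set is released. The following added example (not from the article or from any company it names) counts how many advertising IDs have a home/work cell pair that no other ID shares, at two grid precisions. The record layout, the 22:00 to 06:00 night window and all sample values are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: advertising ID -> (home, work) coordinates. All invented.
PEOPLE = {
    "maid-A": ((52.5201, 13.4041), (52.5301, 13.3841)),
    "maid-B": ((52.5203, 13.4043), (52.5299, 13.3843)),  # near maid-A
    "maid-C": ((48.1371, 11.5754), (48.1501, 11.5601)),
}
# One night-time and one working-hours record per ID on three weekdays.
RECORDS = [(m, f"2024-07-{d:02d}T{h:02d}:00:00", *loc)
           for m, (home, work) in PEOPLE.items()
           for d in (8, 9, 10)
           for h, loc in ((2, home), (10, work))]

def cell(lat, lon, decimals):
    """Snap a coordinate to a grid cell; fewer decimals means a coarser cell."""
    return (round(lat, decimals), round(lon, decimals))

def home_work_pairs(records, decimals):
    """Most frequent night-time cell and weekday 8-17h cell per advertising ID."""
    night, day = defaultdict(Counter), defaultdict(Counter)
    for maid, ts, lat, lon in records:
        t = datetime.fromisoformat(ts)
        c = cell(lat, lon, decimals)
        if t.hour >= 22 or t.hour < 6:          # assumed night window
            night[maid][c] += 1
        elif t.weekday() < 5 and 8 <= t.hour < 17:
            day[maid][c] += 1
    return {m: (night[m].most_common(1)[0][0], day[m].most_common(1)[0][0])
            for m in night if m in day}

def unique_fraction(records, decimals):
    """Share of IDs whose (home, work) pair is shared with no other ID (k = 1)."""
    pairs = home_work_pairs(records, decimals)
    counts = Counter(pairs.values())
    unique = [m for m, p in pairs.items() if counts[p] == 1]
    return len(unique) / len(pairs) if pairs else 0.0

if __name__ == "__main__":
    for decimals in (4, 2):  # roughly 10 m cells versus roughly 1 km cells
        print(decimals, round(unique_fraction(RECORDS, decimals), 2))
```

On this sample every ID is unique at four decimal places, while at two decimal places the two neighbouring IDs collapse into one pair and only one of three remains unique.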
The next step is to see what these people do. Do they regularly visit hospitals or doctors? Do they visit brothels and swingers clubs? Do long stays at other addresses at weekends indicate a secret affair? This becomes even more critical if the person being tracked works for the military, a secret service or the government, for example. The reporters also found such data records in the location data grab bag, for example of people who apparently work for the Federal Intelligence Service (BND) or the Special Operations Force KSK of the German Armed Forces. There is also data on people who go in and out of the highly secure "Camp Kherson" – the area on the military training ground in Grafenwoehr, Bavaria, where the US Army trains Ukrainian soldiers on the crown jewel of its weapons technology, the M1 Abrams main battle tank.
How does international data trading work?
The data in the possession of the reporters from BR and Netzpolitik.org apparently comes from various smartphone apps. It is fairly easy for software developers on Android and iOS to collect such data. There are countless software development kits (SDKs) that developers of such apps can integrate into their programs. These are ready-made software modules that request location data from the cell phone operating system when the corresponding app is running and then send it on to advertising companies and tracking networks. In return, the app operators earn money from the transmission of their users' data.
However, the data obtained by the journalists is only a snapshot. If they had taken out a subscription with the data provider in the USA, they would have been supplied with a daily stream of location data, as the company promises. With some providers, this data is even updated hourly. And it is available to anyone who is willing to pay: companies, private individuals, law enforcement agencies and intelligence services. It can be assumed that government bodies of repressive, totalitarian states also buy and use such data sets.
As the advertising IDs can be reset in the operating system, they cannot be mapped one-to-one to individuals. However, there are not only companies that trade in this data, but also those that have made it their business to combine data records from different sources and assign changing MAIDs to individual users. For example, it is conceivable that two iOS IDs and the advertising IDs of several Windows computers of one and the same user can be assigned to the same person – simply because of the related location data distributed across the various MAIDs. With modern big data analysis techniques and the use of neural networks and other statistical algorithms, such analyses can be carried out on a large scale and fully automatically in a short time. Back in 2021, the US magazine Vice reported that there are a whole host of companies that specialize in linking supposedly anonymous advertising IDs to specific individuals in exchange for money.
Governments also use special service providers to expose and track individuals based on such data. Two years ago, for example, The Intercept reported on a company called Anomaly Six, which spies on Russian soldiers in Ukraine for the US government. In order to impressively demonstrate its capabilities and win the lucrative government contract, this company had tracked and exposed the US government's own spies at the CIA and NSA using smartphone data.