Trade in location data as a security risk

Reporters from BR and Netzpolitik.org say they have received a data set containing 3.6 billion location data from smartphone apps from a US data trader. The data presumably comes from several million people in Germany, some of which could be used to reconstruct precise movement profiles, as each data point is linked to a "Mobile Advertising ID" (MAID). Companies use this type of data to analyze people's behavior and send them targeted advertising.

According to BR and Netzpolitik.org, the data set also contains movement profiles of presumably tens of thousands of people who work in security-relevant areas, for example in federal ministries, armaments companies, offices of the Federal Office for the Protection of the Constitution, the Federal Intelligence Service and the Federal Criminal Police Office, as well as military facilities in Germany. Although the profiles are not linked to names, in several cases the reporters were able to identify people by their places of residence and workplaces and were able to trace entire daily routines.

BR quotes Konstantin von Notz, Chairman of the Parliamentary Control Committee (PKGr) of the Bundestag. He sees a "relevant security problem". Hostile states could use such data for espionage purposes. Notz's deputy on the PKGr also considers the risk of espionage to be "extremely high".

Privacy risks

In some cases, a Google search was enough to identify the people behind the movement profiles, as it is easy to deduce where someone probably lives and works from the accumulation of location data, according to the report. This is particularly easy for people who live in detached houses. The reporters found advertising IDs in specialist psychiatric clinics, swingers' clubs, brothels and prisons. Anna Wegscheider, a lawyer at HateAID, sees the movement profiles as a great danger for people affected by digital violence, such as stalkers.

The data collection is a free sample, which is dated for a period of around eight weeks at the end of 2023 and which the reporters say they received free of charge from a US retailer. They made contact with the retailer via an online marketplace called Datarade, which is operated by a German company. On the platform, several data traders state that they obtain location data from weather, navigation, gaming and dating apps, for example. Companies buy such data to display personalized advertising to users.

A small sample of the global data trade

The current research by Netzpolitik.org and BR under the title "Databroker Files" was based on a comparatively small section of the global data trade. "But the insights are sufficient to reveal a new dimension of mass surveillance," writes netzpolitik.org. In order to verify the authenticity of the data, random samples of those affected were identified. Based on the movement profiles, it is often possible to find out which person is behind an ID.

Data journalists Ingo Dachwitz and Sebastian Meineck from Netzpolitik.org explained at the 37C3 conference in December 2024 that operators of apps, websites, all smart devices, bonus programs, credit card and payment services such as Mastercard as well as providers of surveys and competitions supplied personal data including cookie IDs and a mobile ad identifier (MAID) to data brokers. These brokers created "large containers for people" who "have the same characteristics." From this, they created individual segments that advertisers could use via auction platforms with real-time bidding, for example, and book targeted ads.

(anw)