Last year, it came to light that a data broker based in Florida was selling location information for US military and intelligence personnel stationed abroad, but the origins of that sensitive data remained unclear at the time.
However, it has now been disclosed that this data was gathered through various mobile applications that had revenue-sharing agreements with a Lithuanian ad-tech firm, which was then sold by an American company …
The issue of app-collected location data
Numerous applications gather location information. For certain apps, this is essential—for instance, map applications and navigation aids. Others, like camera applications, offer a secondary advantage, such as storing the location where a photo was taken. Apple’s Camera app, for instance, allows users to search for images based on location.
Nevertheless, there are many applications that collect location data without a clear justification. iOS requires applications to request permission for this access, and many users have likely encountered such requests without any apparent reason.
This trend likely stems from the fact that location data holds significant value for advertisers. Developers enter into agreements with ad-tech companies that facilitate targeting ads by geographical area (even down to the city level) in exchange for a share of the revenue.
The concern is that many of these agreements feature ambiguous terms that might allow the location data to be resold. Even when the agreements explicitly prohibit this, unscrupulous companies may still proceed to sell it.
Location data sold for US military and intelligence users
Recently, it was uncovered that Datastream, an American company, was marketing location data connected to US military and intelligence personnel. An investigation by Wired and other outlets has now illuminated how this information was sourced.
The joint inquiry, conducted by WIRED, Bayerischer Rundfunk (BR), and Netzpolitik.org, analyzed a free sample of location data from Datastream. The findings indicated that Datastream was providing access to precise location data from devices likely associated with American military and intelligence personnel abroad—including at German airbases suspected of housing US nuclear weapons. Datastream functions as a broker in the location data market, sourcing data from various providers and selling it to clients […]
The data in question was likely obtained through SDKs (software development kits) integrated into mobile apps by developers who knowingly incorporate tracking tools in exchange for revenue-sharing agreements with data brokers.
In response to this reporting, Senator Ron Wyden’s office sought clarification from Datastream Group regarding its involvement in the sale of location data for US military personnel. In its reply, Datastream cited Eskimi as its data source, claiming it acquired the data “legitimately from a respected third-party provider, Eskimi.com.”
Eskimi is a Lithuanian ad-tech firm that asserted the data was not intended for resale.
At this point, it remains uncertain which specific apps were responsible for the data collection, and investigations are ongoing. It remains ambiguous whether the developers’ agreements permitted the resale of location data, or if it was strictly to support advertising within their apps.
There is no assertion that there was a deliberate attempt to capture military-related data, but filtering by locations of US military bases—both domestically and internationally—would be a remarkably straightforward way to pinpoint individuals who are likely military personnel.
‘Surveillance firms with more advantageous business models’
Zach Edwards, a senior threat analyst at the cybersecurity firm Silent Push, indicates that this situation reflects a broader, escalating issue. He points out that numerous ad-tech companies are selling location information to both private corporations and government entities.
“Advertising firms are essentially surveillance firms with more lucrative business models,” asserts Edwards.
This is not the first incident where applications have compromised the location data of military members stationed abroad. There have also been documented instances where the military and US law enforcement agencies have procured location data.
DMN’s Perspective
Setting aside the sensitive nature of military data, individuals using iPhone or Android applications do not expect their location information to be sold, irrespective of the fine print in privacy policies.
Legislation is needed to prohibit the trade of sensitive personal data.
Photo by Joel Rivera-Camacho on Unsplash
FTC: We use income-earning auto affiliate links. More.
