Data Broker FilesHow data brokers sell our location data and jeopardise national security

The AdTech industry is torpedoing the privacy of millions of people in Germany and is a threat to national security. But the underlying problem is global: databrokers sell location data without sufficient control. This is the summary of a joint research by netzpolitik.org and BR.

- , - in Datenschutz - keine Ergänzungen
A lonely road in the dark. Fog. In the background, columns of numbers in the sky - coordinates.
Located. (The data on this graphic is randomly generated and illustrative). – Street: Pixabay/elg_darling; Fog: Vecteezy; Montage: netzpolitik.org

This is a joint investigation with Bayerischer Rundfunk (BR). Team BR: Katharina Brunner, Rebecca Ciesielski, Maximilian Zierer, Robert Schöffel, Eva Achinger.

Our investigation with BR (Bayerischer Rundfunk) shows for the first time how data brokers sell the location data of millions of people in Germany. However, the problem has an international dimension. Here we answer key questions and provide an overview of the most important publications.

What do the Data Broker Files contain?

  • netzpolitik.org and BR have obtained a data set with 3.6 billion location data points from Germany. The data contains around 11 million different device identifiers and is dated to a period of around two months at the end of 2023.
  • The data reveals the GPS-locations and hence the movements of millions of people. This allows conclusions to be drawn about where they work, live, shop or go for a walk, whether they go to hospital, daycare or a brothel.
  • Through simple online research, we were able to clearly identify several people behind the data, as, for example, their home address is listed in the telephone directory and they disclose their place of work on social media.
  • However, our investigation also revealed that at least some device identifiers and timestamps in the dataset are incorrect. The number of tracked devices in the dataset is probably lower than 11 million.

How did netzpolitik.org obtain the data?

  • This data set originates from the data broker Datastream Group based in Florida, USA. However, it is just one example of the global trade in personal data. Behind it is an almost impenetrable network of thousands of companies.
  • We received the data as a free sample, which was intended to serve as a preview for a monthly subscription: For around USD 14,000, the broker offers a continuous stream of fresh location data from millions of smartphones around the world, almost in real time.
  • We got in touch with the data broker via a data marketplace operated from Germany. It is called Datarade and is based in Berlin. Datarade brings data traders and buyers together.

Where does the location data originate from?

  • The location data comes from mobile phone apps that pass on GPS data for advertising purposes. Users usually have to consent to this once in the app’s privacy policy.
  • We do not know exactly which apps the location data from the analysed data set originates from. However, we learned from other data brokers that such location data usually comes from popular apps such as weather, navigation or dating apps.
  • According to our findings, this is a global problem. On the data marketplace, we found offers with location data from all continents, including other EU countries. They are advertised by numerous brokers.
  • Our investigation describes the scale of the problem in Germany, after similar investigations have already been published for the USA, Norway the Netherlands and Switzerland.

How do data brokers jeopardise Germany’s security?

  • The data set also contains the locations and hence movements of people who apparently work for federal ministries, the German armed forces, security authorities and intelligence services. This makes the findings relevant to national security.
  • For example, we were able to identify a person in a senior position who deals with security issues for a federal ministry, as well as a person who works for a German secret service. We found movement profiles at German intelligence agency locations where even agents of the US National Security Agency are said to come and go.
  • Such data could also be acquired by foreign intelligence services and used for espionage or sabotage – for example, to locate military sites, track down targets or expose agents.

Is that kind of data trading legal?

  • As a legal basis, companies in the industry generally refer to the app user’s consent to the respective privacy policies. These often require consent for data transfers to data brokers.
  • According to the General Data Protection Regulation (GDPR) of the European Union, such consent is only valid if it is given for specific cases and the data subjects are informed and act voluntarily.
  • Data protection experts assume that these requirements are not met here. This is because the reference to the transfer of data to hundreds of companies is often hidden in the data protection provisions, meaning that consent can hardly be given on an informed basis.

Who is doing something about data trading?

  • The German data protection authorities have so far hardly dared to take action against the complex data broker industry. The authorities mainly become active when affected citizens file complains. However, such complaints are rare.
  • There are currently no signs of any legal consequences for the companies mentioned in our investigation. The 3.6 billion pieces of location data we received came from a US broker. European data protection law is often difficult to enforce abroad.
  • For the German data marketplace Datarade, on the other hand, the GDPR probably does not apply. This is the assessment of the Berlin Data Protection Commissioner following a preliminary review. This is because a company would have to process the data itself in order to be subject to the GDPR. However, the marketplace merely connects interested parties and data brokers and collects a commission for sales.

How are politicians reacting to the investigation?

  • „In a free society, such sensitive personal information should not be available to third parties for commercial purposes,“ writes the German Federal Ministry of Consumer Protection (BMUV). „Once the data has been fed into the advertising networks, users lose all control and their misuse can hardly be prevented.“ The Federal Ministry is therefore advocating regulation that promotes „a consistent switch to alternative advertising models“ that do not require personal data.
  • „It is out of the question that something has to happen. This is an unacceptable situation in this form,“ says German MP Konstantin von Notz (Greens). He is also a member of the board of the Parliamentary Control Committee, which oversees the federal intelligence services. He describes the availability of such data records for external services as a „relevant security problem“. „In this specific case, it contradicts the security interests of the Federal Republic of Germany.“ Notz demands: „This data must not be collected in this form and must not be sold“.
  • „There can only be one conclusion: such business models must be stopped,“ says MP Martina Renner (Left Party). „In my view, commercial data trading, especially with such sensitive data, must be prohibited. We urgently need far-reaching improvements to data protection and telemedia service regulation in the EU.“
  • MP Roderich Kiesewetter (Christian Democratic Union, CDU), Deputy Chairman of the Parliamentary Control Committee, is also calling for more protection. He talks about regulating data marketplaces and sellers „so that such data records are not used by foreign adversary services in the context of hybrid warfare“ and „to protect our citizens from data tapping by foreign states.“

How do experts react to the investigation?

  • „Consumers are obviously at the mercy of the advertising industry,“ says Ramona Pop, President of the Federation of German Consumer Organizations. „European legislators must finally recognize that personal user data does not belong in the hands of the advertising industry and take legal action. Tracking and profiling for advertising purposes must be banned as a matter of principle.“
  • In the context of data marketplaces, the designated Federal Data Protection Commissioner Louisa Specht-Riemenschneider speaks of a „legal protection gap“, regarding services that do not process data themselves, but contribute to it, for example by initiating contact between data brokers and buyers. „Legislators are urgently required to find solutions here, for example in the BDSG.“ BDSG stands for Federal Data Protection Act, which is currently undergoing reform in parliament.
  • „The data market definitely needs to be regulated more closely,“ demands Thorsten Wetzling, who heads the research unit „Digital Rights, Surveillance and Democracy“ for the Interface think tank. He believes that the EU Commission, which is reorganizing itself following the recent parliamentary elections, has a responsibility to act.
  • „We hope that the revelations will wake up the population, the supervisory authorities and also the legislators,“ says lawyer Martin Baumann from the Viennese data protection NGO noyb. The NGO will also consider taking legal action against the companies involved.
  • „This is a massive security risk for those affected by digital violence,“ writes Anna Wegscheider, a lawyer at the non-profit organization HateAid. Stalkers could use such data to track down others.

What do the companies involved say about the investigation?

  • Datarade GmbH, based in Germany, and the US-based Datastream Group did not respond to our press inquiries.
  • Regarding a similar investigation by Eric van den Berg for the Dutch BNR Nieuwsradio in January, Datarade wrote (translated from Dutch): „As a platform, we only act as an intermediary. We do not sell datasets ourselves. Data traders can offer their datasets for sale on our platform to get in touch with interested parties. Of course, we only allow legal content on our platform, as stated in our general terms and conditions. […] Datarade considers it important to take action against legal violations.“

What do German security authorities say about the investigation?

  • In response to an inquiry, the German Ministry of Defense writes: „We are aware of the potential risk and consider it very likely that every member of the Bundeswehr, like every cell phone user, is exposed to this risk in both their private and work environment.“ The Bundeswehr is Germany’s armed forces.
  • When asked, the Ministry of the Interior and the Ministry of Defence state that they regularly sensitize their employees to the potential risks.
  • The German government is apparently aware that foreign intelligence services purchase data from data traders. The Ministry of the Interior and the Ministry of Defense state: Foreign intelligence services would generally use all available means. „This also includes the purchase and use of data available on the internet.“

Do German intelligence services buy from data traders?

  • When asked, the responsible ministries did not comment on whether German intelligence services also buy from data brokrs themselves. The Ministry of Defense wrote with regard to the Military Counterintelligence Service (MAD): The responsible federal office uses „all legally permissible means“.
  • It is known from the USA that government agencies purchase information from commercial data brokers. A study by the Interface think tank recently came to the conclusion that it is plausible that German intelligence services also use data traders as a source.
  • Whether German services have a concrete legal basis for this is a matter of debate. A legal justification formulated by the German government for the reform of the foreign intelligence service BND at least suggests this. There, the purchase of data from advertising databases is described as the procurement of information from „generally accessible sources“.

The publications on the Data Broker Files at a glance

… by netzpolitik.org

  • „Wie Datenhändler Deutschlands Sicherheit gefährden“, July 16 2024
  • „Firma verschleudert 3,6 Milliarden Standorte von Menschen in Deutschland“, July 16 2024
  • „Jetzt testen: Wurde mein Handy-Standort verkauft?“, July 16 2024
  • „So stoppt man das Standort-Tracking am Handy“, July 16 2024
  • Kommentar: „Dieses Staatsversagen schadet uns allen“, July 16 2024
  • Zusammenfassung: „Die große Datenhändler-Recherche im Überblick“, July 16 2024

… by BR

Most of our articles are written in German, but you can translate them directly in your browser for free, for example with Firefox or the Chrome extension Google Translate.

Do you know more about the data broker industry or have other tips for our team? Please reach out to Sebastian or Ingo. If possible, please use encrypted channels and a device that does not belong to your employer.

Deine Spende für digitale Freiheitsrechte

Wir berichten über aktuelle netzpolitische Entwicklungen, decken Skandale auf und stoßen Debatten an. Dabei sind wir vollkommen unabhängig. Denn unser Kampf für digitale Freiheitsrechte finanziert sich zu fast 100 Prozent aus den Spenden unserer Leser:innen.

Über die Autor:in

Sebastian Meineck ist Journalist und seit 2021 Redakteur bei netzpolitik.org. Zu seinen aktuellen Schwerpunkten gehören digitale Gewalt, Jugendmedienschutz und Künstliche Intelligenz. Er interessiert sich besonders für Methoden der Online-Recherche; darüber schreibt er einen Newsletter und gibt Workshops an Universitäten. Zu seinen vorigen Stationen gehören VICE (Senior Editor), Motherboard (Editor-in-chief), der SPIEGEL (Autor) und die Deutsche Journalistenschule München. Das Medium Magazin hat ihn 2020 zu einem der Top 30 unter 30 im Journalismus gekürt.

Kontakt: E-Mail (OpenPGP), Sebastian Hinweise schicken | Sebastian für O-Töne anfragen | Mastodon

Ingo ist Journalist und Kommunikationswissenschaftler. Seit 2016 ist er Redakteur bei netzpolitik.org und hier unter anderem Ko-Host des Podcasts Off/On. Ingos Themen sind der Überwachungskapitalismus, die digitale Zivilgesellschaft und der Strukturwandel der Öffentlichkeit. Er schreibt häufig über Datenmissbrauch und Datenschutz, Targeted Advertising, Plattformregulierung, Transparenz, Lobbyismus, Wahlkämpfe und die Polizei. Gelegentlich ist er auch als Moderator oder Lehrbeauftragter an Universitäten tätig und gibt Workshops in digitaler Selbstverteidigung. Ingo ist Ko-Autor der Studie "Medienmäzen Google" und Mitglied des Vereins Digitale Gesellschaft sowie der Evangelischen Kirche.

Kontakt: E-Mail (OpenPGP), Mastodon, Twitter, FragDenStaat

Veröffentlicht 16.07.2024 um 06:00
Kategorie
Schlagworte
Weitere Artikel
Die Collage zeigt eine Frau, die auf ihr Handy schaut. Wie geht einen Wanderweg entlang. Hinter ihr auf dem Weg erstrecken sich Ortsmarken, die zeigen, dass sie getrackt wurde. Vom Handy gehen Signale aus. Am Horizont ist ein Auge.
Datenschutz

Databroker FilesFirma verschleudert 3,6 Milliarden Standorte von Menschen in Deutschland

Datenhändler verbreiten die Standorte von Menschen in Deutschland – teils sogar kostenlos, wie Recherchen von netzpolitik.org und BR zeigen. Ein Datensatz mit 3,6 Milliarden Einträgen offenbart genaue Bewegungsprofile und eine neue Dimension der Massenüberwachung.

Lesen Sie diesen Artikel: Firma verschleudert 3,6 Milliarden Standorte von Menschen in Deutschland

0 Ergänzungen

Wir freuen uns auf Deine Anmerkungen, Fragen, Korrekturen und inhaltlichen Ergänzungen zum Artikel. Bitte keine reinen Meinungsbeiträge! Unsere Regeln zur Veröffentlichung von Ergänzungen findest Du unter netzpolitik.org/kommentare. Deine E-Mail-Adresse wird nicht veröffentlicht.