This is a joint investigation with Bayerischer Rundfunk (BR). Team BR: Katharina Brunner, Rebecca Ciesielski, Maximilian Zierer, Robert Schöffel, Eva Achinger.
Our investigation with BR (Bayerischer Rundfunk) shows for the first time how data brokers sell the location data of millions of people in Germany. However, the problem has an international dimension. Here we answer key questions and provide an overview of the most important publications.
- What do the Data Broker Files contain?
- How did netzpolitik.org obtain the data?
- Where does the location data originate from?
- How do data brokers jeopardise Germany’s security?
- Is that kind of data trading legal?
- Who is doing something about data trading?
- How are politicians reacting to the investigation?
- How do experts react to the investigation?
- What do the companies involved say about the investigation?
- What do German security authorities say about the investigation?
- Do German intelligence services buy from data traders?
- The publications on the Data Broker Files at a glance
What do the Data Broker Files contain?
- netzpolitik.org and BR have obtained a data set with 3.6 billion location data points from Germany. The data contains around 11 million different device identifiers and is dated to a period of around two months at the end of 2023.
- The data reveals the GPS locations and hence the movements of millions of people. This allows conclusions to be drawn about where they work, live, shop or go for a walk, whether they go to hospital, daycare or a brothel.
- Through simple online research, we were able to clearly identify several people behind the data, as, for example, their home address is listed in the telephone directory and they disclose their place of work on social media.
- However, our investigation also revealed that at least some device identifiers and timestamps in the dataset are incorrect. The number of tracked devices in the dataset is probably lower than 11 million.
How did netzpolitik.org obtain the data?
- This data set originates from the data broker Datastream Group based in Florida, USA. However, it is just one example of the global trade in personal data. Behind it is an almost impenetrable network of thousands of companies.
- We received the data as a free sample, which was intended to serve as a preview for a monthly subscription: For around USD 14,000, the broker offers a continuous stream of fresh location data from millions of smartphones around the world, almost in real time.
- We got in touch with the data broker via a data marketplace operated from Germany. It is called Datarade and is based in Berlin. Datarade brings data traders and buyers together.
Where does the location data originate from?
- The location data comes from mobile phone apps that pass on GPS data for advertising purposes. Users usually have to consent to this once in the app’s privacy policy.
- We do not know exactly which apps the location data from the analysed data set originates from. However, we learned from other data brokers that such location data usually comes from popular apps such as weather, navigation or dating apps.
- According to our findings, this is a global problem. On the data marketplace, we found offers with location data from all continents, including other EU countries. They are advertised by numerous brokers.
- Our investigation describes the scale of the problem in Germany, after similar investigations have already been published for the USA, Norway, the Netherlands and Switzerland.
How do data brokers jeopardise Germany’s security?
- The data set also contains the locations and hence movements of people who apparently work for federal ministries, the German armed forces, security authorities and intelligence services. This makes the findings relevant to national security.
- For example, we were able to identify a person in a senior position who deals with security issues for a federal ministry, as well as a person who works for a German secret service. We found movement profiles at German intelligence agency locations where even agents of the US National Security Agency are said to come and go.
- Such data could also be acquired by foreign intelligence services and used for espionage or sabotage – for example, to locate military sites, track down targets or expose agents.
Is that kind of data trading legal?
- As a legal basis, companies in the industry generally refer to the app user’s consent to the respective privacy policies. These often require consent for data transfers to data brokers.
- According to the General Data Protection Regulation (GDPR) of the European Union, such consent is only valid if it is given for specific cases and the data subjects are informed and act voluntarily.
- Data protection experts assume that these requirements are not met here. This is because the reference to the transfer of data to hundreds of companies is often hidden in the data protection provisions, meaning that consent can hardly be given on an informed basis.
Who is doing something about data trading?
- The German data protection authorities have so far hardly dared to take action against the complex data broker industry. The authorities mainly become active when affected citizens file complaints. However, such complaints are rare.
- There are currently no signs of any legal consequences for the companies mentioned in our investigation. The 3.6 billion pieces of location data we received came from a US broker. European data protection law is often difficult to enforce abroad.
- For the German data marketplace Datarade, on the other hand, the GDPR probably does not apply. This is the assessment of the Berlin Data Protection Commissioner following a preliminary review. This is because a company would have to process the data itself in order to be subject to the GDPR. However, the marketplace merely connects interested parties and data brokers and collects a commission for sales.
How are politicians reacting to the investigation?
- „In a free society, such sensitive personal information should not be available to third parties for commercial purposes,“ writes the German Federal Ministry of Consumer Protection (BMUV). „Once the data has been fed into the advertising networks, users lose all control and their misuse can hardly be prevented.“ The Federal Ministry is therefore advocating regulation that promotes „a consistent switch to alternative advertising models“ that do not require personal data.
- „It is out of the question that something has to happen. This is an unacceptable situation in this form,“ says German MP Konstantin von Notz (Greens). He is also a member of the board of the Parliamentary Control Committee, which oversees the federal intelligence services. He describes the availability of such data records for external services as a „relevant security problem“. „In this specific case, it contradicts the security interests of the Federal Republic of Germany.“ Notz demands: „This data must not be collected in this form and must not be sold“.
- „There can only be one conclusion: such business models must be stopped,“ says MP Martina Renner (Left Party). „In my view, commercial data trading, especially with such sensitive data, must be prohibited. We urgently need far-reaching improvements to data protection and telemedia service regulation in the EU.“
- MP Roderich Kiesewetter (Christian Democratic Union, CDU), Deputy Chairman of the Parliamentary Control Committee, is also calling for more protection. He talks about regulating data marketplaces and sellers „so that such data records are not used by foreign adversary services in the context of hybrid warfare“ and „to protect our citizens from data tapping by foreign states.“
How do experts react to the investigation?
- „Consumers are obviously at the mercy of the advertising industry,“ says Ramona Pop, President of the Federation of German Consumer Organizations. „European legislators must finally recognize that personal user data does not belong in the hands of the advertising industry and take legal action. Tracking and profiling for advertising purposes must be banned as a matter of principle.“
- In the context of data marketplaces, the designated Federal Data Protection Commissioner Louisa Specht-Riemenschneider speaks of a „legal protection gap“, regarding services that do not process data themselves, but contribute to it, for example by initiating contact between data brokers and buyers. „Legislators are urgently required to find solutions here, for example in the BDSG.“ BDSG stands for Federal Data Protection Act, which is currently undergoing reform in parliament.
- „The data market definitely needs to be regulated more closely,“ demands Thorsten Wetzling, who heads the research unit „Digital Rights, Surveillance and Democracy“ for the Interface think tank. He believes that the EU Commission, which is reorganizing itself following the recent parliamentary elections, has a responsibility to act.
- „We hope that the revelations will wake up the population, the supervisory authorities and also the legislators,“ says lawyer Martin Baumann from the Viennese data protection NGO noyb. The NGO will also consider taking legal action against the companies involved.
- „This is a massive security risk for those affected by digital violence,“ writes Anna Wegscheider, a lawyer at the non-profit organization HateAid. Stalkers could use such data to track down others.
What do the companies involved say about the investigation?
- Datarade GmbH, based in Germany, and the US-based Datastream Group did not respond to our press inquiries.
- Regarding a similar investigation by Eric van den Berg for the Dutch BNR Nieuwsradio in January, Datarade wrote (translated from Dutch): „As a platform, we only act as an intermediary. We do not sell datasets ourselves. Data traders can offer their datasets for sale on our platform to get in touch with interested parties. Of course, we only allow legal content on our platform, as stated in our general terms and conditions. […] Datarade considers it important to take action against legal violations.“
What do German security authorities say about the investigation?
- In response to an inquiry, the German Ministry of Defense writes: „We are aware of the potential risk and consider it very likely that every member of the Bundeswehr, like every cell phone user, is exposed to this risk in both their private and work environment.“ The Bundeswehr is Germany’s armed forces.
- When asked, the Ministry of the Interior and the Ministry of Defense state that they regularly sensitize their employees to the potential risks.
- The German government is apparently aware that foreign intelligence services purchase data from data traders. The Ministry of the Interior and the Ministry of Defense state: Foreign intelligence services would generally use all available means. „This also includes the purchase and use of data available on the internet.“
Do German intelligence services buy from data traders?
- When asked, the responsible ministries did not comment on whether German intelligence services also buy from data brokers themselves. The Ministry of Defense wrote with regard to the Military Counterintelligence Service (MAD): The responsible federal office uses „all legally permissible means“.
- It is known from the USA that government agencies purchase information from commercial data brokers. A study by the Interface think tank recently came to the conclusion that it is plausible that German intelligence services also use data traders as a source.
- Whether German services have a concrete legal basis for this is a matter of debate. A legal justification formulated by the German government for the reform of the foreign intelligence service BND at least suggests this. There, the purchase of data from advertising databases is described as the procurement of information from „generally accessible sources“.
The publications on the Data Broker Files at a glance
… by netzpolitik.org
- „Wie Datenhändler Deutschlands Sicherheit gefährden“, July 16 2024
- „Firma verschleudert 3,6 Milliarden Standorte von Menschen in Deutschland“, July 16 2024
- „Jetzt testen: Wurde mein Handy-Standort verkauft?“, July 16 2024
- „So stoppt man das Standort-Tracking am Handy“, July 16 2024
- Commentary: „Dieses Staatsversagen schadet uns allen“, July 16 2024
- Summary: „Die große Datenhändler-Recherche im Überblick“, July 16 2024
- „ADINT – gefährliche Spionage per Online-Werbung“, July 19 2024
- „US-Senator schaltet Pentagon ein; Bundesministerium fordert EU-Gesetze“, July 19 2024
- „Datarade – geschickte Geschäfte im Graubereich“, July 25 2024
- „Abgeordnete kritisieren Staatsgeld für Datenmarktplatz“, July 31 2024
- „Werbe-IDs damals und heute: Wer nicht aufpasst, wird getrackt“, September 3 2024
- „Wie Datenhändler NATO und US-Militär bloßstellen“, November 20 2024
- „Datenhandel ist Gift“, November 20 2024
… by BR
- ARD-Politikmagazin report München, July 16 2024
- 11km – der tagesschau-Podcast, July 16 2024
- ARD Audiothek, Der Funkstreifzug, July 16 2024
- „Ausspioniert mit Standortdaten“ BR Web-Special, July 16 2024
- (English) Under Surveillance, BR Web Special, July 16 2024
- „Spionagerisiko für Militär und Geheimdienste“, July 16 2024
- „Das gefährliche Geschäft mit den Standortdaten“, July 16 2024
- „Verbraucherschutzministerium will Datenhandel einschränken“, July 17 2024
- „Handel mit Standortdaten: Politiker fordern Einschränkungen“, July 25 2024
- „Risiko für Militäreinrichtungen“, November 20 2024
… by other partners
- „Anyone Can Buy Data Tracking US Soldiers and Spies to Nuclear Vaults and Brothels in Germany“, WIRED, November 20 2024
Most of our articles are written in German, but you can translate them directly in your browser for free, for example with Firefox or the Chrome extension Google Translate.
Do you know more about the data broker industry or have other tips for our team? Please reach out to Sebastian or Ingo. If possible, please use encrypted channels and a device that does not belong to your employer.