Frankfurt, Germany, Hauptbahnhof
Travelers in Frankfurt, Germany's Central Station. Image: Gabriel Menchaca via Unsplash

US company's geolocation data transaction draws intense scrutiny in Germany

A U.S.-based data broker reportedly provided 3.6 billion individual geolocation data points derived from millions of Germans’ smartphone apps — including those belonging to national security officials — to a journalist through a German company that connects data buyers and sellers.

The U.S.-based data broker Datastream Group reportedly shared vast amounts of personal information with the journalist, offering it as a “free sample which was intended to serve as a preview for a monthly subscription,” according to joint reporting by the German public broadcaster Bayerische Rundfunk (BR) and the digital civil rights opinion news site netzpolitik,org.

The German company Datarade — an internet marketplace bringing together data buyers and vendors — connected Datastream Group with the journalist, the outlets reported.

The two outlets say the transaction is an example of the ease of acquiring highly sensitive location data on the open market. Several individuals whose information was shared expressed shock that the European Union’s stringent data privacy laws, which require consumers consent to third-party sharing of location data, did not protect them from a U.S-based data broker peddling their precise coordinates, BR reported.

Datastream Group and Datarade are not being accused of a crime or a regulatory violation, though it remains to be seen how Europe’s tough data privacy authorities will react to the report’s findings.

Datastream Group charges about $14,000 for the monthly subscriptions, which supply clients with “a continuous stream of fresh location data from millions of smartphones around the world, almost in real time,” netzpolitik.org reported.

A netzpolitik.org staffer obtained the data, which was collected during an eight-week period in late 2023, after filling out a Datarade registration form with his real name and newsroom address. From there, Datastream Group gave him the data after a “brief phone call,” BR reported.

The location data was pulled from advertising IDs, which the ad industry uses to tailor marketing to specific smartphones. Once equipped with a specific advertising ID, data buyers can track the movements of  individuals. 

“Long tables with coordinates [and] timestamps accurate down to the second,” were shared, the outlets reported.

The outlets were able to create “movement profiles” for tens of thousands of national security and military officials with the data.

For example, by matching where one person slept with their daytime whereabouts the news outlets were able to pinpoint and identify an official working for a field office of Germany’s foreign intelligence organization (BND), BR reported. 

The Datastream Group and Datarade did not immediately respond to requests for comment.

“Unauthorized persons are not allowed on the grounds,” BR reported, referring to the foreign intelligence agency’s field office. “Hardly anyone who works there shares their employment status publicly.”

Documents made public in 2013 by whistleblower Edward Snowden revealed that the windowless building, popularly known as “the Tin Can,” was used by the National Security Agency to help build its worldwide mass surveillance effort.

That identified BND official also regularly visited American military bases in Germany. The data tied the official’s home address to the U.S. military, BR reported.

Officials traveling to Germany’s domestic intelligence agency also were outed by the data, BR reported.

Employees at that building also do not publicly reveal their professional affiliation and are forced to turn over their mobile phones when they arrive at work.

The documents obtained showed a large number of  “data points in the parking lots and at various building entrances,” BR said.

By tracking the location of an individual who often parks at the complex, BR said it was able to link to their home address, find out their name and several of their social media profiles, which gave BR reporters “their rough age, education level, family situation and hobbies, in addition to … numerous vacation photos.”

While BR and netzpolitik.org highlighted the national security risks embedded in the sale of the location data, the outlets also noted that it made it “possible to establish movement profiles – some of them quite precise – of several million people,” most of them ordinary citizens.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Suzanne Smalley

Suzanne Smalley

is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.