[German]Research by several German media outlets reveals that US data brokers are offering the locations of cell phone users in Germany. Some of the data can even be accessed free of charge, as research by netzpolitik.org and BR shows. A data set with 3.6 billion entries reveals precise movement profiles and a new dimension of mass surveillance.
US data brokers and German intermediaries
I came across the research by netzpolitik.org and BR via X, which uncovered the facts of the broker files in the German article Firma verschleudert 3,6 Milliarden Standorte von Menschen in Deutschland.
In Berlin, there is a company calle Datarade, which is funded by the German government and acts as a kind of data trader. I once searched for location data from Germany on their website and received the following offer.
Registered users receive a free data set with sample data for each of these offers. netzpolitik.org was able to access the data collection of the US data broker Datastream Group via Datarade. This US company offers hourly updated location data from up to 163 countries on a monthly subscription basis. This location data can be used for personalized advertising or to find suitable places to buy real estate.
Where does the data come from?
Of course, I immediately asked myself where the data was collected. My first thought was that it was mobile phone providers who collect and sell such data. But this is probably out of the question, as they only have location data from radio cell bearings (unless the cell phone user explicitly shares their GPS location with the mobile phone provider).
Then it would also be possible for Google in Android and Apple in iOS to collect this location data and sell it on. I quickly ticked off this point too. The obvious answer: users pass on this GPS data voluntarily and with consent if they agree to the corresponding data protection provisions in apps and grant GPS access.
Mass surveillance 'at its best'
netzpolitik.org and BR have now revealed the extent of this data collection. They were able to access a dataset with 3.6 billion location data of mobile device users in Germany. The whole thing was placed on a map of Germany and the billions of data points were obtained. But it is only by linking individual points via their unique MAID (mobile advertising ID) that a pattern emerges.
Specifically, this pattern shows where the mobile device in question was located. This makes it possible to find out people's everyday lives – anonymously in the data set. As netzpolitik.org writes: "Some things don't seem very exciting when a data point is always on a main road. But if you follow these data points, they inevitably lead to the mobile phone owner's place of residence, to their employer, possibly to the gym, to the markets where they shop, possibly to daycare centers and schools where children are dropped off and so on.
If you combine this location data with other sources, you can very quickly find out who is behind a MAID. According to netzpolitik.org, this becomes embarrassing when the location data reveals "trips" to swingers clubs or rehab clinics. The netzpolitik.org article lists specific examples of problematic locations (psychosomatic, psychiatric and addiction clinics, prisons, swingers' clubs, brothels, etc.). Based on the MAID and the distribution of the data points, it is possible to draw conclusions about individual persons or families.
Secret services would have a field day with this data and are likely to possess it. The same applies to law enforcement agencies – but above all, companies can acquire these data sets. The data collection comes from the advertising industry and is usually used to analyze people's behavior.
netzpolitik.org and BR was able to identify some people from the 3.6 billion data points that comprised the GPS locations of two months "at the end of 2023". This made it possible to verify that the location data was genuine, as random checks revealed. Ramona Pop, President of the Federation of German Consumer Organizations, sees "consumers at the mercy of the advertising industry" and believes the risks are incalculable.
The trade in data is extremely problematic. People not only lose their privacy, but also run the risk of becoming victims of doxing, where perpetrators publish private information in order to intimidate people. Depending on the data set, further risks such as stalking, but also blackmail and coercion are possible. It is explosive that members of security authorities could be identified during the research.
The facts of the case show the extent to which app users (via Wi-Fi etc.) and mobile phone users are already being tracked and thus made transparent and analyzable. Incidentally, the General Data Protection Regulation (GDPR) does not offer any means of preventing this, as app users have generally consented to the collection of data when installing or first accessing the app. Consumer advocates now want to launch initiatives to ban this practice – but this is only possible through legal regulations.
In this article, netzpolitik.org describes how to determine the mobile advertising ID under Android and iOS. The site also offers a search function that can be used to search for this MAID in the sample data sets. It's possible, to delete this MAID in Android settings.