JAKARTA - Location data of US military and intelligence personnel on duty abroad is known to have been sold by a Florida-based data broker. However, the original source of this sensitive data had remained unclear.
It has now been revealed that the data was collected by various mobile applications that have revenue-sharing agreements with an ad technology company from Lithuania, and was then resold by American companies.
Many applications collect location data. For some applications, this is a necessity, such as map applications and transportation navigation. For other applications, location data can be an additional feature, for example a camera application that stores photo-taking locations.
However, many applications collect location data for no apparent reason. iOS users have surely seen a location permission request from an application that does not appear to need it.
This happens because location data is very valuable to advertisers. App developers often sign agreements with ad-tech companies that allow in-app ads to be targeted by user location, in exchange for a share of ad revenue.
The problem is that many of these agreements have vague provisions that allow location data to be resold. Even if the initial agreement does not allow this, some irresponsible companies can still sell the data illegally.
Last year, it was revealed that Datastream, a US company, sold data on the location of US military and intelligence personnel. The latest investigation by Wired and several other parties now reveals how the data was collected.
A joint investigation by WIRED, Bayerischer Rundfunk (BR), and Netzpolitik.org analyzed location data samples provided by Datastream. The investigation found that Datastream offers access to accurate location data from devices most likely owned by US military and intelligence personnel abroad, including at German air bases believed to store US nuclear weapons.
Datastream acts as a data broker, obtaining data from other providers before selling it to its customers.
The data is likely collected through SDKs (software development kits) embedded in mobile applications by developers who knowingly integrate tracking tools in exchange for revenue-sharing agreements with data brokers.
After this report emerged, Senator Ron Wyden's office asked the Datastream Group for an explanation of its role in selling the location data of US military personnel. In its response, Datastream identified Eskimi as its data source and stated that it had obtained the data legally from a reputable third-party provider, Eskimi.com.
Eskimi is an ad-tech company from Lithuania that claims that the data it provides should not be resold.
It is still not known which applications are the source of the data. Investigations are ongoing to determine whether the agreements signed by the application developers allow location data to be resold, or whether the data should only be used to display in-app ads.
Although there is no indication that someone deliberately collected data on the location of US military personnel, filtering the data by the locations of US military bases, both at home and abroad, could easily identify individuals who are most likely active personnel.
Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, said that this case is just one example of a growing problem. According to him, many advertising technology companies sell location data to companies and governments.
"Advertising companies are basically just surveillance companies with better business models," Edwards said.
This is not the first time location data on military personnel has been exposed by mobile applications. Previously, there had been several cases where data on US military locations was sold or accessible to outsiders, such as:
Regardless of the sensitivity of military data, no iPhone or Android user expects their location data to be resold, no matter what might be written in the app's privacy policy.
This case shows how easy it is for a person's personal information, including sensitive location data, to change hands without their knowledge. This highlights the need for stricter regulation and higher awareness from users about how their data is being used.