The uncontrolled data trade of the online advertising industry threatens the privacy of millions and Germany’s national security, according to a report by netzpolitik.org and Bayerischer Rundfunk from research.
netzpolitik.org and Bayerischer Rundfunk they got it a dataset containing 3.6 billion German location data. The data contains about 11 million different device identifiers and dates back to the end of 2023, a period of about two months. The data reveals the movement profile of millions of people, so that, for example, conclusions can be drawn about where they work, where they live, where they shop or walk, whether they go to a hospital, nursery or brothel. With a simple online search, journalists were able to clearly identify several people based on the data, for example because their home address is listed in the phone book and their workplace is listed on social media.
The dataset comes from Datastream Group, a data trading company based in Florida, USA. However, this is just one example of the global trade in personal data, behind which there is an almost impenetrable network of thousands of companies. The data was given to the journalists as a free sample, which would have served as a subscription preview. For about $14,000, the retailer offers a near-real-time stream of fresh location data from millions of smartphones around the world. The data trader was contacted through a data market operated from Germany. It is called Datarade and is based in Berlin.
Location data comes from mobile phone applications that transmit GPS data for, among other purposes, advertising purposes. Users usually have to agree to this once in the app’s privacy policy. Such location data usually comes from popular weather, navigation or dating apps. So this is a global problem, with location data from all continents, including other EU countries, on the data market. These are advertised by many merchants.
The dataset contains movement profiles of individuals who are apparently working for federal ministries, the German armed forces, security authorities and intelligence services and who are relevant to national security. For example, the reporters were able to identify a senior official who deals with security issues in a federal ministry and a person who works for the German secret service. Movement profiles have been found at locations of the German intelligence agencies where American NSA agents are said to be visiting as well. Such data can also be obtained by foreign intelligence services and used for espionage or sabotage – for example, to locate military sites, locate targets or expose agents.
As a legal basis, the companies that process the data usually rely on the consent of the users of the application contained in the data protection regulations. These often provide that the data can be forwarded to traders. According to the General Data Protection Regulation (GDPR), such consent is only valid if it is given in specific cases and the data subjects are informed and act voluntarily. According to data protection experts, these requirements are usually not met, as the reference to the transfer of data to hundreds of companies is often hidden in the data protection provisions, so the consent can hardly be informed.
The German data protection authorities have so far not dealt with the data trading industry, they only become active when the concerned citizens make a complaint. However, such complaints are rare. The 3.6 billion location data comes from an American retailer and data protection laws are often difficult to enforce abroad. The Datarade data market in Berlin is probably not covered by the GDPR – this was established by the Berlin data protection commissioner after a preliminary investigation. This is because the company would have to process the data itself in order to be covered by the GDPR. However, the marketplace merely connects interested parties and merchants and collects a commission on sales.
“In a free society, such sensitive personal data should not be made available to third parties for commercial purposes,” writes the Federal Ministry for Consumer Protection (BMUV). “Once the data is in the hands of advertising companies, users lose all control and abuse can hardly be prevented”. The federal department is therefore advocating for regulations that promote “a consistent transition to alternative advertising models” that do not require personal information.
The headquarters of the German Office for the Protection of the Constitution is in Köln-Chorweiler, the blue dots are mobile phones
“For me, there is no question that something needs to be done. This situation in this form is unacceptable,” said Konstantin von Notz (Greens), a member of the Bundestag. He is the chairman of the parliamentary control committee that oversees the federal secret services. The accessibility of such data to external services ” “In this particular case, this goes against the security interests of the Federal Republic of Germany. This data must not be collected and then sold.”
“Only one conclusion can be drawn: such business models must be abolished,” says MP Martina Renner. “In my opinion, data trading, especially the trading of such sensitive data, should be banned. We urgently need a profound change in the regulation of data protection and media services in the EU.” Bundestag Member of Parliament Roderich Kiesewetter (CDU), deputy chairman of the parliamentary control committee, also wants greater protection. from eavesdropping by foreign states”.
“Consumers are clearly at the mercy of the advertising industry,” says Ramona Pop, President of the German Association of Consumer Protection Organizations. tracking and profiling should be prohibited.” Federal data protection commissioner Louisa Specht-Riemenschneider talks about a “law protection gap” in the context of data markets: services that do not process data themselves, but only contribute to its processing, for example by initiating contact between data traders and buyers. “Legislators urgently need to find a solution, such as a federal privacy law.”
The Büchel Air Base of the German Air Force, where American nuclear weapons are also stored. The data set includes 38,474 location data of 189 identifiers
“The data market must be regulated more strictly,” demands Thorsten Wetzling, who heads the research area dealing with surveillance and civil rights at the Interface think tank. According to him, the task falls on the EU, which is now reorganizing itself after the recent parliamentary elections. “We hope that such revelations will shake up the population, the supervisory authorities and the legislators,” says lawyer Martin Baumann, an employee of the Vienna-based data protection NGO noyb. The organization is also considering legal action against the companies involved. “This represents a huge security risk.” for those affected by digital violence,” writes Anna Wegscheider, a lawyer at the non-profit organization HateAid. Bullies can use such data to track others down.
The German government is apparently aware that foreign intelligence services are buying data from traders. According to the Department of the Interior and the Department of Defense, foreign intelligence services generally use all available tools. “This includes the purchase and use of data available on the Internet.” “We are aware of the potential risk and consider it very likely that all members of the Bundeswehr, like all mobile phone users, are exposed to this risk both in their private lives and in their profession,” the German Ministry of Defense wrote to journalists.
The relevant ministries have not commented on whether German intelligence services themselves buy from data traders. Regarding the Military Interdiction Service, the Ministry of Defense wrote: the competent federal agency uses “all legally permitted means”. It is a known fact that US government agencies purchase information from data traders. A recent study by the think tank Interface concluded that it is likely that the German intelligence services are also using such a source. Whether the German services have a specific legal basis for this is disputed, at least the legal justification formulated by the German government in connection with the reform of the BND indicates this. In it, purchasing data from advertising databases is described as obtaining information from “generally available sources”.
Source: sg.hu
