A recent media investigation has uncovered that Datastream Group, a data broker based in Florida, has been selling sensitive location data that tracked United States military and intelligence personnel while they were stationed overseas. Initially, the source of this data remained unidentified, raising significant concerns about the implications for national security and the privacy of military personnel.
New revelations from a letter obtained by a coalition of media outlets, including WIRED, indicate that the core source of this data was Eskimi, a relatively obscure advertising technology company based in Lithuania. This connection exposes the intricate and often opaque relationships prevalent in the location data industry, where sensitive information about U.S. military personnel was sourced from a Lithuanian company before being offered for sale by a Florida-based broker.
The implications of this situation are troubling. Zach Edwards, a senior threat analyst at cybersecurity firm Silent Push, warned of a global insider threat posed by unidentified advertising companies. He noted that these entities may operate with little oversight, potentially endangering military personnel by selling sensitive data to just about anyone, including governmental and private interests.
In December, a collaborative investigation by WIRED, Bayerischer Rundfunk, and Netzpolitik.org scrutinized a sample of location data made available by Datastream. The findings revealed that Datastream had access to highly precise data points from mobile devices that were likely associated with American military personnel in Germany, particularly around airbases suspected of housing U.S. nuclear weapons. Datastream serves as an intermediary in the data supply chain, procuring information from various sources and distributing it to clients. Its promotional materials previously emphasized offerings that included mobile location data in conjunction with advertising metrics.
The dataset under examination contained approximately 3.6 billion location points, recorded at millisecond intervals, from nearly 11 million mobile advertising IDs in Germany over a span of one month. The data is believed to have been collected through software development kits (SDKs) embedded within mobile applications, an arrangement in which developers share user tracking information in exchange for financial incentives.
In light of these findings, Senator Ron Wyden’s office has sought clarification from Datastream Group regarding its involvement in the trafficking of this location data. In response, Datastream acknowledged Eskimi as the source of the data, claiming it was obtained legitimately from a respected third-party provider. However, Vytautas Paukstys, the CEO of Eskimi, refuted any commercial relationship with Datastream, asserting that his company does not function as a data broker.
Despite the circumstances, M. Seth Lubin, representing Datastream Group, maintained that the data was lawfully sourced and originally intended for digital advertising, rather than resale. Lubin referred to a nondisclosure agreement when asked to reveal the source of the data and criticized the investigative analysis as reckless.
The Department of Defense has refrained from commenting on specific inquiries related to the investigation, but previously acknowledged the risks posed by geolocation services to personnel safety, urging service members to uphold stringent operational security measures.
In an effort to unpack these complicated issues, Wyden’s office has attempted to engage both Eskimi and Lithuania’s Data Protection Authority for several months, expressing concerns about the national security threats associated with the sale of location data linked to U.S. military personnel. However, their attempts have not yielded any responses, prompting further outreach to the Lithuanian embassy’s defense attaché in Washington, DC.
As this situation unfolds, it presents a significant case study on the vulnerabilities inherent in the data ecosystem, particularly regarding the potential tactics employed by adversarial entities. Techniques such as initial access (gaining entry into networks to gather data) play a crucial role in understanding how such sensitive information can be exploited. This incident not only highlights the risks faced by military personnel but also emphasizes the pressing need for greater transparency and security protocols within the data broker industry.