What actually happens to the location data that smartphone apps collect every day? Ingo Dachwitz and his colleague Sebastian Meineck from netzpolitik.org asked themselves this question. Together with Bayerischer Rundfunk and international partners, they have been on the trail of the so-called “Databroker Files” for almost two years. What they uncovered is shocking: via the Datarade.ai platform, the journalists received free “sample data sets” from data traders containing more than 13 billion location data from over 140 countries. In one German data set alone there were 3.6 billion location points, assigned to around eleven million smartphones.
Read more after the ad
In an interview with c’t editor Holger Bleich and heise legal counsel Joerg Heidrich, Dachwitz explains how the research worked. Using a tool built by BR data journalist Katharina Brunner, the data could be visualized on maps. Using the Mobile Advertising ID – a unique advertising identifier that Android and iOS make available to the apps – the movement patterns of individuals could be tracked over weeks.
Ingo Dachwitz in the c’t podcast A matter of interpretation
Using simple OSINT methods, such as comparing home addresses with doorbell plates and telephone books, the team was able in some cases to assign the supposedly anonymous data to people: high-ranking officials, employees of the Federal Intelligence Service and the Office for the Protection of the Constitution, soldiers at US military bases such as the Büchel Air Base and even a suspected NSA employee in Bad Aibling.
Fine ante portas
The data comes from two sources: on the one hand from tracking SDKs that app developers install into their applications for little money, and on the other hand from real-time auction systems for online advertising (real-time bidding). The journalists particularly noticed the Weather Online app. The North Rhine-Westphalia data protection supervisory authority then paid the provider a visit and found that precise location data was actually being leaked. The Hamburg data protection authority also found what they were looking for through research on a dating app.
Legally, the three agree, the entire business model can hardly be justified. Consent cannot practically reflect the complex data flows with hundreds of companies involved; according to the data protection authorities, there is no legitimate interest in advertising tracking anyway. In addition, according to Dachwitz, platforms like Datarade do not see themselves as responsible parties within the meaning of the GDPR, they only act as mediators. Dachwitz therefore calls for a political debate: Instead of shifting responsibility solely to users, clear bans on certain data transactions are needed.
If you want to protect yourself, you can at least reset or deactivate the advertising ID on your smartphone, only allow apps to access your location when you are actively using it, and consistently refuse tracking. A tool on netzpolitik.org also allows you to compare your own advertising ID against the German data set.
Read more after the ad
Episode 158:
Here you can find all previous episodes:
(hob)
