The data trail emerged after Florida-based data broker Datastream Group was found offering highly detailed location information from devices believed to belong to American military and intelligence personnel overseas.
The dataset contained an astounding 3.6 billion location coordinates, tracked at millisecond intervals, from approximately 11 million mobile advertising IDs in Germany over just one month.
According to the joint investigation by WIRED, Bayerischer Rundfunk, and Netzpolitik.org, the tracking was facilitated through software development kits (SDKs) embedded in mobile applications. App developers integrate these tracking tools in exchange for revenue-sharing agreements with data brokers.
The situation has drawn attention from US Senator Ron Wyden's office, which demanded answers from Datastream Group. While Datastream claims it obtained the data "legitimately" from Eskimi, the Lithuanian company's CEO, Vytautas Paukstys, denies any commercial relationship with Datastream.
“Eskimi does not have or have ever had any commercial relationship with Datasys/Datastream Group,” referring to another name that Datastream has used and that Eskimi “is not a data broker.” - Wired noted in the report.
The implications for military security are significant. The Pentagon acknowledged the risks associated with geolocation services, with spokesperson Javan Rasnake urging service members to strictly follow operational security protocols.
The case has also attracted regulatory attention. Lithuania's Data Protection Authority is gathering information about the situation, and if found in violation of GDPR provisions, Eskimi could face fines of up to €20 million.
Google, where Eskimi is an authorized advertising partner, stated that the company "must abide by our policies" and undergoes regular audits. “Google regularly audits its Authorized Buyers program participants, and reviews allegations of potential misconduct,” the spokesperson adds.
Wired wrote that a cybersecurity expert, Zach Edwards, says, "Advertising companies are merely surveillance companies with better business models."
Essentially, the global advertising bid stream is a giant trust fall, which companies like Google are failing to police. Companies like Eskimi would never have access to this amount of data unless they are approved by companies like Google via their “Authorized Buyers” program.
— Zach Edwards (@thezedwards) February 12, 2025
This case demonstrates how commercial advertising technology can compromise national security by collecting and selling sensitive location data.
The investigation reveals the complex web of global data trading, where information collected for advertising purposes can be repurposed for surveillance, raising serious questions about privacy, national security, and the need for stronger regulation of the ad-tech industry.