The trade of location data, gleaned from GPS and similar technologies embedded in mobile apps, continues to raise privacy concerns. This data, which tracks user movement, is often collected by apps and subsequently sold to specialized data brokerage firms. These firms compile the data into databases, which are then offered for commercial purposes, either openly or through private channels. This practice mirrors previous instances, documented as early as 2019, where seemingly anonymized databases were easily de-anonymized, revealing the detailed movement patterns of unsuspecting individuals.
A recent investigation has uncovered further evidence of this trade, focusing on a US-based data company employing novel methods to construct a massive database of user location and movement. This data, originating from a vast array of apps, is often collected without the knowledge of the app developers themselves. The dataset, a snapshot from a single day in July 2024, is only a sample of the data held by the company, Datastream Group (also known as Datasys), and was intended to entice potential clients. Despite its limited scope, the dataset is staggering in size: 380 million recorded positions from mobile devices across 137 countries, including Sweden, sourced from approximately 40,000 apps. These apps range from games and weather apps to dating services, highlighting the pervasive nature of this data collection.
The database, scrutinized by the German organization Netzpolitik.org and an international media collaboration involving DN, reveals the extent of location data harvesting. Datastream Group has not responded to inquiries from the media network. The precision of the logged positions varies depending on the app. Some leverage GPS technology, enabling meter-by-meter tracking, while others rely on IP addresses, which yield a less precise but still potentially revealing location that can expose overseas travel or, in some cases, a city or neighborhood. Critically, the database also includes unique advertising ID numbers, which can be cross-referenced with other databases, posing a significant threat to user anonymity and facilitating the identification of individuals.
Over 12,000 of these ID numbers in the database link back to Sweden, indicating the prevalence of location tracking within the country. The apps involved include some of the world’s most popular, such as the German weather app Wetter Online, the messaging service Kik, the Swedish-developed game Candy Crush Saga, and the flight tracking app Flightradar24. Alarmingly, the dataset also includes data from apps handling sensitive health information, dating apps for sexual minorities, and religion-related apps, potentially revealing intimate details about users’ lives and beliefs.
Many of the companies behind the apps featured in the database, including Candy Crush and Flightradar24, have not addressed inquiries regarding the presence of their user data. It’s noteworthy that Candy Crush, developed by the Stockholm-based company King, only appears to have the less precise, IP-based location data logged in the database. However, other app developers who have responded deny any business relationship with Datastream Group and express bewilderment at how data from their apps, often sensitive in nature, ended up in the company’s possession.
The exact mechanism of data collection remains unclear, but the likely culprit is in-app advertising. When apps connect to sophisticated real-time ad delivery systems, personal user data is transmitted between various parties, creating opportunities for this data to become a commodity. The CEO of Hornet, a queer dating app, expressed surprise at the level of detail in the location data and denied intentionally sharing such information. He suggested that an advertising network might have passed the data on without consent and pledged to investigate the matter. This recent revelation follows a similar incident involving the company Gravy Analytics, which was hacked; the stolen location data, likely originating from ad networks, was offered for sale. These incidents highlight the vulnerability of user data within the complex ecosystem of in-app advertising and the potential for its exploitation by data brokers.