Lithuanian Adtech Firm And Florida Data Broker Trafficked In Sensitive U.S. Military And Intelligence Worker Location Data

Last November you might recall that Wiredreleased an excellent reportdocumenting how it was trivial to buy the sensitive and detailed movement data of U.S. military and intelligence workers as they moved around Germany. The culprit, as usual, was a global collection of super dodgy data brokers and adtech firms that see little in the way of meaningful oversight and regulation.

The original story documented how Wired was able to buy 3.6 billion location coordinates, some logged at millisecond intervals with meter precision, from up to 11 million mobile advertising IDs in Germany over a one-month period. The data detailed intelligence and military employees as they wandered not just around European towns and cities, but their movement at sensitive military locations.

At the time, Wired didn't have a solid bead on the origins of the data, outside of the fact they were able to buy the data in question from a Florida data broker named Datastream. But in an also excellent follow up report they say they've figured out where it originated: a Lithuanian adtech firm.

Now, a letter sent to US senator Ron Wyden's office that was obtained by an international collective of media outlets-including WIRED and 404 Media-reveals that the ultimate source of that data was Eskimi, a little-known Lithuanian ad-tech company."

WIRED posits that the original data was collected via SDKs embedded in mobile apps by developers looking to strike revenue sharing deals with data brokers. This Lithuanian adtech company Eskimi then provided data on US military personnel in Germany to a data broker in Florida, which - thanks to our prioritization of making money over public safety or national security - was able to sell that data to effectively anyone. With very few safeguards or oversight.

Senator Ron Wyden has been at the heart of efforts to expose how data brokers often sell this kind of sensitive data to any nitwit with two nickels to rub together. A year ago his office documented how one data broker collected the sensitive movement of abortion clinic visitors, then turned around and sold it to right wing extremists who targeted these vulnerable women with health care disinformation.

I thought those revelations would be a bombshell. But they barely saw a tiny fraction of the attention reserved for Zuck's latest midlife crisis fashion rebrand.

Keith Chu, chief communications adviser and deputy policy director for Wyden, told WIRED that they've been trying to get additional information from Eskimi and Lithuania's Data Protection Authority (DPA) for months with no response from either. After contacting the defense attache at the Lithuanian embassy in Washington, DC, Wyden's office got a response indicating there might or might not be an investigation:

The Lithuanian DPA told reporters in an email that it currently is not investigating this company" and it is gathering information and assessing the situation in order to be prepared to take well-informed actions, if needed." If the Lithuanian DPA does decide to investigate and finds Eskimi in violation of GDPR provisions, the company could face significant consequences-including fines up to 20 million."

Time and time and time again the U.S. has prioritized making money over protecting consumer privacy, market health, or national security. And it's certain to only get worse during a second Trump term stocked with folkslike new FCC boss Brendan Carr, dedicated to ensuring his friends at AT&T, Verizon, and T-Mobile never face anything close to real accountability for their own dodgy location data practices.

The U.S. government also enabled this mess, ever since it realized that it (and every other government intelligence agency) could exploit this corruption-fueled dysfunction and bypass the pesky warrant process by simply buying the same consumer location data. Instead of freaking out about the full scope of the problem, we decided to engage in a myopic multi-year freak-out about TikTok.

At some point there will be a privacy scandal involving location data that's so horrific, Congress will be forced to act. I'm just not particularly excited to see what that scandal looks like. To dislodge our corrupt apathy, it will most assuredly have to involve the embarrassing data of the rich and powerful, or potentially a loss of life at unprecedented scale.

And even then it's far from clear this will result in good legislation, or just corruption-fueled, loophole-filled crap ghost written by all the worst offenders in the space. And even then, as Lithuania illustrates, there's no guarantee that a meaningful privacy law would be meaningfully enforced by the same regulators and courts the Trump Supreme Court is gleefully taking a hatchet to.