It’s an early Tuesday morning somewhere in Bavaria. A person gets into a car to begin the commute to work. The person’s location data, which we have obtained, show the precise route taken for the commute. The drive ends at a secured facility to which most people have no access – a intelligence location in Upper Bavaria.

The person’s name isn’t in the data. But we are able to figure out where they likely live – namely in the house where they spend most of their nights. We have thousands of signals from that location. To protect the person, we are not publishing their place of residence here.

We are able to follow their route to work dozens of times.

This location data is from a vast trove of data that we, BR and

netzpolitik.org

Movement Profiles Reveal Intimate Details

Such datasets are sold on the internet – on a marketplace headquartered in Berlin for example. When approached by

netzpolitik.org

Such movement profiles reveal personal, even intimate details about smartphone users: Where do they work? Where do they live? Where do they do their shopping? Do they sometimes spend the night elsewhere? Do they make frequent visits to the hospital? Or to a psychiatrist? Or perhaps a brothel? We found all of that in the dataset we were provided.

In an interview with BR and

netzpolitik.org

And we are in fact able to learn, with the help of our dataset, private details about the person who regularly drives to the building in Bad Aibling: including family relationships, preferred supermarket and weekend activities.

We can even see where in the BND complex this person spends most of their time – in a building that made global headlines several years ago.

From a distance, we are unable to prove that this person works for the U.S. intelligence agency NSA in Germany. But there are plenty of clues pointing in that direction. We approach the U.S. Embassy and the BND to ask if they still cooperate in Bad Aibling and if they are aware that location data could provide an opening for espionage. But we receive no response to our query.

We continue analyzing the data to see if other security agencies might be affected – and quickly make our next discovery.

We follow the location data of one person who regularly parks there. Using their place of residence, we are able to determine this person’s name and find several social media profiles. We now know their rough age, education level, family situation and hobbies, in addition to having seen numerous vacation photos.

When contacted by BR and

netzpolitik.org

The Verfassungsschutz told BR and

netzpolitik.org

“Extremely High” Espionage Danger

“If you know how people behave and move, then they can be spied on,” says Konstantin von Notz. “Then you can establish contact or generate random situations to start a conversation with the ultimate goal or recruiting them, bribing them or whatever.” His deputy on the Parliamentary Oversight Panel, the Christian Democrat Roderich Kiesewetter, believes the risk of espionage is “extremely high.” Germany, he says, is “in the focus of Russian, Chinese and Iranian operations of influence.” Commercially traded data, he says, provide an opening for spying by foreign intelligence agencies or criminals.

Tens of Thousands of Cases at the Military and Police

We systematically examine additional publicly known locations across Germany that are relevant for national security – and the situation is similar everywhere we look. We find tens of thousands of movement profiles of people who have access to these sensitive sites, including facilities belonging to the Federal Criminal Police Office (BKA), the Special Operations Forces (KSK) of the German military, other German military and air force facilities, federal ministries, the German agency responsible for securing military supplies, the elite force of the German federal police (GSG9), defense companies and many more.

The U.S. Embassy in Germany declined to comment on the cases within its area of responsibility. When confronted with the cases of location data within their areas of responsibility, the Interior Ministry and the Defense Ministry stated that their employees are regularly informed of the danger of surveillance. Both are apparently aware that foreign intelligence agencies use commercially available data for espionage. They stated that foreign intelligence agencies use all available means to acquire information, exert influence and pursue their own interests. That includes, they said, the purchase and use of data available on the internet.

Questions and Answers about the investigation

Where does the data come from?

The data comes from a U.S. data vendor who offers it for purchase on an online marketplace based in Berlin. The internet marketplace Datarade sees itself as a broker between data vendors and people or companies who are interested in buying that data. Those looking to purchase data through Datarade must register on the platform. Sebastian Meineck from

netzpolitik.org

netzpolitik.org

netzpolitik.org

Did we pay for the data?

No. Even though the dataset includes 3.6 billion datapoints, it was provided free of charge as a sample for a potential monthly subscription the vendor was hoping to sell. The data are from a period of around eight weeks near the end of 2023. A subscription that includes hourly updated location data for people from over 150 countries would cost $14,000 per month.

Why is such data for sale on the internet?

Companies typically purchase this information for the purposes of sending personalized advertising to mobile phones. An example: A person who visited a furniture store on a Saturday would be sent targeting advertisements for home decoration objects.

What apps collect the data?

We received no information about the apps that collected the data. Neither the data vendor nor Datarade responded to our questions. Other vendors speak generally about apps for weather, navigation, gaming and dating, saying they have established good contacts with the developers of such apps and have been provided direct access to the data.

Depending on settings, smartphone operating systems like iOS and Android allow installed apps to collect and share location data. Whether they do so only when the app is in use or also when they are running in the background depends on the operating system and on what access rights the user has given the app.

What was the reaction of those people we found in the dataset?

BR and

netzpolitik.org

Why is this data trade not prohibited?

Data vendors who operate outside of the European Union are largely inaccessible for European agencies, says Louisa Specht-Riemenschneider, a professor of data rights and data protection at the University of Bonn and the German government’s designated data protection commissioner. But trading platforms like the Berlin-based Datarade are also difficult to regulate. “The data marketplace is essentially a broker that does not process any personal data itself. In a sense, it is a regulatory gap.” She says that it is urgently necessary for lawmakers to find a solution.

Do German intelligence agencies also use such data?

It is legally permissible, but there is far too little regulation, says Thorsten Wetzling of Interface, a Berlin think tank that specializes in the societal impacts of digitalization. A current Interface study indicates that German intelligence services also used commercially available datasets for their purposes. “Intelligence agencies, no matter what country they are from, have an interest in collecting as much information as they can,” says Wetzling. The BND and the Verfassungsschutz declined to respond to questions on this issue. Wetzling says: “This possibility of obtaining information with a credit card is one that poses numerous risks to national security and deeply impacts the freedoms and fundamental rights of millions of app users, which we all are.”