Last year, a media investigation revealed that a Florida-based data broker, Datastream Group, was selling highly sensitive location data that tracked United States military and intelligence personnel overseas. At the time, the origin of that data was unknown.
Now, a letter sent to US senator Ron Wyden’s office that was obtained by an international collective of media outlets—including WIRED and 404 Media—reveals that the ultimate source of that data was Eskimi, a little-known Lithuanian ad-tech company.
Eskimi’s role highlights the opaque and interconnected nature of the location data industry: A Lithuanian company provided data on US military personnel in Germany to a data broker in Florida, which could then theoretically sell that data to essentially anyone.
“There’s a global insider threat risk, from some unknown advertising companies, and those companies are essentially breaking all these systems by abusing their access and selling this extremely sensitive data to brokers who further sell it to government and private interests,” says Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, referring to the ad-tech ecosystem broadly.
In December, the joint investigation by WIRED, Bayerischer Rundfunk (BR), and Netzpolitik.org analyzed a free sample of location data provided by Datastream. The investigation revealed that Datastream was offering access to precise location data from devices likely belonging to American military and intelligence personnel overseas—including at German airbases believed to store US nuclear weapons. Datastream is a data broker in the location data history, sourcing data from other providers and then selling it to customers. Its website previously said it offered “internet advertising data coupled with hashed emails, cookies, and mobile location data.”
That dataset contained 3.6 billion location coordinates, some logged at millisecond intervals, from up to 11 million mobile advertising IDs in Germany over a one-month period. The data was likely collected through SDKs (software development kits) embedded in mobile apps by developers who knowingly integrate tracking tools in exchange for revenue-sharing agreements with data brokers.
Following this reporting, Wyden’s office demanded answers from Datastream Group about its role in trafficking the location data of US military personnel. In response, Datastream identified Eskimi as its source, stating it obtained the data “legitimately from a respected third-party provider, Eskimi.com.” Vytautas Paukstys, CEO of Eskimi, says that “Eskimi does not have or have ever had any commercial relationship with Datasys/Datastream Group,” referring to another name that Datastream has used, and that Eskimi “is not a data broker.”
In an email responding to detailed questions from the reporting collective, M. Seth Lubin, an attorney representing Datastream Group, described the data as lawfully sourced from a third party. While Lubin acknowledged to Wyden that the data was intended for use in digital advertising, he stressed to the reporting collective that it was never intended for resale. Lubin declined to disclose the source of the data, citing a nondisclosure agreement, and dismissed the reporting collective’s analysis as reckless and misleading.
The Department of Defense (DOD) declined to answer specific questions related to our investigation. However, in December, DOD spokesperson Javan Rasnake said that the Pentagon is aware that geolocation services could put personnel at risk and urged service members to remember their training and adhere strictly to operational security protocols.
In an email, Keith Chu, chief communications adviser and deputy policy director for Wyden, explained how their office has tried to engage with Eskimi and Lithuania’s Data Protection Authority (DPA) for months. The office contacted Eskimi on November 21 and has not received a response, Chu says. Staff then contacted the DPA multiple times, “raising concerns about the national security impact of a Lithuanian company selling location data of US military personnel serving overseas.” After receiving no response, Wyden staff contacted the defense attaché at the Lithuanian embassy in Washington, DC.
