Last year, a media investigation revealed that a Florida-based data broker, Datastream Group, was selling highly sensitive location data that tracked United States military and intelligence personnel overseas. At the time, the origin of that data was unknown.
Now, a letter sent to US senator Ron Wyden’s office that was obtained by an international collective of media outlets—including WIRED and 404 Media—claims that the ultimate source of that data was Eskimi, a little-known Lithuanian ad-tech company. Eskimi, meanwhile, denies it had any involvement.
Eskimi’s alleged role—and its denials—highlight the opaque nature of the location data industry: A data broker in Florida claims a Lithuanian company provided data on US military personnel in Germany. That data could theoretically be sold to essentially anyone. But the exact ways in which the data is collected, compiled, and shared remains unclear.
“There’s a global insider threat risk, from some unknown advertising companies, and those companies are essentially breaking all these systems by abusing their access and selling this extremely sensitive data to brokers who further sell it to government and private interests,” says Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, referring to the ad-tech ecosystem broadly.
In December, the joint investigation by WIRED, Bayerischer Rundfunk (BR), and Netzpolitik.org analyzed a free sample of location data provided by Datastream. The investigation revealed that Datastream was offering access to precise location data from devices likely belonging to American military and intelligence personnel overseas—including at German airbases believed to store US nuclear weapons. Datastream is a data broker in the location data history, sourcing data from other providers and then selling it to customers. Its website previously said it offered “internet advertising data coupled with hashed emails, cookies, and mobile location data.”
That dataset contained 3.6 billion location coordinates, some logged at millisecond intervals, from up to 11 million mobile advertising IDs in Germany over a one-month period. The data was likely collected through SDKs (software development kits) embedded in mobile apps by developers who knowingly integrate tracking tools in exchange for revenue-sharing agreements with data brokers.
Following this reporting, Wyden’s office demanded answers from Datastream Group about its role in trafficking the location data of US military personnel. In response, Datastream identified Eskimi as its alleged source, claiming it obtained the data “legitimately from a respected third-party provider, Eskimi.com.”
Vytautas Paukstys, CEO of Eskimi, says that “Eskimi does not have or have ever had any commercial relationship with Datasys/Datastream Group,” referring to another name that Datastream has used, and that Eskimi “is not a data broker.” A subsequent email from a company spokesperson says, “Eskimi does not have any commercial relationship with Datastream Group. Without a doubt, Eskimi did not share or sell location data of military personnel or any other data in Germany or Europe with Datastream group.”
In an email responding to detailed questions from the reporting collective, M. Seth Lubin, an attorney representing Datastream Group, described the data as lawfully sourced from a third party. While Lubin acknowledged to Wyden that the data was intended for use in digital advertising, he stressed to the reporting collective that it was never intended for resale. Lubin declined to disclose the source of the data, citing a nondisclosure agreement, and dismissed the reporting collective’s analysis as reckless and misleading.
The Department of Defense (DOD) declined to answer specific questions related to our investigation. However, in December, DOD spokesperson Javan Rasnake said that the Pentagon is aware that geolocation services could put personnel at risk and urged service members to remember their training and adhere strictly to operational security protocols.
