Last year, a media investigation uncovered that Datastream Group, a Florida-based data broker, was selling highly sensitive location data on U.S. military and intelligence personnel stationed overseas. Initially, the source of this data was unclear. However, a recent letter to Senator Ron Wyden revealed that the data originated from a Lithuanian ad-tech firm known as Eskimi.
Eskimi’s involvement exemplifies the complex and opaque nature of the location data industry, as a foreign company provided sensitive information about U.S. military members in Germany to an American data broker. This data could potentially be sold to various entities.
Zach Edwards, a senior threat analyst at Silent Push, emphasized the risks posed by unknown advertising firms that exploit their access to sensitive data, potentially endangering national security by selling that information to both government and private parties.
Following the previous investigation that highlighted Datastream’s sale of precise location tracking of military personnel—specifically around airbases where U.S. nuclear weapons are stored—Wyden’s office sought clarification regarding Datastream’s practices. In their response, Datastream admitted to sourcing the data from Eskimi but insisted that it was obtained legally. Meanwhile, Eskimi’s CEO denied any existing commercial relationship with Datastream, asserting that Eskimi does not act as a data broker.
Datastream’s legal representative claimed that the data was originally for digital advertising purposes and not intended for resale, but refused to disclose additional details due to a nondisclosure agreement.
The U.S. Department of Defense (DOD) did not comment specifically on the investigation but acknowledged the risks associated with geolocation services and urged military personnel to adhere to operational security protocols. Wyden’s office has been trying to engage with Eskimi and Lithuania’s Data Protection Authority (DPA) to address the potential national security implications of selling such location data. Despite multiple attempts, communications were met with little response until the DPA finally asked for more information.
While awaiting the DPA’s findings, which could result in significant penalties against Eskimi, Wyden’s office also informed Google about potential misuse of location data related to defense personnel. Google confirmed that Eskimi is part of its Authorized Buyer program, implying it must comply with Google’s policies and undergo regular audits.
Regardless of potential actions against Eskimi, experts like Edwards caution that many other firms might still be engaging in similar practices, suggesting that the broader advertising landscape serves as a facade for surveillance activities.
