
An investigative report has uncovered the source of a sensitive data leak involving the movements of U.S. military and intelligence personnel. It was revealed that the Florida-based company Datastream Group had been trading precise geolocation data of American service members stationed abroad. These data originated from Lithuania, supplied by a little-known advertising technology firm, Eskimi.
The Lithuanian company transmitted information about U.S. military personnel in Germany to Datastream Group, a data broker with the ability to sell this intelligence to virtually any buyer. The investigation found that Datastream was offering access to 3.6 billion precise location points gathered from 11 million mobile devices over a single month, including coordinates of military bases suspected to house U.S. nuclear warheads. The data were recorded with extraordinary precision, even capturing movements in millisecond intervals.
These geolocation details were collected via software development kits (SDKs) embedded in mobile applications, which developers integrated in exchange for a share of advertising revenue. Once the information became public, the office of U.S. Senator Ron Wyden demanded an explanation from Datastream. The company asserted that the data had been lawfully obtained through a “trusted supplier,” Eskimi. However, an Eskimi representative denied any collaboration with Datastream, maintaining that Eskimi does not operate as a data broker.
Datastream, in turn, refused to disclose the true origin of the data, citing a nondisclosure agreement, and dismissed the journalists’ findings as “irresponsible and misleading.” The U.S. Department of Defense declined to comment but had previously urged military personnel to adhere strictly to operational security protocols to prevent geolocation leaks.
Senator Wyden also attempted to reach out to Eskimi and Lithuania’s data protection regulator but received no response. It was only in January 2024 that the Lithuanian regulator requested further information and pledged to assess the situation. If Eskimi is found to be in violation of the GDPR, the company could face fines of up to €20 million.
In November 2023, the senator’s office also alerted Google that Eskimi—one of its advertising partners—was selling data on U.S. military movements. Google pledged to conduct an audit of its partners, but experts remain skeptical about whether this will lead to any substantial systemic reforms.