Under Surveillance: How Location Data Jeopardizes German Security

This article is nominated for the European Press Prize 2025 in The Innovation Award category. Originally published by Bayerischer Rundfunk/BR24 and netzpolitik.org, Germany. Translation provided by kompreno. 

Our smartphones know a lot about us. Such as our location.

Such information allows navigation apps to get us where we want to go right down to the last meter, while weather apps tell us when to expect rain and dating apps show us people nearby.

But numerous app providers sell our location data onward.

This investigation by public broadcaster Bayerische Rundfunk (BR) and netzpolitik.org shows why this data is dangerous for high-ranking public officials, members of the military and even for intelligence agents.

It’s an early Tuesday morning somewhere in Bavaria. A person gets into a car to begin the commute to work. The person’s location data, which we have obtained, show the precise route taken for the commute. The drive ends at a secured facility to which most people have no access – an intelligencelocation in Upper Bavaria.

As so often, this person parks their car in the parking lot of the Mangfall Barracks in Bad Aibling.

The former German military base is outlined in yellow. 

Today, the site serves as a publicly known field office of the Bundesnachrichtendienst (BND), Germany’s foreign intelligence organization.

The person’s name isn’t in the data. But we are able to figure out where they likely live – namely in the house where they spend most of their nights. We have thousands of signals from that location. To protect the person, we are not publishing their place of residence here.

We are able to follow their route to work dozens of times.

Unauthorized persons are not allowed on the grounds of the BND site. Hardly anyone who works there shares their employment status public. 

But we are able to clearly see that this person accesses the BND site from Texas Street. 

And we can see something else as well: This person always heads for the same building. There is a cluster of location data, depicted as blue dots, at the site.

This location data is from a vast trove of data that we, BR and netzpolitik.org, have evaluated – long tables with coordinates, timestamps accurate down to the second and identification numbers known as advertising IDs. Expressed as a series of letters and numbers, advertising IDs are used by the advertising industry to serve targeted advertising to select smartphones. But the location data can also be used for other purposes: If you have all the location data for a specific advertising ID, you can create a movement profile for an individual person.

Such datasets are sold on the internet – on a marketplace headquartered in Berlin for example. When approached by netzpolitik.org, a vendor there made a sample dataset available free of charge in the hopes of securing a new customer. The data includes 3.6 billion individual location datapoints from smartphone apps. Our reporting shows that the data makes it possible to establish movement profiles – some of them quite precise – of several million people across Germany.

Such movement profiles reveal personal, even intimate details about smartphone users: Where do they work? Where do they live? Where do they do their shopping? Do they sometimes spend the night elsewhere? Do they make frequent visits to the hospital? Or to a psychiatrist? Or perhaps a brothel? We found all of that in the dataset we were provided.

In an interview with BR and netzpolitik.org, Konstantin von Notz, a Green Party member of German parliament, the Bundestag, spoke of a data protection problem for all people in Germany “who have a mobile phone and who have to be able to move around freely and unobserved in this country.” He is the chair of the Bundestag’s Parliamentary Oversight Panel (PKGr), which keeps tabs on German intelligence organizations. First and foremost, however, he sees a “relevant security problem,” and warns that hostile states could use such data for spying purposes.

And we are in fact able to learn, with the help of our dataset, private details about the person who regularly drives to the building in Bad Aibling: including family relationships, preferred supermarket and weekend activities.

We can even see where in the BND complex this person spends most of their time – in a building that made global headlines several years ago.

The person frequently heads for a building that played a role in the documents made public in 2013 by whistleblower Edward Snowden: a structure with a metal roof and no windows that BND agents allegedly referred to as “the Tin Can.” According to the documents made public by Snowden, the U.S. intelligence agency NSA used the building for internet surveillance. 

We can also see in the data that the person also spent time at other U.S. military bases in Germany and at a different BND site. It is possible to link the person’s home address with the U.S. military.

From a distance, we are unable to prove that this person works for the U.S. intelligence agency NSA in Germany. But there are plenty of clues pointing in that direction. We approach the U.S. Embassy and the BND to ask if they still cooperate in Bad Aibling and if they are aware that location data could provide an opening for espionage. But we receive no response to our query. 

We continue analyzing the data to see if other security agencies might be affected – and quickly make our next discovery. 

The Chorweiler district of Cologne: This is the location of the headquarters of the German Federal Office for the Protection of the Constitution (Verfassungsschutz), the country’s domestic intelligence agency. On satellite photos, the building looks like a zig-zag line. The Verfassungsschutz’s mission includes counterespionage and protecting the country from terrorism and cyberattacks. 

Just like at the BND, those who work here tend not to make their place of work public information.

Those who work here must hand in their mobile phones at the entrance for security reasons, as the German Interior Ministry said when contacted. And that is clearly evident in the data.

We are indeed able to find relatively little location data inside the building. But there are numerous datapoints in the parking lots and at various building entrances.

We follow the location data of one person who regularly parks there. Using their place of residence, we are able to determine this person’s name and find several social media profiles. We now know their rough age, education level, family situation and hobbies, in addition to having seen numerous vacation photos. 

When contacted by BR and netzpolitik.org, the Verfassungsschutz said that private and work phones are not allowed at agency facilities. It is a rule that may make it more difficult for confidential information to reach the outside world. But despite the measure, it is still possible to track staff members back to their own homes.

The Verfassungsschutz told BR and netzpolitik.org that it would establish appropriate measures for the protection of its employees and would sensitize them to the potential security risks relating to the evaluation of their location data.

“Extremely High” Espionage Danger

“If you know how people behave and move, then they can be spied on,” says Konstantin von Notz. “Then you can establish contact or generate random situations to start a conversation with the ultimate goal or recruiting them, bribing them or whatever.” His deputy on the Parliamentary Oversight Panel, the Christian Democrat Roderich Kiesewetter, believes the risk of espionage is “extremely high.” Germany, he says, is “in the focus of Russian, Chinese and Iranian operations of influence.” Commercially traded data, he says, provide an opening for spying by foreign intelligence agencies or criminals.

Tens of Thousands of Cases at the Military and Police

We systematically examine additional publicly known locations across Germany that are relevant for national security – and the situation is similar everywhere we look. We find tens of thousands of movement profiles of people who have access to these sensitive sites, including facilities belonging to the Federal Criminal Police Office (BKA), the Special Operations Forces (KSK) of the German military, other German military and air force facilities, federal ministries, the German agency responsible for securing military supplies, the elite force of the German federal police (GSG9), defense companies and many more.

Grafenwöhr Military Training Ground

191,415 location datapoints from 1,275 advertising IDs

Around 13,000 U.S. troops are stationed in Grafenwöhr, along with members of the Bundeswehr and other NATO militaries. In April, the BKA arrested two Russian-Germans here who were thought to be spying on behalf of a Russian intelligence agency.

Camp Kherson, Grafenwöhr

1,192 location datapoints from 39 advertising IDs

Camp Kherson is located inside the Grafenwöhr Military Training Ground. Currently, the U.S. army is training Ukrainian soldiers at the site in the use of various weapons systems, including Abrams battle tanks. 

Barracks at Treptower Park, Berlin

4,639 location datapoints from 693 advertising IDs

The site is a hotspot for security agencies, with police and intelligence agencies working closely together here. Some 40 agencies cooperate as part of the Joint Counter-Terrorism Center alone, including the BKA, theVerfassungsschutz , the BND and Germany’s military intelligence agency MAD.

Büchel Air Base

38,474 location datapoints from 189 advertising IDs

The Buchel Air Base is a site used by the German Air Force. It is also thought to be home to strictly monitored U.S. nuclear weapons. Potential locations of nuclear weapons, however, are officially neither confirmed nor discussed.

Lucius D. Clay Kaserne, Wiesbaden

74,968 location datapoints from 799 advertising IDs

This is the site of the U.S. military’s European headquarters and will soon become the NATO headquarters for supporting Ukraine. The site is also important for intelligence, with several U.S. agencies using the surveillance station there.

Federal Office of Bundeswehr Equipment, Koblenz

7,356 location datapoints from 220 advertising IDs

The office is responsible for equipping Germany’s military, the Bundeswehr, with weapons and other materiel. In May, an officer stationed here was sentenced to three-and-a-half years in prison for espionage. He was convicted of passing information to Russia.

Bundesnachrichtendienst (BND), Pullach

990 location datapoints from 108 advertising IDs

The site used to function as BND headquarters and remains vital to the agency’s technical surveillance capabilities. A former BND department head who once worked here is thought to have passed classified information on to the Russians. He is currently the focus of legal proceedings for high treason.

Ramstein Air Base

164,223 location datapoints from 1,964 advertising IDs

The military airport in Rhineland-Palatinate is the largest U.S. base outside of the United States. Ramstein is the logistical hub of the U.S. military in Europe and plays a key role in NATO missile defense.

 Bundesnachrichtendienst (BND), Berlin

1,744 location datapoints from 332 advertising IDs

Completed in 2019, the building complex serves as the headquarters of Germany’s foreign intelligence agency and the site where the majority of the agency’s employees work. It is also home to the BND’s training center.

Konrad Adenauer Kaserne, Cologne

7,952 location datapoints from 414 advertising IDs

This site is home to Germany’s military intelligence agency MAD. The agency’s mission includes uncovering anti-constitutional activities, espionage and sabotage within the German army.

Graf Zeppelin Kaserne, Calw

8,489 location datapoints from 107 advertising IDs

This is the location of the command center of Germany’s Special Operations Forces (KSK), the Bundeswehr’s elite unit. Members of the KSK are trained in freeing hostages abroad and taking target persons into custody in addition to other delicate operations. As a rule, KSK soldiers do not make their membership in the unit public.

What do the agencies say? 

When confronted with the cases of location data within their areas of responsibility, the Interior Ministry and the Defense Ministry stated that their employees are regularly informed of the danger of surveillance. Both ministries are apparently aware that foreign intelligence agencies use commercially available data for espionage. They stated that foreign intelligence agencies use all available means to acquire information, exert influence and pursue their own interests. That includes, they said, the purchase and use of data available on the internet. The U.S. Embassy in Germany declined to comment on the cases within its area of responsibility.

Where does the data come from?

The data comes from a U.S. data vendor who offers it for purchase on an online marketplace based in Berlin. The internet marketplace Datarade sees itself as a broker between data vendors and people or companies who are interested in buying that data. Those looking to purchase data through Datarade must register on the platform. Sebastian Meineck from netzpolitik.org did so, using his real name and his newsroom’s address. Soon after he completed his registration, several vendors contacted Meineck with offers. After a brief phone call, one of the vendors sent him a download link leading to an extensive dataset. Netzpolitik.org shared this dataset with BR and it was then evaluated jointly. The online platform Datarade and the seller of the data did not respond to queries from BR and netzpolitik.org.

Did we pay for the data?

No. Even though the dataset includes 3.6 billion datapoints, it was provided free of charge as a sample for a potential monthly subscription the vendor was hoping to sell. The data are from a period of around eight weeks near the end of 2023. A subscription that includes hourly updated location data for people from over 150 countries would cost $14,000 per month.

Why is such data for sale on the internet?

Companies typically purchase this information for the purposes of sending personalized advertising to mobile phones. An example: A person who visited a furniture store on a Saturday would be sent targeting advertisements for home decoration objects.

What apps collect the data?

We received no information about the apps that collected the data. Neither the data vendor nor Datarade responded to our questions. Other vendors speak generally about apps for weather, navigation, gaming and dating, saying they have established good contacts with the developers of such apps and have been provided direct access to the data.

Depending on settings, smartphone operating systems like iOS and Android allow installed apps to collect and share location data. Whether they do so only when the app is in use or also when they are running in the background depends on the operating system and on what access rights the user has given the app.

What was the reaction of those people we found in the dataset?

BR and netzpolitik.org contacted several people whose movement profiles we found in the dataset. They confirmed that the data was accurate. There were some minor errors, but vacations, work commutes and even walks with the dog could all identified with the data. All of them expressed surprise that their location data had been offered up for purchase by a data vendor from the U.S. The EU’s General Data Protection Regulation (GDPR) codifies the principle of consent: Apps are only allowed to share location data with third parties if users explicitly provide their permission during installation. The people we spoke with said they couldn’t remember having provided their permission for the sharing of their location data.

Why is this data trade not prohibited?

Louisa Specht-Riemenschneider, a professor of data rights and data protection at the University of Bonn and the German government’s designated data protection commissioner, is critical of the fact that location data is traded in this manner. Just because we allow an app to establish our location, we are completely unable to know where our data might ultimately end up, she says. She demands a societal debate: “Where is the data processing that we want as a society? And where is the processing that we don’t want? And that processing that we don’t want must be prohibited,” she says. 

Why are the data vendors and the data marketplace in Berlin not monitored more closely?

Data vendors who operate outside of the European Union are largely inaccessible for European agencies, says Louisa Specht-Riemenschneider. But trading platforms like the Berlin-based Datarade are also difficult to regulate. “The data marketplace is essentially a broker that does not process any personal data itself. It a sense, it is a regulatory gap.” She says that it is urgently necessary for lawmakers to find a solution. 

Do German intelligence agencies also use such data?

It is legally permissible, but there is far too little regulation, says Thorsten Wetzling of Interface, a Berlin think tank that specializes in the societal impacts of digitalization. A current Interface study indicates that German intelligence services also used commercially available datasets for their purposes. “Intelligence agencies, no matter what country they are from, have an interest in collecting as much information as they can,” says Wetzling. The BND and the Verfassungsschutz declined to respond to questions on this issue. Wetzling says: “This possibility of obtaining information with a credit card is one that poses numerous risks to national security and deeply impacts the freedoms and fundamental rights of millions of app users, which we all are.”

How is it possible for users to avoid ending up in such a dataset?

Users can check two settings on their smartphones: location sharing and the advertising ID. Instructions on how to do so can be found on the BR24 website.