Data showing the specific movement of tens of thousands of smartphones in Ireland is available to purchase from companies working in the digital marketing and advertising industries, an undercover Prime Time investigation has found.
The availability of the data from brokers has raised major worries about personal privacy, but also national and domestic security, including at the highest levels of the Department of Justice.
Phones in the data could be tracked back to specific residential addresses after entering high-security prisons, military bases, and Leinster House, as well as sensitive locations like health clinics and mental health facilities.
Having been made aware of the availability of the data by Prime Time, the Data Protection Commission said in a statement it is "extremely concerned."
It said that "information about an individual's location can pose a serious risk to their security and well-being."
"We are currently working to identify the data broker in question and if they are headquartered in Ireland, we will take action ourselves. However, if they are headquartered in another EU country we will engage with the relevant data protection authority to deal with the matter."
The data available for purchase shows the minute-by-minute movement of phones, while the locations provided are specific enough to show movement within home addresses, as well as the patterns of life of the smartphone owner.
A large sample of what was available to purchase from one company was given to Prime Time for free during the investigation in which a team of journalists posed as founders of a newly established data analytics and marketing firm.
The sample data contained the movement of 64,000 phones in Ireland over two weeks in April.
The undercover Prime Time team was told the data could be provided as a constantly updated feed, with a 24-to-72 hour delay.
'It feels wrong...’
Dr Cathal Berry, formerly commander of the Irish Army Ranger Wing and the military governor of Portlaoise Prison, the highest security prison in the country, said: "There are nefarious actors out there who will take full advantage of this type of information.
"If people know where your home address is, then you're at risk there from that point of view, particularly if you're in quite an elevated position in the public service in the part of the State apparatus."
Dr Berry said that the availability of this data "feels wrong, if something feels wrong, it shouldn't be legal".
The Prime Time investigation sought to examine the data and technology underpinning personalised online ads and marketing, which has long been a concern of privacy rights activists.
The type of data obtained is referred to as location or geospatial data. It is not the most commonly available type of data but was offered by several companies.
When asked about privacy concerns, sellers said a privacy breach does not occur because the owner of the phone is not identified.
They also noted that the smartphone owners would have given permission for the sale of the location data through the terms and conditions of installed apps.
The companies trading the data did not identify from which apps the location information is compiled.
Whose phone is in the data?
From the data, Prime Time was able to quickly identify the home addresses and routines of life of specific individuals by examining the tracks of devices which entered certain locations then returned to residential addresses.
One was a person who works in Leinster House, in the parliamentary office of government TD, Barry Ward.
The individual did not want to be identified but did confirm the information in the dataset was accurate.
They gave Mr Ward permission to speak to Prime Time, and Prime Time permission to show Mr Ward the mapped data linked to their smartphone.
The data showed that individual’s routine and exact movements, including their routes into and out of Leinster House, when they were in their local supermarket, location of weekend activities, and times they returned and left home.
"What has really shocked me is the extent to which you can take that data parcel, break it down to an individual, trace the individual's movements to the extent that you can identify where they live, where they work, or where they go on a day-to-day basis," Mr Ward told Prime Time.
"The notion that the information about their movements is free and available to buy for anyone is frightening, totally inappropriate, and definitely dangerous," he said.
Military locations
Devices moving through military bases exposed the residential addresses of smartphone owners, but also potentially the movement times of naval vessels.
Phones which passed through Naval Headquarters on Haulbowline Island, in Cork, could be followed from the base into the waters off the south coast where signal connection was lost, and later at other ports and harbours.
Multiple devices could also be seen entering and leaving McKee Barracks in Dublin, which is home to the Defence Forces’ Military Intelligence Service, before returning to residential addresses.
For privacy and security reasons, Prime Time did not attempt to identify the people who passed through these locations.
"There are risks, obviously, for sure, particularly for specialised people in our armed forces, like particular pilots, bomb disposal operators, captains of ships," Dr Cathal Berry said.
"From a routine point of view, it makes perfect sense that people use mobile phones but from an operational perspective, there is a risk of compromise there, and that's something we need to tighten up on, I think, judging by the data you provided."
In a statement, the Defence Forces said "the safety and security of its personnel, locations and operations are of paramount importance."
"The Defence Forces takes several proactive steps to ensure security is maintained in sensitive locations including minimising electronic footprint in these areas. The Defence Forces ensures it is capable of tapering the electronic footprint of our personnel and operations depending on the nature of any operations we conduct."
"As a learning organisation the Defence Forces will continue to review and update its policies and procedures in relation to emerging technologies and ensure that our personnel are kept up to date to any potential risks that may face them and how to counter them."
Several contributors to the Prime Time investigation said it raises significant questions for the Data Protection Commission (DPC).
"This is where the regulators come in, and this is where our politicians come in to make sure that we have the appropriate guardrails in place, that people's data isn't being exploited," Dr Cathal Berry, himself a former independent TD, said.
"We are absolutely meant to be protected by law against this activity," said Johnny Ryan of the Irish Council for Civil Liberties.
"The problem is that the enforcer, the Data Protection Commission, has entirely failed for years to address this in any meaningful way. The enforcer has the power. They can go to a court, a warrant and they can kick doors down," he added.
For his part, Fine Gael TD Barry Ward, whose staff member’s phone appeared in the data, said he is prepared to work with the DPC on the issue.
"If there is more legislation or more regulation required, then come to Leinster House, come to the government, come to the politicians," he said, in reference to the DPC.
"We will change that because we cannot allow our citizens to be exposed to that level of intrusion into their personal private lives where corporations have no business going."
Additional Reporting from Kristo Mikkonen. Additional research by Katie-Marie Murnane.
Kate McDonald and Aaron Heffernan’s investigation broadcasts on the 18 September edition of Prime Time at 9.35pm on RTÉ One and the RTÉ Player.
