Back to Blog

Odido Router Secretly Sends Your Data to Turkish AI Company Lifemote

Disclosure: This article contains affiliate links. We may earn a commission at no extra cost to you.

Your internet router is the most trusted device in your home. Every phone, laptop, smart TV, and baby monitor connects through it. So what happens when your ISP's router is secretly sending detailed analytics about every device on your network to a foreign AI company?

That's exactly what pentester Sipke Mellema discovered when he analyzed the network traffic of the Zyxel T-56, the router Odido (formerly T-Mobile Netherlands) provides to its customers. The router was sending MAC addresses, device names, data usage statistics, and even nearby WiFi network information to Lifemote, a Turkish AI company that sells WiFi analytics to ISPs.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has confirmed that MAC addresses are personal data. Odido's response? "Our privacy statement is on our website."

Why this matters: This isn't about cookies or browser tracking. Your router sees everything on your local network: every device, every connection, every data transfer. When that information is sent to a third party without your informed consent, your home network is no longer private.

What Sipke Mellema Found

Sipke Mellema, a professional pentester, intercepted and analyzed the network traffic leaving his Odido-provided Zyxel T-56 router. What he found was alarming. The router was regularly sending detailed telemetry data to servers operated by Lifemote, including:

  • MAC addresses of every device connected to the network
  • Device names (often revealing personal information like "iPhone van Sarah" or "Work Laptop Pieter")
  • Data usage per device (how much each device downloads and uploads)
  • Nearby WiFi network SSIDs and MAC addresses from neighbors' routers
  • Hotspot information and network performance metrics

Lifemote was initially reported as an American company by De Telegraaf, but Tweakers later corrected this: Lifemote is headquartered in Turkey.

Who Is Lifemote?

Lifemote is a Turkish AI company that specializes in WiFi analytics and network optimization for ISPs. Their business model is simple: ISPs embed Lifemote's software into their routers, and Lifemote collects and analyzes the data to generate insights about network performance, device behavior, and WiFi quality.

On the surface, this sounds like a legitimate service. ISPs want to know when routers have problems so they can reduce support calls. But the scope of the data collection goes far beyond what's needed for network diagnostics.

Collecting MAC addresses and device names of every connected device isn't necessary to diagnose WiFi interference. Scanning and reporting nearby WiFi networks has nothing to do with your router's performance. And sending all of this to a company in Turkey, outside the EU's GDPR jurisdiction, raises serious questions about data protection.

Turkey and GDPR: Turkey does not have an EU "adequacy decision," meaning the European Commission has not determined that Turkey provides an adequate level of data protection. Transferring personal data to Turkey requires additional safeguards under GDPR Article 46, such as Standard Contractual Clauses (SCCs) and a Transfer Impact Assessment (TIA). It is unclear whether Odido has these safeguards in place for the Lifemote data transfer.

Dutch DPA: MAC Addresses Are Personal Data

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) was clear in their response to the Tweakers investigation. A spokesperson stated:

"A MAC address is a unique number of a device. A MAC address is personal data if you can also find out who the device belongs to."

For an ISP like Odido, this is obvious. They know exactly which customer uses which router, which means every MAC address collected through that router can be directly linked to a specific person or household.

The AP also emphasized the rules around data sharing with third parties:

"If a telecom provider shares personal data with another party, it must have a legal basis for doing so. In addition, data subjects must be properly informed about this."

The key question is whether Odido's generic privacy statement constitutes "properly informing" customers that their device MAC addresses, device names, and neighbors' WiFi data are being sent to a Turkish AI company. Most privacy experts would argue it does not.

Can Your Router Data Reveal Your Location?

Sipke Mellema highlighted a particularly concerning aspect of the data collection: location tracking.

MAC addresses of nearby WiFi networks can be used to determine a router's physical location with surprising accuracy. Companies like Google and Apple have been mapping WiFi networks for years via their Street View cars and mobile devices. If you know which WiFi networks surround a particular router, you can pinpoint its location without GPS.

Mellema drew a chilling parallel to real-world consequences: in the United States, ICE (Immigration and Customs Enforcement) has used commercially available data, including WiFi and location data, to track and detain individuals. While the Netherlands is not the US, the principle stands: once this data exists in a third-party database, you lose control over who can access it and how it's used.

How WiFi-based location tracking works: Every WiFi router broadcasts a unique MAC address (BSSID). Google, Apple, and others have mapped millions of these addresses to physical locations. If Lifemote's database contains MAC addresses of nearby routers around your home, that data can be cross-referenced with existing WiFi location databases to determine exactly where you live, even without your IP address or GPS coordinates.

Your Neighbors' Data, Without Their Consent

Perhaps the most striking aspect of this story is that the Zyxel T-56 scans nearby WiFi networks and sends the SSIDs (network names) and MAC addresses of neighboring routers to Lifemote.

This means the data collection isn't limited to Odido customers. Your neighbor's router, which might be from KPN, Ziggo, or any other provider, is also being cataloged by Odido's equipment. Those neighbors never agreed to any Odido privacy policy. They never signed an Odido contract. They have no relationship with Lifemote whatsoever.

And yet, their router's unique identifier and network name are being sent to servers in Turkey.

Security journalist Brenno de Winter pointed out the commercial value of this kind of data. Router analytics reveal household patterns: how many devices are active, when people are home, what kinds of devices they use. This is exactly the kind of behavioral data that advertising companies, data brokers, and AI training operations find valuable.

A Pattern of Privacy Problems

This router telemetry revelation comes just weeks after Odido's massive data breach, where hacking group ShinyHunters claimed to have stolen 21 million customer records including passport numbers and IBANs. Together, these incidents paint a picture of a telecom company with a casual attitude toward customer data.

Aspect Feb 2026: Data Breach Mar 2026: Router Telemetry
Type External hack (ShinyHunters) Intentional data sharing
Data exposed Names, addresses, IBANs, passport numbers MAC addresses, device names, usage data, neighbors' WiFi
Affected 6.2M confirmed (21M claimed) All Zyxel T-56 users + their neighbors
Consent N/A (criminal breach) Buried in generic privacy statement
Data destination Dark web Lifemote servers (Turkey)
Odido response Breach notification + F-Secure offer "Our privacy statement is on our website"

While a data breach is a criminal act committed against a company, the Lifemote data sharing was a deliberate business decision. Odido chose to embed Lifemote's analytics into the router firmware. They chose to collect this scope of data. And they chose to send it to a company in Turkey.

Odido's Evasive Response

When confronted by Tweakers and De Telegraaf, Odido's response was telling in its brevity: "Our privacy statement is on our website."

No explanation of what data is shared with Lifemote. No details about what safeguards are in place for the Turkey data transfer. No acknowledgment that scanning neighbors' WiFi networks might be problematic. No offer to let customers opt out.

This "read our privacy policy" response is a classic deflection. Privacy policies are often hundreds of pages long, written in legal language, and designed to cover as much data collection as possible with the vaguest possible language. The GDPR requires informed consent, which means customers need to actually understand what's happening with their data. Burying router telemetry details in a generic privacy statement does not meet this standard.

How Can You Protect Yourself?

If you're an Odido customer (or any ISP customer concerned about router telemetry), here are concrete steps you can take:

Check Your Router's Admin Settings

Log into your router's admin panel (usually at 192.168.1.1 or 192.168.0.1) and look for any analytics, telemetry, or "customer experience improvement" settings. Disable anything that sends data to third parties. On the Zyxel T-56, check for Lifemote-related settings or remote management options.

Use Your Own Router

The most effective solution: replace your ISP's router with your own. In the Netherlands, you have the legal right to use your own modem and router (vrije modemkeuze). Buy a router from a reputable brand, connect it to the fiber/DSL box, and disable the ISP router. No ISP-provided firmware means no ISP-embedded analytics.

Enable MAC Address Randomization

Modern operating systems (iOS 14+, Android 10+, Windows 10/11, macOS Sonoma+) can randomize your device's MAC address per network. This makes it harder to track your specific devices, even if the router reports MAC addresses. Enable this in your WiFi settings on each device.

Be Careful with Device Names

Device names like "Sarah's iPhone" or "Pieter Work Laptop" reveal personal information. Rename your devices to something generic: "Phone-1", "Laptop-2", or random strings. This won't stop MAC address collection, but it reduces the personal data linked to each device.

Use a VPN for Internet Traffic

A VPN encrypts your internet traffic, preventing your ISP from seeing which websites you visit. However, a VPN does not prevent router-level telemetry. The router still knows which devices are connected and can still scan nearby WiFi networks. A VPN protects your traffic, not your network metadata.

Privacy tip: Check what your IP address reveals at myip.foo, test for DNS leaks that expose your browsing to your ISP, and test for WebRTC leaks that bypass VPN protection. If you want to encrypt your internet traffic, consider a VPN like NordVPN. But remember: for router-level data collection, using your own router is the only real solution.

The Bigger Picture: ISP Routers as Surveillance Devices

The Odido/Lifemote case is unlikely to be unique. ISPs worldwide embed third-party analytics into their routers. Most customers never check their router's network traffic. Most wouldn't know how even if they wanted to.

ISP-provided routers have become potential surveillance devices sitting in your living room. They see every device, know every connection, and increasingly share this data with third-party companies that customers have never heard of.

The GDPR gives EU citizens strong data protection rights, but those rights are meaningless if you don't know what data is being collected. This is why discoveries like Mellema's are crucial. Without security researchers independently auditing ISP equipment, this kind of data collection would continue indefinitely in the shadows.

If the Dutch Data Protection Authority takes this seriously, this could become a precedent-setting case for router telemetry across the EU. If they don't, it sends a clear message to ISPs everywhere: embed whatever analytics you want, bury it in a privacy policy, and no one will stop you.

Common Questions

What data does the Odido router send to Lifemote?

The Zyxel T-56 router sends MAC addresses and names of all connected devices, data usage per device, nearby WiFi network SSIDs and MAC addresses, hotspot information, and network performance metrics. This data is sent to Lifemote, a Turkish AI company that provides WiFi analytics to ISPs.

Who is Lifemote?

Lifemote is a Turkish AI company specializing in WiFi analytics for ISPs. They were initially misidentified as American in early reporting. They analyze router telemetry data to provide ISPs with insights about network performance and device behavior.

Are MAC addresses personal data under GDPR?

Yes. The Dutch Data Protection Authority confirmed that a MAC address is personal data when it can be linked to a person. Since Odido knows which customer uses which router, all MAC addresses collected through their routers are personal data. This means GDPR rules about consent, data minimization, and international transfers fully apply.

Can I opt out of the Lifemote data sharing?

Odido has not provided a clear opt-out mechanism. Your best options are: check your router's admin settings for analytics toggles, contact Odido to demand data sharing be disabled, or replace the ISP router with your own under the Dutch free modem choice right (vrije modemkeuze).

Does this affect non-Odido customers too?

Yes. The router scans nearby WiFi networks and sends their SSIDs and MAC addresses to Lifemote. This means your neighbor's Odido router is collecting data about your WiFi network, even if you're a KPN, Ziggo, or other ISP customer who never consented to anything.

Conclusion

The Odido/Lifemote revelations are a wake-up call about a type of surveillance hiding in plain sight. Your ISP's router isn't just connecting you to the internet. It's potentially cataloging every device in your home and your neighbors' homes, then shipping that data to companies you've never heard of in countries with weaker data protection.

Key takeaways:

  • Odido's Zyxel T-56 router sends MAC addresses, device names, usage data, and nearby WiFi networks to Turkish AI company Lifemote
  • The Dutch DPA confirms MAC addresses are personal data when linkable to a person (which they always are for ISPs)
  • The router scans neighbors' WiFi networks, affecting people who never consented to any Odido data collection
  • Turkey has no EU adequacy decision, raising serious GDPR data transfer concerns
  • This comes weeks after Odido's ShinyHunters data breach, revealing a pattern of careless data practices
  • Using your own router is the most effective protection against ISP router telemetry
  • Odido's response ("our privacy statement is on our website") falls short of GDPR's informed consent requirements

The lesson is clear: never blindly trust your ISP's equipment. If privacy matters to you, use your own router, audit your network, and stay informed about what your devices are really doing.

Check your network privacy:

  1. Check what your IP reveals at myip.foo
  2. Test for DNS leaks that expose your browsing to your ISP
  3. Test for WebRTC leaks that bypass VPN protection
  4. Consider using your own router instead of your ISP's
  5. Encrypt your traffic with a VPN like NordVPN

Related Articles