
A joint investigation across five European newsrooms has uncovered that mobile phone location data, collected under the guise of ad tracking, is openly traded and can be used to precisely track the movements of millions of people in the EU, including senior government officials and NATO personnel.
Despite GDPR protections, the investigation shows a growing surveillance threat that undermines both privacy and European security.
Led by reporters from Netzpolitik.org, Bayerischer Rundfunk, L’Echo, Le Monde, and BNR, the investigation analyzed two large datasets from commercial data brokers, amounting to 278 million geolocation records in Belgium alone. These datasets, originally marketed as free “previews” to potential buyers, contain highly granular location data linked to mobile advertising IDs. Without spending any money or employing sophisticated tools, reporters were able to identify dozens of individuals, including EU Commission staff, diplomats, and journalists, and reconstruct detailed movement patterns.
Among the most concerning revelations: reporters were able to track a senior EU official’s daily commute, gym visits, and exact office location inside the Berlaymont building. They also found thousands of data points collected from within EU institutions, including:
- 264 unique devices identified in the EU Commission headquarters.
- 756 devices seen across the European Parliament.
- 543 devices tracked inside NATO facilities in Brussels.
These findings highlight that the EU’s General Data Protection Regulation (GDPR), once hailed as the gold standard for digital rights, is being circumvented by an opaque and largely unregulated data broker industry. Although GDPR requires user consent for data collection and limits the purpose for which data can be used, the investigation shows that consent mechanisms are often misleading, and data collected for advertising is repurposed for resale and potential espionage.
The underlying mechanism is tied to Mobile Advertising IDs (MAIDs), unique identifiers assigned by Apple and Google to every device. While these IDs are meant for ad personalization, they allow data brokers to create rich, longitudinal profiles by correlating frequent location pings with identifiable places like homes, workplaces, or leisure venues. Even with pseudonymization, the investigative team found it trivial to deanonymize individuals using open-source intelligence (OSINT) techniques such as matching address data, checking nameplates, or referencing public directories.
Everyone is traceable
The European Commission, the primary executive body of the EU responsible for proposing legislation and managing day-to-day governance, has acknowledged the investigation’s findings with concern. It has since issued new guidance to its staff regarding ad tracking and notified national CSIRTs of the risks.
The datasets contained over 9,600 data pings from within the facilities of NATO, which is headquartered in Brussels. A NATO spokesperson admitted awareness of the risks but declined to detail mitigation strategies. Meanwhile, Belgium’s military has launched internal reviews after movement data from sensitive installations was also uncovered.
Security experts warn that hostile state actors, including Russia and China, could exploit such data for hybrid threats, including espionage, profiling of military personnel, or tracking political dissidents. As Kirsi Pere from the EU-NATO affiliated Hybrid CoE stated, this type of data “could be exploited by hostile actors to harm democratic society and undermine the decision-making capability of a state.”
Consent deception and protection measures
Many users grant access to their location through innocuous apps without realizing that their data will be resold. Consent banners often employ deceptive “dark patterns” to push users toward accepting data collection, and the fine print rarely discloses the downstream data flows to brokers and third parties.
Moreover, the principle of purpose limitation is routinely violated. Data that was supposedly collected to personalize ads is instead monetized through resale to entities that may include foreign intelligence services. These secondary uses are neither disclosed to users nor covered by the original consent, making the practice not only unethical but, according to data protection experts, outright illegal.
Users should disable ad tracking on iOS and Android by resetting and limiting the use of MAIDs, restrict location permissions, and prefer privacy-respecting apps from developers who commit to not sharing data with third parties.






