Journalists in Europe say they have been able to easily track senior European Union officials by their mobile phones, gathering commercially available location data from a range of apps, and exposing a major conflict over privacy issues at the heart of Brussels and across the continent.
The findings, which were reported by Netzpolitik, are based on a “free sample” dataset offered for sale by a data broker. The stash included 278 million granular records harvested from a variety of ordinary smartphone apps that — unbeknown to the tens of millions of people who downloaded them — were gathering location information in and around Belgium, which brokers repackage and sell to government agencies, marketers and even hedge funds.
The European Union institutions reportedly acknowledged concerns about the trade in trails of citizens’ and officials’ whereabouts, and have released new guidance to staff to minimize tracking risks.
A Free Sample Unmasked High-Value Targets
Reporters said the dataset contained movement histories of people in and out of the European Commission’s Brussels headquarters as well as other sensitive EU buildings. They traced hundreds of devices to specific roles and routines by matching repeated pings at offices and home addresses.
The coalition found approximately 2,000 location markers associated with the devices of 264 officials and some 5,800 markers connected to more than 750 devices moving within the European Parliament. Such detail can expose attendance at closed-door meetings, travel patterns and personal habits, the kind of intelligence adversaries covet.
The information came from software development kits built into common apps, from weather and navigation programs to shopping and gaming apps. Once harvested, those coordinates are aggregated, “anonymized” and sold downstream, but re-identification is trivial given enough points.
Why the GDPR Isn’t Stopping the Broker Trade
The GDPR, a law in Europe regulating the processing of personal data (which includes this kind of sharing), requires specific, informed consent. But in practice, policing the sprawling location data supply chain has been haphazard and slow, creating a vacuum that allowed brokers, ad-tech middlemen and SDK vendors — who specialize in software code that collects location data — to work with few restraints.
Agents and brokers regularly say their data is anonymized. But researchers at MIT found that only a few time-stamped location points are enough to single out the overwhelming majority of people, suggesting that “anonymous” mobility traces can lead straight back to actual humans without great difficulty.
The European Data Protection Supervisor has repeatedly sounded the alarm about commercial location tracking and the systemic risks it poses, especially for officials and journalists. But the market is now a multi-billion-dollar industry that packages up, sells and resells information on your movements far too rapidly for regulators to track.
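A way to test an “anonymized” claim of the kind described above is to measure how often a handful of known points matches exactly one trace. The following is an added example, not code from the reporting or from the MIT researchers; the function names, grid size and the 20-device dataset are constructed for illustration.

```python
from itertools import combinations

def coarsen(ping, cell_deg=0.01, slot_s=3600):
    """Map a (lat, lon, unix_ts) ping to a grid cell and a time slot."""
    lat, lon, ts = ping
    return (round(lat / cell_deg), round(lon / cell_deg), ts // slot_s)

def unicity(traces, k, cell_deg=0.01, slot_s=3600):
    """Share of k-point subsets of a trace that match no other trace.

    Exhaustive, so only suitable for small samples; an audit of a real
    feed would draw random subsets instead.
    """
    cells = {dev: frozenset(coarsen(p, cell_deg, slot_s) for p in pts)
             for dev, pts in traces.items()}
    total = unique = 0
    for own in cells.values():
        for subset in combinations(sorted(own), k):
            known = set(subset)
            holders = sum(1 for other in cells.values() if known <= other)
            total += 1
            unique += holders == 1
    return unique / total if total else 0.0

def sample_traces(devices=20):
    """Constructed data: one shared office by day, a distinct home cell per device at night."""
    traces = {}
    for i in range(devices):
        home = [(50.80 + i * 0.01, 4.35, h * 3600) for h in range(0, 8)]
        office = [(50.84, 4.38, h * 3600) for h in range(9, 17)]
        traces[f"pseudonym-{i:02d}"] = home + office
    return traces

if __name__ == "__main__":
    traces = sample_traces()
    for k in (1, 2, 4):
        print(f"k={k}: {unicity(traces, k):.1%} of subsets single out one device")
```

In this constructed set every device shares the same office pings, yet a single night-time point is enough to separate it from the rest, which is why removing names or device IDs alone does not anonymize a trace.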
The national security stakes of location data are real
Granular location data can reveal networks of sensitive individuals, meetings between people in closely held entities, and the traveling habits of persons or groups. To policymakers, diplomats and security personnel, all of that exposure can translate into targeted surveillance, coercion or physical threats.
The risks are not hypothetical. In a previous breach at Gravy Analytics, researchers examining the exposed records demonstrated how historical location trails could be used to piece together where people live, work and spend time: an instant dossier on millions. The existence of such datasets on the open market also lowers barriers for adversarial intelligence services and criminal actors.
Location brokerage also complicates oversight. In other cities and states, researchers have recorded government agencies purchasing commercial location data to skirt the need for warrants. Legal systems around Europe vary, but those same data feeds are available to any buyer with the means.
What EU staff can do now to reduce location tracking
There are workarounds, but they are imprecise. On iOS, officials can decline cross-app tracking prompts, restrict precise location on a per-app basis and reset a device’s advertising identifier on a weekly basis. On Android, they can turn off ad personalization, change their advertising ID and limit what each app can do with access to background location.
Security teams need to audit installed apps, cull any that lack an obvious need for location and enforce mobile device management policies that limit SDK telemetry. Turning off location services wherever they are not required will reduce the frequency and precision of logged pings.
Still, none of these settings stops an app that has been given legitimate location permission from quietly monetizing it. We need institutional guidance, ongoing training and procurement rules that prevent invasive SDKs.
Next steps for regulators to curb location data sales
They also say that regulators should ban the sale of precise location data without clear consent and a specific, limited opt-in, and prohibit the trading of data assigned to sensitive places like government buildings, hospitals and shelters. Certainly, treating mobile ad IDs as personal data, and ensuring enforcement, would cut off a commonly used broker defense.
Audits of “anonymization” claims could also be required by authorities, as could data broker registries and standardized APIs for deleting or exporting personal information. Coordinated action by the national watchdogs, backed up by the European Data Protection Board, could close off loopholes exploited by cross-border ad-tech actors.
The new revelations highlight that the stakes are not theoretical or down the road. If a broker’s free sample can unearth details of the movements of top EU officials, the market’s paid-for feeds can crack open an awful lot more than that. Without effective enforcement and more tightly controlled data flows, Europe’s most stringent privacy regulations will remain easy to sidestep — at scale and for sale.