National Security Risk: Commercial Brokers Selling Location Data of EU & NATO Officials
Millions of mobile phones across the European Union leave behind digital footprints every day that can be purchased on the open market. Coordinates of movement, home and workplace locations, visits to gyms, hospitals — even to intimate venues — are all traded in commercial databases ostensibly assembled for ad targeting. An investigation by journalists from Bayerischer Rundfunk, L’Echo, Le Monde and BNR, published under the Databroker Files project, reveals that this trade jeopardizes not only the privacy of citizens but also the security of Europe.
The reporters found that even senior officials of the European Commission — including staff in directorates reporting to Ursula von der Leyen — unwittingly became subjects of surveillance. Precise coordinates of private residences and offices, together with detailed travel routes through Brussels, were obtainable from inexpensive sample packages that brokers sell as trial data ahead of a subscription purchase. Two data sets alone, analysed by the journalists, contained roughly 278 million movement records from users in Belgium.
Despite the assurances of the GDPR enacted in 2015, the inquiry shows that Europeans’ autonomy in the digital realm remains unsecured. Mobile apps continue to harvest user locations and funnel them to advertising networks, which in turn sell the information to brokers who resell it to third parties. Potential buyers are not limited to marketers; foreign intelligence services also appear among the clientele.
Against a backdrop of espionage alerts, drone incursions and cyberattacks, commercial location databases have emerged as a new surveillance channel — one that rivals Cold War–era techniques. The European Commission has acknowledged concern over the sale of geolocation data for citizens and officials and has issued fresh guidance to staff on ad settings for work and personal devices. National CSIRTs have likewise been notified of the risks.
Journalists uncovered more than 2,000 geotags linked to 264 devices within the European Commission’s buildings, and about 5,800 tags from 756 devices in the European Parliament. The data covered hundreds of phones belonging to personnel in sensitive areas — from diplomatic missions to the Council of the EU and the EEAS. Investigators were able to reconstruct private addresses for at least five employees, including high-ranking diplomats; the precision of the coordinates allowed them to match door signs and public records, demonstrating that such geodata are far from anonymous.
Within NATO’s Brussels headquarters alone, some 9,600 points were logged by 543 devices. Alliance representatives acknowledged the danger of third-party data collection but declined to detail countermeasures. Belgian military authorities pledged tighter rules for smartphone use, yet even innocuous apps may exfiltrate coordinates to external servers.
As StratCom CoE analysts warned years ago, datasets of this kind can reveal troop movements and the locations of critical assets. Corbinian Rückerbauer of Germany’s Interface centre observes that European security services have neither fully grasped the scope of the threat nor debated it publicly. His colleague Thorsten Wetzling calls the situation “extremely alarming,” especially amid persistent attempts by adversaries to probe vulnerabilities in Europe’s defence architecture.
The root of the problem lies in mobile apps whose users consent, often thoughtlessly, to location sharing for advertising. Developers embed third-party tracker code, and the harvested data ripple out to dozens of servers belonging to participants in ad-bidding ecosystems. Brokers then repackage and resell the information, inflating datasets with synthetic identifiers to create the illusion of vast troves. Even when imperfect, such records are sufficient to trace individuals and institutions. Among the marketplaces implicated is the Berlin platform Datarade.
Only a handful of those whose devices appeared in the databases agreed to speak. A representative of EDRi confessed that discovering one’s own “transparency” without consent is frightening and undermines the right to privacy. A journalist at L’Echo confirmed that the data pinpointed his home and leisure locations, despite his conscious efforts to minimise his digital trace.
Formally, the brokers’ business contravenes GDPR: consent must be informed and voluntary, and processing limited to stated purposes. Yet most users accept app terms without understanding where their data ultimately flow. Other legal safeguards — such as prohibitions on processing information that reveals political beliefs, sexual orientation, or visits to religious sites — are routinely breached.
European regulators act mainly upon citizen complaints, and few people know where to complain. As a result, oversight is reduced to superficial cookie-banner checks while the hidden infrastructure remains unchecked. Regulators lack resources and technical experts; some probes have begun in Germany, but local authorities admit that without legislative reform the problem will persist.
The ePrivacy regulation, which might have curbed such surveillance, was finally shelved in spring 2025 under pressure from the advertising and media industries. Citizens were left with convoluted consent dialogs instead of a clear “right not to be tracked.”
Hopes now rest on a prospective Digital Fairness Act, yet Members of the European Parliament warn against premature optimism: Brussels has prioritised “reducing bureaucracy.” Meanwhile, MEPs from the EPP, S&D and the Greens are calling for a strict ban on geolocation trading, mandatory registration of data brokers, and classification of mass surveillance as a national security threat.
A Europe striving for digital sovereignty has discovered, to its dismay, that the private advertising ecosystem can hand adversaries a map of its own vulnerabilities.