Databroker Files: Targeting the EU
Description
Precise locations and revealing movement patterns: the mobile phone location data of millions of people in the EU is up for sale. Collected supposedly only for advertising purposes, this data can also be used for espionage. European data protection is failing – even top EU officials in Brussels are affected. The EU Commission says: “We are concerned.”
Image: Hundreds of potentially sensitive EU employees can be targeted with openly traded cell phone location data. – Building: IMAGO/Zoonar; Figures: Pixabay/Mohammed Hasan; Fog: Vecteezy, Montage: netzpolitik.org

This is a joint investigation with Bayerischer Rundfunk, L’Echo (Belgium), Le Monde (France), BNR (Netherlands). It is part of the “Databroker Files”. Here’s a summary of the EU investigation. A German version of this article was published under the title “Datenhändler verkaufen metergenaue Standortdaten von EU-Personal”.
There are detached houses with front gardens in an upmarket district of Brussels, and the political centre of the European Union is not far away. When they are out and about early in the morning, a top EU official only needs about 20 minutes by car to get to their workplace. They work in a unit under the authority of Commission President Ursula von der Leyen at the Berlaymont building, the European Commission’s headquarters. Conveniently, there’s a spa and fitness centre along their way to work – they have passed by it, too.
We know this and more because we have their exact location data. The data even tells us exactly where their office is in the EU Commission building. We discovered their movement patterns, along with those of millions of other Europeans, in commercially traded data.
This data reveals where people live and work, as well as their behaviour and preferences. It can also show visits to clinics, religious buildings, party and trade union headquarters, as well as brothels and swingers’ clubs.
The investigative team has data records from several data brokers. The brokers give these away as a sample — a free preview of what is on offer with a paid subscription. For this investigation, we analysed two new datasets containing around 278 million records of mobile phone locations in Belgium.
Danger of espionage like during the Cold War
Almost ten years ago, a revolution with four letters took place here in Brussels: GDPR. In December 2015, the European Parliament, the Council and the European Commission agreed on the text of the General Data Protection Regulation. It was intended to harmonise the protection of fundamental rights in the digital world with a data-based economy. And it came with the promise of informational self-determination: that people should generally have sovereignty over who does what with their data.
This promise remains unfulfilled to this day. Instead, the Databroker Files reveal an unprecedented loss of privacy that can affect all people who participate in digital life by using apps on smartphones or tablets. The uncontrolled data business is no longer just an issue of consumer and fundamental rights protection; it also poses a threat to Europe’s security.
The risk of espionage in the EU has been high, at least since Russia launched its large-scale war of aggression against Ukraine in February 2022. Authorities warn of Russian sabotage, suspicious drones violate European airspace, a Chinese spy infiltrated the EU Parliament – hardly a month goes by without a new espionage scandal. Back in 2020, the then president of the German domestic intelligence service compared the situation to that of the Cold War.
Those responsible have apparently not yet sufficiently recognised the extent of the danger posed by commercially collected data in this context. When confronted with the results of our research, the EU Commission stated: “We are concerned with the trade of geolocation data from citizens and Commission officials.” The Commission has now issued new guidance to its staff regarding ad tracking settings on both corporate and private devices. It has also informed other Union entities and Computer Security Incident Response Teams (CSIRTs) in Member States.
In response to this investigation, Members of the European Parliament (MEPs) are demanding decisive action. “In view of the current geopolitical situation, we must take this threat very seriously and put an end to it,” writes Axel Voss (CDU) from the conservative EPP group. Lina Gálvez Muñoz, a Spanish MEP from the Socialist Group S&D, calls for the EU to treat the issue “as a priority security threat, not just a privacy concern”. With regard to the military threat posed by Russia, German MEP Alexandra Geese (Greens/EFA) demands: “Europe must prohibit large-scale data profiling.”
Hundreds of potentially sensitive employees targeted
Our investigation shows how easy it is to spy on top EU staff using commercially traded location data. Based only on the preview data sets available to us, and without paying a cent, we were able to spot hundreds of devices belonging to people working for the European Union in sensitive areas. In the EU Commission headquarters alone, there were around 2,000 location pings from 264 different devices. In the European Parliament, there were around 5,800 location pings from 756 devices.
For example, a movement profile illustrates the daily commute of an EU Parliament employee. They travelled from a community near Brussels to the city centre via the urban motorway. The tracking shows how the employee visits several buildings of the EU Parliament, a supermarket and a restaurant.
Furthermore, we found thousands of location pings in various other institutions, ranging from the Council of the European Union to the European External Action Service and the European Data Protection Supervisor. The preview data sets used for this analysis are just the tip of the iceberg. Paid subscriptions promise large-scale mass surveillance with a constant supply of up-to-date location data.
Even with this limited data, we were able to identify the private addresses of five individuals who work or have worked for the EU, including three people in senior positions. Among the EU staff we identified are the top Commission official mentioned at the beginning, a high-ranking diplomat from an EU country, and employees of the EU Parliament and the European External Action Service. Initially, they were all suspicious when we contacted them. Some preferred to speak to us only briefly or not at all. None of them wanted to be quoted publicly. Two of the individuals in question confirmed to us that the location data indeed shows their place of residence and workplace, as well as their movements in Brussels. We also found a digital rights activist and a journalist in the data, who confirmed its accuracy.
The data travels along winding paths through an opaque ecosystem, beginning with apps that claim to only track users for advertising purposes. Ultimately, it ends up in the hands of data brokers, and, potentially, anyone who asks for it. These could be advertising companies, journalists – or even foreign intelligence services.
Location data is not anonymous
The data sets offered by data brokers do not contain the names or addresses of mobile phone users who are tracked at every step. Nevertheless, we were able to identify several individuals. This was made possible, among other things, by the so-called Mobile Advertising ID, which is a unique identifier for the online advertising industry that Google and Apple automatically assign to each phone.
Each location in our data sets is linked to such an ID. This allows loose data points to be combined to form detailed movement profiles. Places of residence and work can easily be identified because locations are noticeably concentrated there. Particularly in the case of freestanding houses with publicly visible doorbell signs, it quickly becomes clear whose location data is involved. In some cases, the residents of a house can also b



