Netzpolitik.org released its investigation into the files of data brokers, and the results were disturbing, even to seasoned privacy advocates. The newsroom revealed that vast troves of mobile advertising data collected by ordinary apps contained hundreds of millions of GPS points, many of which mapped directly inside the European Commission, Parliament, and NATO headquarters in Brussels.
The findings sound like a spy thriller, but they’re not fiction. They expose a quiet, sprawling trade in mobile location data that turns everyday apps into potential intelligence tools. Yet this problem isn’t new. Journalists and researchers have been warning for years that our phones leak far more than we think, and that lawmakers are moving too slowly to stop it.
Let’s unpack what’s happening, what’s been known for years, what governments are (barely) doing, and what you can do to protect yourself.
What Netzpolitik Found Out
The investigation “Databroker Files: Targeting the EU” focused on a sample dataset provided by a commercial data broker. Even that preview contained 278 million location records from Belgium, enough to visualize the movement of thousands of devices across EU and NATO facilities. Each dot represented a real smartphone ping, collected from everyday apps with location permissions.
The journalists didn’t need hacking skills or special access: the data was legally purchasable on the open market. By combining timestamps with map coordinates, they could reconstruct travel patterns of individuals who appeared to work in European institutions.
Some patterns were so distinct that re-identification was straightforward. “Anonymous” data quickly becomes personal when someone visits the same home every night and the same office every morning.
In other words, commercial surveillance works perfectly, and even people working on Europe’s digital sovereignty are not immune.
Nothing’s New on this Planet
This is not the first alarm bell; far from it. For nearly a decade, journalists and researchers have shown that mobile apps feed a global tracking industry worth billions.
- Motherboard (2020) revealed that U.S. firm X-Mode Social was selling GPS data from popular Muslim prayer and weather apps to U.S. military contractors. The data revealed soldiers’ movements in conflict zones.
- The Intercept (2021) exposed Anomaly Six, a company claiming to monitor three billion devices worldwide, founded by former U.S. intelligence officers.
- The Wall Street Journal (2022) demonstrated how raw location data from dating apps could pinpoint people visiting abortion clinics, synagogues, or shelters, proving that “anonymized” datasets can endanger lives.
- Electronic Frontier Foundation (2023) uncovered Fog Data Science, which sold real-time phone tracking data to U.S. police departments, allowing warrantless surveillance.
- Haaretz (2024) found that Israeli company Patternz used similar data for predictive profiling across the Middle East.
European watchdogs such as Tactical Tech and Lighthouse Reports have long warned that real-time advertising auctions (RTB) leak billions of personal data points every day, often to unknown servers.
What’s new in 2025 is the scale and political sensitivity: this time, the data includes the movements of diplomats, EU officials, and NATO personnel. The risk is no longer abstract; it’s geopolitical.
The Social Effect: How Privacy Loss Changes Behaviour
Beyond the legal and security angles, the social consequences are profound.
When people realise their movements and online habits can be recorded, they often respond by altering their behaviour — a phenomenon scholars call “surveillant anxiety” or self-regulation under observation.
Empirical research supports this effect: a 2025 study in Systems found that individuals who believe they are being watched are significantly more likely to modify their actions both online and offline. Earlier academic work, such as “The Surveillant Consumer”, describes how consumer surveillance leads to self-censorship and behavioral restraint.
Large-scale surveys confirm that many citizens feel powerless over their digital identities. The Project Liberty Global Insight Report found that only 18% of respondents felt they had a “great deal” of control over their data, while most reported “little or no control.” The DMA Global Data Privacy Report (2023) documents a similar “control deficit,” with 58% of consumers stating they cannot prevent companies from sharing their personal information.
Together, these findings reveal a growing chilling effect: as awareness of surveillance expands, people become more cautious about their digital footprints, and increasingly distrustful of institutions that handle personal data. In an era where everyday life is trackable, freedom itself now depends on privacy, a resource most citizens feel they no longer control.
Privacy vs. Profit: Did Lawmakers Blink First?
Europe’s privacy system is often praised as the toughest in the world. The General Data Protection Regulation (GDPR), which has been in effect since May 2018, prohibits the processing of personal data without consent.
In theory, the resale of location datasets should already be illegal. In practice, enforcement is painfully slow and uneven. National data protection authorities (DPAs) are underfunded, and cross-border investigations can take years to complete. The ad-tech ecosystem, meanwhile, evolves in weeks.
The ePrivacy Regulation, once proposed to tighten rules on cookies, tracking, and communications metadata, was withdrawn by the European Commission in 2025 after years of political and industry resistance. This leaves a gaping hole: it was the only proposal that directly addressed real-time data tracking and the ad-broker ecosystem.
Obviously, behind that political caution lies money. Europe’s digital advertising sector generated around €119 billion in 2024, with giants such as Google, Meta, and numerous intermediaries lobbying aggressively against stricter regulations. In short, privacy competes with profit, and profit still wins.
What You Can Do While They Do Almost Nothing
While legislators debate, individuals can still act. Full anonymity is impossible; mobile networks themselves log your location. However, you can drastically reduce data exposure with a few minutes in your settings.
iPhone (iOS)
-
Limit location sharing.
Settings > Privacy & Security > Location Services > toggle OFF globally or choose each app > While Using the App or Never.
> Disable Precise Location for less accuracy.
-
Block tracking requests.
Settings > Privacy & Security > Tracking > switch off Allow Apps to Request to Track.
-
Restrict background data.
Settings > General > Background App Refresh > OFF globally or per app.
-
Stop analytics sharing.
Settings > Privacy & Security > Analytics & Improvements > turn all options OFF.
-
Review system services.
Settings > Privacy & Security > Location Services > System Services > disable Significant Locations & Routes.
Android
-
Turn off or limit location.
Settings > Location > toggle OFF, or per-app: Settings > Location > App permissions > choose Allow only while using or Don’t allow.
For Android 12+: Settings > Apps > [app] > Permissions > Location > manage Location permissions.
-
Delete advertising ID.
Settings > Security & Privacy > More privacy settings in Privacy section > Ads > tap Delete advertising ID.
-
Restrict background data.
Settings > Apps > [app] > Mobile data > disable Background data.
-
Disable Wi-Fi/Bluetooth scanning.
Settings > Location > Location Services > turn off Wi-Fi and Bluetooth scanning.
-
Pause Google tracking.
Settings > Google > tap your name/email > Manage your Google Account > Data & privacy > turn off Web & App Activity and Location History (Timeline), then delete history.
These actions won’t make you invisible, but they’ll make you a low-value target, and in the data-broker economy, that’s powerful.
Conclusion
The Databroker Files are more than a privacy scandal; they’re a mirror showing how the digital economy has turned personal movement into a commodity. Earlier investigations in the U.S., Israel, and now Europe expose the same truth: the boundary between marketing and surveillance has collapsed.
Every time lawmakers delay, public trust erodes further. Citizens begin to assume that privacy online is impossible, which only normalizes exploitation.
Yet personal agency still matters. Adjusting your settings, questioning the apps you install, and supporting privacy-focused services are small but collective acts of resistance.
Your phone doesn’t have to be an open book. In a world where even diplomats’ movements can be bought and sold, closing a few pages might be the most political gesture you can make.
Monday-Sunday: 5:00am - 8:00pm (PT)
Leave a Comment