Databroker Files: officials for sale

In November 2025 a cross-border investigation led by netzpolitik.org, with Bayerischer Rundfunk, L’Echo, Le Monde and BNR, showed that the movements of senior EU and NATO personnel could be reconstructed from data sold by the advertising industry. The reporters obtained a sample of roughly 278 million location records from Belgium, drawn from ordinary smartphone apps and traded through commercial data brokers, and traced devices back to the buildings where European security is administered.

What the data showed

The sample carried location pings tied to advertising identifiers, the per-device codes that ad networks use to follow a phone across apps. Inside three of the most sensitive addresses in Brussels the pattern was unambiguous: about 2,000 pings from 264 devices at the Commission’s Berlaymont headquarters, roughly 5,800 pings from 756 devices at the European Parliament, and 9,600 pings from 543 devices at NATO headquarters. Belgian military sites appeared in the set as well.

From those traces the reporters privately identified five people working or formerly working for EU institutions, three of them in senior positions, among them a top Commission official, a high-ranking diplomat and staff of the European External Action Service. Two confirmed that the home and workplace locations in the data were accurate.

Bought, not hacked

Nothing here was hacked. The data was collected legally, for advertising, and sold on an open market; the reporters obtained preview sets without paying, having previously sourced material through the Berlin marketplace Datarade. The commercial data layer, elsewhere an extension of state capability, is in this case the whole of it. A foreign service would not need to intercept anything to build a pattern of life on a named official, only to buy it.

Reporting on the investigation noted that NATO’s own strategic-communications researchers had warned as early as 2021 that commercially traded advertising data could be exploited for espionage. The files make the warning concrete. The European Commission called the trade a concern, issued guidance to staff on ad-tracking settings for work and personal devices, and notified member-state incident-response teams. That the response is a settings guide, rather than a rule the market has to follow, is the legal gap, seen from the inside.

Last reviewed: 2026-07-08.