Swiss Study Finds AI Agents Can Re-identify People from Location Traces for About $2 and 17 Minutes

A new arXiv preprint from Swiss researchers says autonomous AI agents were able to re-identify people from location traces using only public web sources, at an average cost of about $2.24 and 17 minutes per target in their test sample. The June 26 paper, “Agentic AI-Powered Re-Identification: An Emerging, Scalable Threat to Mobility Microdata Privacy,” by Oscar Thees, Roman Müller and Matthias Templ of the University of Applied Sciences and Arts Northwestern Switzerland, presents the result as a feasibility study rather than a broad estimate of how often such attacks would work in the real world.

Why that matters is not that mobility data can reveal identity. That has been understood for years. The paper’s claim is narrower and more operational: large language model-based agents may now automate much of the work that once required time-consuming manual searches, potentially making re-identification cheaper, faster and more scalable. As the arXiv preprint puts it, “In this feasibility study, we demonstrate in a real world setting that agentic AI fundamentally changes this threat model.”

The researchers evaluated the system on a convenience sample of 43 participants in Switzerland. Rather than buying or using real broker data, they generated simulated GPS traces around participants’ true home addresses and, where applicable, work addresses; the paper says participants explicitly consented to the use of those addresses in the experiment. The attacker model assumed access to raw GPS mobility traces of the type that could be obtained from a commercial data broker, plus publicly available web sources including search engines, public registers, directories and social media. The paper says the system used no deception and no fake accounts. “Our results demonstrate that, from spatio-temporal data and public sources alone, our agentic AI successfully re-identified 18 of the 25 re-identifiable individuals (72%) and 18 of 43 cases overall (41.9%),” the arXiv preprint says. When the system produced a named candidate, it was correct in 18 of 19 cases, or 94.7% precision.

Operationally, the paper describes a setup using LLM agents orchestrated through Anthropic’s Claude Code CLI, with claude-sonnet-4-6 as the primary model and authorized web search and fetch tools. “Across the 43 evaluation runs, each attempt cost on average $2.24 in API charges at list prices … and took on average 17 minutes of unattended computation,” the arXiv preprint says. All 43 runs were completed in a single day through parallelization, according to the paper.

The underlying privacy risk is not new. In 2013, a study by Yves-Alexandre de Montjoye and colleagues found that four spatio-temporal points could uniquely identify about 95% of people in a large mobile-phone dataset. That work helped establish how distinctive human movement patterns can be. What is new in the Swiss paper is the argument that modern AI agents can carry out the linking work at low cost and with limited human involvement.

The authors also frame the findings as relevant to GDPR Recital 26, part of the European Union’s privacy law framework that assesses whether someone is identifiable using “all the means reasonably likely to be used,” taking account of available technology, cost and time. In plain terms, data does not necessarily count as anonymous if identifying people from it is practical with tools that are realistically available. The paper argues that agentic AI shifts that calculation by reducing the labor and expense needed to connect mobility traces to named individuals.

The authors also stress the limits of what they tested. The sample was small, limited to Switzerland and based on simulated traces rather than traces taken directly from broker datasets. They withheld the dataset, code, prompts and agent skills to avoid facilitating misuse. And they present the work as a proof of concept, not a population-level estimate of how often supposedly anonymized location data can be re-identified.