Where Trust Fails: Mapping Location-Data Provenance Risks in Europe

TL;DR

This paper analyzes location-data provenance risks in Europe, proposing a taxonomy and design principles for trustworthy, contestable location evidence to enhance digital sovereignty and security.

Contribution

It introduces a risk taxonomy for provenance failures and advocates for location as a verifiable evidence-bearing claim in digital trust infrastructure.

Findings

Identifies patterns of provenance failures across sectors.

Proposes a taxonomy decomposing failure modes.

Suggests proof-of-location as a key mechanism for trust.

Abstract

European digital sovereignty and security increasingly depends on whether high-impact decisions can be grounded in location evidence that remains credible under adversarial pressure. This paper frames a cross-sector analysis as a location-data provenance problem: not merely what a device or service reports as location, but whether there is contestable evidence about where and when an asserted event occurred, who or what produced the assertion, and under which audit and retention guarantees. There are observable patterns across democratic processes and the information environment, trade and origin-sensitive supply chains, finance and illicit shipping flows, critical infrastructure and mobility, and harms targeting individuals' private and social domains. In these patterns we see a recurring asymmetry in which locality, presence, routing, or jurisdiction can be asserted cheaply while institutions and affected parties face costly reconstruction when disputes arise. To make this challenge actionable, this paper introduces a compact risk taxonomy that decomposes provenance failures into integrity axes and recurring failure modes, and derives design expectations for next-generation digital trust infrastructure centered on contestability under dispute, while remaining privacy- and rights-compatible. It argues for treating location as a digital primitive that should be represented as evidence-bearing claims rather than self-asserted coordinates, and positions proof-of-location (PoL) mechanisms as a candidate capability layer for producing verifiable presence claims under explicit threat and privacy assumptions. The outcome is a sector-neutral foundation for future architectural work on a next-generation digital trust infrastructure for Europe.