A report by the United States Central Command (CENTCOM) warns that deployed U.S. personnel could be tracked using commercially available location data.
Location data is collected from smartphones, apps, and various online services that ordinary users and U.S. soldiers frequently use. Data brokers buy and aggregate the information before selling it to third parties.
However, adversaries could also buy and use location data to identify where troops converge and their daily routines and leverage that information to plan attacks or perform counterintelligence operations.
“Commercial location data can be used to identify where U.S. troops congregate and their pattern of life, which can be exploited by adversaries to target attacks such as missiles, drones, and roadside bombs, as well as for counterintelligence purposes,” states a letter written by a bipartisan group of legislators.
Adversaries use location data to target U.S. troops
CENTCOM says it had evidence of adversaries using location data on multiple occasions to target or spy on deployed U.S. military personnel. CENTCOM’s theatre of operation includes the Middle East, where U.S. forces are battling the Iranian Revolutionary Guard Corps (IRGC) to reopen the Strait of Hormuz.
According to U.S. Senator Ron Wyden (D-OR), one of the authors, adtech technology poses a national security threat, and the Pentagon should start treating it as such: “DoD must immediately adopt common sense cyber protections to prevent the sale of location data that can undermine national security and risk the lives of U.S.personnel.”
Meanwhile, the Department of Defense (DoD) has yet to disclose whether the IRGC had leveraged commercial location data to target U.S. forces in the Middle East. Nevertheless, the letter warned that foreign adversaries could still buy commercially available location data to target the U.S. military.
Subsequently, the legislators blamed the DoD for failing to “prioritize this threat and implement common sense cyber defenses recommended by federal cybersecurity experts.”
Department of Defense fails to act on misuse of location data
The legislators warned that, over the last decade, the Department was aware of the threat posed by location data to deployed U.S. military personnel.
A report submitted by a military contractor in 2016 demonstrated that they could track smartphones on U.S. military bases involved in special operations in Syria, and trace them to an abandoned cement factory. In 2024, journalists tracked U.S. military personnel at 11 military bases in Germany, including their off-base activity, using data from 11 million devices bought from a data broker.
“Adtech can geolocate a person or group of people,” said Josh Marpet, Senior Product Security Consultant, Finite State. “Surprised? You shouldn’t be. 20 years ago, Motorola made a system to see when your bluetooth enabled phone walked into a store, so they could send you a coupon to keep you in the store and make you buy. Strava revealed just about every secret US Military base, the world over. And now ads, targeted, personalized, and geo-located, are showing where our servicemembers are, wherever they go in the great green earth.”
In 2017, mobile fitness app Strava revealed the locations of U.S. military sites in the Middle East, after releasing a Global Heat Map of its users. In 2018, the DoD banned the use of apps that share location data in operational areas.
Additionally, the DoD continued to purchase location data from the same contractor and others, thereby encouraging the industry’s growth.
“As Motherboard reported in 2021, DoD was purchasing location data sourced from Muslim prayer and dating apps,” the letter stated. “In 2022, the Defense Intelligence Agency revealed to Congress that it buys and searches domestic location data without a warrant.”
Subsequently, the letter recommended disabling advertising IDs and location sharing on military-issued devices and migrating from the Chrome browser to more privacy-focused alternatives. According to North Carolina’s Republican U.S. Representative Pat Harrigan, a former U.S. Army Special Forces officer, browsers like Chrome were built from the ground up to collect user data.
“Instead, DoD should pre-install on DoD devices and require the use by DoD personnel of privacy-focused web browsers that protect users with anti-tracking cyber defenses, such as ad blocking and the Global Privacy Control (GPC), which is already enforced by law in 12 states,” the letter adds.
Both Apple’s iOS and Google’s Android use unique advertising IDs to enable advertisers and data brokers to uniquely identify and track users. However, both operating systems enable users to opt in or out. Nevertheless, the feature is enabled on most government-issued smartphones.
The DoD should also coordinate with states, such as California, that have universal data broker Delete Request and Opt-out laws, compelling data brokers to delete collected user data.
Meanwhile, the legislators acknowledged that the DoD recently rolled out “the capability to administratively disable location sharing on smartphones.”
