Pentagon Knew Enemies Could Track Troops’ Phones for Years – Now They Are
▼ Summary
– The Pentagon received warnings for nearly a decade that commercial location data could reveal the positions of US troops and nuclear weapons, but the warnings were ignored.
– US Central Command has now confirmed that adversaries are using commercial location data to target or surveil US personnel in the Middle East.
– Despite repeated alarms from intelligence agencies and lawmakers, comprehensive privacy legislation has stalled, leaving the data broker industry largely unregulated.
– In 2016, a demonstration showed that purchased location data could track elite US troops from bases in the US to a covert base in Syria.
– Researchers and journalists have shown that data brokers sell detailed information on military personnel, including names and locations, for as little as 12 cents per record, with minimal vetting.
For nearly a decade, the Pentagon received repeated warnings from its own contractors, intelligence analysts, and federal agencies that commercially available location data could expose American troops to enemy targeting. Now, the risk has become a reality on the battlefield. A newly disclosed letter from US Central Command confirms that adversaries are actively using the commercial data broker economy to track and target US forces in the Middle East.
The document, first reported by Reuters, marks the first official acknowledgment that threat actors are exploiting phone location data purchased from data brokers to surveil American personnel in active war zones. US Central Command reports receiving “multiple threat reports concerning adversary exploitation of commercial location data to target or surveil US personnel in theater.” This confirmation lands atop a troubling history of ignored warnings that stretches back years.
The Pentagon was not the only institution to hear these alarms. For the better part of a decade, US lawmakers received similar briefings from intelligence assessments, expert witnesses, and their own colleagues about the dangers of commercially available location data. Yet comprehensive privacy legislation has repeatedly stalled in Washington. The one narrow fix that passed,a requirement that data shared with military contractors not be resold,left the broader, unregulated industry untouched.
One of the earliest warnings came in 2016 at the Joint Special Operations Command compound at Fort Bragg, California. A government technologist demonstrated to senior officers how commercial location data,bought, not hacked,could track phones from Fort Bragg and MacDill Air Force Base in Florida, the home stations of America’s most elite units. The data trail led through Turkey and into northern Syria, where it clustered at a covert forward operating base. The same data was available to any advertiser or foreign intelligence service.
Even as the Pentagon was warned that the location-data marketplace endangered its own people, parts of the department were eager to become its customers. In 2021, the Defense Intelligence Agency disclosed to Congress that it uses commercially purchased phone location data,including on Americans,without a warrant, arguing that none is required. Months earlier, Motherboard reported that the US military was buying location data harvested from popular consumer apps.
In 2023, the Army paid to have the threat spelled out. Researchers at Duke University, working under a grant from the US Military Academy at West Point, set out to buy data on American service members the way a foreign adversary might. They scraped hundreds of data broker websites and found thousands of listings advertising data on military personnel, including datasets titled “Military Families Mailing List” and “Hard Core Military Families.”
The researchers started buying. For as little as 12 cents a record, with almost no vetting, they purchased names, home addresses, health conditions, and financial details on active-duty troops. Posing as a buyer operating through a Singapore-based domain, they also obtained the same kind of data geofenced to Fort Bragg, Quantico, and other installations. One broker offered to skip its identity check if they paid by wire.
A year later, WIRED found the same kind of data flowing through Google’s own advertising platform. Working with data obtained by the Irish Council for Civil Liberties,whose investigator had gained access to a US broker’s audience lists by standing up a fake analytics firm,WIRED identified marketing “segments” on Google’s Display & Video 360 that singled out US government employees deemed “decisionmakers” working “specifically in the field of national security.” Other lists targeted people who work for companies licensed to build missiles, space-launch vehicles, and the cryptographic systems that protect classified data.
The Irish Council for Civil Liberties investigator said he expected to have his cover story tested. “When I signed up, there was no questions asked whatsoever,” he told WIRED at the time. “I could have been anybody.”
(Source: Wired)