Lawmakers Seek Pentagon’s Explanation on Location Data Threats

A bipartisan group of lawmakers is pressing the Pentagon for answers after U.S. Central Command disclosed that foreign adversaries are potentially using commercially available location data to track U.S. military personnel stationed abroad.

In a letter addressed to Army Chief Information Officer Kirstin Davis, the lawmakers—led by Oregon’s Democratic Senator Ron Wyden and Republican Representative Pat Halligan—expressed concerns that the Pentagon is not taking adequate measures to safeguard U.S. service members from risks related to counterintelligence and military protection. They highlighted the issue of data brokers selling personal information, especially cell phone location data.

The information, as provided by U.S. Central Command, indicated that it had received several reports suggesting adversaries were likely to exploit commercial location data to monitor U.S. troops.

The lawmakers are focusing on the considerable data broker market that gathers and sells location data from smartphones, apps, and advertising networks. This information could be accessed by adversaries to pinpoint military bases, observe troop movements, or track individual service members.

They criticized the Pentagon for not addressing these vulnerabilities adequately, despite being aware of them for years. “The ability of foreign adversaries to purchase location data from the cell phones of U.S. personnel in military hotspots reflects a failure in prioritizing this threat and implementing straightforward cyber defenses,” they wrote.

According to the May communications with lawmakers, CENTCOM only began allowing the disabling of location sharing on government smartphones. However, advertising identifiers—which are used by data brokers and advertisers to track devices—remain activated on these government-issued devices, contradicting long-standing cybersecurity recommendations.

The lawmakers are urging the Pentagon to disable these advertising identifiers on all government smartphones and to instruct personnel to do the same on personal devices while abroad and within military facilities. They also suggested replacing web browsers that collect advertising data with privacy-focused alternatives that include anti-tracking features.

The Defense Department has been aware of the security risks associated with commercially available location data for some time. For instance, in 2018, a fitness tracking app inadvertently revealed military personnel’s locations by publishing a global heatmap. Other fitness apps and location services have raised similar concerns, potentially compromising military sites and identifying service members.

While the Army has put restrictions on the use of geolocation apps and devices in operational areas, lawmakers assert that more fundamental protections to limit the collection and sale of such data have not been fully realized.

Experts in cybersecurity emphasize that the concerns extend well beyond fitness tracking applications. “A vast commercial data ecosystem is actively collecting location data from users,” noted Justin Sherman, CEO of Global Cyber Strategies. He pointed out that foreign adversaries could easily acquire this information through data brokers and digital advertising networks.

According to Sherman, if foreign adversaries recognize that such American data is readily available in the commercial market, they might think, “Why hack it when you can just buy it?” This opens the door for them to exploit gaps in U.S. privacy laws and the weaknesses in data protection frameworks globally, making it easier to obtain sensitive location information.

Once acquired, this data can be used to identify individuals, monitor their movements, and create detailed profiles of their daily patterns, which can pose significant risks to military personnel and their families. “This isn’t just a personal privacy issue—it’s a serious national security concern,” Sherman added.

The lawmakers’ concerns bring to light important questions about the extent of access foreign adversaries have to commercially available data and whether existing Pentagon measures are adequate to ensure the safety of U.S. forces in sensitive areas.