For many individuals, the act of downloading smartphone applications and granting them access to location data has become a routine part of daily life. However, for U.S. military service members and their families, this seemingly innocuous action carries significant security risks, potentially offering foreign adversaries opportunities to compromise personal safety and information security, according to information security experts and U.S. lawmakers.
U.S. Central Command (CENTCOM) has previously informed members of Congress about documented instances of this threat. During Operation Epic Fury, a campaign primarily directed against Iran, CENTCOM “received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil U.S. personnel in theater.” This alarming disclosure was highlighted in a May 28 letter sent to the Pentagon by Senator Ron Wyden (D-Ore.) and Representative Pat Harrigan (R-N.C.), alongside several other legislators. The letter expressed profound concern that the Department of Defense (DOD) has not yet deactivated the advertising data feature on government-issued Apple and Android smartphones, a feature designed to share user location and other personal data with the commercial advertising industry.
Lawmakers contend that foreign adversaries can readily acquire this sensitive information from hundreds of data brokers. By purchasing commercially available data, these actors can determine where service members reside and track their daily patterns and movements. The congressional letter explicitly states, “The Department of Defense has not taken basic steps to protect U.S. military personnel from the serious counterintelligence and force protection threat posed by the collection and sale of personal information, including cell phone location data, by data brokers.”
This threat is not merely theoretical, according to Clayton Swope, a senior fellow at the Center for Strategic and International Studies (CSIS) and an information security expert. Despite an increased general awareness of cybersecurity issues, many service members and their families may not fully comprehend the ease with which foreign adversaries can locate and monitor them. Each time an application is downloaded, users are typically prompted to decide whether the app can share their location and online activity data for the purpose of delivering personalized advertisements. When service members grant this permission, they inadvertently create a potential vulnerability.
“This isn’t sophisticated,” Swope explained to Air & Space Forces Magazine. He elaborated that anyone can purchase advertising data from data brokers and then utilize artificial intelligence (AI) tools to quickly identify individuals who reside in military housing near bases under surveillance. Each smartphone possesses a unique advertising identifier linked to the user. While these identifiers are intended to be anonymous, adversaries can glean substantial intelligence by consistently tracking a phone’s location.
Swope described the process: “Did it hang out on a U.S. military base? Did it go and hang out in military housing from 10 p.m. to 6 a.m.? And then you could figure out from that pattern of life.” He further emphasized the lack of public understanding regarding this specific danger: “Right now, I don’t feel like people understand this threat enough to know what you’re giving away when you might say yes, allow that app to track me. … Someone might want to target you or your family.”
Around the same period that lawmakers sent their letter to the Pentagon, Chief Master Sergeant of the Space Force John Bentivegna’s official Instagram account was compromised with Iranian propaganda. This incident served as a stark reminder that cyber threats are constantly evolving and can affect anyone, regardless of their position. According to various tech-focused media outlets, a hacker reportedly manipulated Meta’s AI support assistant bot to reset the account password. Experts suggest that such an incident might have been prevented through the use of multifactor authentication (MFA), which typically involves a one-time code sent via SMS or an authenticator app.
Bentivegna addressed the incident in a statement, noting, “Threats we face online are constantly evolving, and no one is immune, from individuals to large organizations. Taking simple steps like using strong passwords, enabling multifactor authentication, and staying alert to suspicious activity can go a long way toward protecting yourself and those around you.” However, experts clarify that the threat posed by adversaries exploiting commercial advertising data to target service members is distinct from incidents stemming from poor cybersecurity hygiene, like the Instagram hack.
“It’s very different than the threat that would come from poor cybersecurity hygiene; it really translates more into the physical realm than when you think of your vulnerability in cyberspace,” Swope stated. He elaborated that this particular threat “is taking advantage of information that is available for purchase legally … to do harm to service members.”
In April, CENTCOM informed Congress that the advertising ID feature remained active on government-issued smartphones. However, the command also indicated that the Defense Information Systems Agency (DISA) is actively testing a capability to disable this feature. Additionally, CENTCOM reported that it had deployed a capability in May to administratively disable location sharing on smartphones. Despite these steps, the lawmakers’ letter reflects continued concern over the pace and comprehensiveness of the DOD’s response.
Members of Congress are urging the Pentagon to implement more robust protective measures for service members. Their demands include disabling the “advertising ID on all DOD-issued smartphones and issue a policy mandating that DOD personnel disable the advertising ID on all personal phones brought onto DOD facilities or taken to overseas deployments.” Senator Wyden’s office confirmed to Air & Space Forces Magazine that the Pentagon has not yet formally responded to their letter. A Defense Department official, adhering to standard policy, declined to comment on congressional correspondence.
Retired Air Force Brig. Gen. Gregory Touhill, a former federal chief information security officer now at Carnegie Mellon University, affirmed that it is “perfectly reasonable” for Senator Wyden and other lawmakers to seek clarification from the Defense Department regarding its plans to address this issue. Touhill estimated the global presence of approximately 3,000 data brokers, with over 500 registered in California alone, underscoring the vast and unregulated nature of the data market.
The problem extends beyond government-issued smartphones to encompass a wide array of personal electronic devices utilized by service members and their families. This includes personal phones, iPads, smartwatches, fitness trackers, and other wearable technologies. “These are trackable,” Touhill warned, referring to this collective data footprint as “digital exposure.”
Touhill highlighted a historical complacency within the cybersecurity community: “For many years, cyber experts have been saying ‘hey, this could do this and this could do that,’ and folks said ‘oh, you guys are just the science fiction naysayers; you go to the default of doom.'” He stressed the critical need for command-level discussions and comprehensive education to better manage this pervasive risk to the force. “If we don’t educate up and down the chain as to what the risks are and how to mitigate those risks, we’re suboptimizing our ability to conduct the missions in an AI enabled, analytical world,” Touhill asserted.
Swope identified disabling the ad targeting feature on government smartphones as the “most sensible” immediate solution. Until such comprehensive measures are implemented, he advised service members to consistently deny applications permission to track their location for advertising purposes. “Does that minimize all risk? No, but it buys down your risk every time you click—don’t track me, because that’s one less app that has that data that then could sell it to a third party.”
He clarified that while some apps genuinely require geolocation data to function, users can still deny them the right to use that data for advertising. “Some of these apps need your geolocation in order for it to function, so there’s still the potential to be exposed. You’re just saying you’re denying them essentially the right to use that in a way that kind of creates this vulnerability through the third-party data brokers.”
Why This Matters
The exploitation of commercial location data poses a significant and evolving national security threat, directly impacting the safety and operational effectiveness of U.S. military personnel. Unlike traditional cyber threats that target digital infrastructure or information, this vulnerability leverages legally purchased commercial data to create real-world, physical risks for service members and their families. This issue highlights several critical concerns:
- Direct Threat to Personnel and Operations: Adversaries using readily available data can identify, track, and potentially target military personnel, their residences, and their movements both domestically and abroad. This capability can compromise ongoing operations, intelligence efforts, and force protection, transforming routine personal activities into potential security breaches.
- Escalating Counterintelligence Risks: The ability for foreign actors to easily access and analyze “patterns of life” data on service members creates a fertile ground for counterintelligence operations, including recruitment attempts, surveillance, and harassment, making it harder for the U.S. to protect its personnel and sensitive information.
- Erosion of Trust and Morale: If service members and their families feel that their personal data is not adequately protected by their own government, it can erode trust in institutional safeguards and negatively impact morale, potentially affecting retention and willingness to serve in sensitive roles.
- Broader Implications for Data Privacy: This situation underscores the broader societal challenge of pervasive data collection by commercial entities. For military personnel, who often operate in sensitive environments, the intersection of commercial data practices and national security creates a unique and urgent privacy dilemma that extends beyond typical consumer concerns.
- Urgent Need for Policy and Education: The lack of comprehensive policies within the DOD to address this specific threat, coupled with a perceived lack of awareness among service members, indicates an urgent need for robust regulatory frameworks, mandatory technical safeguards on government-issued devices, and extensive education campaigns for all military personnel and their families regarding their “digital exposure.” This includes developing clear guidelines for both government-issued and personal devices, particularly when operating in sensitive areas.
- Evolution of Warfare: The weaponization of commercially available data represents a new frontier in hybrid warfare, where adversaries can achieve strategic objectives without direct military confrontation, using information gleaned from seemingly benign consumer interactions. Addressing this requires a re-evaluation of security paradigms that often focus on classified information while overlooking the vulnerabilities inherent in unclassified commercial data streams.
Ultimately, the ability of adversaries to purchase and exploit commercial location data is not just a privacy issue; it is a fundamental national security challenge that demands immediate and comprehensive action from the Department of Defense and policymakers.