A bipartisan group of lawmakers has requested information from the Pentagon following disclosures from U.S. Central Command (CENTCOM) about threats posed by foreign adversaries using commercially available location data to target American military personnel overseas. In a letter addressed to War Department Chief Information Officer Kirsten Davies, Senators Ron Wyden and Representative Pat Harrigan expressed concerns that the Pentagon has not taken adequate measures to protect military personnel from risks associated with the collection and sale of personal information, including cell phone location data, by data brokers.
The lawmakers referenced information from CENTCOM, which indicated it had received multiple reports regarding the exploitation of commercial location data by adversaries to surveil U.S. personnel. They highlighted the commercial data broker industry, which collects and sells location information from smartphones and apps, as a significant concern, noting that adversaries could potentially use this data to identify military bases and track troop movements.
The letter criticized the Pentagon for not addressing this known vulnerability, stating that the ability of foreign adversaries to purchase location data from U.S. personnel's phones is a result of the Department of Defense's (DOD) failure to prioritize this issue and implement recommended cybersecurity measures. According to the letter, CENTCOM only recently implemented a capability to disable location sharing on government-issued smartphones and has not disabled advertising identifiers on these devices, despite recommendations from cybersecurity experts.
The lawmakers urged the Pentagon to take immediate steps to disable advertising identifiers on government smartphones and to guide personnel on disabling such features on personal devices used in military contexts. They also called for replacing web browsers that allow advertising-related data collection with privacy-focused alternatives.
The Pentagon has been aware of the security risks associated with commercially available location data for several years. In 2018, the Strava fitness app inadvertently revealed sensitive locations of military personnel through a global activity heat map. Although the DOD issued guidance to limit the use of applications that share geolocation data in operational areas, lawmakers argue that more fundamental protections against the collection and sale of location information have not been fully implemented.
Cybersecurity experts have indicated that the issue extends beyond fitness applications, as a wide range of commercial systems collect and sell location data. Justin Sherman, CEO of Global Cyber Strategies, noted that foreign adversaries can exploit gaps in U.S. privacy laws and the widespread availability of U.S. data on the commercial market. He emphasized that the sale of location data poses a significant national security threat to military personnel and their families, allowing adversaries to track movements and build detailed profiles of individuals.
