For almost a decade, U.S. defense officials have been alerted by contractors, analysts, and intelligence sources about significant vulnerabilities associated with commercially available location data. Despite these ongoing warnings, sensitive information detailing where American troops are stationed, including the locations of their operational and nuclear facilities, has remained accessible to anyone with a credit card. Recently, the consequences of this oversight became evident in a conflict zone.
Newly released documentation indicates that U.S. Central Command has received numerous reports indicating that adversaries are exploiting commercial location data to track and target U.S. military personnel in operational theaters. This marks the first formal acknowledgement from military leadership regarding the use of data brokers to locate American forces in the Middle East.
This alarming situation was brought to light through a report from a prominent news outlet, which obtained the Central Command correspondence. However, the confirmation only scratches the surface of a longer, troubling history that highlights a continuous pattern of negligence.
U.S. lawmakers have been exposed to similar warnings regarding the threats posed by accessible location data, stemming from the same intelligence reports shared with the Pentagon. Yet multiple attempts to establish comprehensive privacy legislation in Washington have stalled. While a narrow legislative measure was enacted—prohibiting the resale of location data shared with military contractors—the broader ecosystem remains largely untouched.
Warnings began as early as 2016. At a classified briefing for senior officers at Fort Bragg, a government technologist showcased how commercially acquired location data, rather than illicit hacking, could track mobile devices from key military bases through various countries and into operational sites in Syria. That same data was easily available to advertisers and foreign intelligence services alike.
Even as alerts about the dangers of location data flooding the marketplace were being issued, certain Defense Department sectors actively sought to engage with this market. The Defense Intelligence Agency revealed to Congress in 2021 that it was actively utilizing commercial location data, including that of American citizens, without the need for a warrant, asserting that no such requirement exists. Earlier reports had indicated the military was purchasing location data harvested from widely used consumer applications.
In 2023, further investigations underscored the emerging threats. Researchers at an esteemed university, operating under a military grant, sought to purchase data on American service members as if they were foreign adversaries. They discovered thousands of listings advertising sensitive information about military personnel, including marketing datasets targeting “Military Families” and “Hard Core Military Families.”
As part of their research, they managed to procure detailed personal information, such as home addresses and health conditions, at an astonishingly low cost, with little to no verification. Their operations led them to acquire data geofenced around key military installations, further highlighting the ease of access that exists within these data broker systems.
Close to a year later, a different investigation identified similar data streams circulating within well-known advertising platforms. Analysts were able to identify specific demographic segments targeting government employees involved in national security and those engaged with companies manufacturing sensitive military technologies.
The implications of these developments raise considerable security concerns. The tactics involved suggest adversaries could be leveraging initial access strategies, exploiting unguarded data pathways to assemble intelligence on military efforts. This highlights the need for ongoing vigilance and robust cybersecurity measures to protect sensitive information in an increasingly interconnected digital landscape.