A bipartisan group of lawmakers is seeking answers from the Pentagon following disclosures from U.S. Central Command regarding threats posed by foreign adversaries using commercially available location data to target American military personnel overseas. In a letter to Chief Information Officer Kirsten Davies, Senators Ron Wyden and Representative Pat Harrigan expressed concerns that the Pentagon has not implemented adequate measures to protect military personnel from risks associated with the collection and sale of personal information, including cell phone location data, by data brokers.
The lawmakers referenced information from U.S. Central Command, which reported multiple instances of adversaries exploiting commercial location data to surveil U.S. personnel. They highlighted the commercial data broker industry, which gathers and sells location information from smartphones and applications, as a significant threat. The lawmakers noted that adversaries could potentially purchase this data to identify military installations and monitor troop movements.
The letter criticized the Pentagon for not addressing this vulnerability, which has been recognized for years. The lawmakers stated that the ability of foreign adversaries to buy location data from U.S. personnel is a result of the Department of Defense's failure to prioritize this issue and implement recommended cybersecurity defenses.
According to the letter, U.S. Central Command only recently introduced a capability to disable location sharing on government-issued smartphones. The lawmakers also pointed out that advertising identifiers on these devices remain active, despite recommendations to disable them.
They urged the Pentagon to disable advertising identifiers on all government-issued smartphones and to provide guidance for personnel regarding personal devices used overseas. Additionally, they called for replacing web browsers that facilitate data collection with privacy-focused alternatives.
The Pentagon has been aware of the security risks associated with commercially available location data for several years. In 2018, a fitness-tracking app inadvertently disclosed the locations of military personnel through a global heat map. Although the War Department issued guidance to limit the use of applications that share geolocation data, lawmakers argue that more fundamental protections are still lacking.
Cybersecurity experts emphasize that the issue extends beyond fitness applications, as the commercial data ecosystem collects extensive location information from various digital services. Justin Sherman, CEO of Global Cyber Strategies, noted that foreign adversaries can exploit gaps in U.S. privacy laws and obtain location data through data brokers and digital advertising networks. He warned that the sale of location data poses a serious national security threat to military personnel and their families.