US Troops Targeted Using Commercial Location Data

US military personnel deployed to active war zones have been targeted using commercially available location data, according to threat reports received by US Central Command (Centcom). The disclosure marks the first official confirmation that US forces in theatre have faced this kind of targeting, and it is drawing sharp criticism from lawmakers who say the Pentagon has moved too slowly to protect its own troops.

Centcom confirmed the threat in an April 14 letter shared with Reuters by Senator Ron Wyden, an Oregon Democrat. The letter said Centcom had received multiple threat reports about adversaries exploiting commercial location data to target or surveil US personnel. It offered no further specifics, but Centcom's area of responsibility includes the Gulf region, where US forces are currently in a standoff with Iran over the Strait of Hormuz.

How location data becomes a weapon

The mechanics are straightforward but hard to defend against. Apps and service providers routinely collect precise location data from smartphones and other devices. That data is sold to data brokers, who package and resell it through networks of intermediaries, often for digital advertising purposes. Anyone willing to pay, including foreign military and intelligence services, can buy it.

A letter sent Thursday to the Pentagon by Wyden and a bipartisan group of lawmakers spelled out the risk plainly: commercial location data can reveal where troops gather and their patterns of movement, which adversaries can use to direct missile strikes, drone attacks, and roadside bombs, and for counterintelligence purposes. The letter said lawmakers had repeatedly tried to get more detail from military officials about the reported targeting and had gotten nowhere.

This is not a new vulnerability. As far back as 2016, a US defence contractor used commercially available location data to track special operations forces from their bases in the United States to a sensitive staging post in Syria, a case first reported by The Wall Street Journal. More recently, journalists at Wired and two German news outlets used billions of location coordinates from a data broker to map the detailed movements of people at or near 11 US military and intelligence sites in Germany.

What lawmakers want the Pentagon to do

The bipartisan letter, cosigned by Representative Pat Harrigan, a North Carolina Republican and former US Army Special Forces officer, listed concrete steps the Pentagon should have already taken. These include disabling the unique advertising ID on military-issued devices, automatically turning off location sharing on smartphones used in the field, and moving personnel away from Google's Chrome browser toward more privacy-focused alternatives.

Harrigan was direct, saying browsers like Chrome are built to collect and share user data, and that every day they remain on government-issued devices gives adversaries a tool against US troops. In response, Alphabet's Google said Chrome has industry-leading security and that the company has long pushed for stronger rules governing data brokers.

Wyden went further, calling on the government to treat the adtech industry itself as a national security threat. The Interactive Advertising Bureau and the Association of National Advertisers did not respond to requests for comment. The Pentagon also did not respond to messages seeking comment on the matter.

The core problem is structural. The same data pipeline that powers targeted advertising on consumer apps is openly accessible on commercial markets with few restrictions. There is no rule preventing a foreign government from purchasing the same location feeds that advertisers use to serve ads. Until the government either mandates restrictions on what data brokers can sell to foreign buyers, or forces changes to how devices issued to military personnel handle tracking, the exposure persists.

The next pressure points to watch are whether the Pentagon responds to the lawmakers' letter with concrete policy changes, whether Congress moves to regulate data broker sales to foreign entities, and whether the Department of Defense takes administrative steps, like disabling advertising identifiers on issued devices, that do not require new legislation. The threat reports Centcom has already received suggest the risk is not theoretical.