The Pentagon Knew Enemies Could Track Troops’ Phones for Years. Now They Are

For nearly a decade, the Pentagon received persistent warnings from its own contractors, analysts, and intelligence agencies regarding the alarming ease with which commercially available location data could be exploited. These warnings, which highlighted the risk of enemies purchasing detailed maps of where American troops sleep, work, and even store nuclear weapons, have now materialized into a critical security threat. US Central Command (CENTCOM) has officially acknowledged receiving “multiple threat reports concerning adversary exploitation of commercial location data to target or surveil US personnel in theater,” marking the first formal confirmation that the burgeoning data-broker economy is actively being used to hunt American forces in the Middle East. This revelation underscores a long-standing pattern of unheeded warnings. For the better part of a decade, US lawmakers were privy to the same alarms about the dangers of commercially available location data, echoing the intelligence assessments presented to the Pentagon. Despite these repeated warnings from witnesses and their own colleagues, comprehensive privacy legislation in Washington has consistently stalled. The solitary, narrow fix that did pass—a requirement that data shared with military contractors not be resold—proved woefully inadequate, leaving the broader, multi-billion-dollar data brokerage industry largely untouched and unregulated. One of the earliest and most striking demonstrations of this vulnerability occurred in 2016. At the Joint Special Operations Command compound at Fort Bragg, a government technologist showed senior officers how commercial location data, acquired legally rather than through hacking, could track phones from elite US military bases like Fort Bragg and MacDill Air Force Base, through Turkey, and into a covert forward operating base in northern Syria. This same highly sensitive data, capable of revealing troop movements and concentrations, was readily available to any advertiser or foreign intelligence service, highlighting a severe systemic flaw. Paradoxically, even as the Pentagon was being warned about the dangers of the location-data marketplace, certain departments within it were eager to become customers. In 2021, the Defense Intelligence Agency (DIA) disclosed to Congress its practice of using commercially purchased phone location data, including on American citizens, without a warrant, asserting that none was required. Months prior, reports indicated that the US military was actively buying location data harvested from popular consumer applications, further blurring the lines between national security and commercial exploitation. The extent of this threat was further detailed in 2023 when the Army commissioned researchers at Duke University, under a West Point grant, to simulate an adversary's data acquisition process. These researchers easily scraped hundreds of data broker websites, finding thousands of listings for military personnel data, including “Military Families Mailing List.” For as little as 12 cents per record, and with minimal vetting, they purchased names, home addresses, health conditions, and financial details of active-duty troops. Posing as a buyer from Singapore, they even obtained geofenced data for installations like Fort Bragg, with one broker offering to bypass identity checks for wire payments. A subsequent 2024 investigation by WIRED, collaborating with the Irish Council for Civil Liberties, revealed similar data flowing through Google's advertising platform. They identified marketing “segments” on Google's Display & Video 360 specifically targeting US government “decisionmakers” in national security, alongside lists for employees of companies building missiles, space-launch vehicles, and cryptographic systems. A prior WIRED investigation in late 2024, working with German outlets, obtained a “free sample” of 3.6 billion location coordinates from a Florida broker, showing the daily movements of 12,313 American military and intelligence personnel across 11 US installations in Germany, including highly sensitive sites like Büchel Air Base, where nuclear weapons are believed to be stored. The Pentagon's response, urging individual service members to follow operational security protocols, has been consistently shown to be insufficient by its own commissioned research, including a May 2025 Army Cyber Institute report highlighting pervasive commercial trackers on unclassified networks and simple, systemic fixes.