A newly revealed letter shows that the warnings fell on deaf ears: US Central Command has now confirmed that it has received “multiple threat reports related to the adversarial exploitation of commercial location data to target or monitor US personnel in theater” – the first official acknowledgment that the data-broker economy is being used to prey on US forces in the Middle East.
The targeting was first reported by Reuters, which obtained the Centcom letter. But confirmation atop a record that is longer and more damaging than a single document might suggest.
For most of a decade, US lawmakers have heard the same warnings about the dangers of commercially available location data that the Pentagon has heard – from the same intelligence assessments, from witnesses, from their own allies. Yet comprehensive privacy legislation has repeatedly stalled in Washington, and the one narrow fix that passed — a requirement that data shared with military contractors not be resold — left the broader industry untouched.
One of the earliest warnings came in 2016. At the Joint Special Operations Command complex at Fort Bragg, California, a government technologist briefed senior officials demonstrated how commercial location data — purchased, not hacked — could track phones from Fort Bragg and MacDill Air Force Base in Florida, home stations to America’s most elite units, through Turkey and into northern Syria, where they were clustered at a secret forward operating base. The same data was available to any advertiser or foreign intelligence service.
Even though the Pentagon had been warned that the location-data marketplace was putting its own people at risk, parts of the department were eager to become its customers. The Defense Intelligence Agency disclosed to Congress in 2021 that it uses commercially purchased phone location data – including from Americans – without a warrant, taking the position that none is needed. Months ago, Motherboard reported that the US military was purchasing location data obtained from popular consumer apps.
In 2023, the military pays to eliminate the threat. Researchers at Duke University, working under a grant from the U.S. Military Academy at West Point, planned to buy data on U.S. service members the way a foreign rival might. They scoured hundreds of data broker websites and found thousands of listings advertising data on military personnel, including datasets titled “Military Families Mailing List” and “Hard Core Military Families.”
Researchers started shopping. For as little as 12 cents per record, with almost no vetting, they purchased the names, home addresses, health status and financial details of active-duty soldiers. Posing as buyers working through a Singapore-based domain, they also obtained the same type of geofenced data for Fort Bragg, Quantico and other installations. One broker offered to skip their identity checks if they paid by wire.
A year later, WIRED found the same type of data flowing through Google’s own advertising platform. Working with data obtained by the Irish Council for Civil Liberties – whose investigator had gained access to the US broker’s audience list by setting up a fake analytics firm – WIRED identified marketing “segments” on Google’s displays and Video 360 that listed US government employees considered “decision-makers” working “particularly in the area of national security”, as well as targeting people who were interested in missiles, Work for companies licensed to create cryptographic systems that protect space-launch vehicles and classifieds. data.
The investigator for the Irish Council for Civil Liberties said he hoped his cover story would be tested. “When I signed up, there were no questions asked,” he told WIRED at the time. “I could be anyone.”
<a href