
Data brokers are helping enemies target US troops. The Pentagon must step up, lawmakers say

Commercial location data has been used to “target or surveil U.S. personnel in theater,” CENTCOM says.

Adversaries have used commercially available location data to target U.S. servicemembers in war zones, a bipartisan group of lawmakers revealed Thursday. 

In a letter to Pentagon CIO Kirsten Davies, 14 members of Congress — led by Sen. Ron Wyden, D-Ore., and Rep. Pat Harrigan, R-N.C. — warned that the department “has not taken basic steps to protect U.S. military personnel from the serious counterintelligence and force protection threat posed by the collection and sale of personal information, including cell phone location data, by data brokers.”

Reuters first reported the news. 

Last month, U.S. Central Command revealed to lawmakers that it “has received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil U.S. personnel in theater.” The letter includes CENTCOM's answers to questions on the subject.

This type of data can be acquired from legitimate data brokers for a nominal fee and then used to track a person's location, particularly someone who follows a set routine or is based in a remote area.

“That foreign adversaries are still able to buy location data collected from the phones of U.S. personnel serving in military hotspots is a direct result of DOD leadership’s failure to prioritize this threat and implement common sense cyber defenses recommended by federal cybersecurity experts,” the lawmakers wrote. 

The Pentagon has been aware for some time now of the security vulnerabilities posed by publicly available location data from smartphones or other wearable electronic devices. 

When mobile fitness app Strava released a Global Heat Map of its users’ activities in late 2017, it inadvertently gave away the locations of some U.S. military sites in the Middle East and provided precise details on the routes personnel took when they jogged. Similar location data from running app Polar also revealed the locations of military personnel, and could be used in some cases to track them to their homes.

DOD subsequently issued a directive in August 2018 that banned the use of apps and devices that share geolocation data “while in locations designated as operational areas.”

In their letter, however, the lawmakers said CENTCOM shared that it “only rolled out the capability to administratively disable location sharing on smartphones” this month. The combatant command also revealed that the Pentagon has not yet taken steps to deactivate the tracking numbers on smartphones that are used by advertisers and data brokers. 

“Both iOS and Android also include an opt-in privacy setting to disable this unique advertising ID, which the National Security Agency and the Cybersecurity and Infrastructure Security Agency recommend,” the letter said. “Unfortunately, USCENTCOM confirmed that the advertising ID is still not disabled on government-issued smartphones, but stated that the Defense Information Systems Agency is currently testing a capability to do so.”

The lawmakers urged DOD to disable the advertising ID on all agency-issued smartphones and to issue guidance requiring personnel to do the same on their personal devices brought overseas or onto military facilities. They also called for the agency to remove web browsers “designed to facilitate data collection by Google and other advertising companies” from Pentagon-issued devices.

“Instead, DoD should pre-install on DoD devices and require the use by DoD personnel of privacy-focused web browsers that protect users with anti-tracking cyber defenses, such as ad blocking and the Global Privacy Control (GPC), which is already enforced by law in 12 states,” the letter said.