US military personnel are being targeted using location data, Pentagon letter shows

US forces deployed to war zones have been targeted using commercially available location data, according to reports received by military officials and disclosed in a Pentagon letter.

US Central Command confirmed the threat in an April 14 letter to Senator Ron Wyden, an Oregon Democrat, who shared it with Reuters. Centcom's area of responsibility includes the Gulf, where US forces are operating near the Strait of Hormuz.

How are US military personnel being targeted using location data?

Adversaries are using commercially available location data to identify where US troops gather and track their patterns of movement, which can then be used to direct missile strikes, drone attacks and roadside bombs.

The data is typically collected from smartphones by apps or service providers, then sold through data brokers and networks of intermediaries. Lawmakers warned it can also be exploited for counterintelligence purposes.

What did US Central Command say about the location data threat?

In its April 14 letter, Centcom said it had "received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil US personnel in theater."

The letter offered no further specifics. Wyden and a bipartisan group of legislators described the disclosure as the first official confirmation that US forces had been targeted in an active war zone, in a follow-up letter sent to the Pentagon on Thursday.

The Pentagon said in an email it would respond directly to the lawmakers but did not elaborate. The lawmakers said their efforts to obtain more detailed information from military officials about the reported targeting had been unsuccessful. Wyden said in a statement it was time to "start treating the adtech industry as a national security threat."

How does the commercial location data trade work?

Location data is widely used in digital advertising, a key revenue source for many tech companies. Apps and service providers collect the data from smartphones and other devices before selling it to data brokers, who collate and resell it, sometimes through complex chains of intermediaries.

The privacy risks of trading people's daily movements on the open market have long been publicly debated, but the national security dimension has drawn sharper scrutiny recently.

The threat is not new. As far back as 2016, a US defense contractor used commercially available location data to track special operations forces from their bases in the United States to a sensitive staging post in Syria, according to an account first reported by the Wall Street Journal.

More recently, journalists at Wired and two German outlets used billions of coordinates from a data broker to map the movements of people at or near 11 US military and intelligence sites in Germany.

What measures have lawmakers urged the Pentagon to take?

The congressional letter said military officials should have acted faster to protect personnel, given what they already knew about the location data trade.

Specific recommendations included disabling the unique advertising ID on military-issued devices, automatically turning off location sharing on smartphones used in the field, and steering staff away from Google's Chrome browser toward more privacy-focused alternatives.

One of the letter's cosigners was Representative Pat Harrigan, a North Carolina Republican and former US Army Special Forces officer. Harrigan said browsers like Chrome "are built from the ground up to collect and share user data" and that every day they remain on government-issued devices "is another day we are handing our adversaries a weapon against our own troops."

Google said in a statement that Chrome had "industry leading security" and that it had long advocated for stronger rules and safeguards against data brokers. The Interactive Advertising Bureau and the Association of National Advertisers did not return requests for comment.