Commercial location data is being used to target US servicemembers, lawmakers warn

Foreign adversaries have used commercially available data from U.S. servicemembers to target their locations in active war zones, a bipartisan group of lawmakers revealed Thursday. 

In a letter to Department of Defense Chief Information Officer Kirsten Davies, fourteen members of Congress — led by Sen. Ron Wyden, D-Ore., and Rep. Pat Harrigan, R-N.C. — warned that the Pentagon “has not taken basic steps to protect U.S. military personnel from the serious counterintelligence and force protection threat posed by the collection and sale of personal information, including cell phone location data, by data brokers.”

Reuters first reported the news. 

According to unclassified written responses that the lawmakers shared with their letter, U.S. Central Command revealed last month that it “has received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil U.S. personnel in theater.”

This type of data can be acquired from legitimate data brokers for a nominal fee and then used to track the locations of groups of individuals, particularly those who follow set routines or are based in remote areas. 

“That foreign adversaries are still able to buy location data collected from the phones of U.S. personnel serving in military hotspots is a direct result of DOD leadership’s failure to prioritize this threat and implement common sense cyber defenses recommended by federal cybersecurity experts,” the lawmakers wrote. 

The Pentagon has been aware for some time now of the security vulnerabilities posed by publicly available location data from smartphones or other wearable electronic devices. 

When mobile fitness app Strava released a Global Heat Map of its users’ activities in late 2017, it inadvertently gave away the locations of some U.S. military sites in the Middle East and provided precise details on the routes personnel took when they jogged. Similar location data from running app Polar also revealed the locations of military personnel, and could be used in some cases to track them to their homes.

DOD subsequently issued a directive in August 2018 that banned uses of apps and devices that share geolocation data “while in locations designated as operational areas.”

In their letter, however, the lawmakers said CENTCOM shared that it “only rolled out the capability to administratively disable location sharing on smartphones” this month. The combatant command also revealed that the Pentagon has not yet taken steps to deactivate the tracking numbers on smartphones that are used by advertisers and data brokers. 

“Both iOS and Android also include an opt-in privacy setting to disable this unique advertising ID, which the National Security Agency and the Cybersecurity and Infrastructure Security Agency recommend,” the letter said. “Unfortunately, USCENTCOM confirmed that the advertising ID is still not disabled on government-issued smartphones, but stated that the Defense Information Systems Agency is currently testing a capability to do so.”

The lawmakers urged DOD to disable the advertising ID on all agency-issued smartphones and to issue guidance requiring personnel to do the same on their personal devices brought overseas or onto military facilities. They also called for the agency to remove web browsers “designed to facilitate data collection by Google and other advertising companies” from Pentagon-issued devices.

“Instead, DoD should pre-install on DoD devices and require the use by DoD personnel of privacy-focused web browsers that protect users with anti-tracking cyber defenses, such as ad blocking and the Global Privacy Control (GPC), which is already enforced by law in 12 states,” the letter said.