“USCENTCOM has received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil US personnel in theater,” the Department of Defense wrote in responses that Senator Ron Wyden’s office attached to a congressional letter this week.
DoD confirmation: commercial location data used against troops
Lawmakers led by Senator Ron Wyden (D-OR) and Representative Pat Harrigan (R-NC), joined by about a dozen colleagues, on Thursday pressed DoD Chief Information Officer Kirsten Davies after receiving what they call the first public confirmation that commercial geolocation data purchased from data brokers has been used to target or surveil American troops in active war zones. According to the congressionally shared material, that information was provided to Wyden’s office in April but only released after Wyden pushed back on “markings that restricted public release.”
How the data brokers obtained the information
The Defense Department’s responses describe the source of the leak as standard commercial channels: smartphone advertising profiles sold by commercial data brokers. The DoD told Wyden’s staff that both personally owned devices and government-issued smartphones can produce the advertising identifiers and associated data that brokers collect and sell — and that those datasets can be exploited by foreign adversaries to locate U.S. personnel.
Gaps in device controls and operational guidance
The DoD’s responses lay out a mix of technical and policy shortfalls. USCENTCOM’s geolocation risk guidance, the department said, “directs personnel to disable geolocation functionality when not needed; periodically review device and application privacy settings; and limit public sharing of information.” But the DoD also acknowledged that such guidance “doesn’t always fully disable geolocation on smartphones.”
On government-issued devices, the DoD said the “Personalized Advertising setting is disabled by group policy on the Mobile Device Management Server,” but added that “Ad Targeting Information is not disabled and can be edited by a user.” Wyden’s team summarized that the Pentagon’s MDM blocks the serving of personal ads but does not prevent the transmission of device advertising IDs and related data that brokers use.
The DoD told Wyden it is migrating to a new MDM solution that would allow location services to be completely disabled on government-issued devices and was “targeting a completion date of early May.” The department declined to answer questions from The Register, saying it would respond to Wyden instead. The DoD’s material does not confirm whether the MDM migration was finished.
Army BYOD move, CENTCOM changes, and historical warnings
The problem is not entirely new. Wyden’s letter cites briefings contractors provided to military leadership as far back as 2016 warning that smartphones owned by military members could be tracked easily. The letter accuses DoD officials of failing to treat the issue “as a five-alarm fire” and asserts the department “has known about this threat for over a decade, yet have failed to take meaningful steps to protect our men and women in uniform.”
Operational practice may be changing unevenly. The Army, in a press release earlier this month, set a target for the return of Army-managed work smartphones by the end of May and said the “primary and preferred method for connectivity is the Bring Your Own Device, or BYOD, program.” CENTCOM has reportedly strengthened geolocation controls in its area of operations, though the DoD responses do not indicate whether average service members are complying.
What this means for USCENTCOM, the Army, and U.S. service members
- USCENTCOM: The command has instituted stricter geolocation guidance and is the locus of the documented threat reports; its measures are a immediate attempt to limit adversary exploitation of commercial data, but the DoD admits the guidance cannot always fully sever geolocation signals.
- The Army: The branch’s move toward BYOD and the planned return of Army-managed smartphones at month’s end places emphasis on users’ device choices and privacy settings, increasing reliance on individual compliance and raising questions about how the Army will enforce or support technical mitigations.
- U.S. service members: Both personal and issued devices can leak advertising IDs and location-relevant signals; official guidance asks personnel to disable geolocation and review app settings, but DoD material makes clear those steps do not guarantee that location data stops flowing to brokers.
Analysts and members of Congress now face a narrow factual field: commercial brokers have sold location data tied to U.S. personnel in theater; DoD guidance and current MDM settings do not fully stop the transmission of advertising identifiers; the department has known of the risk for years; and a transition to an MDM that could fully disable location services was slated for early May but is not publicly confirmed as complete. The question the record leaves most clearly on the table is whether the combination of new MDM controls, CENTCOM policy changes, and the Army’s shift to BYOD will be sufficient — and timely — to close a vulnerability that lawmakers say has been exploited in active war zones.




