“has not taken basic steps to protect U.S. military personnel from the serious counterintelligence and force protection threat posed by the collection and sale of personal information, including cell phone location data, by data brokers,” 14 members of Congress wrote in a letter to the Pentagon’s chief information officer.
Lawmakers' warning to the Pentagon
The letter, led by Sen. Ron Wyden (D‑Ore.) and Rep. Pat Harrigan (R‑N.C.), was delivered to Pentagon CIO Kirsten Davies and argued that the Department of Defense “has not taken basic steps” to protect servicemembers from commercially available location data. Reuters first reported the exchange. The group said data collected and sold by brokers can be purchased for a nominal fee and used to track individuals, particularly those with regular routines or those based in remote locations.
CENTCOM: commercial location data used to "target or surveil U.S. personnel in theater"
U.S. Central Command informed lawmakers last month that it “has received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil U.S. personnel in theater.” CENTCOM told lawmakers it only rolled out the capability to administratively disable location sharing on smartphones this month, and confirmed that the advertising identifier used by advertisers and data brokers remains enabled on government‑issued phones.
Historical precedents and the 2018 DoD directive
The lawmakers referenced past incidents showing how publicly available location streams can expose military movements. When the fitness app Strava released a Global Heat Map in late 2017, it revealed the locations of some U.S. military sites in the Middle East and showed precise running routes used by personnel. Similar location disclosures from the Polar running app also revealed locations and, in some cases, routes to residences. In response to those and related vulnerabilities, DOD issued a directive in August 2018 banning uses of apps and devices that share geolocation data “while in locations designated as operational areas.”
Technical steps lawmakers demand
The letter urged the department to take a set of concrete technical actions. Lawmakers called for disabling the advertising ID on all agency‑issued smartphones and for issuing guidance requiring personnel to do the same on personal devices brought overseas or onto military facilities. They noted that both iOS and Android include an opt‑in privacy setting to disable the unique advertising ID — a move recommended by the National Security Agency and the Cybersecurity and Infrastructure Security Agency — but that USCENTCOM confirmed the advertising ID “is still not disabled on government‑issued smartphones.” The Defense Information Systems Agency is “currently testing a capability” to deactivate that identifier, CENTCOM said.
Lawmakers also asked the Pentagon to remove web browsers “designed to facilitate data collection by Google and other advertising companies” from Pentagon‑issued devices, and instead to pre‑install and require the use of privacy‑focused browsers offering anti‑tracking defenses such as ad blocking and the Global Privacy Control (GPC). The letter points out that GPC “is already enforced by law in 12 states.”
What this means for DoD personnel, CENTCOM, and data brokers
- DoD personnel: The lawmakers want immediate guidance that would require disabling advertising IDs on personal devices when brought into overseas or restricted facilities, and expect centralized controls on government‑issued phones to limit location sharing.
- CENTCOM and combatant commands: CENTCOM’s reports of multiple threat incidents place operational pressure on commands to adopt administrative controls for location sharing and to accelerate DISA testing of advertising ID deactivation.
- Data brokers and advertisers: The letter frames the commercial sale of location and identifier data as an actionable counterintelligence and force‑protection risk, implying heightened scrutiny or operational restrictions on how that information can be collected or associated with government personnel.
The Pentagon CIO and DISA: decisions ahead
The exchange places the next choices squarely with the Pentagon CIO, Kirsten Davies, and with DISA, which is testing a capability to disable advertising IDs on government devices. Lawmakers requested system‑level interventions — administrative disabling of location sharing and advertising identifiers, removal of certain browsers, and pre‑installation of privacy‑oriented alternatives — rather than relying solely on individual behavior. The letter frames those changes as “common sense cyber defenses recommended by federal cybersecurity experts.”
The public record in the letter and CENTCOM’s responses leaves a clear, immediate benchmark: whether the department will move from testing to broad deployment of these administrative controls and issue binding guidance for personal devices when used on military premises or overseas.




