Adversaries Exploit Commercial Location Data to Target U.S. Military Personnel
The U.S. Department of Defense has confirmed that adversaries have utilized commercially available location data to monitor and potentially target American military personnel in active combat zones. This revelation underscores the significant risks associated with the widespread collection and sale of personal location information.
In a letter shared by Senator Ron Wyden with TechCrunch, U.S. Central Command (USCENTCOM) acknowledged receiving multiple threat reports concerning the exploitation of commercial location data by hostile entities to surveil U.S. personnel in operational theaters. The letter, however, did not provide specific instances or detailed examples of such activities.
The practice of collecting location data is prevalent in the digital advertising industry. Mobile applications and websites often gather users’ location information, which is then sold to data brokers. These brokers, in turn, sell the data on the open market, making it accessible to various entities, including foreign governments and military organizations. Notably, the U.S. government and military have previously purchased such data without obtaining warrants.
The implications of this data trade are profound. Adversaries can potentially use the acquired location data to track the movements of military personnel, identify patterns, and plan attacks or surveillance operations. This vulnerability highlights the urgent need for stringent regulations governing the collection, sale, and use of location data.
Senator Ron Wyden has been a vocal advocate for privacy and data security. In response to the recent revelations, he emphasized the necessity of treating the advertising technology (adtech) industry as a national security threat. Wyden’s concerns are not unfounded. The adtech industry’s extensive data collection practices have long been a point of contention, with critics arguing that they pose significant privacy risks to individuals and, as recent events suggest, national security risks as well.
The Federal Trade Commission (FTC) has taken steps to address these concerns. In January 2024, the FTC banned data broker X-Mode Social from sharing or selling users’ sensitive location data. The settlement required X-Mode, now known as Outlogic, to delete all previously collected location data unless explicit consumer consent was obtained or the data was de-identified. This action marked a significant move by the FTC to curb the unregulated sale of sensitive location information.
Despite such regulatory actions, the issue persists. In March 2026, FBI Director Kash Patel confirmed that the agency had resumed purchasing Americans’ data and location histories to aid federal investigations. This practice raises questions about the balance between national security interests and individual privacy rights.
The sale of location data is not limited to data brokers. Telecommunications companies have also been implicated. In April 2024, the U.S. Federal Communications Commission (FCC) fined major wireless carriers, including AT&T, Verizon, T-Mobile, and Sprint, a total of approximately $200 million for illegally sharing and selling customers’ real-time location data without consent. The FCC’s investigation revealed that these carriers sold access to customers’ location data to third-party companies, which then resold the data, creating a gray market for sensitive information.
The National Security Agency (NSA) has also been involved in purchasing Americans’ internet browsing records without a warrant. In January 2024, NSA Director Gen. Paul Nakasone disclosed that the agency buys various types of information from data brokers for foreign intelligence, cybersecurity, and authorized mission purposes. This practice has raised significant concerns about privacy and civil liberties.
The scale of government agencies’ use of commercially available location data is substantial. In July 2022, documents obtained by the American Civil Liberties Union (ACLU) revealed that the Department of Homeland Security (DHS) used mobile location data to track people’s movements on a much larger scale than previously known. This warrantless data collection has significant implications for privacy rights.
The FTC has also taken legal action against data brokers for selling sensitive location data. In August 2022, it sued data broker Kochava Inc. for selling geolocation data from hundreds of millions of mobile devices, which could be used to trace individuals’ movements to sensitive locations such as reproductive health clinics, domestic violence shelters, and places of worship. The lawsuit aimed to halt Kochava’s data collection practices and requested the deletion of already collected data.
The targeting of U.S. military personnel using commercially available location data is a stark reminder of the vulnerabilities inherent in the current data ecosystem. It underscores the need for comprehensive legislation and robust enforcement mechanisms to protect individuals’ privacy and national security. As technology continues to evolve, so too must the frameworks that govern data collection, sharing, and usage to prevent exploitation by malicious actors.