Pentagon Warned of Commercial Data Tracking Risk for Years as Adversaries Exploit Location Intelligence

US Central Command has confirmed receiving multiple threat reports concerning adversary exploitation of commercial location data to target or surveil US personnel in operational theaters, according to a WIRED investigation published today. The acknowledgment caps a decade-long pattern of warnings within the Pentagon about the operational security risks posed by the commercial data broker ecosystem—warnings that preceded concrete evidence of hostile intelligence exploitation by years.

The Central Command confirmation follows mounting evidence that the same commercial data marketplace used by US intelligence agencies has become a two-way street, accessible to foreign adversaries seeking to track American military personnel and installations.

A Decade of Internal Warnings

The vulnerability was demonstrated internally as early as 2016, when a government technologist at Joint Special Operations Command at Fort Bragg showed how commercially available location data could track phones from Fort Bragg and MacDill Air Force Base through Turkey into northern Syria. The demonstration revealed the operational security implications of location data brokers aggregating and reselling smartphone telemetry at scale.

By 2021, the Defense Intelligence Agency disclosed to Congress that it routinely purchases commercially available phone location data, including information on Americans, without obtaining warrants. The admission highlighted the Pentagon's own participation in the same data marketplace now being exploited against US forces.

Internal guidance documents reflect growing awareness of the threat vector. A 2022 Air Force operations security document warned explicitly that in the event of conflict with Russia, the Russian government could leverage location tracking technology to pinpoint US force locations. The National Security Agency has published mobile device best practices guidance advising against bringing devices to sensitive locations and recommending weekly power cycling of devices to disrupt persistent tracking.

Earlier warning signs emerged in a 2013 Department of Defense Inspector General report, which found that the Army had failed to implement effective cybersecurity programs for commercial mobile devices—a gap that appears to have persisted through the following decade.

Research Exposes Market Reality

Academic research conducted in 2023 under a grant from the US Military Academy at West Point demonstrated the practical accessibility of military personnel data. Duke University researchers purchased data on military personnel for as little as 12 cents per record, revealing the commodity pricing that makes such intelligence collection economically viable for state and non-state actors alike.

The Duke team identified thousands of data listings specifically targeting military personnel across hundreds of data broker websites. Dataset titles included "Military Families Mailing List" and "Hard Core Military Families," indicating purpose-built intelligence products rather than incidental data collection. Operating through a Singapore-based domain, the researchers successfully obtained geofenced data covering Fort Bragg, Quantico, and other sensitive installations.

The research methodology—posing as foreign buyers—mirrors the likely approach of hostile intelligence services seeking similar data products. The ease of access suggests that operational security measures have not kept pace with the commercial data ecosystem's expansion and sophistication.

Digital Targeting Infrastructure

Beyond raw location data, WIRED identified marketing segments within Google's Display & Video 360 platform that specifically target US government employees identified as national security decision-makers. The existence of such granular targeting categories indicates that the digital advertising ecosystem has developed the capability to identify and reach senior defense personnel through their online activities.

This targeting capability extends the threat model beyond passive location tracking to active information operations and social engineering campaigns. The precision of these advertising tools means that foreign intelligence services could potentially deliver tailored content to specific categories of defense personnel at scale.

Looking at the broader intelligence implications, we have seen this pattern before—during the early commercial internet buildout of the late 1990s, when the intelligence community struggled to adapt collection and protection practices to rapidly evolving digital infrastructure. The current situation reflects a similar lag between technological capability and operational doctrine, compressed into an even shorter timeframe by the pace of mobile and cloud adoption.

Defensive Measures and Systemic Challenges

The Defense Information Systems Agency maintains approval processes for mobile devices through its Approved Products List Integrated Tracking System, but the challenge extends beyond hardware to the applications and services running on approved devices. Security Technical Implementation Guides provide configuration baselines, yet these measures address device security rather than the broader data broker ecosystem that operates largely outside DoD control.

The fundamental tension lies in balancing operational requirements with security constraints. Military personnel require communication and navigation capabilities that inherently generate location telemetry, while data brokers operate in a largely unregulated marketplace where aggregated datasets change hands with minimal oversight.

Current mitigation strategies focus on device hygiene—power cycling, avoiding sensitive locations, and using approved hardware—but these measures address symptoms rather than the underlying data collection and brokerage infrastructure that enables adversary access.

Implications for Force Protection

The confirmed exploitation of commercial location data represents a shift in the threat landscape from theoretical vulnerability to active operational risk. Unlike traditional signals intelligence collection, which requires proximity and specialized equipment, commercial data access requires only financial resources and basic operational security measures to mask the purchaser's identity.

This democratization of location intelligence capabilities compresses the timeline between threat identification and operational impact. Where signals intelligence collection typically required months or years of preparation, commercial data purchases can provide near-real-time access to movement patterns and location histories.

The scale of the commercial data marketplace means that defensive measures must address not just individual operational security practices but the systemic availability of US military personnel data through commercial channels. The Reuters reporting that initially exposed adversary targeting of US personnel using commercial location data marked a shift from theoretical risk to confirmed operational impact.

For force protection planners, the challenge involves developing countermeasures that account for the commercial data ecosystem's global reach and minimal regulatory constraints. Traditional operational security models assumed that sensitive location information required direct collection—an assumption that no longer holds in an environment where commercial data brokers aggregate and resell location telemetry at commodity pricing.

The Central Command confirmation signals institutional recognition that this threat vector has moved from potential to kinetic, requiring adaptation of force protection measures to address an intelligence collection capability that operates through commercial rather than traditional espionage channels.