How Commercial Phone Tracking Data Is Exposing U.S. Military Personnel to Foreign Adversaries

US Central Command has now confirmed what Pentagon officials have been warning about for over a decade: companies that buy and sell smartphone location data are making it dangerously easy for foreign governments to track American military personnel and bases. A WIRED investigation published today revealed that adversaries are actively exploiting this same commercial data marketplace to surveil U.S. troops in combat zones and sensitive locations worldwide.

The confirmation marks a turning point. What started as an internal Pentagon concern years ago has now become a confirmed operational threat.

A Problem Spotted But Not Solved

As far back as 2016, a government technologist at Joint Special Operations Command demonstrated the vulnerability in a striking way: he purchased commercially available location data and traced smartphones moving from Fort Bragg and MacDill Air Force Base through Turkey into northern Syria. The point was unmistakable—the detailed movement patterns of U.S. military personnel were available for purchase to anyone with money.

By 2021, the Defense Intelligence Agency admitted to Congress that it routinely buys this same commercially available location data, often without a warrant. The irony was hard to miss: the Pentagon's own intelligence arm was shopping in the same data marketplace that enemies were using against them.

Warning signs had surfaced even earlier. A 2013 Defense Department Inspector General report found that the Army had failed to put adequate security measures in place for mobile devices. Subsequent documents—including a 2022 Air Force operations security guide and NSA mobile device guidance—explicitly warned that an adversary like Russia could use location tracking to pinpoint where U.S. forces were positioned. The advice given to troops was blunt: avoid bringing phones to sensitive locations, and power down devices weekly to disrupt tracking.

What the Data Brokers Actually Sell

In 2023, researchers at Duke University working under a grant from the U.S. Military Academy at West Point decided to test how accessible military personnel data really was. The results were sobering. They found they could buy detailed location records on military personnel for as little as 12 cents per person. The researchers identified thousands of datasets being advertised specifically for military targeting, with names like "Military Families Mailing List" and "Hard Core Military Families"—purpose-built intelligence products, not random byproducts of data collection.

Operating through a Singapore-based website, the researchers obtained geofenced location data pinpointing Fort Bragg, Quantico, and other military installations. The ease of purchase revealed that whatever security measures the Pentagon had in place, they were not keeping up with the sophistication and scale of the commercial data business.

The historical parallel here is instructive. When the commercial internet was being built out in the late 1990s, the intelligence community struggled just as hard to adapt its collection and protection practices to new digital infrastructure. We are seeing a similar mismatch between technical capability and defensive doctrine today—but compressed into a far shorter timeframe, driven by the explosive growth of mobile phones and cloud services.

How Advertisers Can Pinpoint Military Officials

The vulnerability extends beyond raw location data. WIRED researchers found that Google's advertising platform, Display & Video 360, contains marketing segments that specifically target U.S. government employees working on national security. This means foreign intelligence services could use the same tools that commercial advertisers use to deliver tailored content—misinformation, phishing links, or social engineering campaigns—directly to defense officials based on their online behavior.

This shifts the threat from passive tracking to active manipulation. A foreign adversary no longer needs to intercept communications or plant spies; they can use tools designed for selling shoes and insurance to reach specific military planners with custom-crafted propaganda or deception campaigns.

The Mismatch Between Technology and Defense

The Pentagon has defensive tools in place. The Defense Information Systems Agency maintains an approved list of secure mobile devices, and the military has detailed security configuration guides. But these measures address the symptoms, not the disease. They tell troops to avoid bringing phones to sensitive locations and to power down periodically, but they do nothing to stop data brokers from collecting and selling location information in the first place.

The underlying problem is structural. The commercial data broker industry operates in a largely unregulated space, with location data changing hands constantly and often globally, beyond any Pentagon oversight or control. Military personnel need phones for navigation and communication—that is non-negotiable—yet the very act of carrying and using those devices generates location data that ends up for sale in marketplaces designed to be accessible to any buyer with a credit card.

From Theory to Live Threat

What makes this shift significant is the practical difference between the old threats and the new one. Traditionally, foreign intelligence services had to invest months or years in surveillance operations—they needed agents on the ground, specialized equipment, and careful planning. Commercial location data has inverted that equation. For a small financial outlay and basic operational security to hide the buyer's identity, an adversary can get near-real-time movement patterns and location histories of U.S. military personnel.

The commodification of location intelligence means that what was once a specialized espionage capability is now available at scale and low cost. Reuters reporting earlier this year documented that adversaries were already using this data against U.S. personnel in the field. The Central Command confirmation suggests that the Defense Department now understands this is not a theoretical vulnerability anymore—it is an active operational problem that requires new defensive thinking.

Force protection teams now face a new kind of challenge. Traditional operational security training assumed that sensitive location information had to be actively collected through espionage. That assumption no longer holds. The Pentagon must develop countermeasures that account for the fact that location data on its personnel is already flowing through commercial channels beyond its control and reach. The threat has moved from potential to kinetic, and the Pentagon's defensive posture has not yet caught up.