Foreign enemies have a shockingly simple way to track US troops overseas, lawmakers warn

A bipartisan group of lawmakers is demanding answers from the Pentagon after U.S. Central Command disclosed it had received multiple threat reports indicating foreign adversaries were exploiting commercially available location data to target or surveil American military personnel overseas.

In a letter to War Department Chief Information Officer Kirsten Davies, lawmakers led by Sen. Ron Wyden, D-Ore., and Rep. Pat Harrigan, R-N.C., warned that the Pentagon "has not taken basic steps to protect U.S. military personnel from the serious counterintelligence and force protection threat posed by the collection and sale of personal information, including cell phone location data, by data brokers."

The lawmakers cited information provided by U.S. Central Command, which told Congress it "has received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil U.S. personnel in theater."

The warning centers on the vast commercial data broker industry, which collects and sells location information generated by smartphones, apps and advertising networks. Lawmakers say adversaries may be able to purchase or otherwise obtain that data and use it to identify military installations, monitor troop movements or track individual service members.

HACKERS CLAIM MASSIVE BREACH OF COMPANY THAT TRACKS AND SELLS AMERICANS' LOCATION DATA

After revealing that CENTCOM had received multiple threat reports involving adversaries exploiting commercial location data, the lawmakers argued the Pentagon has failed to adequately address a vulnerability that has been known for years.

"That foreign adversaries are still able to buy location data collected from the phones of U.S. personnel serving in military hotspots is a direct result of DOD leadership's failure to prioritize this threat and implement common sense cyber defenses recommended by federal cybersecurity experts," the lawmakers wrote.

According to the letter, CENTCOM told lawmakers it only rolled out a capability to administratively disable location sharing on government-issued smartphones in May. Lawmakers also said advertising identifiers — unique tracking numbers used by advertisers and data brokers to monitor devices across apps and services — remain active on government-issued devices despite longstanding recommendations from cybersecurity agencies to disable them.

ALLSTATE SUED FOR ALLEGEDLY TRACKING AND SELLING 45M AMERICANS' LOCATION DATA

The lawmakers urged the Pentagon to disable advertising identifiers on all government-issued smartphones and issue guidance requiring personnel to do the same on personal devices used overseas or on military installations. They also called for the Departement of War to replace web browsers that facilitate advertising-related data collection with privacy-focused alternatives that include anti-tracking protections.

The Pentagon has been grappling with the security implications of commercially available location data for years. In 2018, the fitness-tracking app Strava inadvertently revealed the locations and movement patterns of military personnel after publishing a global heat map of user activity. Similar concerns later emerged involving other fitness and location-based applications that exposed military installations and, in some cases, could be used to identify individual service members.

The War Department subsequently issued guidance restricting the use of applications and devices that share geolocation data in operational areas. But lawmakers argue the department has not fully implemented more basic protections designed to limit the collection and sale of location information in the first place.

Fox News Digital reached out to the Pentagon for comment. 

Cybersecurity experts say the concern extends far beyond fitness-tracking applications.

The commercial data ecosystem collects vast amounts of location information generated through smartphones, mobile applications, advertising technology systems and other digital services.

"The United States' foreign adversaries have plentiful opportunities to exploit commercial location data on Americans, because so much location data is collected, shared, sold, inferred, and much more across the commercial market on millions of Americans every day," Justin Sherman, CEO of research and advisory firm Global Cyber Strategies, told Fox News Digital.

Sherman said foreign adversaries can potentially obtain access to location data through data brokers, digital advertising networks and other commercial systems that collect and sell information about users' movements.

"If you're one of the United States' foreign adversaries, you have advanced cyber capabilities, but you see all this U.S. data out there on the commercial market, you'd think: 'why hack when I can buy?'"

"Foreign adversaries can take advantage of gaps in U.S. privacy laws, failures in other countries to lock down data, and the pervasiveness of digital systems to get location data from data brokers, real-time bidding networks for digital ads, and many other commercial sources," Sherman said.

Once obtained, Sherman said the data can potentially be used to identify individuals, track their movements over time and build what intelligence professionals refer to as "patterns of life" — detailed pictures of a person's routines, habits and activities.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

"The sale of location data in particular on Americans' devices puts military personnel at risk, can expose their families and other people in their lives, and allow anyone with the data to see the sites they visit, map patterns of life, run intelligence operations against them, and more," Sherman said. "It's a serious national security threat."

The lawmakers' letter raises fresh questions about how much commercially available data foreign adversaries can access and whether existing Pentagon safeguards are sufficient to protect American troops operating in sensitive environments around the world.