The U.S. military spent years watching adversaries circle closer. Warnings piled up. Demonstrations showed exactly how commercial data could expose troops. Yet action lagged. Now Central Command confirms the threat has arrived.
In April, U.S. Central Command told Congress it had received multiple threat reports of adversaries exploiting commercial location data to target or surveil American personnel in theater. The disclosure, shared by Sen. Ron Wyden with Reuters, marks the first official Pentagon acknowledgment that forces in active conflict zones face this specific risk. Centcom’s area covers the Gulf, where U.S. troops confront Iranian forces. The letter warned that such data reveals where troops gather and their patterns of life. Adversaries can exploit that for missile strikes, drone attacks, roadside bombs or counterintelligence.
But the military knew far earlier. A 2016 demonstration at Joint Special Operations Command revealed phones traveling from domestic bases through Turkey to cluster at a sensitive staging site in Syria. The data came not from sophisticated hacking but from ordinary apps. Anyone with money to spend could buy it. The Wall Street Journal first reported the incident involving defense contractor PlanetRisk, which had set out to track refugees yet stumbled on U.S. special operations movements.
That should have changed everything. It didn’t. Lawmakers and researchers repeated the alarms. The Defense Intelligence Agency admitted in 2021 it bought similar data without warrants. Army-funded studies at Duke University and West Point showed brokers sold troop information for pennies per record with little screening. One 2024 investigation pulled billions of location coordinates from a single broker and traced thousands of devices across U.S. bases in Germany, including sites tied to nuclear weapons storage. Those findings, from WIRED in partnership with German outlets, exposed movements at 11 installations.
Fixes existed. The Pentagon simply failed to scale them.
Cheap measures sat on the shelf. Disable advertising identifiers on issued devices. Block or replace Google’s Chrome browser, long criticized for its tracking defaults. Automatically turn off location services in forward areas. Enroll personnel in data broker opt-outs. An Army Cyber Institute report from May 2025 spelled out these steps. It found more than one in five domains visited on Army networks hosted trackers. The fixes demanded minimal resources. Yet rollout of even basic location-sharing controls on government phones only began this month, a decade after the first clear demonstration.
And the contradictions mount. Earlier this month the Army directed soldiers to handle government business on personal phones. Those same devices feed the advertising ecosystem that brokers harvest. Officials claim work apps create separation. Data brokers don’t see walls. They see signals. Patterns. Clusters that scream target.
Recent developments sharpen the picture. On the same day the Centcom confirmation broke, a bipartisan group of 14 lawmakers sent a pointed letter to the Pentagon’s chief information officer. They cited the decade of ignored expert recommendations. They demanded action on advertising IDs, browser choices and the 2017 law meant to shield vulnerable personnel. Rep. Pat Harrigan, a former Army Special Forces officer, put it bluntly. Browsers built to collect and share data hand adversaries weapons against U.S. troops. Every day they remain in use counts against security. Wyden called for treating the adtech industry as a national security threat.
The data trade operates in plain sight. Apps for weather, games and dating collect location. Brokers aggregate, package and sell. No hacking required. Foreign actors or anyone with a credit card can acquire it. In one German dataset, 3.6 billion coordinates tied to 11 million phones over two months painted detailed pictures of life at U.S. facilities. Devices zigzagged through training ranges. They lingered near sensitive bunkers. The sample came from a broker offering free trials. Access required almost no verification.
Ukraine and Russia have offered live demonstrations of phone risks in combat. Both sides have used cell signals, roaming data and app emissions to locate forces. Russian strikes early in the conflict reportedly relied on clusters of foreign-registered phones. U.S. commanders studied those lessons. Yet domestic policy moved slowly. Privacy bills that could have curbed broker practices passed the House but stalled in the Senate. One narrow measure barred resale of data sold to military contractors. The wider market continued unchecked.
Google defended its browser as offering industry-leading security. It said it has pushed for national privacy rules. The company did not address specific military device concerns. Data brokers and advertising groups offered no comment when contacted by reporters. The Pentagon itself declined immediate responses to multiple outlets.
So the gap remains. Troops receive reminders about operational security. They hear that personal discipline matters. But the infrastructure feeding their devices to brokers stays in place. Research shows individual vigilance falls short when systems push data by design. Patterns emerge from routine behavior. A phone left on. An app granted permissions. A base visited daily. Those fragments build targeting packages.
Recent news adds urgency. The Independent reported the Centcom confirmation alongside fresh lawmaker pressure. Stars and Stripes covered the bipartisan push for stronger device controls. Each account draws from the same documents. Each highlights the same delay between knowledge and response. The military understood the exposure. It bought the data itself in places. It watched contractors demonstrate the risk live. Still the fixes waited.
Adversaries face no such hesitation. They purchase what the market offers. They fuse it with other intelligence. They strike. The result lands in threat reports from active theaters. Those reports now sit with Congress. They force a question the Pentagon has fielded for ten years. Why act now, when the warnings began so long ago?
The answer lies in the data itself. It never stopped flowing. Phones kept emitting. Brokers kept selling. Troops kept carrying devices built for convenience over concealment. The battlefield simply caught up to what analysts predicted. Short, sharp demonstrations in 2016. Detailed studies in 2023 and 2025. Investigations that mapped real movements in 2024. All pointed the same direction. All described the same vulnerabilities. The military’s own researchers called the solutions straightforward and inexpensive. Implementation took a decade. And now the reports confirm exploitation in theater.
Change may finally arrive. Lawmakers press for immediate browser shifts and identifier controls. They want enrollment in opt-out regimes and stricter policies on personal devices. Whether those steps scale fast enough remains open. The adtech economy moves quicker than bureaucracy. Data brokers adapt. New intermediaries appear. Phones evolve but keep location at their core.
For forces deployed today the message carries weight. Turn off what you can. Follow protocols. Yet the deeper fix requires institutional will. The Pentagon knew. Its experts warned. Its researchers quantified the cost at nearly nothing. The question now is whether confirmation of real-world targeting finally closes the gap between awareness and action. Troops in the Gulf and beyond wait for the answer.


WebProNews is an iEntry Publication