CENTCOM revealed foreign adversaries reportedly used cell phone location data to target U.S. troops

U.S. Central Command revealed to Congress that it has received multiple threat reports indicating that foreign adversaries have used the location data collected from U.S. cellular devices to target U.S. military forces likely in the Middle East, according to a new letter from members of Congress.

The revelation was made public in a letter sent to the Pentagon by a bipartisan group of U.S. congressmen and senators on Thursday, with the members saying that they had “serious concern” that, for years, the Department of Defense (also known as the Department of War) had not taken “basic steps to protect U.S. military personnel from the serious counterintelligence and force protection threat posed by the collection and sale of personal information, including cell phone location data, by data brokers.”

The bipartisan group was responding to an April letter from CENTCOM, which had stated that the combatant command “has received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil U.S. personnel in theater.”

CENTCOM’s area of responsibility encompasses 21 countries in Central Asia, South Asia, and the Middle East, including Afghanistan, Bahrain, Egypt, Iran, Iraq, Israel, Jordan, Kazakhstan, Kuwait, Kyrgyzstan, Lebanon, Oman, Pakistan, Qatar, Saudi Arabia, Syria, Tajikistan, Turkmenistan, the United Arab Emirates, Uzbekistan and Yemen.

The revelation by CENTCOM, first reported by Reuters, came amidst Operation Epic Fury, the U.S. military campaign against the Iranian regime.

The letter Thursday to the War Department’s chief information officer was sent by a Democratic Sens. Ron Wyden, Oregon; Elizabeth Warren and Ed Markey, Massachusetts; Martin Heinrich, New Mexico; and Alex Padilla, California.

The House members who signed on are Democrat Reps. Robert Garcia and Sara Jacobs, California, and GOP Reps. Pat Harrigan, North Carolina; Eli Crane, Arizona; Matt Van Epps, Tennessee; Scott Perry, Pennsylvania; Keith Self and Mike McCloud, of Texas, and Greg Steube, of Florida.

“DoD has known about this serious threat for over a decade, but has failed to adopt commonsense cyber defenses that are recommended by federal agencies,” the letter reads. “DoD has now confirmed to Congress that foreign adversaries are exploiting commercially available location data to target U.S. military personnel in war zones.”

CENTCOM had told Wyden back in April that it had received multiple reports about foreign foes exploiting this cell phone data to attempt to track or hit U.S. forces, but the combatant command said these threats were being mitigated.

“The Threat Fusion Cell identified, tracked, and disseminated these threats through the USCENTCOM Threat Working Group and to component force protection personnel,” CENTCOM said last month. “Additionally, USCENTCOM has disseminated threat assessments to component force protection personnel demonstrating adversary capabilities to exploit commercial location data for targeting purposes. These assessments inform force protection measures across the AOR.”

The members of the House and Senate wrote on Thursday that “this is the first time DoD has confirmed that adversaries are using commercial location data to target U.S. military personnel in an active war zone.”

“Commercial location data can be used to identify where U.S. troops congregate and their pattern of life, which can be exploited by adversaries to target attacks such as missiles, drones, and roadside bombs, as well as for counterintelligence purposes,” the bipartisan letter added. “That foreign adversaries are still able to buy location data collected from the phones of U.S. personnel serving in military hotspots is a direct result of DoD leadership’s failure to prioritize this threat and implement common sense cyber defenses recommended by federal cybersecurity experts.”

CENTCOM had told Wyden in April that “CENTCOM personnel are not prohibited from possessing or using personal smartphones within the USCENTCOM AOR” but that “USCENTCOM's geolocation risk guidance directs personnel to disable geolocation functionality when not needed; periodically review device and application privacy settings; and limit public sharing of information.”

CENTCOM also said last month that it was “currently migrating government-issued mobile devices to a new Mobile Device Management Server which will allow for location services to be completely disabled” and that the “estimated completion date” for that was early May.

The threat posed by cell phone location data tracking has been known for many years.

The New York Times wrote a 2019 piece titled “Twelve Million Phones, One Dataset, Zero Privacy” which noted that “there were no blackout areas in many sensitive government buildings” and that “we observed thousands of pings inside the Pentagon, on military bases, in FBI headquarters, and in Secret Service facilities across the country.”

It was reported by the Wall Street Journal in a 2021 article on “The Ease of Tracking Mobile Phones of U.S. Soldiers in Hot Spots” that there was “a significant challenge for the U.S. armed forces: how to protect service members, intelligence officers and security personnel in an age where highly revealing commercial data being generated by mobile phones and other digital services is bought and sold in bulk, and available for purchase by America’s adversaries.”

And a Wired article in 2024 found that “Anyone Can Buy Data Tracking U.S. Soldiers and Spies to Nuclear Vaults and Brothels in Germany. More than 3 billion phone coordinates collected by a U.S. data broker expose the detailed movements of US military and intelligence workers in Germany—and the Pentagon is powerless to stop it.”

The letter Thursday urged DoD to "take the following actions” including to “disable the advertising ID on all DoD issued smartphones and issue a policy mandating that DoD personnel disable the advertising ID on all personal phones brought onto DoD facilities or taken to overseas deployments.”

The group of congressional members also suggested that the department “coordinate with the California Privacy Protection Agency to enroll all DoD personnel who are California residents in the state’s universal data broker Delete Request and Opt-out Platform, and coordinate with other states that create similar systems.”

The House and Senate members also asked the Pentagon to “remove web browsers that are designed to facilitate data collection by Google and other advertising companies, such as Google Chrome, from DoD unclassified computers and smartphones.”