Every time you open a weather app, tap through a retail website, or let your phone track a morning run, a tiny packet of data is generated and sold. Your device ID. Your coordinates. The timestamp. Where you were at 6:47 a.m. and again at 7:23 a.m. That data gets bundled with hundreds of millions of similar packets, sold to brokers, resold to advertisers, aggregated into movement profiles, and traded across a largely unregulated global marketplace designed to help brands figure out which billboard to show you next.
It also, as of this week, has an official Pentagon confirmation attached to it: America’s adversaries are buying that data and using it to target deployed US military personnel with missiles, drones, and roadside bombs.
US forces deployed to war zones have been targeted using commercially available location data, according to reports fielded by military officials, in an illustration of how the global surveillance economy is shaping the battlefield. In a letter shared with Reuters by US Senator Ron Wyden, an Oregon Democrat, US Central Command said it had received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil US personnel in theater. The message was sent on April 14.
CENTCOM offered no further specifics, but its area of responsibility includes the Gulf, where US forces are facing off against the Iranian military over the Strait of Hormuz. The restraint in the official language is notable. What it describes, stripped of its bureaucratic phrasing, is soldiers being hunted using data that originated in the digital advertising industry.
The First Official Confirmation of Something Experts Have Warned About for Years
More Read
The disclosure was the first official confirmation that US forces had been targeted in an active war zone through commercial data, Wyden and a bipartisan group of legislators said in a letter sent Thursday to the Pentagon.
“Commercial location data can be used to identify where US troops congregate and their pattern of life, which can be exploited by adversaries to target attacks such as missiles, drones, and roadside bombs, as well as for counterintelligence purposes,” the congressional letter warned.
The word “confirmation” is doing significant work in that sentence. The underlying threat has been documented, demonstrated, and reported on for nearly a decade. What changed this week is that the US military officially acknowledged, in writing, that it is no longer theoretical. The data broker industry’s product has become a weapons-guidance input in active combat zones. The disclosure came from CENTCOM itself, in an April 14 message, confirming it had received multiple threat reports of adversary exploitation of commercial location data to target or surveil American personnel deployed in active military theaters.
More Read
How We Got Here: A Decade of Warnings Ignored
The architecture of the modern data broker industry was built on a straightforward commercial premise. Mobile apps collect location data from users, most of whom have either not read the permission disclosures or do not understand what they mean in practice. That data is sold to intermediaries, who package it with data from thousands of other sources and resell it to advertisers, retailers, financial firms, and anyone else willing to pay. The system was designed, optimized, and legally structured around commercial use cases. Nobody building the infrastructure thought much about what happens when an Iranian proxy force or a state-sponsored intelligence service starts shopping the same marketplace.
As far back as 2016, one US defense contractor was able to leverage commercially available location data to track special operations forces from their bases in the United States to a sensitive staging post in Syria, according to an account first disclosed by the Wall Street Journal. That disclosure caused a brief stir in defense and intelligence circles and then was largely absorbed into the background noise of competing national security concerns.
More recently, journalists at Wired and two German news outlets drew on billions of coordinates collected by a data broker to expose the granular movements of people stationed at or around 11 US military and intelligence sites in Germany. The investigation demonstrated that without hacking a single government system, without recruiting a single intelligence asset, and without triggering any classified security protocol, a determined researcher could reconstruct detailed pattern-of-life profiles for personnel at some of the most sensitive US installations in Europe. All they needed was a commercial data subscription.
The advertising technology industry that produced this capability did not set out to create a national security liability. It set out to sell shoes and streaming subscriptions. But the same granularity that makes location data commercially valuable, the fact that it tracks individuals across time and space with extraordinary precision, is precisely what makes it operationally useful for anyone trying to understand where American soldiers go, when they go there, and what routes they travel.
The Scale of the Problem
To understand why this is so difficult to fix, it helps to understand the scale of what has been built. The global data broker industry generates an estimated $200 billion in annual revenue. Hundreds of companies operate in the space, ranging from large publicly traded firms to small intermediaries with minimal public profiles. The data they collect and resell includes not just GPS coordinates but device identifiers, browsing behavior, app usage patterns, purchase histories, and inferred demographic characteristics. When aggregated across a large enough dataset, even ostensibly anonymized records can be de-anonymized and linked back to specific individuals with high confidence.
US military personnel are not exempt from this system simply by virtue of their service. A soldier stationed at a forward operating base in the Gulf region who uses a fitness tracking app, checks a weather service, or plays a mobile game is generating the same data streams as any civilian. That data flows through the same commercial pipeline. It is subject to the same terms of service, sold to the same brokers, and accessible through the same marketplace. There is no military exception in the data broker ecosystem. There is no flag in the dataset that marks a location ping as belonging to a special operations soldier rather than a suburban commuter.
Senator Wyden has long sought to close what privacy advocates call the data broker loophole, the practice by which government agencies purchase location and behavioral data from commercial brokers to circumvent the Fourth Amendment warrant requirements that would otherwise govern such surveillance. The irony made explicit by this week’s CENTCOM disclosure is that the same loophole that allows US agencies to buy their own citizens’ data without warrants also allows any sufficiently funded adversary to purchase the same data about US military personnel. The market does not ask about the buyer’s nationality or intent.
Who Is Buying the Data
CENTCOM’s April disclosure did not name the specific adversaries involved. The context makes the candidates obvious. CENTCOM’s area of responsibility includes the Gulf, where US forces are currently in active confrontation with Iranian military assets over the Strait of Hormuz. Iran, along with its network of proxy forces across Iraq, Syria, and Yemen, has both the motivation and the documented capability to purchase and exploit commercial data. Russian military intelligence has been publicly linked to systematic exploitation of open-source data for targeting purposes since well before the invasion of Ukraine. Chinese state actors have invested heavily in commercial data acquisition as part of a broader intelligence-gathering strategy that US counterintelligence officials have described as the most sophisticated sustained foreign intelligence operation ever directed against the United States.
None of these actors need to hack a classified system to acquire commercially available location data. They need a credit card and a broker relationship. The entire apparatus of US classification, compartmentalization, and physical security that governs access to military information has a gap the size of the App Store running straight through it.
The Legislative Response and Why It Has Stalled
Senator Wyden has introduced and championed legislation that would close the data broker loophole, including provisions that would prevent agencies from buying location, device, and identity data from commercial brokers to sidestep traditional Fourth Amendment protections, restore independent oversight of surveillance programs, and require greater transparency from the intelligence community. Similar measures have been introduced with bipartisan support in both chambers. The Fourth Amendment Is Not For Sale Act passed the House with bipartisan support in 2024. None of these efforts have become law.
The data broker industry has resisted regulation through the standard toolkit of well-funded lobbying: framing data collection as a consumer benefit, arguing that restrictions would harm the digital economy, and pointing to voluntary industry guidelines as an alternative to statutory requirements. The Interactive Advertising Bureau and the Association of National Advertisers did not return requests for comment on the CENTCOM disclosure. Their silence on a story this significant is its own form of statement.
The argument that commercial data privacy is primarily a consumer issue has now collided with a hard counter-argument: it is also a matter of whether American soldiers come home alive. That reframing does not guarantee legislative action, but it changes the political cost of continued inaction in ways that industry lobbyists will find harder to manage.
What Needs to Happen
The policy responses available to Congress and the Defense Department are not complicated in concept, even if they are contested in practice. Legislation mandating that data brokers verify the identity and nationality of purchasers before selling sensitive location data would raise the barrier to adversarial access. Restrictions on the sale of data derived from devices operating within or near military installations would reduce the exposure at source. Requirements that app developers provide genuinely meaningful consent interfaces, rather than the buried permission toggles that currently govern most data collection, would reduce the volume of military personnel data entering the commercial pipeline in the first place.
The Defense Department has its own obligations here as well. Guidance issued to military personnel about app usage, device management in theater, and the specific data flows generated by consumer applications has historically been inconsistent and inadequately enforced. The assumption that operational security can be maintained through classified channels while personnel freely use commercial smartphones running dozens of data-harvesting applications is no longer tenable in light of this week’s disclosure.
Every soldier with a smartphone has a digital shadow. That shadow has a price tag. Whether the response becomes a breakthrough or another expensive detour will depend on whether the institutions responsible for national security are willing to confront a threat that was built by an industry whose products they use every day. The CENTCOM letter made the threat official. What the government does with that acknowledgment is the question that now sits unanswered in Washington.
The missiles and drones guided by advertising data do not care about quarterly earnings calls. The people they are aimed at deserve better than a marketplace that treats their location as a commodity and their safety as someone else’s problem.
