Lawmakers Warn Foreign Adversaries Are Tracking US Troops Overseas via Commercial Data
TL;DR
U.S. Central Command has confirmed receiving multiple threat reports of foreign adversaries exploiting commercially available location data to target American military personnel in active war zones, with service members and families receiving direct threats from Iranian-linked actors. A bipartisan group of 14 lawmakers is demanding the Pentagon take immediate action, citing a decade of inaction despite warnings — while the broader data broker industry, worth over $250 billion, continues to lobby against privacy restrictions that would close the gap.
On April 14, 2026, U.S. Central Command sent Congress a quiet admission with loud implications: it "has received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil U.S. personnel in theater". The disclosure, extracted through congressional pressure, marks the first official Pentagon confirmation that foreign adversaries have used commercially purchased smartphone data to track American troops in active war zones.
The revelation prompted a bipartisan group of 14 lawmakers — led by Sen. Ron Wyden (D-OR) and Rep. Pat Harrigan (R-NC) — to fire off a letter to the Department of Defense demanding immediate countermeasures. Their message was blunt: the Pentagon "has not taken basic steps to protect U.S. military personnel from the serious counterintelligence and force protection threat posed by the collection and sale of personal information, including cell phone location data, by data brokers".
The Threat: From Advertising Profiles to Missile Coordinates
The mechanics are straightforward. Every smartphone carries an advertising identifier — a unique tracking number that ad-tech firms and data brokers use to monitor a device's movements across apps and services. When a soldier in the Persian Gulf opens a weather app, checks social media, or browses the web, that advertising ID broadcasts a precise GPS coordinate to dozens of data aggregators. Those aggregators package and resell the data on the open market.
The resulting datasets can reveal where troops congregate, their daily routines, travel patterns between bases, and their off-duty movements. As Wyden's letter stated, "commercial location data can be used to identify where U.S. troops congregate and their pattern of life, which can be exploited by adversaries to target attacks". In practice, this means the information needed to plan a drone strike, a roadside bomb, or a targeted assassination is available to anyone with a credit card.
This is not hypothetical. As far back as 2016, a defense contractor demonstrated that commercially available location data could track special operations forces from their bases in the United States to a sensitive staging post in Syria — an abandoned cement factory that served as a covert operations hub. In 2017, the fitness app Strava's global heatmap inadvertently exposed the locations of U.S. military installations across the Middle East, including personnel jogging routes around classified facilities. The running app Polar similarly revealed military personnel locations and potential home addresses.
Families Under Threat
The consequences have moved beyond theoretical risk. Service members and their families across at least three military branches — Air Force, Marine Corps, and Navy — have received direct threats from actors linked to Iran's Islamic Revolutionary Guard Corps (IRGC) following U.S. strikes against Iran.
These threats arrived via email, social media, text messages, and even in-person inquiries at hotels in Gulf countries. The threatening messages contained personal details including service members' names, their spouses' and children's identities, home addresses, children's school information, and current temporary locations.
"It's scary and it's silencing," said Sarah Streyder, executive director of the Secure Families Initiative, describing the chilling effect on military families. Affected individuals declined media interviews, citing safety concerns and fears of retaliation. The U.S. Navy distributed guidance in April 2026 on securing devices and reporting suspicious messages, but the broader systemic vulnerability remains unaddressed.
A Decade of Warnings, Months of Action
The Pentagon's response timeline is central to the congressional criticism. After the Strava incident in January 2018, Deputy Defense Secretary Patrick Shanahan issued a directive prohibiting geolocation-sharing apps in designated operational areas. But the policy had a critical gap: it relied on individual soldiers to disable location features on their devices, with commanding officers given discretion over enforcement.
Eight years later, basic protections still had not been implemented. CENTCOM told lawmakers it only rolled out the capability to administratively disable location sharing on government-issued smartphones in May 2026 — meaning that until last month, the military lacked even the technical ability to centrally shut off location broadcasts on its own phones.
More critically, advertising identifiers remain active on government-issued devices despite longstanding recommendations from the National Security Agency and the Cybersecurity and Infrastructure Security Agency to disable them. DISA, the Defense Information Systems Agency, confirmed it is only now "testing" a capability to deactivate these IDs. The lawmakers' letter called this "a direct result of DOD leadership's failure to prioritize this threat and implement common sense cyber defenses".
What $10,000 Buys on the Open Market
The scale of available data is staggering. A 2023 study by Duke University's Sanford School of Public Policy found that researchers could purchase sensitive data about active-duty military members, veterans, and their families from data brokers for as little as $0.12 per record. The team acquired nearly 50,000 service members' records for roughly $10,000, including names, phone numbers, addresses, children's names, marital status, net worth, credit ratings, and — critically — geolocation data tied to sensitive military installations like Fort Bragg and Quantico.
The Duke researchers tested broker vetting practices by contacting companies from both a U.S. domain (.org) and a foreign domain (.asia). They found "data broker methods of determining the identity of customers are inconsistent and evidence a lack of industry best-practices". Some brokers sold the data with essentially no verification of the buyer's identity or intentions.
The data for sale extended beyond location to include information about mental health conditions, personal debts, and religious practices — material that could be used for blackmail or recruitment by foreign intelligence services.
The Legal Landscape: Executive Orders and Stalled Bills
The regulatory framework governing this data is a patchwork of incomplete measures. In February 2024, President Biden signed Executive Order 14117, titled "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern". The order targeted China, Russia, Iran, North Korea, Cuba, and Venezuela, directing the Department of Justice to restrict transfers of sensitive data including precise geolocation information.
The DOJ published final implementing regulations in January 2025, with prohibitions taking effect on April 8, 2025. Penalties for violations can reach $368,136 in civil fines or up to $1 million and 20 years imprisonment for willful criminal violations.
But enforcement gaps persist. The executive order addresses bulk transfers to designated countries of concern but does not regulate the broader data broker ecosystem. Intermediaries, shell companies, and third-country transfers can obscure the ultimate buyer's identity. And the order does nothing to prevent domestic data collection — the foundational activity that makes the data available in the first place.
On the legislative front, the House passed the Fourth Amendment Is Not For Sale Act (FAINSA), which would prohibit the government from purchasing communications and geolocation data that would otherwise require a warrant. The bill passed 219-199 but has not advanced in the Senate. The American Data Privacy and Protection Act (ADPPA), a broader federal privacy bill, has similarly stalled amid industry opposition and jurisdictional disputes between congressional committees.
The Constitutional Tension
Civil liberties organizations have identified a paradox at the center of this debate. The ACLU has documented that federal agencies — including the Department of Homeland Security, FBI, IRS, and Drug Enforcement Administration — routinely purchase location data from brokers to bypass the Fourth Amendment's warrant requirement.
DHS spent millions of taxpayer dollars to buy access to cell phone location data from brokers Venntel and Babel Street. The practice exploits a gap in the 1986 Electronic Communications Privacy Act, which does not cover purchases from data brokers who have no direct relationship with consumers.
The Supreme Court's 2018 Carpenter v. United States decision held that accessing historical cell-site location records requires a warrant, but agencies argue this ruling applies narrowly to that specific data type, not to purchases from private brokers. The Brennan Center for Justice has warned that unfettered government access to broker data "can exacerbate existing biases in law enforcement" and enable targeting of marginalized communities, citing documented cases of monitoring Muslim prayer app users and tracking racial justice protesters.
This creates what legal scholars describe as a structural conflict of interest: Congress is being asked to regulate an industry whose products the government itself uses extensively. As the Brennan Center's analysis noted, federal agencies have a direct incentive to preserve the data broker loophole that lawmakers now claim threatens national security.
Who Profits, and Who Lobbies
The data broker industry generated more than $250 billion in revenue in 2022. The ecosystem includes not just specialized data brokers like Clearview AI, X-Mode (now Outlogic), and RELX, but also the broader ad-tech infrastructure — mobile app developers, advertising exchanges, and the telecommunications carriers that collect movement data as a byproduct of providing service.
Industry groups have fought privacy legislation at every level. Data brokers lobbied to block California's DELETE Act, which gave consumers limited rights to request deletion of their data from third-party brokers. At the federal level, the industry successfully weakened definitional language in proposed legislation, narrowing which firms would be classified as "data brokers" subject to regulation. Courts have also vacated FCC penalties against wireless carriers for selling consumer location data, further emboldening the industry.
The industry's core argument is that location data, when properly anonymized, poses minimal risk and that restricting its flow would cripple legitimate businesses including targeted advertising, urban planning, fraud detection, and academic research. Trade groups contend that the national security risk is better addressed through targeted military operational security measures than through broad commercial regulation that could stifle innovation.
What Peer Nations Have Done
The comparison with allied nations is instructive, if imperfect. The European Union's General Data Protection Regulation (GDPR), in effect since 2018, classifies precise location data as personal data subject to strict consent requirements and purpose limitations. Academic analysis has found that most data broker business models are "not compliant with the GDPR" due to fundamental problems in obtaining informed consent. European militaries benefit from this baseline protection — though enforcement remains uneven, and the GDPR was designed for consumer protection, not military operational security.
The United Kingdom, post-Brexit, maintains its own Data Protection Act 2018, modeled on GDPR principles. Israel maintains strict military operational security protocols that go beyond data regulation, including restrictions on social media use and personal device policies for personnel in sensitive roles. Australia has pursued sector-specific privacy reforms, though its approach to data brokers remains less comprehensive than the EU framework.
No allied nation has published evidence that GDPR-style regulation has measurably reduced foreign tracking of military personnel — in part because such incidents, if they occur, are classified. But the baseline protection against bulk commercial data sales that European law provides does narrow the attack surface compared to the essentially unregulated U.S. market.
The Pentagon's Internal Measures — and Their Limits
The Department of Defense has not been entirely passive. The 2018 directive on geolocation apps, while limited in enforcement, established the policy principle. Individual commands and units have issued supplemental guidance on personal device use in sensitive areas. The Navy's April 2026 advisory on securing devices represents the most recent iteration.
But military analysts point to several structural reasons these measures have proven insufficient. First, the 2018 policy focused on government-issued devices and specific apps, while the commercial data ecosystem collects location information passively through advertising networks embedded in virtually every app. A soldier who disables Strava but uses a mobile game or news app is still broadcasting coordinates. Second, the policy deferred enforcement to commanding officers, creating inconsistent application across units and theaters. Third, personal devices — which fall outside the military's administrative control — generate the same data and are carried by troops into the same sensitive locations.
The fundamental mismatch is between an operational security model built around restricting specific apps and a commercial surveillance infrastructure that operates at the network level, harvesting data from thousands of apps simultaneously through advertising software development kits embedded in their code.
The Steelman Case for Skepticism
Some analysts and industry observers argue that lawmakers are overstating the commercial data threat, or at minimum, using national security framing to advance broad data restrictions that would face greater scrutiny if proposed on domestic privacy grounds alone.
The skeptic's case rests on several points. First, the intelligence community already monitors for commercial data exploitation and has classified countermeasures in place. CENTCOM's disclosure that it has "received multiple threat reports" is itself evidence of active monitoring — the system, in this view, is working. Second, military operational security has always required discipline around communications and location exposure; the smartphone merely adds a new vector to a long-standing challenge. Third, the most prominent incidents — Strava, the 2016 contractor demonstration — were identified and publicized by researchers and journalists, not by adversary attacks, suggesting the threat has been more theoretical than operational.
Industry defenders further argue that the proposed remedies — particularly broad restrictions on data broker activity — would impose significant economic costs on a lawful industry while adversaries could still obtain location data through other means, including satellite imagery, human intelligence, and signals intercept. They contend that targeted operational security measures, properly enforced, would be more effective and less economically disruptive than sweeping regulation.
Against this, proponents of regulation note that CENTCOM's threat reports reference actual adversary exploitation, not mere vulnerability assessments. The threats received by military families from IRGC-linked actors included personal details consistent with commercially obtained data. And the ease with which Duke University researchers purchased military data for $0.12 per record suggests that whatever countermeasures exist have not addressed the supply side of the problem.
What Comes Next
The bipartisan composition of the congressional letter — with signatories ranging from progressive Democrats like Elizabeth Warren and Ed Markey to conservative Republicans like Scott Perry and Greg Steube — suggests that the political alignment for action may exist. But whether that alignment translates into legislation, executive action, or merely another round of hearings remains uncertain.
The lawmakers have demanded that DoD disable advertising identifiers on all agency smartphones, replace data-collecting web browsers with privacy-focused alternatives, and issue comprehensive guidance for personal device security overseas. These are tactical fixes. The strategic question — whether the United States will regulate the commercial data broker industry that makes this surveillance possible — remains unanswered, caught between national security imperatives, industry lobbying, the government's own appetite for warrantless data access, and an unresolved constitutional debate about what the Fourth Amendment means when private companies collect what the government cannot.