devtake.dev

Adversaries are tracking US troops with the same phone-location data advertisers buy

A Wired investigation and a CENTCOM letter to Senator Wyden confirm enemies are tracking US troops through commercial phone location data. Here's how the broker pipeline works.

Clara Wexler · 8 min read · 5 sources

Senator Ron Wyden wants the Pentagon to treat the ad-tech industry as a national security threat. After a fresh CENTCOM admission and a Wired investigation that mapped 11 US sites in Germany from phone data, he has a point that’s getting harder to wave off.

US Central Command has confirmed it received “multiple threat reports concerning adversary exploitation of commercial location data to target or surveil U.S. personnel in theater,” according to an April 14 letter shared with Wyden and reported by Military Times. It’s the first time the Defense Department has publicly admitted that US forces were targeted this way in an active war zone. The data doing the targeting isn’t classified or stolen. It isn’t even hard to get. It’s the same phone-location feed that advertisers buy every day.

That’s the part worth sitting with. A foreign military doesn’t need to hack a soldier’s phone to find out where a unit eats, sleeps, and patrols. The information leaks out the front door of the ad economy, gets pooled by data brokers, and ends up for sale. Reporters at Wired and two German outlets drew on billions of coordinates from a single broker to map the comings and goings of people stationed at or around 11 US military and intelligence sites in Germany. If a newsroom can do that on a journalism budget, so can a state adversary.

How your phone leaks where you are

Start with the app on your screen. Many free apps bundle an ad SDK, a chunk of advertising code from a third party. That code can read your device location in the background and send it to the SDK vendor, who is often in the business of reselling it. You agreed to “location access” once, for a weather widget or a coupon app, and that consent quietly funds a resale market you never see.

The second pipe is subtler. Every time an ad loads, your phone joins a bid stream: a real-time auction where the ad slot is offered to hundreds of potential buyers in milliseconds. Those bid requests can include your coordinates and a device identifier so advertisers can decide what to show you. Most “bidders” never win the auction, but they still receive the data, and some of them are not advertisers at all. They’re collectors who keep every packet.
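To make the bid-stream leak concrete, here is an added example (not from the article or its sources) of the fields a bid request can carry and one way a publisher-side filter could reduce them before the request reaches bidders. Field names follow the OpenRTB 2.x device, geo and user objects; the sample request, the function names and the one-decimal rounding are constructed assumptions.

```python
import copy

# OpenRTB 2.x fields that tie a bid request to one device or one person.
DEVICE_IDS = ("ifa", "didsha1", "didmd5", "dpidsha1", "dpidmd5",
              "macsha1", "macmd5", "ip", "ipv6")
USER_IDS = ("id", "buyeruid")
PRECISE_GEO = ("accuracy", "lastfix", "zip")
GEO_DECIMALS = 1  # assumption: one decimal place, roughly 11 km of latitude

# Constructed sample request; every value is made up for illustration.
SAMPLE = {
    "id": "req-0001",
    "app": {"bundle": "com.example.weather"},
    "device": {
        "ifa": "00000000-aaaa-bbbb-cccc-000000000001",
        "ip": "192.0.2.10",
        "os": "Android",
        "geo": {"lat": 40.123456, "lon": -75.654321, "type": 1, "accuracy": 12},
    },
    "user": {"id": "u-123", "geo": {"lat": 40.123456, "lon": -75.654321}},
}


def coarsen_geo(geo):
    """Round lat/lon and drop the fields that describe a precise fix."""
    out = {k: v for k, v in geo.items() if k not in PRECISE_GEO}
    for key in ("lat", "lon"):
        if key in out:
            out[key] = round(out[key], GEO_DECIMALS)
    return out


def minimize_bid_request(request):
    """Return a copy with persistent identifiers removed and location coarsened."""
    req = copy.deepcopy(request)  # never mutate the caller's request
    device, user = req.get("device", {}), req.get("user", {})
    for field in DEVICE_IDS:
        device.pop(field, None)
    for field in USER_IDS:
        user.pop(field, None)
    for holder in (device, user):
        if "geo" in holder:
            holder["geo"] = coarsen_geo(holder["geo"])
    return req


if __name__ == "__main__":
    print(minimize_bid_request(SAMPLE))
```

Without the advertising ID there is nothing to stitch successive requests together, and a rounded coordinate no longer resolves to a single building.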

Both pipes feed the same place. A data broker vacuums up coordinates from dozens of apps and bid-stream taps, stitches them to a persistent advertising ID, and sells the result. The pitch to advertisers is harmless-sounding: reach people who visited a car dealership. The same dataset reaches people who visited a forward operating base. Nothing about the plumbing distinguishes a soldier from a shopper.

The broker pipeline, and why it’s an OPSEC hole

Here’s the uncomfortable math. One coordinate is noise. A week of coordinates is a routine. A routine around a military site is an OPSEC failure, the slow kind where small harmless details add up to a targeting package.

Wyden spelled out the stakes plainly. “Commercial location data can be used to identify where U.S. troops congregate and their pattern of life,” he wrote, “which can be exploited by adversaries to target attacks such as missiles, drones, and roadside bombs, as well as for counterintelligence purposes.” That’s not speculation about a future risk. CENTCOM’s letter describes reports that it already happened.

The threat predates the latest letter by years. As far back as 2016, a US defense contractor was able to track special operations forces from their home bases all the way to a sensitive staging post in Syria, using nothing but commercially available location data. The capability has been on the shelf the whole time. What changed is that adversaries are now reaching for it, and the Pentagon has stopped pretending the gap doesn’t exist. Reuters reported the Pentagon declined to comment when asked directly.

We’ve seen this movie before

The location-data problem keeps resurfacing because nobody closed it the first time. In January 2018, an Australian student named Nathan Ruser noticed jogging routes glowing in the Syrian desert on Strava’s global heatmap. The app’s anonymized fitness data had traced the perimeters and patrol paths of US bases in Iraq, Afghanistan, and Syria, plus a suspected CIA site in Somalia. The Defense Department launched a review and tightened device rules. The ad-data market kept growing anyway.

Then came the brokers themselves. In 2024, privacy advocates handed 404 Media footage of Locate X, a phone-tracking tool built by Babel Street and sold to US agencies like ICE and CBP. Zooming into one Southern abortion clinic, the tool lit up with more than 700 red dots, each a phone, each a person. The advocates got access merely by claiming they were considering government contract work. The same reporting traced devices to a synagogue in Los Angeles, a mosque in Dearborn, and a school in Philadelphia. A tool that can do that to civilians can do it to a barracks.

What’s actually being done

The enforcement record is thin, and it just got thinner. The Federal Trade Commission did move in 2024: it ordered data broker X-Mode Social and its successor Outlogic to stop selling sensitive location data, the agency’s first such action. “With this action, the Commission rejects the premise so widespread in the data broker industry that vaguely worded disclosures can give a company free license to use or sell people’s sensitive location data,” said FTC Chair Lina Khan. Weeks later the FTC barred InMarket from selling precise location data too.

But those are single-company orders, not a market-wide rule. The one rule that might have reshaped the industry, the Consumer Financial Protection Bureau’s proposal to treat data brokers as consumer reporting agencies under the Fair Credit Reporting Act, was withdrawn in May 2025. The status quo stands: there’s no federal law stopping the sale of location data, so anyone with a budget can still buy it. The Defense Department issues OPSEC guidance and restricts devices in some theaters, but guidance can’t unsell data already on the market.

What this means for you

You aren’t deployed to a war zone, but the leak is the same plumbing. The coordinates that map a base also map your commute, your doctor, and your kid’s school, and they’re for sale right now. So do the cheap things. Reset your advertising ID (iOS: Settings, Privacy, Tracking; Android: Settings, Privacy, Ads), then turn it off. Switch app location permissions from “Always” to “While Using” or “Never,” especially for the worst SDK offenders: weather apps, mobile games, and coupon apps that have no real reason to know where you sleep. Delete apps you don’t use at all. None of that claws back data already sold, and that’s the honest limit here: individual hygiene shrinks tomorrow’s footprint, not yesterday’s.

The deeper problem is structural. Location data is treated by US law as ordinary commercial information, no different from a browser cookie, even though a month of coordinates is closer to a wiretap. The real fix is a federal rule that recognizes that gap and bars the open-market sale of precise location. The FTC’s one-company orders show the agency understands the harm. They just don’t scale to a market with hundreds of brokers. Until Congress acts, the hole the Pentagon finally admitted to stays open, and it’s open for your phone too, not only a soldier’s.

Quick reference

data broker
A company that buys, packages, and resells personal data it didn't collect directly; in cars, brokers like LexisNexis and Verisk turn driving records into risk scores sold to insurers.
ad SDK
Advertising software bundled inside an app; it can collect device location in the background and ship it to the SDK vendor, who may resell it.
bid stream
The real-time auction data broadcast when an ad loads. Each request can carry a device's location and identifiers to hundreds of bidders at once.
OPSEC
Operations security: the practice of denying an adversary the small, harmless-looking details that add up to actionable intelligence.

Frequently Asked

What is commercial location data and where does it come from?
It's the stream of GPS coordinates that apps collect through ad SDKs embedded in everyday software, plus location pulled from real-time ad auctions. Brokers buy it, package it, and resell it.
How can an adversary use phone data to target troops?
Coordinates around a base reveal patterns of life: when people arrive, where they cluster, which routes they take. Those patterns help an enemy time a strike or map a convoy route.
Is it legal to buy this data in the United States?
Mostly yes. There's no federal privacy law banning the sale of location data, so government agencies and private buyers can purchase it on the open market, often without a warrant.
Can a soldier or ordinary person opt out?
Partly. Resetting your advertising ID, denying apps background location, and deleting data-hungry apps all reduce your footprint. None of it removes data already sold.
Did anything change after the 2018 Strava leak?
The Defense Department issued device guidance and restricted fitness trackers in some zones. But the underlying ad-data market kept growing, which is why the same hole reopened.