The Pentagon Knew Enemies Could Track Troops’ Phones for Years. Now They Are

For nearly a decade, the Pentagon was warned—by its own contractors, analysts, and intelligence agencies—that anyone with a credit card could buy a map of where American troops sleep, work, and store nuclear weapons. Now the bill has come due in a war zone.

A newly disclosed letter shows the warnings went unheeded: US Central Command now confirms it has received “multiple threat reports concerning adversary exploitation of commercial location data to target or surveil US personnel in theater”—the first official acknowledgment that the data-broker economy is being used to hunt American forces in the Middle East.

The targeting was first reported by Reuters, which obtained the Centcom letter. But the confirmation lands atop a record that is longer and more damning than the single document suggests.

For the better part of a decade, US lawmakers have heard the same alarms about the dangers of commercially available location data that the Pentagon did—from the same intelligence assessments, from witnesses, from their own colleagues. Yet comprehensive privacy legislation has repeatedly stalled in Washington, and the one narrow fix that did pass—a requirement that data shared with military contractors not be resold—left the broader industry untouched.

One of the earliest warnings came in 2016. At the Joint Special Operations Command compound at Fort Bragg, California, a government technologist briefing senior officers demonstrated how commercial location data—bought, not hacked—could track phones from Fort Bragg and MacDill Air Force Base in Florida, the home stations of America's most elite units, through Turkey and into northern Syria, where they clustered at a covert forward operating base. The same data was available to any advertiser or foreign intelligence service.

Even as the Pentagon was warned that the location-data marketplace was placing its own people in danger, parts of the department were eager to become its customers. The Defense Intelligence Agency disclosed to Congress in 2021 that it uses commercially purchased phone location data—including on Americans—without a warrant, taking the position that none is required. Months earlier, Motherboard reported that the US military was buying location data harvested from popular consumer apps.

In 2023, the Army paid to have the threat spelled out. Researchers at Duke University—working under a grant from the US Military Academy at West Point—set out to buy data on American service members the way a foreign adversary might. They scraped hundreds of data broker websites and found thousands of listings advertising data on military personnel, including datasets titled “Military Families Mailing List” and “Hard Core Military Families.”

The researchers started buying. For as little as 12 cents a record, with almost no vetting, they purchased names, home addresses, health conditions, and financial details on active-duty troops. Posing as a buyer operating through a Singapore-based domain, they also obtained the same kind of data geofenced to Fort Bragg, Quantico, and other installations. One broker offered to skip its identity check if they paid by wire.

A year later, WIRED found the same kind of data flowing through Google's own advertising platform. Working with data obtained by the Irish Council for Civil Liberties—whose investigator had gained access to a US broker’s audience lists by standing up a fake analytics firm—WIRED identified marketing “segments” on Google's Display & Video 360 that singled out US government employees deemed “decisionmakers” working “specifically in the field of national security,” alongside lists targeting people who work for companies licensed to build missiles, space-launch vehicles, and the cryptographic systems that protect classified data.

The Irish Council for Civil Liberties investigator said he expected to have his cover story tested. “When I signed up, there was no questions asked whatsoever,” he told WIRED at the time. “I could have been anybody.”

A previous investigation by WIRED had already shown what that exposure looked like in practice: In late 2024, working with the German outlets Bayerischer Rundfunk and Netzpolitik.org, reporters obtained a “free sample” of location data from a Florida broker—3.6 billion coordinates tied to roughly 11 million phones in Germany over a two-month span.

Inside it were the daily movements of American military and intelligence personnel stationed in the country: 12,313 devices that passed through at least 11 US installations, from the Army's European headquarters at Wiesbaden to the schools where service members’ children are taught. Reporters traced devices inside Büchel Air Base, where US nuclear weapons are believed to be stored in hardened bunkers, and watched others zigzag through an armored-vehicle course at Grafenwöhr—one of the bases that a pair of alleged saboteurs had been arrested for scouting months prior.

Asked about the tracking, a Pentagon spokesperson told WIRED at the time that the department was aware that geolocation services could put personnel at risk and urged service members to remember their training and follow operational security protocols—the same individual-responsibility framing that the Army's own commissioned research had already shown was insufficient.

The warnings also came from inside the Army's own research arm. In a May 2025 technical report, the Army Cyber Institute at West Point found that more than a fifth of the most-visited web domains on the service's stateside unclassified networks were commercial trackers—and that the fixes required “minimal funding or resources.” Among its recommendations: Restrict the installation of Google’s Chrome browser on Army workstations, noting it was the only major browser that had declined to block the third-party cookies used to follow users across the web. A year later, a bipartisan group of lawmakers writing to the Pentagon are now asking for the same thing.

The letter, independently obtained by WIRED and signed by 14 members of both parties, lays out the case against the Pentagon in detail. The department, they wrote, has known about the threat for more than a decade and “failed to adopt commonsense cyber defenses” recommended by its own government's experts. It presses the department's chief information officer, Kirsten Davies, to do the things that have been on the table for years: Disable the advertising ID on military phones, pull Chrome from government devices in favor of privacy-focused browsers, and enroll service members in state data-broker opt-out systems.

Pointedly, the lawmakers press the Pentagon over what it had done about the Army Cyber Institute's recommendations—and how it had used a 2017 law, already on the books, authorizing cyber protection for personnel in positions “highly vulnerable” to attack. The most damning detail is a matter of timing: Centcom had confirmed that it had only rolled out the ability to switch off location sharing on government smartphones this month—roughly 10 years after the first warning.

Earlier this month, the Army told soldiers to start using their own personal phones for government work—the same phones that broadcast advertising IDs and feed location to the very brokers at the heart of the threat. The Army says its own access stops at a walled-off work app, leaving a soldier’s texts, photos, and browsing private. But data brokers face no such walls, as its own researchers have already pointed out.

Sean Vitka, executive director of Demand Progress, a privacy group that has lobbied Congress to rein in the data trade, tells WIRED that the House passed significant legislation two years ago that would have barred the government from subsidizing the industry, only for a handful of surveillance-minded lawmakers in both parties to block it—and for Senate leadership to decline to bring it to a vote, even after the last election.

“Despite the bad-faith claims of policymakers who consistently wield their power to undermine privacy, surveillance is not inherently good for security,” Vitka says. “And the public can now see disturbing evidence proving privacy is not only a core human right but also critical to keeping people safe.”

The Pentagon did not immediately respond to questions for this story.