The Pentagon has officially confirmed what security researchers have warned about for a decade: commercial location data harvested from smartphones is being actively exploited by adversaries to surveil and target US service members in active war zones. In responses to questions from Sen. Ron Wyden, US Central Command reported receiving multiple threat reports of adversaries using this data for pattern-of-life analysis, enabling attacks via missiles, drones, roadside bombs, and counterintelligence operations. This marks the first public acknowledgment of such targeting in an active theater, likely tied to operations in the Middle East involving Iranian threats.[1][2]

This vulnerability is not new. In 2016, contractor Mike Yeagley briefed JSOC leadership, demonstrating how he tracked phones from US special operations hubs in North Carolina and Florida to a covert forward operating base at an abandoned cement factory in Syria near an ISIS stronghold. The briefing caused immediate alarm; officers relocated to a secure room upon realizing the data came from unregulated commercial brokers rather than hacks. Despite this wake-up call, little systemic action followed. A 2024 Wired investigation, partnering with German reporters, purchased a sample of billions of location coordinates and identified thousands of devices pinging at or near sensitive US military and intelligence sites in Germany, revealing entry points, guard schedules, and operational patterns.[3]

The broader, under-discussed pattern is clear: surveillance capitalism has created a thriving open market in granular personal data that state actors and their proxies can purchase at low cost. Data brokers aggregate signals from advertising IDs, apps, and fitness devices, often without meaningful consent or security controls. Sen. Wyden, joined by a bipartisan group of 14 lawmakers including Rep. Pat Harrigan, recently warned the Pentagon's CIO that DOD has failed to implement basic safeguards like disabling ad tracking IDs on service devices, restricting location sharing, or replacing vulnerable browsers such as Chrome. They explicitly called the adtech industry a national security threat.[2]

Mainstream coverage has focused narrowly on the immediate force protection issue, but the implications run deeper. Private-sector tracking creates persistent digital exhaust that adversaries like Iran, China, or Russia can fuse with other intelligence for targeting not just deployed troops but potentially their families stateside or retired personnel. The same datasets that power targeted advertising can de-anonymize movements around sensitive installations, turning commercial surveillance into a distributed intelligence network. Incidents like the Iranian drone strike on a Bahrain hotel housing US and Israeli personnel—where officials reportedly built a "target bank"—hint at how this data may already inform real operations, even if methodologies remain classified.

This represents a profound shift: nation-states no longer need sophisticated SIGINT infrastructure when data brokers democratize access to pattern-of-life intelligence. Despite NSA and CISA recommendations, DOD's slow response reveals institutional reluctance to confront the power of the surveillance economy. Until commercial data flows to adversaries are severed at the source, US service members will remain vulnerable in ways that traditional operational security cannot fully mitigate. The national security community must treat data brokers as de facto intelligence auxiliaries and regulate the underlying ecosystem accordingly.