The Pentagon Knew Enemies Could Track Troops’ Phones for Years. Now They Are | WIREDSkip to main contentMenuSECURITYPOLITICSTHE BIG STORYBUSINESSSCIENCECULTUREREVIEWSMenuAccountAccountNewslettersSecurityPoliticsThe Big StoryBusinessScienceCultureReviewsChevronMoreExpandThe Big InterviewMagazineEventsWIRED InsiderWIRED ConsultingNewslettersPodcastsVideoLivestreamsMerchSearchSearchSecurityMay 28, 2026 12:59 PMThe Pentagon Knew Enemies Could Track Troops’ Phones for Years. Now They AreThe US military has long known that cheap fixes could stop location data from exposing its troops. It adopted almost none—and now says adversaries are using the data to target soldiers during a war.Photo-Illustration: Jobanny Cabrera; Getty ImagesCommentLoaderSave StorySave this storyCommentLoaderSave StorySave this storyFor nearly a decade, the Pentagon was warned—by its own contractors, analysts, and intelligence agencies—that anyone with a credit card could buy a map of where American troops sleep, work, and store nuclear weapons. Now the bill has come due in a war zone.A newly disclosed letter shows the warnings went unheeded: US Central Command now confirms it has received “multiple threat reports concerning adversary exploitation of commercial location data to target or surveil US personnel in theater”—the first official acknowledgment that the data-broker economy is being used to hunt American forces in the Middle East.The targeting was first reported by Reuters, which obtained the Centcom letter. But the confirmation lands atop a record that is longer and more damning than the single document suggests.For the better part of a decade, US lawmakers have heard the same alarms about the dangers of commercially available location data that the Pentagon did—from the same intelligence assessments, from witnesses, from their own colleagues. Yet comprehensive privacy legislation has repeatedly stalled in Washington, and the one narrow fix that did pass—a requirement that data shared with military contractors not be resold—left the broader industry untouched.One of the earliest warnings came in 2016. At the Joint Special Operations Command compound at Fort Bragg, California, a government technologist briefing senior officers demonstrated how commercial location data—bought, not hacked—could track phones from Fort Bragg and MacDill Air Force Base in Florida, the home stations of America's most elite units, through Turkey and into northern Syria, where they clustered at a covert forward operating base. The same data was available to any advertiser or foreign intelligence service.Even as the Pentagon was warned that the location-data marketplace was placing its own people in danger, parts of the department were eager to become its customers. The Defense Intelligence Agency disclosed to Congress in 2021 that it uses commercially purchased phone location data—including on Americans—without a warrant, taking the position that none is required. Months earlier, Motherboard reported that the US military was buying location data harvested from popular consumer apps.In 2023, the Army paid to have the threat spelled out. Researchers at Duke University—working under a grant from the US Military Academy at West Point—set out to buy data on American service members the way a foreign adversary might. They scraped hundreds of data broker websites and found thousands of listings advertising data on military personnel, including datasets titled “Military Families Mailing List” and “Hard Core Military Families.”The researchers started buying. For as little as 12 cents a record, with almost no vetting, they purchased names, home addresses, health conditions, and financial details on active-duty troops. Posing as a buyer operating through a Singapore-based domain, they also obtained the same kind of data geofenced to Fort Bragg, Quantico, and other installations. One broker offered to skip its identity check if they paid by wire.A year later, WIRED found the same kind of data flowing through Google's own advertising platform. Working with data obtained by the Irish Council for Civil Liberties—whose investigator had gained access to a US broker’s audience lists by standing up a fake analytics firm—WIRED identified marketing “segments” on Google's Display & Video 360 that singled out US government employees deemed “decisionmakers” working “specifically in the field of national security,” alongside lists targeting people who work for companies licensed to build missiles, space-launch vehicles, and the cryptographic systems that protect classified data.The Irish Council for Civil Liberties investigator said he expected to have his cover story tested. “When I signed up, there was no questions asked whatsoever,” he told WIRED at the time. “I could have been anybody.”A previous investigation by WIRED had already shown what that exposure looked like in practice: In late 2024, working with the German outlets Bayerischer Rundfunk and Netzpolitik.org, reporters obtained a “free sample” of location data from a Florida broker—3.6 billion coordinates tied to roughly 11 million phones in Germany over a two-month span.Inside it were the daily movements of American military and intelligence personnel stationed in the country: 12,313 devices that passed through at least 11 US installations, from the Army's European headquarters at Wiesbaden to the schools where service members’ children are taught. Reporters traced devices inside Büchel Air Base, where US nuclear weapons are believed to be stored in hardened bunkers, and watched others zigzag through an armored-vehicle course at Grafenwöhr—one of the bases that a pair of alleged saboteurs had been arrested for scouting months prior.Asked about the tracking, a Pentagon spokesperson told WIRED at the time that the department was aware that geolocation services could put personnel at risk and urged service members to remember their training and follow operational security protocols—the same individual-responsibility framing that the Army's own commissioned research had already shown was insufficient.The warnings also came from inside the Army's own research arm. In a May 2025 technical report, the Army Cyber Institute at West Point found that more than a fifth of the most-visited web domains on the service's stateside unclassified networks were commercial trackers—and that the fixes required “minimal funding or resources.” Among its recommendations: Restrict the installation of Google’s Chrome browser on Army workstations, noting it was the only major browser that had declined to block the third-party cookies used to follow users across the web. A year later, a bipartisan group of lawmakers writing to the Pentagon are now asking for the same thing.The letter, independently obtained by WIRED and signed by 14 members of both parties, lays out the case against the Pentagon in detail. The department, they wrote, has known about the threat for more than a decade and “failed to adopt commonsense cyber defenses” recommended by its own government's experts. It presses the department's chief information officer, Kirsten Davies, to do the things that have been on the table for years: Disable the advertising ID on military phones, pull Chrome from government devices in favor of privacy-focused browsers, and enroll service members in state data-broker opt-out systems.Pointedly, the lawmakers press the Pentagon over what it had done about the Army Cyber Institute's recommendations—and how it had used a 2017 law, already on the books, authorizing cyber protection for personnel in positions “highly vulnerable” to attack. The most damning detail is a matter of timing: Centcom had confirmed that it had only rolled out the ability to switch off location sharing on government smartphones this month—roughly 10 years after the first warning.Earlier this month, the Army told soldiers to start using their own personal phones for government work—the same phones that broadcast advertising IDs and feed location to the very brokers at the heart of the threat. The Army says its own access stops at a walled-off work app, leaving a soldier’s texts, photos, and browsing private. But data brokers face no such walls, as its own researchers have already pointed out.Sean Vitka, executive director of Demand Progress, a privacy group that has lobbied Congress to rein in the data trade, tells WIRED that the House passed significant legislation two years ago that would have barred the government from subsidizing the industry, only for a handful of surveillance-minded lawmakers in both parties to block it—and for Senate leadership to decline to bring it to a vote, even after the last election.“Despite the bad-faith claims of policymakers who consistently wield their power to undermine privacy, surveillance is not inherently good for security,” Vitka says. “And the public can now see disturbing evidence proving privacy is not only a core human right but also critical to keeping people safe.”The Pentagon did not immediately respond to questions for this story.CommentsBack to topTriangleYou Might Also LikeHow to find us: Add WIRED.com to your preferred sources in GoogleHow the Canvas hack threatened thousands of schoolsBig Story: I've covered robots for years—this one is eerily lifelikeOrbs, saucers, and flashes on the moon—here’s what’s in the UFO filesTake our survey: What does “home” mean to you?TopicsprivacysurveillancedatasecuritycybersecurityMilitarydepartment of defensedata brokersRead MoreHackable Robot Lawn Mower Unlocks a New NightmarePlus: Meta officially kills encrypted Instagram DMs, the Trump administration targets “violent left wing extremists,” leaked documents reveal Russia's school for elite hackers, and more.Matt BurgessCybercriminal Twins Caught After They Forgot to Turn Off Microsoft Teams RecordingPlus: Instructure’s Canvas ransomware debacle comes to a close, an alleged dark net market kingpin gets arrested, OpenAI workers fall victim to a supply chain attack, and more.Andrew CoutsMeet Rassvet, Russia’s Answer to StarlinkWith the launch of the first 16 satellites, Russia begins construction of a network for satellite internet that aims to cover the entire country by 2030. But getting there won’t be easy.Lucia Bellinello90,000 Screenshots of One Celebrity's Phone Were Exposed OnlineSpyware appears to have captured everything from intimate photos to private messages from the smartphone of European celebrity. They were publicly accessible until a researcher flagged the exposure.Matt BurgessYour iPhone Gets Stolen. Then the Hacking BeginsA bustling underground ecosystem is providing criminals with the tools to unlock iPhones—and wage phishing attacks against their contacts to access bank accounts and more.Matt Burgess‘Creepy’ Listening Tool for Targeted Ads Didn’t Actually Work, FTC SaysThree firms will pay nearly $1 million for selling “Active Listening” technology that they claimed tapped people’s phones for advertising. The FTC alleges the “tech” was just pricey email lists.Maddy VarnerA Bipartisan Amendment Would End Police License Plate Tracking NationwideOne line tucked into a federal highway bill would strip funds from cities and states unless they kill their automated plate tracking programs—effectively banning the tech for all but toll collection.Dell CameronScammers Are Using Your Real Hotel Reservations to Trick You With Spear-Phishing AttacksCustomer data from more than 350 hotels around the world may have been accessed as part of realistic reservation-hijacking scams.Matt BurgessData Brokers’ and AI Firms’ Opt-Out Forms Are Built to Fail, Report FindsA new study finds AI companies, defense firms, and dating apps are among 38 data collectors allegedly using manipulative design to confuse users while collecting their data.Dell CameronDHS Plans Experiment Running ‘Reconnaissance’ Drones Along the US-Canada BorderAutonomous drones and ground vehicles will stream “battlefield intelligence” over 5G along the US-Canada border in a bilateral DHS experiment this fall.Dell CameronDisneyland Now Uses Face Recognition on VisitorsPlus: The NSA tests Anthropic’s Mythos Preview to find vulnerabilities, a Finnish teen is charged over the Scattered Spider hacking spree, and more.Andrew CoutsThousands of Vibe-Coded Apps Expose Corporate and Personal Data on the Open WebCompanies like Lovable, Base44, Replit, and Netlify use AI to let anyone build a web app in seconds—and in thousands of cases, spill highly sensitive data onto the public internet.Andy GreenbergWIRED is obsessed with what comes next. Through rigorous investigations and game-changing reporting, we tell stories that don’t just reflect the moment—they help create it. When you look back in 10, 20, even 50 years, WIRED will be the publication that led the story of the present, mapped the people, products, and ideas defining it, and explained how those forces forged the future. WIRED: For Future Reference.More From WIREDSubscribeNewslettersLivestreamsTravelFAQWIRED StaffWIRED EducationEditorial StandardsArchiveRSSSite MapAccessibility HelpReviews and GuidesReviewsBuying GuidesStreaming GuidesWearablesCouponsGift GuidesAdvertiseContact UsManage AccountJobsPress CenterCondé Nast StoreUser AgreementPrivacy PolicyYour California Privacy Rights© 2026 Condé Nast. All rights reserved. WIRED may earn a portion of sales from products that are purchased through our site as part of our Affiliate Partnerships with retailers. The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of Condé Nast. Ad ChoicesSelect international siteUnited StatesLargeChevronItaliaJapónCzech Republic & SlovakiaFacebookXPinterestYouTubeInstagramTiktok

The U.S. military and the Pentagon possessed warnings for nearly a decade regarding the danger of commercial location data exposing troop locations, yet these warnings were largely disregarded, leading to new disclosures about how adversaries are now exploiting this data to target American forces in theaters of war. A newly released letter from US Central Command serves as the first official acknowledgment that the data-broker economy is being utilized to hunt and surveil U.S. personnel in the Middle East.

One of the earliest warnings concerned the potential for commercial location data to track mobile phones from elite units, such as those at Fort Bragg and MacDill Air Force Base, demonstrating how this data could be traced through international routes to forward operating bases. Despite these warnings from contractors, analysts, and intelligence agencies, comprehensive privacy legislation stalled in Washington, leaving the broader industry unregulated. The narrow fix that did pass, requiring data shared with military contractors not be resold, failed to address the larger issue of location data commodification.

The failure to act is further exemplified by internal departmental actions. The Defense Intelligence Agency disclosed in 2021 its use of commercially purchased phone location data, including data on Americans, without a warrant, asserting that warrants were unnecessary. Furthermore, the military had previously purchased location data harvested from popular consumer applications. Research conducted by the Army Cyber Institute at West Point in May 2025 found that more than a fifth of the most-visited web domains on stateside unclassified networks were commercial trackers, and the institute recommended steps like restricting the installation of the Google Chrome browser to block third-party cookies, noting that these fixes required minimal resources.

A significant body of research also focused on the direct exploitation of this data. In 2023, researchers at Duke University, supported by the US Military Academy at West Point, attempted to emulate adversarial practices by scraping data broker websites to purchase information on American service members, including datasets detailing military families and geofenced locations associated with installations like Fort Bragg and Quantico. These researchers were able to acquire personal details, including home addresses and financial information, from brokers, underscoring the vulnerability of military personnel data.

Investigations into the flow of this data have exposed its practical application. Through investigations, such as the one conducted by WIRED with German and other outlets, reporters have traced location data from brokers to reveal the daily movements of American military and intelligence personnel stationed abroad, showing how devices passed through installations and monitored sensitive locations, including those housing nuclear weapons. This data demonstrated that exposure could track movement between bases and even facilities where allegedly hostile activities took place.

The revelations highlight a substantial gap between security concerns and privacy protections. Lawmakers who heard these alarms failed to enact meaningful privacy legislation, and the response from the Pentagon and its experts did not adequately address the recommended safeguards. The letter independently obtained by WIRED detailed the department's knowledge of the threat for over a decade and pressed its chief information officer to implement measures such as disabling advertising IDs on military phones, switching to privacy-focused browsers, and enrolling service members in opt-out systems. The timeline further emphasized the delay, as location sharing controls were only rolled out months after the initial warnings were issued.

The situation is complicated by the internal contradiction regarding data access control. While the Army communicated that access to personal phones is limited to a specific work application, the data brokers operate without such limitations. This discrepancy underscores the argument presented by privacy advocates, such as Sean Vitka, that surveillance is not inherently beneficial for security and that privacy is critical for safety. The ongoing pressure stems from the realization that data brokers, including AI firms, are utilizing manipulative designs in their data collection practices, further complicating efforts to secure the information of government personnel involved in national security matters.