For nearly a decade, the Pentagon was warned—by its own contractors, analysts, and intelligence agencies—that anyone with a credit card could buy a map of where American troops sleep, work, and store nuclear weapons. Now the bill has come due in a war zone.
A newly disclosed letter shows the warnings went unheeded: US Central Command now confirms it has received “multiple threat reports concerning adversary exploitation of commercial location data to target or surveil US personnel in theater”—the first official acknowledgment that the data-broker economy is being used to hunt American forces in the Middle East.
The targeting was first reported by Reuters, which obtained the Centcom letter. But the confirmation lands atop a record that is longer and more damning than the single document suggests.
For the better part of a decade, US lawmakers have heard the same alarms about the dangers of commercially available location data that the Pentagon did—from the same intelligence assessments, from witnesses, from their own colleagues. Yet comprehensive privacy legislation has repeatedly stalled in Washington, and the one narrow fix that did pass—a requirement that data shared with military contractors not be resold—left the broader industry untouched.
One of the earliest warnings came in 2016. At the Joint Special Operations Command compound at Fort Bragg, California, a government technologist briefing senior officers demonstrated how commercial location data—bought, not hacked—could track phones from Fort Bragg and MacDill Air Force Base in Florida, the home stations of America’s most elite units, through Turkey and into northern Syria, where they clustered at a covert forward operating base. The same data was available to any advertiser or foreign intelligence service.
Even as the Pentagon was warned that the location-data marketplace was placing its own people in danger, parts of the department were eager to become its customers. The Defense Intelligence Agency disclosed to Congress in 2021 that it uses commercially purchased phone location data—including on Americans—without a warrant, taking the position that none is required. Months earlier, Motherboard reported that the US military was buying location data harvested from popular consumer apps.
In 2023, the Army paid to have the threat spelled out. Researchers at Duke University—working under a grant from the US Military Academy at West Point—set out to buy data on American service members the way a foreign adversary might. They scraped hundreds of data broker websites and found thousands of listings advertising data on military personnel, including datasets titled “Military Families Mailing List” and “Hard Core Military Families.”
The researchers started buying. For as little as 12 cents a record, with almost no vetting, they purchased names, home addresses, health conditions, and financial details on active-duty troops. Posing as a buyer operating through a Singapore-based domain, they also obtained the same kind of data geofenced to Fort Bragg, Quantico, and other installations. One broker offered to skip its identity check if they paid by wire.
A year later, WIRED found the same kind of data flowing through Google’s own advertising platform. Working with data obtained by the Irish Council for Civil Liberties—whose investigator had gained access to a US broker’s audience lists by standing up a fake analytics firm—WIRED identified marketing “segments” on Google’s Display & Video 360 that singled out US government employees deemed “decisionmakers” working “specifically in the field of national security,” alongside lists targeting people who work for companies licensed to build missiles, space-launch vehicles, and the cryptographic systems that protect classified data.
The Irish Council for Civil Liberties investigator said he expected to have his cover story tested. “When I signed up, there was no questions asked whatsoever,” he told WIRED at the time. “I could have been anybody.”
