Cyber security troops participate in a training exercise at Camp Shelby, Miss., in this undated photo. A bipartisan group of lawmakers is pressing the Pentagon to better protect troops after commercially available location data was allegedly used to track and surveil U.S. forces deployed overseas. (Renee Seruntine/U.S. Air Force)
U.S. service members deployed overseas have been targeted or surveilled using commercially available location data, federal lawmakers said in a Thursday letter to the Pentagon demanding stronger protections for troops.
U.S. Central Command told Congress it had “received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil U.S. personnel in theater,” said the letter, which was signed by over a dozen Capitol Hill legislators from both parties.
The lawmakers said the disclosure marked the first time the Defense Department had confirmed that adversaries were using commercial location data to target U.S. military personnel in an active war zone. News of the letter was first reported by Reuters.
The CENTCOM area of responsibility includes the Persian Gulf region, where the U.S. and Iran have been engaged in a war since late February. Although a tenuous ceasefire between the U.S. and Iran is still in effect, talks aimed at ending the war have faltered.
The letter follows reporting by Stars and Stripes about threatening messages sent to U.S. service members assigned to units in the Middle East, including Bahrain.
Those messages, which appeared to come from the Iran-linked hacker group Handala Hack, said U.S. troops were under surveillance and could be hit by drones and missiles. Some messages were sent directly to troops via WhatsApp, Stars and Stripes reported.
Among the 14 signatories of the letter is Rep. Pat Harrigan, R-N.C., a former Army Special Forces officer.
The lawmakers urged the Defense Department to do more to address the risks posed by the commercial data industry, which collects and sells location information gathered from smartphones and apps.
“Commercial location data can be used to identify where U.S. troops congregate and their pattern of life, which can be exploited by adversaries to target attacks such as missiles, drones, and roadside bombs, as well as for counterintelligence purposes,” the lawmakers wrote.
Among the measures proposed in the letter are disabling advertising IDs on government-issued mobile devices, automatically disabling location-sharing services for personnel deployed in theater and replacing internet browsers that lawmakers said collect large amounts of user data.
“Every day these browsers remain on government-issued devices is another day we are handing our adversaries a weapon against our own troops,” Harrigan told Reuters.
The lawmakers also said they had unsuccessfully sought additional information from military officials about the reported incidents.
When contacted by Stars and Stripes on Thursday, CENTCOM said it had nothing to add to its written responses that were included in the letter.
In those responses, CENTCOM said personnel are permitted to use personal smartphones but are subject to restrictions under the command’s geolocation policy. The command said troops are directed to disable geolocation features when not needed, review privacy settings and limit public sharing of information.
CENTCOM also said the commander ordered the implementation of “FPCON Delta, All Measures” across the theater on Feb. 28, imposing what it described as its “most restrictive geolocation controls.”
In recent years, journalists and researchers have demonstrated how commercially available datasets can be used to track movements near sensitive U.S. military and intelligence facilities.
