The Pentagon Finally Admits That Location Data Is a Battlefield Problem

The Pentagon confirmed adversaries are using commercial location data to track U.S. troops, exposing risks tied to smartphones and ad-tech networks.
For years, security researchers, privacy advocates, and intelligence analysts have been warning about the same thing: smartphone location data isn’t just an advertising product. It’s surveillance infrastructure that anyone with enough money can access.
Now the Pentagon is saying the quiet part out loud. According to a letter from U.S. Central Command obtained by Senator Ron Wyden and reported by Reuters, American military personnel deployed in active conflict zones have already been targeted using commercially available location data. Not hypothetically. Not as a future risk. It’s happening.
The disclosure matters because it marks the first known official acknowledgment that adversaries are using the commercial data ecosystem to track or surveil U.S. troops in theater. CENTCOM stated that it had received multiple reports involving hostile actors exploiting commercial location data against deployed personnel.
“In a letter shared with Reuters by U.S. Senator Ron Wyden, an Oregon Democrat, U.S. Central Command said it had “received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil U.S. personnel in theater.”” reads the report published by Reuters. “The message, sent on April 14, offered no further specifics, but Centcom’s area of responsibility includes the Gulf, where U.S. forces are facing off against the Iranian military over the Strait of Hormuz.”
The details in the letter are revealing.
Asked whether military personnel are prohibited from carrying personal smartphones in theater, CENTCOM answered no. Instead, troops are instructed to limit geolocation exposure through operational security guidance and privacy controls. The problem is that even CENTCOM acknowledges those controls aren’t always enough.
“USCENTCOM’s geolocation risk guidance directs personnel to disable geolocation functionality when not needed; periodically review device and application privacy settings; and limit public sharing of information.” states the letter. “The guidance notes that disabling geolocation capabilities does not always fully disable them on commercial products, requiring personnel to implement comprehensive device security measures including privacy setting reviews.”
That’s a polite government way of saying your phone may continue generating useful tracking data even after you think you’ve turned the right switches off.
The command also confirmed that adversaries are actively exploiting the commercial data market.
“USCENTCOM has received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil US personnel in theater.” continues the letter. “The Threat Fusion Cell identified, tracked, and disseminated these threats through the USCENTCOM Threat Working Group and to component force protection personnel. Additionally, USCENTCOM has disseminated threat assessments to component force protection personnel demonstrating adversary capabilities to exploit commercial location data for targeting purposes.”
That sentence should probably have generated more headlines than it did.
Because the issue isn’t some advanced espionage capability reserved for intelligence agencies. The data often comes from ordinary apps, advertising networks, location brokers, and mobile tracking platforms that collect information from millions of devices every day. Once collected, it moves through a sprawling marketplace where buyers frequently have little visibility into who originally gathered it or where it eventually ends up.
Security researchers have warned about this for years. Back in 2018, Strava fitness data exposed sensitive military locations worldwide, as American and allied military personnel unknowingly shared exercise routes near bases in Afghanistan, Iraq, and Syria.
These maps clearly highlight otherwise hidden facilities and troop movements, creating serious security risks. Experts warn such data could help adversaries identify and target military sites, underscoring ongoing privacy issues with fitness trackers.
More recently, researchers demonstrated that commercially available datasets could identify military personnel, intelligence employees, and government contractors with alarming precision. The technology didn’t suddenly become more dangerous. People just kept ignoring the warnings.
Congress appears increasingly frustrated. In their letter to the Pentagon, lawmakers argued that commercial location data can reveal where troops gather, how they move, and what their daily patterns look like. That information can support surveillance operations, intelligence collection, drone targeting, missile attacks, or recruitment efforts by foreign intelligence services.
Government-issued devices reportedly have personalized advertising disabled through mobile device management controls. However, another advertising-related setting remains user configurable. CENTCOM says DISA is testing additional controls and is migrating devices to a new management platform that should allow location services to be fully disabled.
“the Personalized Advertising setting is disabled by group policy on the Mobile Device Management Server.” states the letter. “However, Ad Targeting Information is not disabled and can be edited by a user. DISA is currently testing implementation to disable the Ad Targeting Information setting on government-issued cell phones. USCENTCOM is currently migrating government-issued mobile devices to a new Mobile Device Management Server which will allow for location services to be completely disabled, estimated completion date is 6 May 26.”
That effort is welcome. It also raises an uncomfortable question.
If intelligence agencies, lawmakers, privacy researchers, and military cyber units have been discussing this problem for nearly a decade, why are some of these protections only arriving now?
Part of the answer is that the surveillance economy grew faster than security policy.
Location data became so normalized that many organizations stopped treating it as sensitive intelligence. Yet for a deployed soldier, a contractor working near a military base, or an intelligence officer traveling overseas, a smartphone can quietly become a beacon broadcasting behavioral patterns to anyone willing to buy access.
No zero-day required. No spyware required. Just an ad-tech ecosystem that was never designed with operational security in mind.
Or as many security professionals have been saying for years: if an app is free, somebody is still paying for the data. Sometimes that somebody isn’t a marketer.
