Using a personal smartphone in a combat zone, especially apps with location services enabled, creates a serious, exploitable risk. Adversaries no longer need sophisticated hacking; they can simply buy your location trail from commercial data brokers.
U.S. Central Command (CENTCOM) has acknowledged receiving multiple reports that foreign adversaries are exploiting commercially available cell phone location data to surveil and target American service members in active war zones, as first reported by Reuters. This is particularly concerning in CENTCOM’s area of responsibility, including the volatile Persian Gulf region amid heightened tensions with Iran.
In a letter dated April 14, 2026, and shared with Congress by U.S. Senator Ron Wyden (D-OR) on May 28, 2026, CENTCOM acknowledged receiving multiple threat reports detailing how adversaries are purchasing commercially available location data from data brokers, often with nothing more than a credit card.”
The CENTCOM letter warned that “commercial location data can be used to identify where U.S. troops congregate and their pattern of life, which can be exploited by adversaries to target attacks such as missiles, drones, and roadside bombs.”
This represents the first official U.S. acknowledgment of such threats in an active conflict zone.
This issue dates back to incidents like the 2018 Strava heatmap that inadvertently exposed U.S. bases and patrol routes. The problem has persisted and worsened with the explosion of ad-tech and data brokers. The Pentagon has issued guidance over the years (e.g., restricting GPS-enabled devices in operational areas), but enforcement and awareness remain challenging, especially with personal devices.
On May 28, 2026, Senator Ron Wyden, Rep. Pat Harrigan (R-NC, former Special Forces), and a bipartisan group of 12 other lawmakers sent a letter to the Pentagon’s Chief Information Officer. In their letter, they sharply criticized the Department of Defense for failing to implement adequate safeguards and urged immediate action, including disabling advertising IDs, restricting location sharing, phasing out vulnerable browsers such as Google Chrome, and enforcing stricter Operational Security (OPSEC).
The letter specifically noted that browsers like Chrome “are built from the ground up to collect and share user data.”
As reported by the New York Post, major adtech companies were contacted for comment. Two large firms did not respond. Google defended its Chrome browser, stating it features “industry-leading security” and that it has “long advocated for stronger rules and safeguards against data brokers.”
The broader implications are clear: adversaries no longer need sophisticated hacking techniques — U.S. service members’ everyday apps are doing the work for them. Protecting troop locations is not merely a technical issue; it is fundamental to maintaining deterrence and ensuring America projects strength rather than exploitable weakness.
Critics argue that decades of weak data privacy regulations and the unchecked growth of the adtech industry have left U.S. forces exposed.
America’s military cannot prevail if its movements are sold on the open market.
