Bipartisan Letter: Adversaries Exploit App Data to Hunt US Troops

A bipartisan group of 14 bipartisan lawmakers told the Pentagon this week that U.S. adversaries are using commercial smartphone advertising data to target American service members in the Middle East. The letter, dated May 28 and addressed to Defense Department Chief Information Officer Kirsten Davies, is what the signatories call the first official confirmation that the data-broker economy is being turned into a targeting tool in an active war zone. U.S. Central Command told lawmakers it “received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil U.S. personnel in theater” during the campaign against Iran.

The lawmakers, led by Sen. Ron Wyden, D-Ore., and Rep. Pat Harrigan, R-N.C., are asking the Pentagon to disable the advertising ID on all Defense Department-issued smartphones and to require service members to disable the same setting on personal devices brought onto military facilities or taken overseas. The signers span both parties and include members of the armed services and intelligence committees. A Defense Department official said the department’s policy prohibits commenting on congressional correspondence.

Senators Name ‘Adversary Exploitation’ for the First Time

The letter frames the threat in unusually blunt terms. “The Department of Defense has not taken basic steps to protect U.S. military personnel from the serious counterintelligence and force protection threat posed by the collection and sale of personal information, including cell phone location data, by data brokers,” the letter states, according to Nextgov. The signatories include members of the Senate and House armed services and intelligence committees. The letter ties the warnings directly to Operation Epic Fury, the U.S. military campaign against Iran.

The lawmakers’ language is the first time Congress has formally cited a commercial data flow as a targeting tool in a named war. “That foreign adversaries are still able to buy location data collected from the phones of U.S. personnel serving in military hotspots is a direct result of DOD leadership’s failure to prioritize this threat and implement common sense cyber defenses recommended by federal cybersecurity experts,” the lawmakers wrote. Both Republican and Democratic signatures are on the document.

The May 28 bipartisan letter to the Pentagon was published with the lawmakers’ press release, signed by all the signatories. The signatories are also asking the Pentagon to drop Google Chrome and other advertising-friendly browsers from government-issued devices.

Government Phones in the Field Still Carry the Tracking ID

In written answers sent to Congress in April 2026, CENTCOM confirmed that the advertising ID on government-issued smartphones is “still not disabled.” The setting is the unique identifier Apple and Android assign each device so advertisers can track users across apps, and the National Security Agency and the Cybersecurity and Infrastructure Security Agency both recommend disabling it. The Pentagon’s answer to lawmakers acknowledged the gap.

CENTCOM also told lawmakers in May 2026 that it had rolled out a new capability to administratively disable location sharing on smartphones used in theater, the first time it has had the ability to do so at the command level. The Defense Information Systems Agency, the Pentagon’s IT arm, is separately testing a way to disable the advertising ID itself on government phones. The combination still leaves a gap, the lawmakers’ letter argues: the ad ID survives on every DOD-issued phone, and personal phones brought onto bases or overseas are not covered by any setting at all. The lawmakers’ letter notes that the technical capability to disable the ID is built into both iOS and Android, and asks the Pentagon to use it on every government-issued phone. Wyden’s office told Air & Space Forces Magazine that the Pentagon had not responded to the letter.

One ‘Allow’ Click Can End at a Foreign Adversary

This isn’t sophisticated. Anyone can buy advertising data from data brokers and search it with artificial intelligence tools to quickly find users that live in military housing near bases they are surveilling.

Clayton Swope, a senior fellow at the Center for Strategic and International Studies, told Air & Space Forces Magazine that the same feeds that target ads to consumers can be sorted to find phones that visit a base by day and return to military housing by night. “Did it hang out on a U.S. military base? Did it go and hang out in military housing from 10 p.m. to 6 a.m.?” Swope said. “And then you could figure out from that pattern of life.”

• 14 members of Congress signed the May 28 letter led by Sen. Wyden and Rep. Harrigan.
• 3,000 data brokers operate globally, with more than 500 registered in California.
• 12 cents per record was enough for Duke researchers to buy names, home addresses, health conditions and financial details on active-duty troops.
• 3.6 billion coordinates tied to 11 million phones in Germany included 12,313 devices passing through 11 U.S. installations.

Retired Air Force Brig. Gen. Gregory Touhill, a former federal chief information security officer who is now at Carnegie Mellon University, estimated the 3,000 data broker figure. “These are trackable,” Touhill said. “I call that your digital exposure.” The risk extends to personal phones, iPads, smart watches, fitness trackers and other wearable devices used by service members and their families.

Swope put the difference in stark terms: “It’s very different than the threat that would come from poor cybersecurity hygiene; it really translates more into the physical realm than when you think of your vulnerability in cyberspace,” he said. “It’s taking advantage of information that is available for purchase legally … to do harm to service members.” Swope called denying the ad-tracking prompt the most “sensible” individual step a service member can take.

Researchers have already shown how thin the broker-side vetting is. In 2023, a team at Duke University working under a grant from the U.S. Military Academy at West Point bought names, home addresses, health conditions and financial details on active-duty troops for as little as 12 cents per record, almost no identity check required. The Duke team also obtained the same kind of data geofenced to Fort Bragg, Quantico and other installations, and one broker offered to skip its identity check if they paid by wire. In 2016, a government technologist briefing senior officers at Fort Bragg, North Carolina, demonstrated that commercial location data could be used to track phones from the JSOC compound and MacDill Air Force Base in Florida through Turkey and into northern Syria, where they clustered at a covert forward operating base. The same dataset was available to any advertiser or foreign intelligence service willing to pay. WIRED reported the decade of warnings, including the 2016 demonstration, in late May 2026.

A Decade of Warnings, Mostly Unanswered

The May 2026 letter is the latest in a sequence of warnings about commercial location data that now stretches back a decade. Most of them were filed, shelved and not acted on.

1. 2016: At Fort Bragg, North Carolina, a government technologist demonstrates that commercial location data can map phones from elite U.S. units into covert forward operating bases in Syria.
2. Late 2017: Strava publishes its Global Heat Map of user activity and inadvertently reveals the locations of U.S. military sites in the Middle East and the jogging routes of personnel.
3. August 2018: The Defense Department issues a directive banning apps and devices that share geolocation data “while in locations designated as operational areas.”
4. 2021: The Defense Intelligence Agency tells Congress it buys commercially purchased phone location data, including on Americans, without a warrant.
5. 2023: Duke University researchers under a West Point grant buy data on active-duty service members for as little as 12 cents a record from brokers that do not vet buyers.
6. May 2025: The Army Cyber Institute at West Point finds that more than a fifth of the most-visited web domains on the Army’s unclassified networks are commercial trackers.
7. May 28, 2026: Wyden, Harrigan and 12 other bipartisan lawmakers send the Pentagon the letter naming “adversary exploitation” in theater.

The 2018 directive applied only to “locations designated as operational areas,” and the Strava and Polar fitness app episodes the year before had already shown that a free app could map a base perimeter and the home address of the service member who used it. The lawmakers’ letter points out that the directive’s operational-area scope did not reach U.S. installations or the daily routines of service members and their families. The Army Cyber Institute’s report, which the lawmakers cite, also recommended restricting Google Chrome on Army workstations, a step the letter now asks the Pentagon to enforce on every government-issued device.

The Army Cyber Institute’s report also found that the fixes required “minimal funding or resources,” a framing the lawmakers’ letter repeats when it asks the Pentagon to act without further delay. WIRED first reported the length of the warning chain. The intervening decade produced at least four more official warnings before the May 2026 letter, none of which produced a default-off policy on government phones. The lack of a default-off posture is what the lawmakers’ letter calls the Pentagon’s “failure to adopt commonsense cyber defenses.”

An investigator with the Irish Council for Civil Liberties stood up a fake analytics firm two years after the Duke study and bought audience lists on Google’s Display & Video 360 that singled out U.S. government employees deemed “decisionmakers” working “specifically in the field of national security.” The same listings targeted people at companies licensed to build missiles, space-launch vehicles and the cryptographic systems that protect classified data. The investigator told WIRED he expected his cover story to be tested: “When I signed up, there was no questions asked whatsoever. I could have been anybody.”

The flow of data runs both ways. The Defense Intelligence Agency disclosed to Congress in 2021 that it buys commercially purchased phone location data, including on Americans, without a warrant. A separate 2024 reporting collaboration found the same feeds included 3.6 billion coordinates tied to roughly 11 million phones in Germany over a two-month span, with 12,313 devices passing through at least 11 U.S. installations. The trackers followed American personnel into Büchel Air Base, where U.S. nuclear weapons are believed to be stored, and into the armored-vehicle course at Grafenwöhr, the same base a pair of alleged saboteurs had been arrested for scouting months earlier. Earlier this month, the Army told soldiers to start using their own personal phones for government work, the same phones that broadcast advertising IDs and feed location to the very brokers at the heart of the threat.

Bentivegna’s Instagram Was Hacked the Same Week the Letter Went Out

The same week the letter landed, Chief Master Sergeant of the Space Force John Bentivegna’s official Instagram account was taken over and used to post pro-Iranian propaganda, including audio of the Vietnam-era “Hanoi Hannah” broadcaster with a caption in Arabic that roughly translates to “This is your fate if you get close to the Middle East.” Hackers posted images of Imam Ali holding the Zulfiqar sword and an edit of Iranian national security official Ali Larijani, who died in an Israeli airstrike in mid-March 2026 during the Iran war. Meta, Instagram’s owner, removed the unauthorized content with assistance from a Space Force spokesperson by 1 a.m. EST on Monday.

A hacker had tricked Meta’s AI support assistant into resetting the account password, according to multiple media reports. Bentivegna did not address the hack on Instagram, but he posted on Facebook at around 8:30 p.m. EST on Sunday that “appropriate teams” were working to regain access. In a statement, he said, “Threats we face online are constantly evolving, and no one is immune, from individuals to large organizations.” Experts told outlets that the incident could have been prevented with multifactor authentication, a one-time code sent by SMS or generated by an app.

The Pentagon’s Fix Is Arriving Slowly and in Pieces

The Defense Department has, on the public record, taken two technical steps in 2026. The first is the May rollout of a CENTCOM capability to administratively disable location sharing on government smartphones in theater. The second is the Defense Information Systems Agency’s ongoing test of a way to disable the advertising ID on DOD-issued devices, a test CENTCOM described in its April 2026 answers to lawmakers.

Neither step covers the advertising ID by default, and neither step covers the personal phones that service members carry onto bases and into theater. The lawmakers’ letter calls that gap the core of the problem.

The lawmakers also want the Pentagon to remove web browsers “designed to facilitate data collection by Google and other advertising companies” from DOD-issued devices and to pre-install browsers that block trackers and enforce the Global Privacy Control, a setting already required by law in 12 states. They want DOD personnel to be enrolled in state data-broker opt-out systems. Reuters first reported the lawmakers’ letter and the CENTCOM responses that preceded it. The two CENTCOM responses are the only public confirmation from the Defense Department that adversaries are buying the data.

What Fourteen Lawmakers Want the Pentagon to Do

The letter lays out a series of specific asks, all aimed at cutting the data supply that adversaries can buy. “Instead, DoD should pre-install on DoD devices and require the use by DoD personnel of privacy-focused web browsers that protect users with anti-tracking cyber defenses, such as ad blocking and the Global Privacy Control,” the letter states, according to the text posted on Wyden’s website. The commonsense safeguards the lawmakers describe overlap with the recommendations the Army Cyber Institute made a year earlier.

• Disable the advertising ID on all DOD-issued smartphones.
• Require service members to disable the ad ID on personal phones brought onto DOD facilities or taken to overseas deployments.
• Remove web browsers “designed to facilitate data collection by Google and other advertising companies” from DOD-issued devices.
• Pre-install and require the use of privacy-focused browsers with ad blocking and Global Privacy Control.
• Enroll service members in state data-broker opt-out systems.

The full text of the letter is available in the full letter to the DOD CIO. Wyden’s office told Air & Space Forces Magazine that the Pentagon had not formally responded to the letter. A Defense Department official said the department’s policy prohibits commenting on congressional correspondence. Swope, the CSIS senior fellow, told Air & Space Forces Magazine that the most “sensible” solution is to disable the ad-targeting feature on government smartphones. Denying the ad-tracking prompt on every app, he said, does not remove all risk but cuts off one channel through which the data flows to brokers.

Frequently Asked Questions

What is an advertising ID on a phone?

Both iOS and Android assign each device a unique advertising identifier that ad networks use to track users across apps and build a profile for personalized ads. The lawmakers’ letter cites the National Security Agency and the Cybersecurity and Infrastructure Security Agency as recommending the toggle be disabled by default on government phones. Apple’s iOS puts the setting under Privacy & Security > Tracking; Android puts it under Privacy > Ads.

How does commercial location data end up in the hands of foreign adversaries?

Apps that ask for location permission can pass that data to advertising networks, which in turn sell bundled feeds to data brokers. Two independent investigations, one by Duke University researchers and one by the Irish Council for Civil Liberties, have each shown that brokers will sell identifiable location bundles for pennies per record with little to no vetting, and that the resulting data can be sorted to flag devices that spend nights on military installations.

Is this threat limited to service members deployed overseas?

No. The same data feeds cover personal phones, fitness trackers, smart watches and tablets. Retired Air Force Brig. Gen. Gregory Touhill called that broader exposure “digital exposure” and said the risk extends to family members whose devices share the same routines as the service member’s.

What is the Pentagon doing about it?

According to the lawmakers’ letter, U.S. Central Command rolled out a capability in May 2026 to administratively disable location sharing on smartphones in theater. The Defense Information Systems Agency is testing a way to turn off the advertising ID itself. Neither step is yet default-on, and the Pentagon has not publicly responded to the May 28 letter. Readers who want to reduce their own exposure can follow the steps in the EFF’s step-by-step guide to disabling ad tracking.