Smartphone location data still poses a real security risk for the military and its personnel

Commercially available data can provide a scary level of information.

Every cell phone perpetually generates a specific record of its owner’s location. It then shares that information with a third party. Taken together, and combined with other data available on commercial markets, cell phone records can be used to find soldiers on deployment, at home, and everywhere they traveled in between. While the extent of cell phone tracking in civilian life is better known, a recent Wall Street Journal story explores just how much information about military movements this commercial data can reveal.

Starting with location data tied to phones at a cement factory in Syria, the Journal “tracked the movements of people who appeared to be American special operators and other military personnel,” eventually finding those same devices at Forts Bragg and Hood within the continental United States. That same data, matched to specific though nameless identifiers, could also be found at a base in Kuwait, as well as private residences in the States. 

The data at the cement factory came from 2017 and 2018, and was found inside existing commercial databases. This is not the first time cell phone data has been used to discern the movements and locations of military forces, though it illustrates the specific dangers of commercial data aggregation. 

Early in 2018, open source analysts, that is, people working with publicly available data, discovered that the location data from popular jogging app Strava revealed details about human behavior on military bases. Perhaps most strikingly, Strava’s jogging data showed that at Incirlik airbase in Turkey, people jogged right around the bunkers storing nuclear weapons. 

This data, though just from one app, hinted at a greater risk. Location data, useful for personal record keeping on a fitness routine, could also be linked to individuals, and could reveal new patterns in aggregate. While the bunkers at Incirlik are known (and visible in both aerial and satellite photography), a group that gained access to Strava’s internal data could identify the specific individuals who ran those jogging routes. That’s a far more actionable slice of information.

Strava ultimately scaled back the data it released in public heat maps, and built in more privacy protections. The cell phone itself collected the information, and the danger from collection persists so long as people bring cell phones with them wherever they go.

In December 2019, as a way to mitigate some of the risks from personal phones, India’s navy banned smartphones and social media from military bases and ships. Outright bans are effective to some degree — they can stop people from actively broadcasting military locations, which is useful when conducting operations. Yet it’s only a partial approach. So long as the phones ping a nearby cell tower before they are shut off, the collected location data exists in company logs, and can be used later to discern where a given person was.

Location data can be extremely valuable and must be protected. It can reveal details about the number of users in a location, user and supply movements, daily routines (user and organizational), and can expose otherwise unknown associations between users and locations.

In August 2020 the NSA, which in 2018 stopped warrantless collection of location data in response to a court order, issued advice and guidelines for how people in the military can limit their data exposure. The practical steps include turning off location services, minimizing permission given to apps, and even leaving phones at a secure location before going into the field on a sensitive mission.

Yet as the reporting by the Journal exposed, the existence of data markets, combined with the passive collection of information from cell phones, is enough to create a discoverable trail, even years later. Unless privacy protections can be baked into data collection from the start, and unless third parties are constrained in how they can resell data, it is likely that phones will continue to reveal the locations of people to anyone who can buy or otherwise obtain that data.

Kelsey D. Atherton

Kelsey D. Atherton is a defense technology journalist based in Albuquerque, New Mexico. His work on drones, lethal AI, and nuclear weapons has appeared in Slate, The New York Times, Foreign Policy, and elsewhere.