Selling Them The Rope with Which They Will Hang Us
The apocryphal quotation has proven correct.
Reuters (“Exclusive: Pentagon says US military personnel are reportedly being targeted using location data“):
U.S. forces deployed to war zones have been targeted using commercially available location data, according to reports fielded by military officials, an illustration of how the global surveillance economy is shaping the battlefield.
In a letter shared with Reuters by U.S. Senator Ron Wyden, an Oregon Democrat, U.S. Central Command said it had “received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil U.S. personnel in theater.” The message, sent on April 14, offered no further specifics, but Centcom’s area of responsibility includes the Gulf, where U.S. forces are facing off against the Iranian military over the Strait of Hormuz.
The disclosure was the first official confirmation that U.S. forces had been targeted in an active war zone, Wyden and a bipartisan group of legislators said in a letter sent on Thursday to the Pentagon.
“Commercial location data can be used to identify where U.S. troops congregate and their pattern of life, which can be exploited by adversaries to target attacks such as missiles, drones, and roadside bombs, as well as for counterintelligence purposes,” the letter warned. Wyden said in a statement that it was time to “start treating the adtech industry as a national security threat.”
While Wyden is certainly correct, this is not by any means a new issue. We knew that operational security was compromised by fitness trackers more than a decade ago.
Of course, the fact we’ve allowed widespread harvesting of our geolocation, browsing history, email conversations, and the like as a business model is insane well beyond the ability to track the movement of our military forces.
Location data is widely used in digital advertising, which is a key source of revenue for many tech companies. Such data is typically collected from smartphones or other devices by apps or service providers before being sold to data brokers who collate and resell the data, sometimes via complex networks of intermediaries.
Although the threat to privacy inherent in selling the details of people’s day-to-day movements on the open market has long been a matter of public discussion, its potential as a national security risk has recently drawn concern as well.
As far back as 2016, one U.S. defense contractor was able to leverage commercially available location data to track special operations forces from their bases in the United States to a sensitive staging post in Syria, according to an account first disclosed by the Wall Street Journal.
More recently, journalists at Wired and two German news outlets drew on billions of coordinates collected by a data broker to expose the granular comings and goings of people stationed at or around 11 U.S. military and intelligence sites in Germany.
Two groups that represent digital advertisers, the Interactive Advertising Bureau and the Association of National Advertisers, did not return emails seeking comment.
But, again, this is a well-known issue. Rather obviously, it’s on military leadership to address the well-known operational security issues.
The letter from U.S. lawmakers to the Pentagon said that, given what military officials know about the trade in location data, they should have acted faster to protect their personnel, for example by disabling the unique advertising ID attached to military-issued devices, automatically turning off location sharing on smartphones in the field, and steering staff away from Google’s Chrome web browser toward more privacy-focused alternatives.
For that matter, it wasn’t all that long ago that forces deployed to combat zones simply expected that they would not be in regular contact with the outside world for the duration. But, yes, taking basic security measures seems rather obvious.
One of the letter’s cosigners was U.S. Representative Pat Harrigan, a North Carolina Republican who was formerly a U.S. Army Special Forces officer. Harrigan said that browsers like Chrome “are built from the ground up to collect and share user data” and that every day they remain on government-issued devices “is another day we are handing our adversaries a weapon against our own troops.”
In a statement, Alphabet’s Google said that Chrome had “industry leading security.” The company added that it had “long advocated for stronger rules and safeguards against data brokers.”
Maybe the national security implications will prompt action to protect Americans’ privacy. But I doubt it.
