Location information available for purchase from smartphone apps revealed US military movements in Syria. The information was enough to identify the location of an undeclared US military base in the country.
The important information was harvested from various apps that were installed on the phones of US soldiers, including weather, gaming, and dating apps. The data harvesting also included the devices of special ops personnel.
The Wall Street Journal reports that the security breach was discovered when a US contractor was working on software designed to allow the US to track movements of Syrian refugees.
In 2016, a U.S. defense contractor named PlanetRisk Inc. was working on a software prototype when its employees discovered they could track U.S. military operations through the data generated by the apps on the mobile phones of American soldiers.
At the time, the company was using location data drawn from apps such as weather, games and dating services to build a surveillance tool that could monitor the travel of refugees from Syria to Europe and the U.S., according to interviews with former employees. The company’s goal was to sell the tool to U.S. counterterrorism and intelligence officials.
But buried in the data was evidence of sensitive U.S. military operations by American special-operations forces in Syria. The company’s analysts could see phones that had come from military facilities in the U.S., traveled through countries like Canada or Turkey and were clustered at the abandoned Lafarge Cement Factory in northern Syria, a staging area at the time for U.S. special-operations and allied forces
When PlanetRisk traced telephone signals from U.S. bases to the Syrian cement factory in 2016, it hadn’t been disclosed publicly that the factory was being used as a staging area for U.S. and allied forces. Moreover, the company could monitor the movements of American troops even while they were out on patrol—a serious operational security risk that opened units up to being targeted by enemy forces, according to the people familiar with the discovery.
The WSJ confirmed the claims when it was granted access to historical data for areas where the US military is no longer operating. The publication tracked the movements of people who appeared to be American special operators and other military personnel, just as PlanetRisk had.
Although the issue has been reported to US officials, other companies also collect the same information, including data brokers who sell the data to anyone that can pay for it.
While the US has taken preventative measures, such as banning TikTok from the devices used by personnel in sensitive locations. However, there are so many apps that collect location data makes it next to impossible to block the apps, short of prohibiting US overseas forces from using smartphones at all.
Although Democrat Ron Wyden is working on legislation that would restrict the sale of US data to foreign countries, the easy availability of such data would make it difficult to trace the data to its end buyer.