WASHINGTON—In 2016, a U.S. defense contractor named PlanetRisk Inc. was working on a software prototype when its employees discovered they could track U.S. military operations through the data generated by the apps on the mobile phones of American soldiers.
At the time, the company was using location data drawn from apps such as weather, games and dating services to build a surveillance tool that could monitor the travel of refugees from Syria to Europe and the U.S., according to interviews with former employees. The company’s goal was to sell the tool to U.S. counterterrorism and intelligence officials.
But buried in the data was evidence of sensitive U.S. military operations by American special-operations forces in Syria. The company’s analysts could see phones that had come from military facilities in the U.S., traveled through countries like Canada or Turkey and were clustered at the abandoned Lafarge Cement Factory in northern Syria, a staging area at the time for U.S. special-operations and allied forces.
The discovery was an early look at what today has become a significant challenge for the U.S. armed forces: how to protect service members, intelligence officers and security personnel in an age where highly revealing commercial data being generated by mobile phones and other digital services is bought and sold in bulk, and available for purchase by America’s adversaries.
Sen. Ron Wyden (D., Ore.) is among those seeking to require the U.S. government to get a warrant before accessing commercial data on Americans.
Photo: Caroline Brehman/Congressional Quarterly/Zuma Press
The U.S. government has built robust programs to track terrorists and criminals through warrantless access to commercial data. Many vendors now provide global location information from mobile phones to intelligence, military and law-enforcement organizations.
But those same capabilities are available to U.S. adversaries, and the U.S.—having prioritized a free and open internet paid for largely through digital advertising with minimal regulation of privacy—has struggled to effectively monitor what software service members are installing on devices and whether that software is secure.
Privacy advocates across the political spectrum are alarmed at government purchases of such data, whether at home or abroad. Senate Democrat Ron Wyden was joined by Republican Rand Paul last week in introducing “The Fourth Amendment Is Not for Sale Act,” a bill Mr. Wyden’s team drafted to require the U.S. government to obtain a warrant before accessing commercial data on Americans.
The move, which has broad support, would have a ripple effect across the digital advertising ecosystem—which relies heavily on identifying, tracking and profiling consumers. Nevertheless, Mr. Wyden said he is also working on separate legislation that would restrict the sale of U.S. data, including mobile phone information, to foreign buyers.
“Our country’s intelligence leaders have made it clear that putting Americans’ sensitive information in the hands of unfriendly foreign governments is a major risk to national security,” he said.
When PlanetRisk traced telephone signals from U.S. bases to the Syrian cement factory in 2016, it hadn’t been disclosed publicly that the factory was being used as a staging area for U.S. and allied forces. Moreover, the company could monitor the movements of American troops even while they were out on patrol—a serious operational security risk that opened units up to being targeted by enemy forces, according to the people familiar with the discovery.
When it saw evidence of U.S. missions in the commercial data, the company raised its concerns with U.S. officials, who were alarmed by the possibilities that others could track American soldiers, according to the people. PlanetRisk was working on a tracking tool with the aim of bringing it to the federal defense and intelligence market. The company, which was beaten to market by other competitors and never finished the work, has since been split up, its pieces sold to other defense contractors.
The Journal obtained location data for devices that appeared at U.S. facilities including Fort Hood in Texas.
Photo: Bronte Wittpenn/Austin American-Statesman/Reuters
The Wall Street Journal obtained location data for devices present at the same cement factory in 2017 and 2018 from a commercial data broker and analytics company that wished to remain anonymous. The Journal tracked the movements of people who appeared to be American special operators and other military personnel, just as PlanetRisk had. The U.S.-based company typically works in the commercial market on corporate research but was able to pull historical mobile phone movements inside Syria from its data set and provide it to the Journal.
Devices appeared at U.S. facilities such as Fort Bragg in N.C., Fort Hood in Texas or tiny desert outposts such as the U.S.-run Camp Buehring in Kuwait before later traveling to the Lafarge Cement Factory in northern Syria. They would reappear back in the U.S.—often at private residences—presumably the homes of military personnel.
Mobile Phones Signal U.S. Troop Movements
A data broker, at The Wall Street Journal’s request, searched its database of phone signals at U.S. military installations in Syria and the Middle East, some originating at bases in the states. U.S. forces have since withdrawn from Syria.
Tracking phone apps
Different phones
Lafarge Cement
Factory, Syria
Fort Campbell, Ky., U.S.
July 2017–Aug ’17
Sept. 2017
Turkmenistan
Harir Airport
Sept. 2017
Erbil International Airport Oct. 2017
Rukban Refugee Camp
Aug. 2017
Camp Buehring, Kuwait
Nov. 2017–Jan. ’18;
March 2018-May ’18
Ali Al Salem Air Base, Kuwait
Jan. 2018
Training Camp Al Hamra
Sept. 2017
Saudi
Arabia
Tracking phone apps
Different phones
Lafarge Cement
Factory, Syria
Fort Campbell, Ky., U.S.
July 2017–Aug ’17
Sept. 2017
Turkmenistan
Harir Airport
Sept. 2017
Erbil International Airport Oct. 2017
Rukban Refugee Camp
Aug. 2017
Camp Buehring, Kuwait
Nov. 2017–Jan. ’18;
March 2018-May ’18
Ali Al Salem Air Base, Kuwait
Jan. 2018
Training Camp Al Hamra
Sept. 2017
Saudi
Arabia
Tracking phone apps
Different phones
Lafarge Cement
Factory, Syria
Fort Campbell, Ky., U.S.
July 2017–Aug ’17
Sept. 2017
Turkmenistan
Harir Airport
Sept. 2017
Erbil International Airport Oct. 2017
Rukban Refugee Camp
Aug. 2017
Camp Buehring, Kuwait
Nov. 2017–Jan. ’18; March 2018-May ’18
Ali Al Salem Air Base, Kuwait
Jan. 2018
Training Camp Al Hamra
Sept. 2017
Saudi
Arabia
Tracking phone apps
Different phones
Lafarge Cement
Factory, Syria
Saudi
Arabia
Fort Campbell,
Ky., U.S.
July 2017–Aug. ’17
Harir Airport
Sept. 2017
Lafarge Cement
Factory, Syria
Rukban Refugee Camp
Lafarge Cement
Factory, Syria
Sept. 2017
Erbil International Airport, Iraq
Camp Buehring, Kuwait
Nov. 2017-Jan. ’18
Lafarge Cement Factory, Syria
Camp Buehring, Kuwait
March 2018-
May ’18
Lafarge Cement Factory, Syria
Ali Al Salem Air Base, Kuwait
Training Camp Al Hamra, U.A.E.
Sept. 2017
Lafarge Cement Factory, Syria
Such data sets don’t contain the names of individuals. Rather, devices have an alphanumeric identifier designed for advertisers. But a device’s movement through the world can reveal clues about its identity. The Journal is reporting on the movement of phones between known military facilities in a region the U.S. has since departed.
The U.S. government has created special classes to teach operational security to those in sensitive positions, according to people familiar with the matter. It has banned service members from wearing fitness trackers at sensitive sites; in 2018 these were shown to reveal the internal layout of secret military facilities the world over through the running routes of soldiers.
The Department of Defense “is aware of the risks posed by geolocation tracking capabilities, including via commercial data, and issued policy on the use of geolocation-capable devices and applications in the summer of 2018,” said Pentagon spokeswoman Candice Tresch.
“This policy, and its implementing risk guidance, protects DoD personnel and operations while still allowing flexibility to benefit from geolocation capabilities in certain low-risk situations,” the spokeswoman said.
And at a policy level, the U.S. has taken some steps to limit the risk—cracking down on the popular Chinese-owned app TikTok on the mobile phones of government employees and forcing a Chinese company to divest itself of the popular dating app Grindr in a recognition of the dangers of Chinese-owned companies having dossiers on the U.S. population.
China and other nations “have rightfully deemed data as a strategic national asset that needs to be protected so it can’t be used against their people,” said Mike Yeagley, who was vice president for global defense at PlanetRisk during the project in 2016 and has advised U.S. government agencies on technology and data.
But in the U.S., digital data is treated as a plentiful, commercially valuable commodity. “We’re not going to change the convenience of apps and mobility,” said Mr. Yeagley. “That doesn’t mean that we can’t build our own firewall to protect ourselves against the malicious adversaries who will take advantage of our liberal democratic attitudes to use against our people.”
China has by and large tackled the challenge by banning the export of any data on its citizens to any other country and sharply limiting how companies are allowed to operate in China, including a recent crackdown on the ownership of internet-enabled Tesla automobiles by officials in sensitive positions. Location brokers say obtaining Chinese consumer data is nearly impossible.
Europe has passed a comprehensive privacy law that has limited some ways in which its citizens are monitored through commercial services—limiting the ability of data brokers to collect in Europe. It is also difficult to collect data from European countries subject to the General Data Protection Regulation, the landmark European data-privacy regulation that came into effect in 2018.
The U.S. has taken some steps to limit risk by cracking down on the Chinese-owned app TikTok on mobile phones of government employees.
Photo: tingshu wang/Reuters
The U.S., by contrast, has few data protections built into its domestic laws—and the result has been that adversaries can monitor a huge swath of the U.S. population through the commercial data bought and sold by U.S. companies—a major risk for intelligence officers, law enforcement and military personnel operating in dangerous environments.
Last year, the National Security Agency addressed the issue in a public bulletin to all military and intelligence-community personnel, urging service members to disable location tracking and other commercial data collection on their phones.
“Location data can be extremely valuable and must be protected,” the NSA bulletin warned. “It can reveal details about the number of users in a location, user and supply movements, daily routines (user and organizational), and can expose otherwise unknown associations between users and locations.”
The Federal Bureau of Investigation has created a 300-page “Digital Exhaust Opt Out Guide” that teaches agents and other U.S. law-enforcement personnel how to opt out of digital tracking. The guide encourages law-enforcement officials to suppress pictures of their homes in online real-estate listings, remove personal data from social media and online people search websites, use special browser add-ons for extra privacy when browsing the web and limit connections on social-media sites.
Write to Byron Tau at [email protected]
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8
