For years, the national security community has quietly acknowledged an uncomfortable truth: the same data brokers who help Target sell you diapers can help adversaries track American troops to their bedrooms. This week, the Pentagon confirmed that U.S. service members have been targeted using commercially available location data harvested from advertising networks, and Senator Ron Wyden of Oregon did something unusual—he said the obvious thing out loud, calling the ad industry a "national security threat."

The admission is significant not for what it reveals, but for what it finally acknowledges. The vulnerability has been documented for years. In 2018, fitness app Strava inadvertently exposed the locations of secret military bases through its global heatmap. In 2021, researchers demonstrated they could track individual devices at sensitive facilities using data purchased legally from brokers. The Pentagon has issued guidance, the intelligence community has fretted, and precisely nothing structural has changed.

The architecture of exposure

The problem is elegantly simple. Every smartphone running ad-supported apps broadcasts a unique identifier and precise location data to dozens of intermediaries in milliseconds. This information flows through a sprawling ecosystem of exchanges, brokers, and aggregators—most of whom will sell to anyone with a credit card and a plausible business justification. Foreign intelligence services, or their cutouts, need not hack anything. They simply buy.

The scale is staggering. A single data broker may hold location histories for hundreds of millions of devices, updated in near-real-time. Cross-reference this with other purchased datasets—home addresses, workplace locations, travel patterns—and identifying individual service members becomes trivial. The Pentagon has tried app bans and device restrictions, but the data often leaks through family members' phones, personal devices used off-base, or the ambient collection that occurs whenever someone walks past a beacon.

Why nothing changes

Wyden has been warning about this for years, but his latest statement carries new weight because it names the industry rather than the abstract "data economy." The advertising lobby is formidable, and the surveillance-based business model underpins much of the consumer internet. Meaningful regulation would require either banning the sale of precise location data—which would crater the programmatic advertising market—or creating a government registry of sensitive personnel whose data brokers must scrub, which raises its own problems.

The defense establishment has preferred technological patches: encrypted phones, classified networks, operational security briefings. These help at the margins but do not address the fundamental issue that American law treats location data as a commodity, not a vulnerability. Europe's GDPR has forced some constraints; the U.S. has resisted comparable measures.

Our take

Wyden is right, and his willingness to name the threat matters. The advertising industry's data practices are not merely a privacy nuisance—they are an active intelligence gift to adversaries. The Pentagon can issue all the guidance it wants, but until Congress decides that tracking American soldiers is not an acceptable business model, the vulnerability will persist. The question is whether lawmakers have the appetite to pick a fight with an industry that funds their campaigns and powers the internet they use daily. History suggests they do not, which means the next Strava-style exposure is not a matter of if, but when.