Mobile phones of U.S. soldiers in hot spots easily trackable

(by Byron Tau, The Wall Street Journal) WASHINGTON — In 2016, a U.S. defense contractor named PlanetRisk Inc. was working on a software prototype when its employees discovered they could track U.S. military operations through the data generated by the apps on the mobile phones of American soldiers.

At the time, the company was using location data drawn from apps such as weather, games and dating services to build a surveillance tool that could monitor the travel of refugees from Syria to Europe and the U.S., according to interviews with former employees. The company’s goal was to sell the tool to U.S. counterterrorism and intelligence officials.

But buried in the data [from the apps] was evidence of sensitive U.S. military operations by American special-operations forces in Syria. The company’s analysts could see phones that had come from military facilities in the U.S., traveled through countries like Canada or Turkey and were clustered at the abandoned Lafarge Cement Factory in northern Syria, a staging area at the time for U.S. special-operations and allied forces.

The discovery was an early look at what today has become a significant challenge for the U.S. armed forces: how to protect service members, intelligence officers and security personnel in an age where highly revealing commercial data being generated by mobile phones and other digital services is bought and sold in bulk, and available for purchase by America’s adversaries.

(by Kathryn Tam, WSJ)

The U.S. government has built robust programs to track terrorists and criminals through warrantless access to commercial data. Many vendors now provide global location information from mobile phones to intelligence, military and law-enforcement organizations [and sell the information to others as well?].

But [our enemies have access to the same information, and the military] has struggled to effectively monitor what software service members are installing on devices and whether that software is secure. …..

When PlanetRisk traced telephone signals from U.S. bases to the Syrian cement factory in 2016, it hadn’t been disclosed publicly that the factory was being used as a staging area for U.S. and allied forces. Moreover, the company could monitor the movements of American troops even while they were out on patrol—a serious operational security risk that opened units up to being targeted by enemy forces, according to the people familiar with the discovery.

When it saw evidence of U.S. missions in the commercial data, the company raised its concerns with U.S. officials, who were alarmed by the possibilities that others could track American soldiers, according to the people. PlanetRisk was working on a tracking tool with the aim of bringing it to the federal defense and intelligence market. The company, which was beaten to market by other competitors and never finished the work, has since been split up, its pieces sold to other defense contractors. …..

[Since then], the U.S. government has created special classes to teach operational security to those in sensitive positions, according to people familiar with the matter. It has banned service members from wearing fitness trackers at sensitive sites; in 2018 these were shown to reveal the internal layout of secret military facilities the world over through the running routes of soldiers.

The Department of Defense “is aware of the risks posed by geolocation tracking capabilities, including via commercial data, and issued policy on the use of geolocation-capable devices and applications in the summer of 2018,” said Pentagon spokeswoman Candice Tresch. …

And at a policy level, the U.S. has taken some steps to limit the risk—cracking down on the popular Chinese-owned app TikTok on the mobile phones of government employees and forcing a Chinese company to divest itself of the popular dating app Grindr in a recognition of the dangers of Chinese-owned companies having dossiers on the U.S. population.

China and other nations “have rightfully deemed data as a strategic national asset that needs to be protected so it can’t be used against their people,” said Mike Yeagley, who was vice president for global defense at PlanetRisk during the project in 2016 and has advised U.S. government agencies on technology and data.

But in the U.S., digital data is treated as a plentiful, commercially valuable commodity. “We’re not going to change the convenience of apps and mobility,” said Mr. Yeagley. “That doesn’t mean that we can’t build our own firewall* to protect ourselves against the malicious adversaries who will take advantage of our liberal democratic attitudes to use against our people.” [*However, will a firewall prevent mobile carriers from selling users’ data?]

China has by and large tackled the challenge by banning the export of any data on its citizens to any other country and sharply limiting how companies are allowed to operate in China, including a recent crackdown on the ownership of internet-enabled Tesla automobiles by officials in sensitive positions.
Location brokers [buyers and sellers of location data] say obtaining Chinese consumer data is nearly impossible. (Note: The Communist government tracks its own citizens – just doesn’t want others to do so.)

Europe has passed a comprehensive privacy law that has limited some ways in which its citizens are monitored through commercial services—limiting the ability of data brokers to collect in Europe. It is also difficult to collect data from European countries subject to the General Data Protection Regulation, the landmark European data-privacy regulation that came into effect in 2018.

The U.S., by contrast, has few data protections built into its domestic laws—and the result has been that adversaries can monitor a huge swath of the U.S. population through the commercial data bought and sold by U.S. companies—a major risk for intelligence officers, law enforcement and military personnel operating in dangerous environments.

Last year, the National Security Agency (NSA) addressed the issue in a public bulletin to all military and intelligence-community personnel, urging service members to disable location tracking and other commercial data collection on their phones.

“Location data can be extremely valuable and must be protected,” the NSA bulletin warned. “It can reveal details about the number of users in a location, user and supply movements, daily routines (user and organizational), and can expose otherwise unknown associations between users and locations.”

The FBI has created a 300-page “Digital Exhaust Opt Out Guide” that teaches agents and other U.S. law-enforcement personnel how to opt out of digital tracking. The guide encourages law-enforcement officials to suppress pictures of their homes in online real-estate listings, remove personal data from social media and online people search websites, use special browser add-ons for extra privacy when browsing the web and limit connections on social-media sites.

Published at wsj .com. Reprinted here for educational purposes only. May not be reproduced on other websites without permission from The Wall Street Journal.

Questions

1. Describe the project U.S. defense contractor PlanetRisk was working on in 2016.

2. What was the goal of the project?

3. What discovery did PlanetRisk employees make? Be specific.

4. What has the U.S. military and government done since then in response to the discovery? (List at least 3.)

5. Re-read paragraphs 12-15.
a) What steps has the European Union taken to protect citizens’ cell phone data?
b) There is no detailed information in the article on China’s communist government’s policy on military use of smart phones, apps, etc.. But what has the Chinese government done to block marketing/data companies from obtaining consumer data?

6. Last year, the National Security Agency (NSA) issued a public bulletin to all military and intelligence-community personnel, urging service members to disable location tracking and other commercial data collection on their phones.
a) What do you think? Should this be a request or an order? Should special ops on a mission have non-military related apps on their phones?
b) What steps do you think individual military personnel could take to prevent enemies from obtaining any info from their phones?
c) Ask a family member / friend in the military his/her opinion.

Background

From the WSJ article above:

Privacy advocates across the political spectrum are alarmed at government purchases of such data, whether at home or abroad. Senate Democrat Ron Wyden was joined by Republican Rand Paul last week in introducing “The Fourth Amendment Is Not for Sale Act,” a bill Mr. Wyden’s team drafted to require the U.S. government to obtain a warrant before accessing commercial data on Americans.

The move, which has broad support, would have a ripple effect across digital advertising…—which relies heavily on identifying, tracking and profiling consumers. Nevertheless, Mr. Wyden said he is also working on separate legislation that would restrict the sale of U.S. data, including mobile phone information, to foreign buyers.

“Our country’s intelligence leaders have made it clear that putting Americans’ sensitive information in the hands of unfriendly foreign governments is a major risk to national security,” he said.

and

The Wall Street Journal obtained location data for devices present at the same cement factory from 2017 and 2018 from a commercial data broker and analytics company that wished to remain anonymous. The Journal tracked the movements of people who appeared to be American special operators and other military personnel, just as PlanetRisk had. The U.S.-based company typically works in the commercial market on corporate research but was able to pull historical mobile phone movements inside Syria from its data set and provide it to the Journal.

Devices appeared at U.S. facilities such as Fort Bragg in N.C., Fort Hood in Texas or tiny desert outposts such as the U.S.-run Camp Buehring in Kuwait before later traveling to the Lafarge Cement Factory in northern Syria. They would reappear back in the U.S.—often at private residences—presumably the homes of military personnel.

Such data sets don’t contain the names of individuals. Rather, devices have an alphanumeric identifier designed for advertisers. But a device’s movement through the world can reveal clues about its identity. The Journal is reporting on the movement of phones between known military facilities in a region the U.S. has since departed.

Resources

Did you know?  Fitness app exposed location of military bases (Jan. 2018)

Get Free Answers

Daily “Answers” emails are provided for Daily News Articles, Tuesday’s World Events and Friday’s News Quiz.