Mobile phones of U.S. soldiers in hot spots easily trackable

Daily News Article   —   Posted on April 29, 2021

(by Byron Tau, The Wall Street Journal) WASHINGTON — In 2016, a U.S. defense contractor named PlanetRisk Inc. was working on a software prototype when its employees discovered they could track U.S. military operations through the data generated by the apps on the mobile phones of American soldiers.

At the time, the company was using location data drawn from apps such as weather, games and dating services to build a surveillance tool that could monitor the travel of refugees from Syria to Europe and the U.S., according to interviews with former employees. The company’s goal was to sell the tool to U.S. counterterrorism and intelligence officials.

But buried in the data [from the apps] was evidence of sensitive U.S. military operations by American special-operations forces in Syria. The company’s analysts could see phones that had come from military facilities in the U.S., traveled through countries like Canada or Turkey and were clustered at the abandoned Lafarge Cement Factory in northern Syria, a staging area at the time for U.S. special-operations and allied forces.

The discovery was an early look at what today has become a significant challenge for the U.S. armed forces: how to protect service members, intelligence officers and security personnel in an age where highly revealing commercial data being generated by mobile phones and other digital services is bought and sold in bulk, and available for purchase by America’s adversaries.

(by Kathryn Tam, WSJ)

The U.S. government has built robust programs to track terrorists and criminals through warrantless access to commercial data. Many vendors now provide global location information from mobile phones to intelligence, military and law-enforcement organizations [and sell the information to others as well?].

But [our enemies have access to the same information, and the military] has struggled to effectively monitor what software service members are installing on devices and whether that software is secure. …

When PlanetRisk traced telephone signals from U.S. bases to the Syrian cement factory in 2016, it hadn’t been disclosed publicly that the factory was being used as a staging area for U.S. and allied forces. Moreover, the company could monitor the movements of American troops even while they were out on patrol—a serious operational security risk that opened units up to being targeted by enemy forces, according to the people familiar with the discovery.

When it saw evidence of U.S. missions in the commercial data, the company raised its concerns with U.S. officials, who were alarmed by the possibilities that others could track American soldiers, according to the people. PlanetRisk was working on a tracking tool with the aim of bringing it to the federal defense and intelligence market. The company, which was beaten to market by other competitors and never finished the work, has since been split up, its pieces sold to other defense contractors. …

[Since then], the U.S. government has created special classes to teach operational security to those in sensitive positions, according to people familiar with the matter. It has banned service members from wearing fitness trackers at sensitive sites; in 2018 these were shown to reveal the internal layout of secret military facilities the world over through the running routes of soldiers.

The Department of Defense “is aware of the risks posed by geolocation tracking capabilities, including via commercial data, and issued policy on the use of geolocation-capable devices and applications in the summer of 2018,” said Pentagon spokeswoman Candice Tresch. …

And at a policy level, the U.S. has taken some steps to limit the risk—cracking down on the popular Chinese-owned app TikTok on the mobile phones of government employees and forcing a Chinese company to divest itself of the popular dating app Grindr in a recognition of the dangers of Chinese-owned companies having dossiers on the U.S. population.

China and other nations “have rightfully deemed data as a strategic national asset that needs to be protected so it can’t be used against their people,” said Mike Yeagley, who was vice president for global defense at PlanetRisk during the project in 2016 and has advised U.S. government agencies on technology and data.

But in the U.S., digital data is treated as a plentiful, commercially valuable commodity. “We’re not going to change the convenience of apps and mobility,” said Mr. Yeagley. “That doesn’t mean that we can’t build our own firewall* to protect ourselves against the malicious adversaries who will take advantage of our liberal democratic attitudes to use against our people.” [*However, will a firewall prevent mobile carriers from selling users’ data?]

China has by and large tackled the challenge by banning the export of any data on its citizens to any other country and sharply limiting how companies are allowed to operate in China, including a recent crackdown on the ownership of internet-enabled Tesla automobiles by officials in sensitive positions.

Location brokers [buyers and sellers of location data] say obtaining Chinese consumer data is nearly impossible. (Note: The Communist government tracks its own citizens – just doesn’t want others to do so.)

Europe has passed a comprehensive privacy law that has limited some ways in which its citizens are monitored through commercial services—limiting the ability of data brokers to collect in Europe. It is also difficult to collect data from European countries subject to the General Data Protection Regulation, the landmark European data-privacy regulation that came into effect in 2018.

The U.S., by contrast, has few data protections built into its domestic laws—and the result has been that adversaries can monitor a huge swath of the U.S. population through the commercial data bought and sold by U.S. companies—a major risk for intelligence officers, law enforcement and military personnel operating in dangerous environments.

Last year, the National Security Agency (NSA) addressed the issue in a public bulletin to all military and intelligence-community personnel, urging service members to disable location tracking and other commercial data collection on their phones.

“Location data can be extremely valuable and must be protected,” the NSA bulletin warned. “It can reveal details about the number of users in a location, user and supply movements, daily routines (user and organizational), and can expose otherwise unknown associations between users and locations.”

The FBI has created a 300-page “Digital Exhaust Opt Out Guide” that teaches agents and other U.S. law-enforcement personnel how to opt out of digital tracking. The guide encourages law-enforcement officials to suppress pictures of their homes in online real-estate listings, remove personal data from social media and online people search websites, use special browser add-ons for extra privacy when browsing the web and limit connections on social-media sites.

Published at wsj.com. Reprinted here for educational purposes only. May not be reproduced on other websites without permission from The Wall Street Journal.



Background

From the WSJ article above:

Privacy advocates across the political spectrum are alarmed at government purchases of such data, whether at home or abroad. Senate Democrat Ron Wyden was joined by Republican Rand Paul last week in introducing “The Fourth Amendment Is Not for Sale Act,” a bill Mr. Wyden’s team drafted to require the U.S. government to obtain a warrant before accessing commercial data on Americans.

The move, which has broad support, would have a ripple effect across digital advertising...—which relies heavily on identifying, tracking and profiling consumers. Nevertheless, Mr. Wyden said he is also working on separate legislation that would restrict the sale of U.S. data, including mobile phone information, to foreign buyers.

“Our country’s intelligence leaders have made it clear that putting Americans’ sensitive information in the hands of unfriendly foreign governments is a major risk to national security,” he said.

and

The Wall Street Journal obtained location data for devices present at the same cement factory from 2017 and 2018 from a commercial data broker and analytics company that wished to remain anonymous. The Journal tracked the movements of people who appeared to be American special operators and other military personnel, just as PlanetRisk had. The U.S.-based company typically works in the commercial market on corporate research but was able to pull historical mobile phone movements inside Syria from its data set and provide it to the Journal.

Devices appeared at U.S. facilities such as Fort Bragg in N.C., Fort Hood in Texas or tiny desert outposts such as the U.S.-run Camp Buehring in Kuwait before later traveling to the Lafarge Cement Factory in northern Syria. They would reappear back in the U.S.—often at private residences—presumably the homes of military personnel.

Such data sets don’t contain the names of individuals. Rather, devices have an alphanumeric identifier designed for advertisers. But a device’s movement through the world can reveal clues about its identity. The Journal is reporting on the movement of phones between known military facilities in a region the U.S. has since departed.