The Pentagon Knew Enemies Could Track Troops’ Phones for Years. Now They Are


For nearly a decade, the Pentagon was warned—by its own contractors, analysts, and intelligence agencies—that anyone with a credit card could buy a map of where American troops sleep, work, and store nuclear weapons. Now the bill has come due in a war zone.

A newly disclosed letter shows the warnings went unheeded: US Central Command now confirms it has received “multiple threat reports concerning adversary exploitation of commercial location data to target or surveil US personnel in theater”—the first official acknowledgment that the data-broker economy is being used to hunt American forces in the Middle East.

The targeting was first reported by Reuters, which obtained the Centcom letter. But the confirmation lands atop a record that is longer and more damning than the single document suggests.

For the better part of a decade, US lawmakers have heard the same alarms about the dangers of commercially available location data that the Pentagon did—from the same intelligence assessments, from witnesses, from their own colleagues. Yet comprehensive privacy legislation has repeatedly stalled in Washington, and the one narrow fix that did pass—a requirement that data shared with military contractors not be resold—left the broader industry untouched.

One of the earliest warnings came in 2016. At the Joint Special Operations Command compound at Fort Bragg, California, a government technologist briefing senior officers demonstrated how commercial location data—bought, not hacked—could track phones from Fort Bragg and MacDill Air Force Base in Florida, the home stations of America’s most elite units, through Turkey and into northern Syria, where they clustered at a covert forward operating base. The same data was available to any advertiser or foreign intelligence service.

Even as the Pentagon was warned that the location-data marketplace was placing its own people in danger, parts of the department were eager to become its customers. The Defense Intelligence Agency disclosed to Congress in 2021 that it uses commercially purchased phone location data—including on Americans—without a warrant, taking the position that none is required. Months earlier, Motherboard reported that the US military was buying location data harvested from popular consumer apps.

In 2023, the Army paid to have the threat spelled out. Researchers at Duke University—working under a grant from the US Military Academy at West Point—set out to buy data on American service members the way a foreign adversary might. They scraped hundreds of data broker websites and found thousands of listings advertising data on military personnel, including datasets titled “Military Families Mailing List” and “Hard Core Military Families.”

The researchers started buying. For as little as 12 cents a record, with almost no vetting, they purchased names, home addresses, health conditions, and financial details on active-duty troops. Posing as a buyer operating through a Singapore-based domain, they also obtained the same kind of data geofenced to Fort Bragg, Quantico, and other installations. One broker offered to skip its identity check if they paid by wire.

A year later, WIRED found the same kind of data flowing through Google’s own advertising platform. Working with data obtained by the Irish Council for Civil Liberties—whose investigator had gained access to a US broker’s audience lists by standing up a fake analytics firm—WIRED identified marketing “segments” on Google’s Display & Video 360 that singled out US government employees deemed “decisionmakers” working “specifically in the field of national security,” alongside lists targeting people who work for companies licensed to build missiles, space-launch vehicles, and the cryptographic systems that protect classified data.

The Irish Council for Civil Liberties investigator said he expected to have his cover story tested. “When I signed up, there was no questions asked whatsoever,” he told WIRED at the time. “I could have been anybody.”

A previous investigation by WIRED had already shown what that exposure looked like in practice: In late 2024, working with the German outlets Bayerischer Rundfunk and Netzpolitik.org, reporters obtained a “free sample” of location data from a Florida broker—3.6 billion coordinates tied to roughly 11 million phones in Germany over a two-month span.

Inside it were the daily movements of American military and intelligence personnel stationed in the country: 12,313 devices that passed through at least 11 US installations, from the Army’s European headquarters at Wiesbaden to the schools where service members’ children are taught. Reporters traced devices inside Büchel Air Base, where US nuclear weapons are believed to be stored in hardened bunkers, and watched others zigzag through an armored-vehicle course at Grafenwöhr—one of the bases that a pair of alleged saboteurs had been arrested for scouting months prior.

Asked about the tracking, a Pentagon spokesperson told WIRED at the time that the department was aware that geolocation services could put personnel at risk and urged service members to remember their training and follow operational security protocols—the same individual-responsibility framing that the Army’s own commissioned research had already shown was insufficient.

The warnings also came from inside the Army’s own research arm. In a May 2025 technical report, the Army Cyber Institute at West Point found that more than a fifth of the most-visited web domains on the service’s stateside unclassified networks were commercial trackers—and that the fixes required “minimal funding or resources.” Among its recommendations: Restrict the installation of Google’s Chrome browser on Army workstations, noting it was the only major browser that had declined to block the third-party cookies used to follow users across the web. A year later, a bipartisan group of lawmakers writing to the Pentagon are now asking for the same thing.