U.S. Defense contractor Planet Risk, Inc. discovered sensitive U.S. mission data buried in app data that is sold to data brokers. The data was pulled from popular apps such as weather, games, dating services, and social media apps that collect a user’s location.
The sensitive data showed U.S. troops traveling to Syria from abroad and gathering at Lafarge cement factory in northern Syria. The contractor was working on a software prototype when its employees came across the sensitive data. Byron Tau of The WSJ writes (abridged):
WASHINGTON—In 2016, a U.S. defense contractor named PlanetRisk Inc. was working on a software prototype when its employees discovered they could track U.S. military operations through the data generated by the apps on the mobile phones of American soldiers.
At the time, the company was using location data drawn from apps such as weather, games and dating services to build a surveillance tool that could monitor the travel of refugees from Syria to Europe and the U.S., according to interviews with former employees. The company’s goal was to sell the tool to U.S. counterterrorism and intelligence officials.
But buried in the data was evidence of sensitive U.S. military operations by American special operations forces in Syria. The company’s analysts could see phones that had come from military facilities in the U.S., traveled through countries like Canada or Turkey and were clustered at the abandoned Lafarge Cement Factory in northern Syria, a staging area at the time for U.S. special-operations and allied forces.
The discovery was an early look at what today has become a significant challenge for the U.S. armed forces: how to protect service members, intelligence officers and security personnel in an age where highly revealing commercial data being generated by mobile phones and other digital services is bought and sold in bulk, and available for purchase by America’s adversaries.