NDAA Proposal Targets Troop Mobile Data Risk After CENTCOM Warning

A proposed provision for the FY2027 National Defense Authorization Act (NDAA) would require the Pentagon to test technologies aimed at reducing U.S. troops’ exposure to commercial mobile surveillance, after U.S. Central Command (CENTCOM) told Congress that adversaries had exploited commercial location data to target or surveil U.S. personnel during Operation Epic Fury.

The proposal, prepared for congressional distribution by Joe Weil and Mike Yeagley of Unplugged and obtained by The Epoch Times, would direct the defense secretary to establish a pilot program for “mobile device force protection technologies” intended to reduce operational exposure from application-generated signals.

The draft proposal says a servicemember’s phone can become a “targeting feed for adversaries” because data collected by applications can pass through third-party networks and be reassembled into a trackable identity.

CENTCOM told Congress on April 14 that it had received “multiple threat reports” concerning adversary exploitation of commercial location data to target or surveil U.S. personnel in theater during Operation Epic Fury, according to a May 28 letter led by Sen. Ron Wyden (D-Ore.) and Rep. Pat Harrigan (R-N.C.).

The draft text would require tested technologies to identify applications generating force-protection-relevant signals, determine where those signals are sent, characterize the categories of information transmitted, distinguish legitimate app functions from analytics, diagnostics, advertising, profiling, and related exploitation activity, and generate commander-level reporting.

Related Stories

US Embassy in China Warns US Government-Affiliated Chinese Americans Traveling to China of Being Targeted by the CCP

OpenAI Exposes China-Linked Campaigns Targeting US Data Centers

The technologies would also have to actively control application-generated transmissions, including by blocking or throttling signals leaving a device, according to the proposal.

“DoD has now confirmed to Congress that foreign adversaries are exploiting commercially available location data to target U.S. military personnel in war zones,” the lawmakers wrote.

CENTCOM’s written response, attached to the letter, said personnel were not prohibited from possessing or using personal smartphones in the CENTCOM area of responsibility. It said the command maintained restrictions on geolocation features through Command Policy Letter No. 25-10, dated Dec. 4, 2025.

The response said CENTCOM guidance directs personnel to disable geolocation functionality when not needed, review device and application privacy settings, and limit public sharing of information. It also said disabling geolocation capabilities does not always fully disable them on commercial products.

CENTCOM told Congress that the command’s Threat Fusion Cell identified, tracked, and disseminated the threats through a threat working group and to component force-protection personnel.

His office said Harrigan supports FY2027 NDAA language addressing the issue.

When asked what immediate steps the DoW should take, Harrigan’s office said troops in deployed high-threat environments should stop using vulnerable apps and software and move to encrypted devices, apps, servers, and browsers that do not sell or disclose troop data.

The May 28 letter was signed by a bipartisan group of lawmakers, including Wyden, Harrigan, Sen. Martin Heinrich (D-N.M.), Sen. Elizabeth Warren (D-Mass.), Sen. Edward Markey (D-Mass.), Sen. Alex Padilla (D-Calif.), Rep. Elijah Crane (R-Ariz.), Rep. Robert Garcia (D-Calif.), and others.

The DOJ said in 2025 that its Data Security Program is intended to prevent China, Russia, Iran, and other foreign adversaries from using commercial activities to access and exploit U.S. government-related data and Americans’ sensitive personal data for espionage, surveillance, counterintelligence, artificial-intelligence development, military capabilities, and other national-security harms.

In its final rule implementing Executive Order 14117, the department said countries of concern can use access to U.S. government-related data or Americans’ bulk sensitive personal data to track and build profiles on U.S. individuals, including military members, federal employees, and contractors, for blackmail, espionage, and other illicit purposes.

The rule said China “aggressively obtains and exploits data on U.S. persons through both commercial means and theft” and has growing artificial-intelligence capabilities, creating what the DOJ described as a significant risk that Beijing could exploit government-related data or Americans’ bulk sensitive personal data to harm U.S. national security.

U.S. prosecutors have also alleged Chinese military involvement in major data thefts. In 2020, the DOJ charged four members of China’s People’s Liberation Army with hacking Equifax and stealing sensitive personally identifiable information of about 145 million Americans. The FBI described the breach as the largest known theft of personally identifiable information carried out by state-sponsored actors.

The proposed NDAA provision focuses on a narrower operational problem: whether the Pentagon can measure and reduce signals generated by mobile applications before those signals become commercially available or are combined with other data sources.

A defense official responding for CENTCOM on background declined to discuss force-protection measures for operational security reasons.

“Generally speaking, we continue to take all appropriate measures to ensure the safety and well-being of our forces,” the official said.

The Epoch Times also sought comment from the Pentagon and the Army Reserve, neither of which responded by press time.

CENTCOM’s April 14 written response to Congress said the command’s threat assessments inform force-protection measures across the area of responsibility.