DOD service members, others face security risks from publicly accessible digital data

A new Government Accountability Office (GAO) audit report warns that the Department of Defense (DOD) is unprepared for the growing national security risks created by the enormous amount of personal digital information that is generated by service members, defense platforms, and official communications.

The audit found that publicly accessible data – from social media posts to commercial geolocation records – can be aggregated into detailed “digital profiles” that expose U.S. personnel, military operations, and senior leaders to targeting, coercion, and disruption.

“Today’s digital communication has transformed the once popular military slogan ‘loose lips sink ships’ into ‘loose tweets sink fleets,’” GAO said. “The message that careless speech can undermine national security remains especially applicable in the age when we are compelled to have a digital identity.”

Congress’ investigative arm said “massive amounts of traceable data about military personnel and operations now exist due to the digital revolution. Public accessibility of this data enables malicious actors to exploit critical information and jeopardize DOD’s mission and the safety of its personnel.”

This data can be correlated with commercially available information (CAI) sold by data brokers that has been de-anonymized – stripped of direct identifiers such as names or email addresses – and combined with other datasets to re-identify individuals.

This process relies on quasi-identifiers like location, gender, birth date, or device IDs, which, when cross-referenced with other information, can uniquely identify people. For example, a combination of birth date, gender, and ZIP code can be enough to pinpoint an individual, even in anonymized datasets.

In January, Gravy Analytics, a prominent location data broker, disclosed that a significant data breach potentially exposed through de-anonymization the precise location information of millions of individuals.

In September, the House passed its version of the Fiscal Year 2026 Intelligence Authorization Act which contains a provision that would require the Director of National Intelligence to designate an official to oversee acquisitions of  CAI.

House Permanent Select Committee on Intelligence Chairman Rick Crawford said the House bill would “ensure IC entities responsibly purge commercially available information and publicly available information pertaining to U.S. persons’ information incidentally gathered.”

“Advances in technology have made the accessibility to this information easier and more efficient,” GAO warned. “Specifically, data generated by personnel and defense platforms – also known as digital footprints – can be gained through public websites, stolen and posted on the dark web, or acquired and sold by data brokers from anywhere in the world.”

“These digital footprints, when aggregated into a digital profile, can threaten military operations; the privacy and personal safety of service members, civilian employees, contractors, and family members; and ultimately our national security,” the government watchdog said.

GAO found that the Pentagon lacks coherent, department-wide policies for mitigating these threats and has not fully coordinated among key security offices responsible for counterintelligence, force protection, insider threat prevention, mission assurance, and critical program protection.

While some offices have issued guidance addressing elements of the problem, the report says these efforts are “narrowly focused,” siloed, and insufficient to match the scale of the risk.

The watchdog describes a digital environment in which everyday activity – web browsing, location-sharing apps, personal devices, online purchases, fitness trackers, public affairs releases, and even ship and aircraft telemetry – creates traceable data points.

When combined, those data points can reveal operational patterns, identify sensitive units, expose family members, reveal classified capabilities, or enable foreign intelligence services to monitor and manipulate military personnel.

The report includes several notional threat scenarios illustrating how aggregated open source information could be weaponized.

In one scenario, press releases, family member social media posts, and commercial ship tracking sites combine to reveal the movements and internal structure of a deployed aircraft carrier, giving an adversary enough insight to attempt sabotage or target the vessel with uncrewed systems.

In another, manuals, training photos, and leaked materials found on the surface web and dark web could allow an adversary to reverse engineer military equipment or exploit technical vulnerabilities.

A third scenario shows how data broker records, public affairs photos, and social media accounts could be used to identify a service member’s family and potentially coerce the service member through threats or harassment.

GAO also highlighted risks to senior military officials. A hypothetical case involving a keynote speaker at a defense conference shows how press releases, QR code scams, hotel check-ins posted on social media, and permissions granted to a child’s mobile app could create a precise, real-time profile of a leader’s travel, habits, contacts, and vulnerabilities that provide a sophisticated adversary an opportunity for surveillance or attack.

Despite the scope of the threat, GAO found that the Office of the Secretary of Defense (OSD) has not carried out a full assessment of existing policies across the security enterprise.

Three OSD offices – the Under Secretary of Defense for Intelligence and Security, the Chief Information Officer, and the Assistant to the Secretary of Defense for Public Affairs – have published guidance touching on digital ecosystem risks or social media use.

But GAO found that these documents do not meaningfully address the range of dangers posed by commercial data collection, personal device use, digital tracking technologies, or the aggregation of data into comprehensive profiles.

Two other OSD offices responsible for force protection, mission assurance, and program protection had issued no guidance at all.

GAO says coordination among these offices is limited. Officials often “deferred responsibility” to other components, arguing that digital profile risks fell outside their respective mandates.

The report notes that the Pentagon’s top level Defense Security Enterprise Executive Committee – which is designed to coordinate cross-cutting security issues – has never reviewed the digital profile threat, focusing instead on personnel vetting reforms.

Defense components have taken uneven steps to educate service members and to reduce risk. GAO found that most of the ten components reviewed, including the armed services, U.S. Cyber Command, U.S. Special Operations Command, National Security Agency, and Defense Intelligence Agency, have provided some form of training or awareness materials addressing the digital environment.

However, GAO said, this training overwhelmingly focuses on operations security (OPSEC) and does not adequately address digital profile vulnerabilities across other critical security areas.

Only a minority of training documents referenced counterintelligence or force protection risks associated with publicly accessible data, and none addressed insider threat or program protection implications.

GAO also found that most components failed to conduct required assessments across the full range of security disciplines. Eight of the ten reviewed focused almost exclusively on OPSEC, leaving gaps in evaluations of insider threat exposure, force protection vulnerabilities, and mission assurance risks.

Officials told GAO that without department-wide policy direction, components were unsure how to incorporate digital profile analysis into formal assessments.

The report warns that adversaries from nation-state intelligence services to criminal groups have already demonstrated the ability to exploit commercial data brokers, social media platforms, and online activity to track individuals, identify units, and gather operational intelligence.

In some cases, GAO’s own investigators were able to replicate these techniques using publicly available information.

To close the gaps, GAO has made 12 recommendations, including department-wide assessments of existing policies, updated guidance incorporating all relevant security areas, improved cross-functional collaboration, expanded training, and comprehensive security assessments. The Pentagon concurred with all but one recommendation.

Article Topics

data privacy  |  Department of Defense  |  digital identity  |  GAO (Government Accountability Office)  |  military  |  national security  |  U.S. Government