The Pentagon announced Monday that U.S. military personnel are no longer allowed to use "geolocation capabilities" on personal or government devices, such as iPhones and fitness-tracking devices, during operational deployments and at the discretion of commanders any other time.
"The rapidly evolving market of devices, applications, and services with geolocation capabilities presents a significant risk to the Department of Defense personnel on and off duty, and to our military operations globally," according to an Aug. 3 memo from Patrick Shanahan, the deputy secretary of defense.
Geolocation capabilities can expose personal information, locations, routines, and numbers of Defense Department personnel, and "potentially create unintended security consequences and increased risk to the joint force and mission," the memo states.
"Therefore, effective immediately, Defense Department personnel are prohibited from using geolocation features and functionality on government- and non-government-issued devices, applications, and services while in locations designated as operational areas," according to the memo.
Operational areas are places where "military personnel are there for a very specific purpose or mission" such as Operation Inherent Resolve or Operation Freedom's Sentinel, according to Maj. Audricia Harris, a DoD spokeswoman.
The announcement comes after news stories surfaced earlier this year that fitness apps such as Polar Flow and Strava have been inadvertently giving away locations and habits of U.S. service members on installations around the world. These apps use GPS so cyclists and runners can track their exercise routes.
Combatant commanders may authorize the use of geolocation capabilities on non-government devices, applications, and services in operational areas after conducting a "threat-based comprehensive Operations Security (OPSEC) survey," according to the memo.
Commanders may also authorize these capabilities on government-issued devices in operational areas "based on mission necessity" as long as they consider risks to operational security, the memo states.
For all other locations, such as installations in the United States and abroad, "the heads of DoD components will consider the inherent risks associated with geolocation capabilities on devices, applications, and services, both non-government and government-issued, by personnel both on and off duty," the memo states.
In cases where these capabilities pose a "threat to personnel and operations," commanders and supervisors will provide OPSEC training and "apply a tiered structure for categorizing location and operations sensitivity while incorporating risk factors to ensure restrictions are consistently and rationally applied," the memo states.
In other words, commanders may decide to restrict the use of geolocation capabilities on devices on areas of installations where "sensitive activities" are conducted, Harris said.
Within 30 days of the memo's release, the DoD chief information officer and the under secretary of defense for intelligence will jointly develop geolocation risk management guidance and training to inform commanders and heads of DoD components when making risk decisions regarding these devices, according to the memo.
Annual Cybersecurity Awareness training will also be updated to assist DoD personnel in "identifying and understanding risks posed by geolocation capabilities embedded in devices and applications."
-- Matthew Cox can be reached at firstname.lastname@example.org.