Military OPSEC training has a blind spot. Data brokers found it first.
Short answer
A January 2026 GAO report confirmed that US military OPSEC training focuses almost exclusively on social media behaviour and does not address data brokers. Commercial brokers collect and sell precise location data, home addresses, daily movement patterns, financial information, and family member details on active duty personnel with no military-specific restrictions. The soldier who never posts deployment dates on Instagram may still have his home address, his spouse’s workplace, and his children’s school listed on dozens of commercial databases available for the price of a fast food meal.
What the GAO found
The Government Accountability Office report released in January 2026 examined OPSEC training across ten major Department of Defense components. The findings were consistent across all ten.
Training materials focused overwhelmingly on social media. What to post. What not to post. How to adjust privacy settings. How to avoid sharing unit movements or deployment timelines online.
None of the training documents reviewed addressed data brokers. Not counterintelligence risk from commercially available data. Not force protection implications of purchased location histories. Not the insider threat surface created when an adversary can buy a precise daily movement pattern for a personnel officer at a sensitive installation for the cost of a fast food meal.
GAO found that without department-wide policy direction, individual components were unsure how to incorporate commercial data exposure into formal security assessments. The training that exists is not wrong. It is solving a smaller version of the problem than the one that currently exists.
What data brokers actually sell
A data broker is a company that aggregates personal information from public records, commercial transactions, app location data, loyalty programs, social media, and other sources, and sells it to anyone willing to pay. The structural picture, how data brokers specifically expose military families, is covered separately. What follows is what an active sale catalogue looks like.
The information available on active duty personnel through commercial brokers is not limited to what they post on social media. It includes home address and historical addresses. Daily movement patterns derived from mobile device location data. Financial data including income estimates, debt levels, and spending categories. Family member names, ages, and addresses. Vehicle registration. Employment history. Voter registration. In many cases, precise GPS coordinates updated continuously through data purchased from mobile apps.
This is not the only channel. The way phone carriers themselves sell real-time location data operates in parallel: the data accumulates through the SIM whether or not the user installs anything, then gets resold downstream.
The data does not require a social media profile. It does not require the individual to have made a post, shared a location, or done anything visible. It accumulates as a byproduct of living a modern life in the United States: grocery loyalty cards, navigation apps, weather apps, fitness trackers, and any app that requests location permission and sells that data to a broker.
The Gravy Analytics breach
On January 7, 2026, location data broker Gravy Analytics disclosed a significant data breach. Gravy Analytics aggregates precise location data from mobile devices at scale and sells it to government agencies, advertisers, and other clients. The breach exposed the location histories of millions of individuals.
Among the categories of data identified: location pings from devices near military installations, government buildings, and sensitive infrastructure. Gravy Analytics does not collect this data by targeting military personnel. It collects it by buying location data from apps whose users never knew the data was being sold. This is the same economic model behind free apps and free VPNs: the product is free because the user is the inventory.
The military personnel whose movements appeared in the Gravy Analytics dataset did not make a security mistake. They used a weather app.
The adversarial use case
A nation-state intelligence service does not need to hack a military network to begin building a targeting package on a specific service member or their family.
They need a name. The commercial data broker ecosystem provides the rest. Home address. Physical description from DMV records in states where they are accessible. Family members and their locations. Daily routine from months of location history. Financial pressure points that might indicate vulnerability to recruitment or coercion. Workplace location and estimated arrival and departure times. The threat model for diplomats and expats in high-risk environments maps to this exactly: the same data, used the same way, against people with the same kind of exposure.
This is not theoretical. Chinese intelligence services have been documented purchasing commercially available data on US military and government personnel as part of targeting operations. The 2025 Salt Typhoon telecom breach gave Chinese intelligence access to call records and location data from major US carriers. Commercial data brokers offer a parallel channel that requires no hacking at all.
What the training gap costs
A soldier who follows every OPSEC guideline on social media, who never posts deployment information, who locks down every privacy setting on every platform, is still exposed through commercial data infrastructure he has never been told about and cannot fully opt out of.
His spouse, who has no security clearance and has received no OPSEC training, may have a more complete commercial data profile than he does. Her location data, her daily movement patterns, her workplace and her children’s school: all potentially available to anyone willing to pay a data broker.
Military family members are not security personnel. They are not expected to maintain threat models. They are not trained to assess which apps to avoid or which data to protect. The OPSEC guidance that exists for military spouses focuses on what to post on Facebook. It does not address the dozens of data brokers that already have a spouse’s location history from the last eighteen months.
What exists as a partial solution
The Defense Department has taken some steps. The 2023 executive order on commercial spyware addressed one slice of the problem. The FY2026 Intelligence Authorization Act contains provisions directing the Director of National Intelligence to oversee commercial data acquisition. Some individual service branches have begun issuing guidance on data broker opt-out procedures.
None of it is systematic. Opt-out procedures require submitting individual requests to dozens of brokers, most of whom make the process deliberately difficult, and the opt-out expires and must be renewed. Services like DeleteMe exist specifically to automate this process, and they are the closest thing to a scalable solution currently available for individuals.
The structural problem remains. The training addresses the visible surface. The exposure lives underneath it.
Frequently asked questions
Can military personnel opt out of data broker databases?
Yes, partially. Most major brokers are required to honour opt-out requests under state privacy laws in California, Virginia, and other states. A complete opt-out requires submitting an individual request to each broker, and the brokers number in the dozens. The opt-out is not permanent and must be renewed. Services that automate the process on a subscription basis are the most practical option for sustained removal.
Does this affect military family members too?
Yes, and in some respects more directly. Military spouses and children have received no OPSEC training and are not typically considered part of the security perimeter. Their home addresses, location histories, and daily routines are commercially available through the same broker ecosystem and may be easier to access than the service member’s own profile.
Which apps are most likely to sell location data to brokers?
Any free app that requests location permission. Weather apps, navigation apps, games, retail apps, and fitness trackers are among the most common sources. The app’s privacy policy typically discloses data sharing in language that makes the practice easy to miss. The simplest approach is to deny location permission to every app that does not need it to function, and to use “while using” rather than “always” for apps that do.
Is this a new problem?
The data broker ecosystem has existed for decades. What changed is the precision and volume of location data now available, driven by the proliferation of smartphones and the economic model of free apps. The GAO report confirmed in January 2026 that military training has not kept pace with that change.
The soldier locks down his Instagram. The data broker sells his morning run route, his children’s school, and his wife’s workplace to anyone with a credit card. OPSEC training never mentioned the second part.
There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.
