“Red force tracker” is a term bandied about in military intelligence circles, a kind of fantastical technology that perfectly tracks the movements of every enemy all the time. It’s the kind of tool that exists in strategy video games, acquired at great expense or with cheat codes, and the sort of technology that is impossible to implement in real life. Or, at least, it would have been before everyone — from the highest-ranking generals to the most ubiquitous private — carried an always-online device that tracked their individual movements and contained every communication they ever made.
In light of this, it is unsurprising that the Army in late December 2019 banned the installation and use of TikTok, a popular video-making and -sharing app, from all government-owned phones. Now, in the wake of the United States’ targeted killing of Iranian general Qasem Soleimani and the planned movement of more troops into the Middle East, it’s important to think about what kind of information about high-value personnel may be revealed by seemingly innocuous sources and what steps should be taken.
TikTok is a social networking service especially popular among members of Generation Z, and had previously been used by military recruiters as a way to reach teens and young adults. It is also, according to at least one lawsuit, used to harvest and funnel individual identifying information, without the consent or knowledge of its users.
That TikTok is created by the China-based ByteDance also adds an air of international compromise to the whole affair. But the problem of compromise by smartphone is hardly limited to the apps made by one country, and persists so long as uniformed people share information through social media.
The Army’s ban of the app’s use and installation followed a Navy ban on the same, and cited cybersecurity risks at the heart of the technology as the justification. Bans on foreign-made commercial technologies in the military are not uncommon; in 2017, the Navy found cybersecurity risks in popular hobbyist drones made in China and the Army proceeded to ban those drones entirely.
The ban on TikTok only extends to government-owned phones and not personal devices, though the Army’s guidance extended caution to service members using TikTok on personal phones, especially when it comes to unsolicited messages.
In the past, the intelligence services of nations including Iran have used social media to compromise secure networks, sometimes by luring people into installing harmful malware, other times simply building profiles to aid in future attempts to compromise networks.
All social media use comes with the risk that information published online may lead back to identification of the individual that published it. Open-source analysis, especially, highlights common tools for finding identifying information in shared video. TikTok is just one among many apps that collect information on users and leave that information vulnerable, though the fact that it is connected to China has added weight and urgency to congressional investigations into the risk it poses.
Apps, though, are just software. They are software with access to data stored on phones, and often with protocols that passively connect to specific company-run servers, but still software. The sensors that track individual movements, the devices that collect and transmit information, are the hardware of the phones themselves. When popular run-tracking app Strava published a map of running routes in early 2018, it took hardly any time at all for people to connect the running patterns of individuals to satellite footage of under-publicized military installations. The information implied in that data collection includes individual names, which could explode common knowledge like “soldiers patrol this base at these hours” into “this specific soldier, of this specific rank, patrolled this base from this time to this time, and here is the information one might need to find that soldier’s relatives at home.”
So long as commercial smartphones persist in common use, downloaded apps will threaten to reveal the information of service members that use them. This is hardly a problem limited to the United States.
For an innocuous example, recently published documents reveal that the launch of the Pokemon Go smartphone app in Canada in 2016 led to a military investigation into why smartphones were guiding people to unusual corners of military bases at weird hours.
In December 2019, the Indian Navy banned the use of smartphones and social media apps like Facebook, Instagram, and WhatsApp from naval bases and ships. This ban followed the bust of an espionage ring accused of leaking sensitive information to Pakistan, and it suggests one possible answer to smartphone use in times of military crisis.
As the United States moves more forces into Iraq, those service members bring with them potentially compromised devices that could provide a sophisticated adversary the means to covertly track and identify the unit. If the risk is deemed great enough, a ban on apps may be insufficient. A total prohibition on the self-tracking phones, which carry the apps, may be the option militaries pursue instead.