Army intelligence soldiers were forced to download an app that could access all their personal information

"This is serious operational security not being considered."


Soldiers in the 504th Military Intelligence Brigade were told last month it was mandatory to download an app to their personal devices that would allow leaders to keep them up-to-date on training schedules and weather updates.

The app did far more, however, providing soldiers’ precise locations, contact listings, and the ability to modify their calendar — raising major security concerns for soldiers who often work with top-secret intelligence.

The brigade, stationed at Fort Hood, Texas, worked with Straxis, LLC to develop the app, which the Washington Post reports was sold to soldiers as a way to “solve a lot of their communication issues.” 504th Military Intelligence Brigade officials told Task & Purpose that Straxis has “provided technology solutions for over a decade,” and has “a proven track record and mobile platform that met our requirements.”

The officials said that the initial decision to make the app mandatory “was to ensure all soldiers across the formation would be immediately updated on time sensitive issues. After further discussion, a decision was made to only highly encourage the use of the app.”

According to the Post, which spoke with soldiers from the unit, the directive was given by commander Col. Dietra L. Trotter.

Operational security concerns for U.S. service members’ use of social media apps aren’t new — in 2017 it was revealed that fitness tracking app Strava had data that showed troop positions in the Middle East, which led to a crackdown from the Pentagon on service members using geolocation services.

A screenshot of the app permissions posted by @sgtjanedoe on Twitter shows that the app can find and modify contacts; read the user’s USB storage; and view the user’s network connections.

[Image: Screenshot of app permissions. Credit: Twitter via @sgtjanedoe]

As the Post notes, intelligence soldiers “specialize in siphoning enemy communications and groom sources to deliver information.”

“Just being in intelligence, we are trained to be extremely paranoid of everything,” an NCO in the unit told the Washington Post. “This is serious operational security not being considered.”

A Straxis spokesperson told Task & Purpose that the information on the app “is controlled by the client.”

“The client can control permissions settings,” the spokesperson said in an email. “These are standard permission settings that are required by Apple/Google for feature functionality. All users have the option to allow or decline permissions. The app displays public information but does not pull user data off their phone. For example, the app gives the user the ability to add an event to their calendar but the app does not pull any user calendar data.”

The Post reported, however, that there was “a failure of confidence it was secure.”

According to a Facebook post by USAWTFM, the brigade commander “gave an order to her formation that said due to a communication issue within the formation, all personnel assigned or attached to the Brigade will install the BDE app on their phone. That compliance will be validated by the unit Commanders no later than 12 November. The went to the BDE Legal who advised that this was legal.”

On Twitter, @sgtjanedoe linked to a Reddit post titled, “Can leadership check my phone?” That post has since been deleted, but Jane’s tweet with the original link said that the Redditor claimed “the Brigade is ordering soldiers to download and making it be an inspectable item on their personal cell phones.”

The 504 MI BDE officials denied that leadership issued a directive that soldiers’ personal phones were to be inspected to ensure that the app was downloaded.

“The command has taken steps to ensure that leaders at all levels understand that soldiers’ personal phones cannot be inspected to see if the app was downloaded,” the officials said.

“Our senior cyber security technicians work routinely with Straxis developers to install tailored security protocols to ensure personal information remains protected and in compliance with U.S. privacy laws,” the 504th officials said. “Also, the information on the application is general in nature and is aggregated from public .mil sites, and other public resources/links to other valuable resources (suicide prevention lifeline, SHARP, etc).”

On Wednesday, soldiers in the unit told the Post, Trotter “called another formation…to address the controversy, admonishing whomever talked about the issue online.”