The rise of location data brokers has exposed a persistent blind spot for defense planners and operational security teams. Companies that assemble and sell mobile device location signals can create surprisingly detailed movement profiles. When those profiles include visits to military bases, training sites, or the homes of service members, the consequences move quickly from privacy violation to operational risk.

The Gravy Analytics family of products, including the Venntel brand, sits at the center of recent scrutiny. Reporting and public records indicate that Venntel has been a supplier of historical and near-real-time location records to a range of government customers, and that its parent or affiliate companies amassed vast numbers of signals each day. Those commercial relationships and data holdings drew regulatory attention because they could be used to identify people who visited sensitive sites.

Regulators have acted. In December 2024 the Federal Trade Commission announced an enforcement action and in January 2025 finalized an order that bars Gravy Analytics and its Venntel unit from selling or using what the agency defines as sensitive location data, a category that specifically includes military installations. The orders require deletion or deidentification of historic data, the creation of a sensitive location data program, and limits on resale and disclosure except in narrowly defined law enforcement or national security situations. Those rulings mark a significant regulatory acknowledgment that the trade in granular location data poses national security and privacy harms.

Beyond regulatory filings, investigative reporting and security research revealed how extensive the underlying datasets can be. A 2025 security reporting cycle surfaced a large dataset and analysis showing that billions of mobile location points included device presence at high value government and military sites, both in the United States and overseas. In one public sample set and related analysis, researchers identified data points that aligned with national capitals and military compounds. The exposure made clear that aggregation and resale of ad-tech era location signals can be repurposed for surveillance and even tactical targeting.

How does this happen? Two technical pathways dominate. First, bidstream or real-time bidding pipelines in mobile advertising leak location signals when advertising SDKs request auctions for ad impressions. Second, software development kits embedded in apps harvest GPS and network-derived location and then pass those signals to aggregators and resellers. Brokers can stitch those feeds together, enrich them, and sell access to device identifiers or constructed audiences. App developers, advertisers, and many downstream buyers are often unaware of how widely that granular data circulates.

For the defense community the implications are concrete. Tactics and routines become discoverable at scale. Unit movements, training rhythms, and the presence of cleared personnel at off-base locations can be inferred from aggregated device traces. Foreign intelligence services and nonstate actors can harvest the same commercial pools that contractors and domestic agencies use. Even if a broker claims data is anonymized, reidentification is straightforward when location traces cross home, work, and unique travel patterns. These are not hypothetical vulnerabilities; they are practical vectors for operational compromise.

Immediate mitigations that defense organizations should adopt include:

  • Restrict and inventory personal device use in sensitive locations. Enforce device-free zones in tactical and planning spaces and issue hardened comms alternatives for necessary mobile connectivity.
  • Expand mobile device management and endpoint controls to include telemetry that flags unknown SDKs and suspicious ad network traffic. Treat mobile telemetry as part of force protection sensors.
  • Harden supply chain and acquisition language. Require vendors and contractors to attest that they do not purchase or use commercial location-broker data for defense work, and include audit rights and evidence of data provenance.
  • Educate personnel. Provide clear, mandatory guidance on app permissions, the risks of consumer apps when used in proximity to sensitive sites, and the limits of “anonymization.”
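
The bidstream pathway described earlier and the telemetry control in the second bullet meet in one check: inspecting ad requests captured from a managed test device. The following is an added example, not code from any vendor or from the original article. It assumes the captured payloads use the OpenRTB 2.x `app` and `device` object layout (SDK-specific formats need their own parser), and the app bundles, coordinates, advertising ID, allowlist and precision threshold are all constructed for illustration.

```python
import json
from decimal import Decimal

GPS_DERIVED = 1       # OpenRTB 2.x device.geo.type: 1 = GPS, 2 = IP address, 3 = user provided
PRECISE_DECIMALS = 3  # assumption: 3+ decimal places (roughly 100 m) is treated as precise

def _places(value):
    """Decimal places of a coordinate exactly as it appeared on the wire."""
    return max(0, -Decimal(str(value)).as_tuple().exponent)

def audit_bid_request(raw, approved_apps):
    """Return (app bundle, findings) for one captured ad request in JSON text."""
    req = json.loads(raw, parse_float=Decimal)  # Decimal keeps trailing digits
    device = req.get("device") or {}
    geo = device.get("geo") or {}
    bundle = (req.get("app") or {}).get("bundle", "<unknown>")
    findings = []
    lat, lon, gtype = geo.get("lat"), geo.get("lon"), geo.get("type")
    if lat is not None and lon is not None:
        places = min(_places(lat), _places(lon))
        if gtype == GPS_DERIVED or (gtype is None and places >= PRECISE_DECIMALS):
            findings.append("precise-location")
    ifa = device.get("ifa") or ""
    if set(ifa) - set("0-"):  # an all-zero ID means ad tracking is limited
        findings.append("persistent-ad-id")
    if bundle not in approved_apps:
        findings.append("unapproved-app")
    return bundle, findings

def audit_capture(lines, approved_apps):
    """Map each app bundle to the sorted set of findings across all its requests."""
    report = {}
    for line in lines:
        bundle, findings = audit_bid_request(line, approved_apps)
        report.setdefault(bundle, set()).update(findings)
    return {b: sorted(f) for b, f in report.items() if f}

# Constructed sample capture: fictional apps, coordinates and advertising ID.
APPROVED_APPS = {"com.example.weather"}
SAMPLE_CAPTURE = [
    '{"app":{"bundle":"com.example.weather"},"device":{"ifa":"6d9f2c1e-7b3a-4a1b-8c3d-123456789abc","geo":{"lat":12.345678,"lon":98.765432,"type":1}}}',
    '{"app":{"bundle":"com.example.flashlight"},"device":{"ifa":"00000000-0000-0000-0000-000000000000","geo":{"lat":12.3,"lon":98.7,"type":2}}}',
    '{"app":{"bundle":"com.example.flashlight"},"device":{"ifa":"00000000-0000-0000-0000-000000000000","geo":{"lat":12.34567,"lon":98.76543}}}',
]

if __name__ == "__main__":
    for bundle, findings in audit_capture(SAMPLE_CAPTURE, APPROVED_APPS).items():
        print(bundle, findings)
```

An approved app that still sends GPS-derived coordinates alongside a persistent advertising ID is the case an allowlist alone would miss, which is why the sample flags `com.example.weather`.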

Longer term, DoD and allied ministries should consider a layered strategy that pairs technical controls with policy and legal reform. Technical measures include hardened geofencing and RF containment systems at bases, stronger endpoint controls on contractor devices, and the use of privacy-respecting telemetry for needed situational awareness. Policy measures should close procurement loopholes that allow agencies and contractors to buy third-party location feeds without rigorous oversight. Finally, legislative or regulatory guardrails that restrict the commercial sale of sensitive location data would reduce the available attack surface for adversaries. The FTC actions against Gravy Analytics and Venntel show that regulation can close some windows, but a comprehensive defense posture requires operational, contractual, and legal changes.

Practically speaking, defense cyber teams should assume that commercial location pools will remain available in some form for the foreseeable future. That means threat models must incorporate broker-sourced signals, red-team exercises should simulate adversary use of commercial datasets, and unit-level OPSEC needs updated checklists that cover mobile app hygiene and contractor device policies. Adopting these measures now will reduce attack vectors that are cheap for an adversary to exploit and expensive to remediate after a compromise.

The Gravy Analytics episode is a wake-up call. It exposes how benign commercial ecosystems can leak into the kinetic domain and how privacy infringements can map directly to force protection failures. Defense planners, acquisition officers, and cyber operators must treat location data brokers as a strategic threat vector and align technical and policy responses accordingly. The alternative is to tolerate a persistent, monetized surveillance layer overlaid on military life and infrastructure. That is a risk we can and should close.