But the soldiers — many of whom have jobs in interrogation, human intelligence and counterintelligence — soon noticed that the app’s terms of service said it could collect substantial amounts of personal data and that the developer has a presence overseas.
That caused widespread concern that a hack could put individuals and missions worldwide at risk, soldiers in the unit said.
“We do top-secret work,” said one noncommissioned officer, who like others spoke on the condition of anonymity out of fear of retribution by their chain of command. “If our personal information is being put out there to a foreign power, what can they get from our brigade?”
Intelligence soldiers specialize in siphoning enemy communications and groom sources to deliver information about their foes, like their location and what weapons or capabilities they may have.
When they deploy, some soldiers grow their hair out and wear civilian clothes to obscure their military roles and don’t disclose their work outside of close family, another noncommissioned officer in the 504th said.
The app’s permissions — which suggested it could pull GPS location data, photos, contacts and even rewrite memory cards — frustrated soldiers who have taken extreme precautions they felt were glossed over by Trotter and other senior leaders.
“Just being in intelligence, we are trained to be extremely paranoid of everything,” the soldier said. “This is serious operational security not being considered.”
The worst-case scenario, he said, was “our cover might be blown.” Senior leaders checked the phones of subordinates to ensure they had the app installed, soldiers in the unit said.
Adversarial governments and intelligence agencies prize gateways to people who collect and manage classified information, said David Forscey, the managing director of the Aspen Institute’s Cybersecurity Group.
Sensitive information like loan debts, history of drug use or even a trail of adultery through dating apps are all pieces of information that can be used to blackmail soldiers or coerce them to hand over classified information, he said.
“One reason drug use is a question in background investigations is the U.S. wants to see what people could have to compromise you,” Forscey said.
Even if secrets gathered from a soldier aren’t apparent now, they could be useful later if correlated with other data, Forscey said.
For instance, he said, there is belief that a massive Chinese hack of U.S. security clearances may have been paired with theft of medical information in the Anthem hack to find U.S. officials with access to classified information who may also have big hospital bills — making them a prime target for exploitation.
And if a soldier leaves the military and enters the CIA or another agency, “it would be useful for China to know who they are and what they look like.”
That is why U.S. officials should balance the risk of divulging sensitive information with the potential payoff, he said, which was not clear for an app that delivers rudimentary updates, like training changes or weather cancellations.
The app developer, Straxis LLC, is based in Tulsa but has a subsidiary in southern India. User data wasn’t stored on foreign servers and third parties do not have access to data, a company spokesperson said.
Straxis later told Task and Purpose that information app’s information “is controlled by the client” and are “standard permission settings that are required by Apple/Google for feature functionality.”
While the app said permissions could be disabled and the company said user data was not collected, the soldiers said there was a failure of confidence it was secure.
Questions about security reviews during development and development costs were referred to the 504th Military Intelligence Brigade, which did not address them or make Trotter available.
The concern among service members circulated on Army Reddit and the Army WTF! moments Facebook page, a popular digital hangout for soldiers. Soldiers deleted the app in revolt. Trotter called another formation Wednesday to address the controversy, admonishing whomever talked about the issue online, soldiers in the unit said.
The app was later removed from both Apple’s App Store and the Google Play Store.
“We are confident that the appropriate security protocols are in place to protect our Soldiers’ personally identifiable information,” the unit said, calling the app an unclassified communications tool. Straxis, the brigade said, had developed similar apps for other units.
The app was removed for a “preplanned maintenance update” and will return to the app stores, the unit said, although it did not explain the timing of the removal right after the outcry within the unit.
On Wednesday, the brigade said the soldiers had no “formal obligation” to download the app.
A day later, it reversed course, conceding the app was originally “mandatory,” but following “further discussion and feedback” from unit soldiers, the brigade decided it would only “highly encourage” use of the app.
The soldiers also were frustrated over the legal review of an order to install an app on personal smartphones. Trotter told the soldiers that her decision was reviewed by Army attorneys, they said, but it was unclear to soldiers if Trotter could mandate an app on their privately owned devices.
One soldier said he was often away from his wife, and they sent intimate photos to each other. He could not be sure if they would land onto a server monitored by his commanders.
“I don’t want someone else looking at my wife’s [breasts],” he said.
The military has recently blundered in cyberspace, including an issue where troops with fitness apps unwittingly broadcast location data at secret bases worldwide.
And between July 2017 and January 2018, the Army accidentally emailed spreadsheets containing sensitive information about immigrant recruits from China and Russia to some recruits themselves.
This story has been updated.