Sensitive personal information of active and veteran military members is being sold by U.S. data brokers that could pose a potential threat to national security, according to a recent report by Duke University.
“It is not difficult to obtain sensitive data about active-duty members of the military, their families, and veterans, including non-public, individually identified, and sensitive data, such as health data, financial data, and information about religious practices,” the Nov. 6 report said. The research team purchased details via data brokers for as low as 12 cents per record. Even the location data of military members were available for purchase.
“Access to this data could be used by foreign and malicious actors to target active-duty military personnel, veterans, and their families and acquaintances for profiling, blackmail, targeting with information campaigns, and more,” the report warned. The information in the dataset included:
- Personal details like name, home address, email, specific branch and/or agency (active duty only), wireless phone numbers, age, gender, ethnicity, language, occupation, and levels of education.
- Family information like marital status, presence of children at home, numbers of children, ages of children, sexes of children.
- Ideological information like political affiliation, religion, interest in charitable donations, interest in current affairs/politics.
- Financial information like income, net worth, credit rating, homeowner/renter status, home value, and interest in gambling/casinos.
- Medical details like ailments and health conditions.
“Several data broker websites advertise data on military families, with dataset titles such as ‘Military Families Mailing List’ and ‘Hard Core Military Families,’” the report said.
None of the datasets purchased by the team were anonymized, even when brokers provided sensitive information to unverified buyers.
The datasets cost between $0.12 and $0.32 per record when buying roughly 5,000 to 15,000 records at a time. For much larger purchases, the costs go down to as little as $0.01.
In an interview with public media outlet Marketplace, Justin Sherman, a senior fellow at Duke University’s Sanford School of Public Policy who led the study, gave an example of how financial data collected from such brokers could be weaponized against the country.
“If you’re trying to identify people in debt, that could be really, really dangerous from a national security perspective if you can identify, target, and then blackmail particular people,” he said.
For their analysis, the team scraped through 533 data brokers’ websites, contacted 12 of them, and eventually bought from three sellers.
Uncontrolled Data Brokerage Industry
The study highlighted the issue of an absence of government control over the data brokering industry. “We found a lack of robust controls when asking some data brokers about buying data on the U.S. military,” the study said.
One broker told the research team that they would have to verify their identity before selling data on military personnel. However, this restriction was applicable when paying for data via credit card. For wire payments, such restrictions were not in place. The team then paid by wire and the broker provided the data without any identity verification.
One broker refused to sell geolocation data around sensitive locations like military sites. However, this broker was willing to sell geolocation data in other regions of the United States. Two brokers refused to sell owing to the research team not being a verified business.
The team also bought datasets while using an IP address from another country. “Our team selected Singapore in our initial grant proposal because of its tech industry and important geopolitical position between the U.S. and China. All of the brokers responded to our requests.”
“For several of the brokers … the controls in place were primarily focused on requiring confidentiality around the data purchasing itself and to make certain the customer was a company.”
The report called on Congress to pass a “comprehensive U.S. privacy law,” with strong controls on the American data brokerage industry. It also asked the Defense Department to “assess the risks from data brokerage in its contracts.”
“For example, the Department of Defense could reserve the right to restrict a contractor’s sale of any data, related to the contract or otherwise, to external entities throughout the contract period and restrict the future sale of data to entities that was obtained due to the contract.”
Threat to Security
The study has triggered alarm bells among U.S. lawmakers.
“This report further solidifies the need to address this gaping hole in the protection of U.S. servicemembers,” said Sen. Bill Cassidy (R-La.), according to NBC News. “We must act in the interest of national security and protect those who defend our nation.”
Sen. Ron Wyden, (D-Ore.) called the findings a “sobering wake-up call for policymakers that the data broker industry is out of control and poses a serious threat to U.S. national security.”
A January 2022 report from the Office of the Director of National Intelligence also raised similar concerns. It focused on the threat posed by “Commercially Available Information” (CAI).
“The volume and sensitivity of CAI have expanded in recent years, mainly due to the advancement of digital technology, including location-tracking and other features of smartphones and other electronic devices, and the advertising-based monetization models that underlie many commercial offerings available on the Internet,” it said.
Since CAI is available to the general public, including adversaries of the United States, such data raise counter-intelligence risks for the U.S. Intelligence Community, the report stated.