Buying personal information of active and retired U.S. military personnel and their families from data brokers is easy and inexpensive and poses a national security risk if the data is acquired by foreign actors, according researchers at Duke University.
A 12-month study by the university’s School of Public Policy found it was possible to buy the data from multiple U.S.-based data brokers for as little as 12 to 32 cents per record – and as little as 1 cent each for large purchases of records – and that the sensitive information included everything from names, home and email addresses, phone numbers, and political affiliation to age, income, net worth, home value, credit rating, religion, and health details.
Some even offered to sell geolocation information. The researchers were able to buy between 4,951 and 15,000 identifiable records at a time from brokers after contacting them using both .org and .asia domains – the latter linked to an IP address in Singapore – and with little to no verification needed.
The study looked at not only how easy and cheap it was to acquire the information, but also highlighted how easy it would be for foreign adversaries or cybercriminals to do the same and the risks that come with that.
Intelligence services of foreign governments could use the sensitive data to exploit members of the military in multiple ways, from coercing or blackmailing them to outing their sexual orientations, releasing information that damages their reputations, following personnel, and targeting them with specific messages.
“In short, an industry that builds and sells detailed profiles on Americans could be exploited by hostile actors to target military servicemembers and veterans, as a subset of the U.S. population,” the researchers wrote in the 51-page study released this week. “Many veterans often still know currently classified information, even if they are no longer active-duty members of the military. The data brokerage ecosystem poses risks to national security by compiling large, detailed datasets on U.S. military personnel and subsequently selling that data on the open market.”
The study, which was sponsored by the U.S. Military Academy at West Point, highlights the relatively unregulated and highly controversial nature of data brokers, who collect and aggregate massive amounts of personal information of people around the world and sell or license it. It’s a big business, with some reports saying it could grow from $319 billion in 2021 to more than $545 billion in 2031, with about 4,000 brokers worldwide.
Some brokers are such well-known companies like Oracle and Experian, while others are smaller with much lower profiles, according to the Duke study. However, they essentially all do the same thing, which is make personal information available to those who want to buy it.
Federal and state governments are looking for ways to rein in data brokers. The California State Assembly recently passed a bill that makes it easier for residents to keep data brokers from collecting and selling their personal data. In addition, the Consumer Financial Protection Bureau (CFPB) is considering tighter regulations on the information data brokers can sell, such as a person’s Social Security number, income, or criminal history record, particularly in the age of AI.
“While these firms go by many labels, many of them work to harvest data from multiple sources and then monetize individual data points or profiles about us, sometimes without our knowledge,” CFPB Director Rohit Chopra said during White House roundtable discussion. “These data points and profiles might be monetized by sharing them with other companies using AI to make predictions and decisions.”
Duke conducted a study about data brokers in 2021, finding that the companies create data packages about specific groups of people that “focus on individuals with shared characteristics, ranging from datasets on heavy coffee drinkers or avid podcast listeners to datasets on students, first responders, and elderly Americans.” During that study, they learned of multiple brokers who sold data about military members and veterans.
They found 7,728 hits for the word “military” and 6,776 for “veteran” across 533 data brokers’ websites. During the study, they contacted 12 about buying such records and eventually bought information from three. The researchers found a lack of controls for verifying who was buying the information. One broker waived the verification process if the buyers agreed to pay by wire rather than a credit card.
Having such military-related information available for easy purchase represents a national security threat in a range of ways, including those that threaten the military members themselves and could lead to a disclosure of national secrets.
“Much attention has been paid to questions surrounding social media platforms, foreign governments (e.g., the Chinese and Russian governments), and known cases and risks of running targeted advertisements to U.S. persons,” the researchers wrote. “Yet, the research community and policymakers have paid little attention to how the large data packages compiled and sold by data brokers, including those that encompass military personnel and political data, could be exploited by foreign states and malign actors.”
They highlighted the dangers of location data, including enabling foreign agents to track military personnel and possibly catching them in situations – going to a gambling venue or meeting someone for an affair – that could compromise them.
Such data also could be used to estimate the size of military population or troop buildup in specific areas, identify an off-base place where troops congregate, or identify when a targeted person is using tradecraft to avoid being detected.
“For instance, a person who has stated they are headed to one location and instead visits another could be identified as an intelligence operative or someone working in another sensitive national security area,” they wrote.
The researchers recommended Congress pass comprehensive privacy laws that put strong controls on data brokers and supplement such a law with national security focused controls, and said the Defense Department should assess how the data it holds about military personnel flows into data brokers. There also needs to be new regulations and enforcements by regulatory agencies and sufficient funding from Congress.
Recent Articles By Author