Data brokers are selling US service members’ secrets, researchers find
Vast amounts of highly sensitive data on American military service members are up for sale by data brokers, according to a new report examining the national security implications of the practice.
The research sheds light on the secretive data broker industry, which gathers exceptionally granular personal information on individual consumers, often selling the data to marketers. The largely unregulated and controversial industry has quickly expanded in recent years, recently spurring California to enact a law allowing consumers to bar data brokers from gathering and selling their information with the push of a button.
While most concerns about the industry focus on privacy, the researchers at Duke University’s Sanford School of Public Policy put a spotlight on how it could be a threat to the nation. Using a .asia domain name, they purchased huge amounts of data from brokers for as little as 12 cents per service member.
The researchers set up a server in Singapore where the brokers transferred private data about active-duty service members, veterans, and their families, including sensitive health and financial information, according to the report.
They also sold bulk data for people within geofenced military facilities such as Fort Bragg and Quantico.
The researchers ultimately bought data from three brokers using both .org and .asia domains, “doubling down on the national security question,” according to lead researcher Justin Sherman. Sherman is the founder and CEO of Global Cyber Strategies, a research and advisory firm, as well as a senior fellow at the Duke policy school.
The data sets all contained individually identified data attached to veterans’ and service members’ names for a cost ranging from 12 cents to 32 cents per record. The report authors did not buy mental health or location data, though that information is also for sale and easily obtainable.
Sherman said a few of the contacted data brokers asked his team for a company name, and others asked for a marketing sample, but waived the requirement when told the researchers only wanted to look at the data rather than using it for marketing. One broker required no identity verification at all.
A national security threat
Dangers in these practices abound, Sherman said, pointing to the fact that foreign adversaries collecting data would be constrained by ethics far less than his team was.
“The Russian intelligence agencies do not have a ban on being deceptive so, in some ways, the study we've done is actually kind of the floor of what you could do as a foreign actor,” Sherman said, pointing out that Russian or Chinese spies could also set up shell companies or hack into systems to retrieve the data. In fact, in 2017 the Chinese military hacked the credit reporting agency and data broker Equifax.
“Clearly there is foreign interest in this type of data,” Sherman added.
Because the data for sale includes information about an individual’s mental health conditions, personal debts, and other highly sensitive information, it could theoretically be used to blackmail or otherwise compromise active duty military personnel, Sherman said.
A breakdown of health records provided by one data broker. Credit: Duke University Sanford School of Public PolicyHis team was able to buy information documenting ailments as specific as Alzheimer’s disease, poor bladder control and hearing difficulty.
Sherman said the data his team bought on service members and veterans included full names; home addresses; emails; phone numbers; the number of children in the home; estimated ages of children; and marital status, in addition to information about health conditions, finances and religion.
He said some data sets included a column labeled “casino,” which his team was unable to get an explanation for but may be related to gambling history.
While the researchers did not buy phone location data, many of the brokers the team approached offered it along with web search histories, Sherman said.
Will Congress regulate the industry?
“The researchers’ findings should be a sobering wake-up call for policy makers that the data broker industry is out of control and poses a serious threat to U.S. national security,” Senator Ron Wyden (D-OR) said in a prepared statement.
Wyden, who recently introduced legislation to protect Americans’ data from being exploited by unfriendly foreign nations, said the research is one more signal that the U.S. needs a “comprehensive solution” to safeguarding Americans’ data from unfriendly nations, “rather than focusing on ineffective Band-Aids like banning TikTok.”
Report co-author Brady Kruse said researchers were stunned by the ease with which they bought data, particularly with the .asia domain names.
He added that the lack of interest the brokers showed in knowing who their buyers were left him aghast.
“A few brokers even acknowledged that we were hard to verify and still sold data to us,” he said.
The public’s focus on data brokers through a consumer privacy lens overshadows the profound risks the “highly unregulated industry” poses to national security, Sherman said. But he said little will change until Congress acts.
“There are some things that DOD [Department of Defense] can do and there are some things regulators can do,” he said. “But at the end of the day, this is really a congressional problem to rein this kind of practice in.”
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.