Sensitive personal information of active and veteran military members is being sold by U.S. data brokers that could pose a potential threat to national security, according to a recent report by Duke University.
- Personal details like name, home address, email, specific branch and/or agency (active duty only), wireless phone numbers, age, gender, ethnicity, language, occupation, and levels of education.
- Family information like marital status, presence of children at home, numbers of children, ages of children, sexes of children.
- Ideological information like political affiliation, religion, interest in charitable donations, interest in current affairs/politics.
- Financial information like income, net worth, credit rating, homeowner/renter status, home value, and interest in gambling/casinos.
- Medical details like ailments and health conditions.
None of the datasets purchased by the team were anonymized, even when brokers provided sensitive information to unverified buyers.
The datasets cost between $0.12 and $0.32 per record when buying roughly 5,000 to 15,000 records at a time. For much larger purchases, the costs go down to as little as $0.01.
“If you’re trying to identify people in debt, that could be really, really dangerous from a national security perspective if you can identify, target, and then blackmail particular people,” he said.
Uncontrolled Data Brokerage Industry
The study highlighted the issue of an absence of government control over the data brokering industry. “We found a lack of robust controls when asking some data brokers about buying data on the U.S. military,” the study said.One broker told the research team that they would have to verify their identity before selling data on military personnel. However, this restriction was applicable when paying for data via credit card. For wire payments, such restrictions were not in place. The team then paid by wire and the broker provided the data without any identity verification.
One broker refused to sell geolocation data around sensitive locations like military sites. However, this broker was willing to sell geolocation data in other regions of the United States. Two brokers refused to sell owing to the research team not being a verified business.
The team also bought datasets while using an IP address from another country. “Our team selected Singapore in our initial grant proposal because of its tech industry and important geopolitical position between the U.S. and China. All of the brokers responded to our requests.”
“For several of the brokers … the controls in place were primarily focused on requiring confidentiality around the data purchasing itself and to make certain the customer was a company.”
The report called on Congress to pass a “comprehensive U.S. privacy law,” with strong controls on the American data brokerage industry. It also asked the Defense Department to “assess the risks from data brokerage in its contracts.”
“For example, the Department of Defense could reserve the right to restrict a contractor’s sale of any data, related to the contract or otherwise, to external entities throughout the contract period and restrict the future sale of data to entities that was obtained due to the contract.”
Threat to Security
The study has triggered alarm bells among U.S. lawmakers.Sen. Ron Wyden, (D-Ore.) called the findings a “sobering wake-up call for policymakers that the data broker industry is out of control and poses a serious threat to U.S. national security.”
“The volume and sensitivity of CAI have expanded in recent years, mainly due to the advancement of digital technology, including location-tracking and other features of smartphones and other electronic devices, and the advertising-based monetization models that underlie many commercial offerings available on the Internet,” it said.
Since CAI is available to the general public, including adversaries of the United States, such data raise counter-intelligence risks for the U.S. Intelligence Community, the report stated.