Researchers find sensitive personal data of US military personnel for sale online
(CNN) — Sensitive personal information like the apparent home addresses and health conditions of thousands of active-duty US military personnel can be bought cheaply online from so-called data brokers, according to a study published Monday by Duke University researchers.
The researchers could shop for data on servicemembers based on geolocation, including whether they lived or work near Fort Bragg, Quantico or other sensitive military locations. In some cases, they were able to buy the data for as cheap as $0.12 per record.
The study points to longstanding national security concerns from US officials and outside experts that a foreign intelligence service, for example, could build a picture of the whereabouts and vulnerabilities of US military members simply by shopping for the information online. Scammers could also use the data to stalk or blackmail military families, the researchers concluded.
The researchers were taking advantage of a vast data-broker ecosystem in the US that spans everything from major credit reporting agencies to obscure analytics firms to mobile apps that quietly sell users’ location data. There are still few legal restrictions in the US on buying and selling such data.
“It was way too easy to obtain this data: a simple domain, 12 cents a service member, and no background checks on our purchases,” said Justin Sherman, a senior fellow at Duke’s Sanford School of Public Policy who runs its data brokerage research project.
“If our research team, subject to university research ethics and privacy processes, could do this in an academic study, a foreign adversary could get data in a heartbeat to profile, blackmail, or target military personnel,” Sherman told CNN.
Data brokers purchase people’s personal information, including Social Security numbers, names, addresses, income, employment history, criminal background and other items, which can then be used to conduct legitimate information surveys, such as background checks and credit checks.
But they have come under growing scrutiny from regulators. In August, the Consumer Financial Protection Bureau said it was exploring new rules that would bar data brokers from selling certain information except for specific circumstances.
The Federal Trade Commission is currently considering new regulations to crack down on data brokers.
“We cannot comment on any company’s specific practices,” an FTC spokesperson said. “However, we have repeatedly raised concerns about the practices of data brokers and their potential impact on consumer privacy. We are prepared to take action against any company that fails to safeguard consumer data and follow applicable laws such as the Fair Credit Reporting Act.”
Senator Ron Wyden, an Oregon Democrat who has sponsored legislation to impose restrictions on data brokers, called the Duke study “a sobering wake-up call for policy makers that the data broker industry is out of control and poses a serious threat to US national security.”
“The United States needs a comprehensive solution to protect Americans’ data from unfriendly nations rather than focusing on ineffective Band-Aids like banning TikTok,” Wyden said in a statement to CNN.
“The Department [of Defense] takes the privacy interests of its personnel very seriously,” Timothy Gorman, a spokesperson for the Office of the Secretary of Defense, said in a statement to CNN in response to the Duke study. “There is a large and growing amount of commercially available information, which raises concerns on privacy interests, civil liberties interests, national security implications, threats to service members from our adversaries, and operational security risks.”
The Pentagon, Gorman added, “has a responsibility to protect the privacy interests of individuals and will continue to stress with our personnel the importance of maintaining, training, and implementing robust safeguards to protect the privacy interests of our people.”
The Pentagon and US intelligence community have long been concerned about how foreign spies might exploit the market for personal data on Americans.
The vast amount of personal data for sale online is an “increasingly powerful” tool for intelligence gathering by US and foreign spying agencies but also represents a privacy risk to ordinary people, said a US intelligence report declassified this year.
The Pentagon in 2018 announced a ban on deployed personnel using fitness trackers, smartphones and potentially even dating apps that use geolocating features. That followed a review of such practices after Strava, a fitness tracking app, may have inadvertently revealed the locations of security forces around the world.