You can buy personal info of US military staff from data brokers for just 12 cents a pop
Health records, financial situations, religious leanings, it's all out there, or so this study says
The sensitive personal information of American military personnel and their families is on sale from US data brokers for a pittance, Duke University academics have found.
That personal data, sold for as little as $0.12 per record, is said to pose a threat because it could be acquired by foreign adversaries for malicious purposes – such as blackmail, operational targeting, or mapping sensitive military sites.
The Duke research team – Justin Sherman, Hayley Barton, Aden Klein, Brady Kruse, and Anushka Srinivasan – obtained military folks' health data, financial details, and information about their religious practices from US data brokers. Nosy types could also augment this with location data, as an extra threat.
The researchers describe their findings in a report titled: "Data Brokers and the Sale of Data on US Military Personnel: Risks to Privacy, Safety, and National Security."
The study, funded by a grant from the American military, follows from a proposal submitted by the scholars to the US Military Academy at West Point in 2021, in the wake of an August 2021 report [PDF] by one of the authors, Justin Sherman, who is currently a senior fellow at Duke University's Sanford School of Public Policy.
The 2021 report also found that US data brokers sell information about active duty military personnel. As noted in that report, the buying and selling of people's information is "virtually unregulated" in the US, and there's very little in federal or state law to prevent such sales to foreign entities. The info can be sourced from all manner of places, from phone apps and smart home devices, to payment transactions and public records.
Sherman testified before a US Senate subcommittee hearing about the issue on December 7, 2021. And he did so again during a House subcommittee hearing on April 19 this year.
Data privacy and national security concerns have long been intertwined with apps - as the US military has found out with fitness applications that show military base locations. The latest research report says that the 2020 scrutiny of TikTok – software banned by the US Army and subsequently assailed by the Trump administration – reignited the debate.
- What do the US midterm election results mean for a federal privacy law?
- Watchdog vows crackdown on 'harmful' world of surveillance-by-data-broker
- Big Tech loves talking up privacy – while trying to kill privacy legislation
- A federal watchdog to police Big Tech? Yeah, that'll do the trick, senators...
The current report argues the data brokerage industry itself represents a threat to national security. "Foreign and malign actors with access to these datasets could uncover information about high-level targets, such as military servicemembers, that could be used for coercion, reputational damage, and blackmail," it argues.
The report calls for Congress to pass a comprehensive federal privacy law – a feat US lawmakers have not managed despite years of advocacy from activists, lawyers, ands much of the technology industry.
Military claims it's taking this 'very seriously,' again
In an email to The Register, a spokesperson for the US Defense Department wrote that privacy matters to the military.
"The Department takes the privacy interests of its personnel very seriously," the spokesperson claimed. "There is a large and growing amount of commercially available information, which raises concerns on privacy interests, civil liberties interests, national security implications, threats to service members from our adversaries, and operational security risks.
"The DoD has a responsibility to protect the privacy interests of individuals and will continue to stress with our personnel the importance of maintaining, training, and implementing robust safeguards to protect the privacy interests of our people."
Dr Lukasz Olejnik, independent privacy researcher and consultant, and author of Philosophy of Cybersecurity, told The Register in an email that the Duke University study is very significant.
"This study is certainly a bombshell, considering how important privacy is today on the one hand, and on the other – how respected the military or veterans in the US are," Olejnik observed.
"This excerpt from the conclusion is particularly spot on: the data consist of 'individually identified, and non-public information.' And are available on the cheap. This confluence of privacy invasion, military risk, and availability to foreign services is a powerful mix."
This study is certainly a bombshell, considering how important privacy is today
Olejnik expressed skepticism, however, that the findings will hasten the glacial legislative process for privacy in the US.
"I doubt that it will have an effect on the proposal for a comprehensive federal Privacy Act soon," he added. "First of all, if such an Act was to be put forward, it would happen after the elections next year (and subject to the result).
"Second, the US legal data protection culture has a traditional preference in fragmentation. Specific Acts are issued for specific spheres, with the infamous issuance of a single-issue regulation for video tape rentals, the Video Privacy Protection Act."
In that spirit, Olejnik wryly suggested the US might end up pushing narrowly focused legislation called the Military Data Privacy Protection from Certain Brokers Act.
The Register proposes the Privacy Act for the Military, Elderly, Children, Billionaires, and Government Employees, But Not For Unworthy Wage-Earning Adult Citizens.
On a more serious note, Olejnik suggested, it's time to get moving on federal privacy rules. ®