The US military’s privacy problem in three charts

This article is from The Technocrat, MIT Technology Review’s weekly tech policy newsletter about power, politics, and Silicon Valley. Highly personal and sensitive data about military members, such as home addresses, health and financial information, and the names of family members and friends, is…

That’s the finding of a new report from Duke University researchers that shows how data brokers are selling this sort of information with minimal vetting to customers both domestically and overseas—creating major privacy and national security risks. I wrote about the report for a story this week. 

The research was concerning to members of Congress, including Senators Elizabeth Warren and Ron Wyden, who commented in the piece. Then on November 7, Senator John Cornyn cited my story in a hearing on the harms of social media.

If you want to learn more about the study and what it means for US national security, take a read through my piece.

But I want to give you a more in-depth sense of just what kinds of data are for sale by these brokers, as well as their economic model, using charts. (All charts are based on data provided by the Duke researchers and available in the report.)

First, take a look at just how personal the information is that the researchers were able to purchase—from people’s net worth to whether they have diabetes. The Duke team purchased a total of eight different data sets from three brokers (which they don’t identify by name in the report). The chart below is sorted by data set, and you can see that some information, like emails and home addresses, is widely accessible through multiple providers. I, for one, was surprised to see how frequently information about their children and homeowner status came up.

Another “concerning” finding, to use the lead researcher’s word, was the brokers’ willingness to sell this information to clients outside the US. The researchers, who were particularly interested in the national security risk created by the industry, set up an email address from a US-based domain, and one from an Asia-based domain, which they sent from an IP address in Singapore. As I detail in the story, these brokers conducted minimal vetting regardless of where the inquiry came from, and almost all of them ultimately provided many of the same types of information no matter the geographic source of the request.

Here, I’ve broken out what types of data were available based on the origin of the request. It’s worth noting that these results are just a reflection of the data the researchers purchased and do not provide a comprehensive view of what the industry sells and to whom. That is to say, just because the researchers did not get health data when inquiring from an Asia-based domain doesn’t mean it’s not possible to purchase this data through other providers. Additionally, the specific fields do vary across the different categories.