It’s shockingly easy to buy sensitive data about US military personnel
The year-long study, which was funded in part by the US Military Academy at West Point, highlights the extreme privacy and national security risks created by data brokers. These companies are part of a shadowy multibillion-dollar industry that collects, aggregates, buys, and sells data, practices that are currently legal in the US. Many brokers advertise that they have hundreds of individual data points on each person in their database, and the industry has been criticized for exacerbating the erosion of personal and consumer privacy.
The researchers say they were “shocked” at the ease with which they were able to obtain highly sensitive data about members of the military. “In practice, it seems as though anyone with an email address, a bank account, and a few hundred dollars could acquire the same type of data that we did,” Hayley Barton, a coauthor of the study and a graduate student researcher, says.
The authors hope the study serves as a warning to US lawmakers and are calling on Congress to pass a comprehensive privacy law that restricts the data broker industry.
“What we really need is regulation of this ecosystem,” the report’s lead author, privacy researcher Justin Sherman, says. “At the end of the day, this is a congressional problem—because we need new legal authorities to deal with these risks, and regulatory agencies need more resources.”
Senator Elizabeth Warren, who has reviewed the report and serves on the US Senate Armed Services Committee, broadly agrees. “Data brokers are selling sensitive information about service members and their families for nickels without considering the serious national security risks,” Warren, a Massachusetts Democrat, said in a statement to MIT Technology Review. “This report makes clear that we need real guardrails to protect the personal data of service members, veterans, and their families.”
Selling sensitive information
The danger posed by commercially available data about active-duty military members is not a new problem. For example, in 2018, data about running routes recorded in the fitness tracking app Strava revealed the location of US military bases and patrol routes overseas.
The Duke researchers had previously come across data brokers advertising the sale of information about military personnel, says Sherman, so they wanted to evaluate the national security risks of this industry.
Sherman also notes that data brokers have claimed to have strong vetting processes that prevent data from being sold to criminal or otherwise dangerous parties and ensure that the data they sell is used responsibly. But the Duke team’s research showed this to be the exception, not the rule.