image

Military Personnel data sold for Pennies

Want to buy invasive personal details about an active-duty service member who works on a specific military base? You better have $0.12, because according to a new study that’s all it costs. The good news is the unregulated data brokers who sell that information probably won’t ask you any pesky questions about your plans.

New research from Duke University finds data brokers are selling personally identifiable information about active-duty members of the military, their families, and veterans at the cost of just pennies per person. The data included highly sensitive information about individuals, but it’s more than a privacy problem. The researchers found that many data brokers were happy to sell information to unidentified people from other countries with zero vetting, which could expose the information to foreign or malicious actors. In other words, data brokers may pose a serious national security threat.

“It makes up a multi-billion dollar industry that collects and sells data on pretty much every American, and, of course, that includes members of the military and their family,” said Justin Sherman, a senior fellow at Duke University’s Sanford School of Public Policy, and lead author of the report. “It was shockingly easy to get access to very sensitive identifiable information that isn’t public.”

Over the course of a year, researchers at Duke identified data brokers that advertised information for sale about members of the military and veterans. The researchers approached 12 data brokers about buying the data and were able to purchase sweeping records on tens of thousands of military service members for $0.12 to $0.32 per person. (The study doesn’t include the names of data brokers to avoid potential legal liability.) The data included names, home addresses, emails, political affiliations, genders, ages, religions, incomes, net worths, credit ratings, occupations, health information, religious affiliations, marital status, and the presence of children in the home.

“We bought data about service members’ children,” Sherman said. “It’s hard to wrap your head around the scale of data brokerage and how many things it touches.”

To test national security questions, the authors approached the data brokers posing as foreign buyers, using a Singaporean IP address and a .asia domain name. In most cases, the data brokers didn’t show any apprehension, or do anything to vet the buyer’s identity or intended purposes. For example, using the .asia domain, the researchers bought data that was geofenced to Fort Bragg, Fort AP Hill, and Quantico, and general geofenced data for Washington, DC, Maryland, and Virginia.

According to the researchers, this could allow foreign actors to target active-duty military members, veterans, and their families with blackmail, targeting with information campaigns, and more.

“One of the main points is it was perfectly legal for us to buy this data, and it was perfectly legal for the data brokers to sell it,” said Hayley Barton, a co-author of the study and a graduate student at Duke University. “Anyone with an email address can go out and do the exact same thing.”

Data brokerage is a shadowy business with hundreds if not thousands of individual companies that collect, analyze, repackage, and sell data about every aspect of people’s lives. Data brokers are fundamentally unregulated, except for a few laws that require data brokers to register with certain states and a recent California law that will force data brokers to delete your information upon request. On the federal level, there are practically no laws about privacy whatsoever, despite decades of trying and a flurry of recent activity that, so far, has gone nowhere.

“It’s a congressional issue at the end of the day,” Barton said. “This is a systemic problem, and the solution is for Congress to pass legislation around this issue and actually fund regulators like the FTC to actually do enforcement.”

As a consumer, you almost never interact with data brokers directly, but they’re constantly having an impact on your life. Data brokers are used in decisions for hiring, housing, insurance, and law enforcement.

Often, the refrain from privacy skeptics is “I’ve got nothing to hide.” One of the reasons for that misconception is a worldwide misunderstanding of what data is available. If you can think of a detail, any detail, about a person’s life, there’s a good chance data brokers have it for sale. Part of the problem — thanks to successful PR campaigns on behalf of the tech industry and the opaque nature of technology itself — is that people tend to think of “data” as the things we type into forms or click on. That couldn’t be farther from the truth.

“The prediction and inference data brokers make can be very sophisticated,” Sherman said. Data brokers can learn about you through complex pattern analysis, but there are plenty of simple ways to figure out your secrets. Geolocation data, for example, is as good as someone following you around 24 hours a day with a notepad and writing down everything you do. Think of the clinics you visit, the places you go to worship, the kinds of bars or restaurants you go to, the places where you buy your groceries, or where you drop your kids off at school.

“Or it can be as simple as identifying your zip code and making predictions about your race and income,” Sherman said.

If you’re applying for a job and the HR department gets information from a data broker that says you have serious mental health problems, it doesn’t really matter if it’s true: you’ll get hurt either way.