Another report from the Sanford Cyber Policy Program has been making headlines this week. Building off of the powerful impact of their mental health data broker report in February, the data broker team, led by Justin Sherman, a senior fellow at Sanford, turned their focus to a major target of data brokers: U.S. military members.
Sherman co-authored the new report with Sanford students Hayley Barton, Aden Klein, Brady Kruse, and Anushka Srinivasan. The authors analyzed hundreds of data broker websites, searching for specific terms like “military” or “veteran”, and then contacted data brokers directly to inquire about and purchase data, including sensitive information about service members.
“I’ve been thrilled to see such a bipartisan, supportive response to our report. There is not enough attention to the intersection of data brokerage, US privacy law, and national security, and an enormous credit goes to the student co-authors of the report for their research on this problem. Duke’s work on the data brokerage ecosystem continues to have a strong impact in the media and on public policy to protect Americans, including the military and beyond, from data sale and exploitation,” said Sherman.
This is one of the first reports to tackle this topic. Here are some important points to note.
Major Takeaways From Report
- It is not difficult to obtain sensitive data about active-duty members of the military, their families, and veterans, including non-public, individually identified, and sensitive data, such as health data, financial data, and information about religious practices. The team bought this and other data from U.S. data brokers via a .org and a .asia domain for as low as $0.12 per record. Location data is also available, though the team did not purchase it.
- Data brokers' methods of determining the identity of customers are inconsistent and evidence a lack of industry best practices.
- Currently, these inconsistent practices are highly unregulated by the U.S. government.
- The inconsistencies in controls on purchasing sensitive, non-public, individually identified data about active-duty members of the military and veterans extend to situations in which data brokers are selling to customers who are outside of the United States.
- Access to this data could be used by foreign and malicious actors to target active-duty military personnel, veterans, and their families and acquaintances for profiling, blackmail, targeting with information campaigns, and more.
As the report continues to receive the spotlight, media and policymakers have taken notice. Here are just a few examples so far.
Media Coverage Highlights:
“Cassidy, Warren React to New Report Highlighting the Gaping Hole in the Protection of U.S. Service Members’ Data” – Senate.gov, November 6, 2023
“Researchers find sensitive personal data of US military personnel is for sale online” – CNN, November 6, 2023
“U.S. service members’ data is easy and cheap to purchase online, study finds” – NBC News, November 6, 2023
“Brokers Sell Military Members’ Data for Pennies, Study Finds” – Bloomberg, November 6, 2023
“For Less Than $1, Anyone Can Buy A Military Vet’s Financial And Health History” – Forbes, November 6, 2023
“For sale: Data on US servicemembers — and lots of it” – Politico, November 6, 2023
“Data Brokers Sell Secrets About Military Personnel for Pennies” – Gizmodo, November 6, 2023
“Security threat: U.S. military personnel’s personal data is easy to buy at low cost, researchers say” – Washington Times, November 6, 2023
“Study: U.S. military members’ personal data being sold by online brokers” – Axios, November 6, 2023
“Researchers say service members’ personal information is easy to buy online” – The Hill, November 6, 2023
“Data Brokers Are Selling Service Member Information for Pennies. It’s a National Security Risk, Study Says” – Military.com, November 6, 2023