security

Sale of military members' data could be a national security risk – Marketplace


Remember when President Donald Trump tried to ban TikTok? He called attention to the risk that American users’ data could fall into the hands of Chinese authorities who have ties to the app’s owners.

A judge blocked the ban, but even if he hadn’t, experts say so much of our personal information is available to buy from run-of-the-mill data brokers. That includes information on Americans serving in the military, which can have big consequences for national security.

Marketplace’s Lily Jamali spoke to Justin Sherman, senior fellow at Duke University’s Sanford School of Public Policy, about a new study he led in which his team tried buying just that kind of data. He said it wasn’t all that hard.

The following is an edited transcript of their conversation.

Justin Sherman: We were able to purchase a range of data about active-duty military service members, their families, their acquaintances, as well as some veterans. This spans data about people’s health conditions, data about people’s finances, whether they’re in debt, whether they have a mortgage, as well as pretty personal demographic information, such as religion or how many children you have in the home and what the estimated ages of those children are. We really walked away with the sense that this data is, in many cases, very clearly linked to a person by name. And this is also a lot of sensitive data that many service members probably don’t suspect is out there for sale by these data brokers.

Lily Jamali: So, to do this, Justin, your team approached 12 different data brokers to buy data, first using a U.S.-based website and then later with a “.asia” domain name. Why that domain name?

Sherman: We wanted to see if there’s a difference between contacting a data broker with a U.S. website and asking to buy data about people in the U.S. military and doing that from what’s very clearly not a U.S. website. So, in this case, we set up a website ending in .asia and wanted to see if the sales process would be different. Is there a restriction on selling military data? Are there more background checks involved? And the unfortunate answer to that question is no. We were able to buy basically the same data through the .asia website that we did through the, the U.S.-based .org website we set up.

Readers Also Like:  Microsoft is shutting down some important security tools - but there's ... - TechRadar

The cherry on top of this entire phase of the research project was, we had set up a secure server in Singapore, to which these brokers transferred the data when we bought it via the .asia website, and they literally sent these U.S. service members’ data overseas to that server. We of course immediately then downloaded it and removed it, and we have a lot of controls around that, but it just underscores that there wasn’t any thinking about whether there was a risk there or any general obligation to think about privacy or national security. That clearly was not the case.

Jamali: In one case, you got names, home addresses, emails and cellphone numbers on 5,000 active-duty service members and veterans in the Washington, D.C., area. You bought that data for 32 cents per record, all without background checks.

Sherman: The data brokers we purchased from did not vet who we were. We even had one broker that — and even as someone studying this, I found this a little shocking — said to us that if we were to pay by credit card for the data set, we would have to go through their background check process and do identity verification. We could do that or we could pay by wire transfer. We paid by wire and we did not have to do a background check, and we got the data set from this, this company. So, it very much did underscore the fact that, not only is this data out there without regulation, but a lot of these companies also don’t have “know your customer” controls and they don’t have basic background checks. If you’re trying to prevent harm, you want to vet people before you give them really sensitive information. That’s another reason why some of these industry practices can lead to real harm.

Readers Also Like:  PSA Network announces addition of SAFR to technology partners - SECURITY SYSTEMS NEWS

Jamali: What are the national security implications of this data on active-duty service members, as well as veterans, being so readily available?

Sherman: Foreign spy agencies are really interested in people who have security clearance or people who are involved in national security. Because if you want someone to leak secrets or to tell you what’s going on or act a certain way, you’re going to target people who work in the military or work in the government. The fact that it was so easy for us to buy this and get data linked to specific people suggests that it would be really easy for a foreign actor to do the exact same thing and to get data you might not get elsewhere. Financial data, for instance. If you’re trying to identify people in debt, that could be really, really dangerous from a national security perspective if you can identify, target and then blackmail particular people.

Jamali: It sounds like pretty much anyone with a little bit of know-how can buy this kind of data.

Sherman: Some data brokers are going to put a higher bar in place for the amount of money you need to spend or if you need a background check, but there are plenty of data brokers where all you need is an email and a credit card and that is enough to buy highly sensitive data about Americans and even members of the military.

Jamali: That’s terrifying.

Sherman: It’s very scary. And for anyone listening to this who might be concerned and thinks, “Well I’m not in the military, but what about my data?” we have other studies we’ve done and other studies coming out that show that we could have done this exact same study on any other demographic group. We could have done this for police officers, judges, survivors of gendered violence. And the terrifying reality is that we probably would be able to get very similar, sensitive data about those people because it’s out there.

Readers Also Like:  Ransomware strains are getting quicker and sharper than ever before - TechRadar

More on this

Justin Sherman and I talked about some of the specific ways data brokers slice and dice the personal information they sell. The report that he and his colleagues have been working on, which comes out Monday, names some categories that  got our attention, one of which is “Habits.”

Those habits include “Veterans that own a motorcycle” and “Military readers.”

“Careers” is another category. “Veteran owned construction companies” is a data set mentioned in the report.

The team at Duke also cites an advertisement from one broker about veterans who are “responsive to one or a variety of causes.” The ad states that “giving back and helping others is something that is in the heart and soul,” adding that you can “already see them opening up their wallet for your offer today.”



READ SOURCE

This website uses cookies. By continuing to use this site, you accept our use of cookies.