Data brokers are collecting and selling service member data -- including health, family, geographic and military service information -- for pennies and dimes, according to a recent study from Duke University.
Over a 12-month study aimed at better understanding the problem, the university's data brokerage research project bought data from sites that collect and sell personal information. Some of those sites curated their search criteria to military demographics like branch, duty and veteran status.
Researchers found that the unregulated, multibillion-dollar industry poses a significant risk to national security -- and current U.S. policy isn't doing enough to curtail it.
"It is not difficult to obtain sensitive data about active-duty members of the military, their families, and veterans, including non-public, individually identified, and sensitive data, such as health data, financial data, and information about religious practices," the study, which was published earlier this month, found.
The data broker ecosystem, which includes companies like Oracle and Experian, gathers information "on virtually every American," according to the project, with the intent of aggregating it and selling it.
Part of that accessibility comes from the low prices at which data brokers sell their information. The research team bought data from U.S. data brokers for as low as $0.12 per record in some cases. Researchers purchased tens of thousands of datasets from the brokers, and noted that "identifiable datasets pertaining to the U.S. military can be purchased for as little as $0.01 per military service member for much larger purchases."
Outside of being an invasion of privacy for service members and their families, the study found that the sale of this information could be used by foreign intelligence services to compromise, blackmail and then coerce troops by "outing servicemembers' sexual orientations, releasing information that damages servicemembers' reputations, stalking and tailing personnel, or microtargeting personnel with particular messages."
"This includes buying data from brokers directly or through front organizations, hacking into data brokers' servers, or compromising the servers of data brokers' clients that have acquired data," the study said.
The study warned that other data that could be collected includes mental health conditions, credit scores, and information about service members' families -- all of which could be used to target personnel.
Ally Armeson, the executive director of programs for the Cybercrime Support Network, described personal safeguards for service members, veterans and their families to protect themselves from the practice despite its unregulated and shady nature.
"Protecting one's personal data from data brokers is crucial in today's digital age, especially for service members, their families, and veterans," Armeson told Military.com on Monday. Her recommendations include:
- Limit personal information sharing. Be cautious about the personal information you share online, particularly sensitive details like Social Security numbers and deployment specifics.
- Review privacy settings. Regularly check the privacy settings on your social media accounts and online profiles to ensure they are set to "private" or "friends-only" to restrict access to your data.
- Monitor your online presence. Regularly search for your name and profiles to identify and correct any inaccurate or sensitive information.
- Limit third-party app permissions. Be cautious about the permissions you grant, as some may access and share your data without your knowledge.
- Opt out of data broker services. Follow procedures on broker websites to request the removal of your information from their databases.
Individual efforts can go only so far, and the Duke University study pointed to a lack of government protections as a primary shortcoming when it comes to regulating the data brokerage ecosystem.
Increased attention has been given to data protection in the U.S. For example, over the past year, the China-affiliated social media app TikTok has caused significant concern on Capitol Hill about data collection.
But there have been other examples of data collection that have gotten somewhat less attention.
Some branches in the Defense Department have turned to wearable technology to better assess and give troops the tools to manage their own health.
The Duke study said that fitness wearables -- rings and bracelets, for example -- collect health data on the wearer. That data could get swept up in the "unregulated sharing" of information that data brokers thrive on.
The Strava fitness app, which uses maps and a GPS function to show running and walking routes, was prohibited by the Pentagon in 2018 on deployments after it gave away locations of military facilities abroad, according to The Guardian.
But the study found that location data can be just as harmful at home.
"Foreign and malign actors could use location datasets to stalk or track high-profile military or political targets," the study said. "These movements could reveal sensitive locations -- such as visits to a place of worship, a gambling venue, a health clinic, or a gay bar -- which again could be used for profiling, coercion, blackmail, or other purposes."
The study made recommendations for lawmakers and military personnel to consider, which include passing comprehensive U.S. privacy laws that can control data brokers. It pointed to the 2022 Data Privacy and Protection Act, which did not pass, as an example of a law that -- if passed -- would prohibit data brokers from sharing individuals' data without affirmative expressed consent.
"Such provisions could introduce new controls around the collection and use of personal data about Americans, and in doing so encompassing members of the U.S. military and their families," it said.
The study said the Pentagon should be wary of data brokerage within its contracts and that, because "the full list of data sources drawn on by data brokers is unclear," that list may include official sources linked to industries like privatized on-base housing.
Armeson also recommended that leaders at the unit level, who can "play a critical role in protecting the military community from data brokers and privacy violations," should consider increased education and training focused on those practices, as well as general operational security enforcement, within their formations.
-- Drew F. Lawrence can be reached at firstname.lastname@example.org. Follow him on X @df_lawrence.