Brokers Sell Military Members’ Data for Pennies, Study Finds

Data brokers are selling the sensitive data of active US military personnel for as little as 12 cents, a practice that researchers and lawmakers say raises serious national security concerns.

A month-long study by researchers at Duke University found hundreds of data brokers selling information related to active-duty military members, with data sets that included their names and home addresses.

As part of the study, researchers were able to purchase sensitive data about individually identified military personnel and members of their families, such as specific health conditions, religious practices, and financial information. They also found active service members’ location data sourced through mobile applications for sale, though they did not buy that information.

The availability of this kind of information poses a number of national security concerns. NATO’s Strategic Communications Center of Excellence has warned that such data could be used to blackmail personnel or even identify troop movements.

“It’s difficult to quantify what the risk would be, but our research does demonstrate that risks exists, and that there are gaps in regulation and what’s available to be sold,” said Hayley Barton, a graduate student at Duke University and co-author of the report.

To understand the landscape for buying US military member data, the Duke team contacted 12 brokers not named in the report, identifying themselves as researchers in their communications and via the websites they provided to sales associates.

They found that brokers implemented few controls for purchasing the data.

Easily Accessible

Roughly half of the brokers required the researchers to speak to a representative on the phone before purchasing data, and only two refused to sell them information based on the lack of what the data brokers deemed a lack of a credible online business presence.

Barton said the ease with which the team was able to buy sensitive data was “shocking.”

“None of the data that we bought attempted to hide or obscure any identity at all,” said Barton.

The researchers were able to buy thousands of identifiable records at a time costing between 12 and 32 cents per military member, with one set including contact information as well as a checklist of health conditions for some 15,000 military personnel.

While some brokers seemed to be aware of the sensitive nature of the information they were selling, they expressed a willingness to work around restrictions, the study found. For instance, one seller was unwilling to sell data from inside a military base but was willing to sell data about people visiting facilities.

Study co-author Justin Sherman, a senior fellow at Duke who runs the data brokerage research project, called it “ridiculous” to think that would safeguard service members’ data.

The true scope of the sale of US service member and veteran data is difficult to ascertain. Duke’s researchers found more than 7,000 results for data sets mentioning the term “military” when searching across 533 data brokers registered in the states of California and Vermont, states that only narrowly define who qualifies as a data broker.

Threats to national security are just part of an array of harms posed by the largely unregulated industry that have caught the attention of lawmakers and regulators. This summer, the White House hosted a round-table on data broker harms, accompanied by a Consumer Financial Protection Bureau proposal that would apply the Fair Credit Reporting Act to those that aggregate and resell financial data.

Legislative Gap

Members of Congress have unleashed a slew of bills aimed at data brokers and their services, though few have made it out of committee. That includes a bill from Sens. Bill Cassidy (R-La.) and Elizabeth Warren (D-Mass.) that would prevent data brokers from selling lists of military service members to adversarial nations.

“This report further solidifies the need to address this gaping hole in the protection of U.S. service members,” Cassidy wrote in an emailed statement to Bloomberg Law. “Our legislation defends the men and women in uniform from having their personal information sold to our enemies like China and Russia. We must act in the interest of national security and protect those who defend our nation.”

Warren, the legislation’s other co-sponsor, expressed similar concerns about the results of the study.

“Data brokers are selling sensitive information about service members and their families for nickels without considering the serious national security risks,” Warren wrote in an emailed statement. “This report makes clear that we need real guardrails to protect the personal data of service members, veterans, and their families.”

The Duke report shows that even that bill may have limitations. The research team was able to buy sensitive US service member data geofenced to military sites, including North Carolina’s Fort Liberty—formerly Fort Bragg— using a ".asia” domain. They then transferred the information to a server in Singapore. Given the lax identity checks used in the process, Barton said that there’s no reason to think that an adversarial nation-state couldn’t set up a fake company to do the same thing.

Sherman said the research highlights a “gap” in policy discussions in which “privacy conversations generally are not about national security or don’t think about national security” and “lots of national security data conversations, get focused on a single app or focused on a single company and don’t also think about how U.S. companies and unregulated, unethical U.S. business practices can be a source of national security risk.”

Existing federal laws to protect Americans’ personal information are few and far between. The Health Insurance Portability and Accountability Act, known as HIPAA, restricts how hospitals and other covered entities share patients’ data in the US. But the rapid rise in telehealth and health-related apps has increased the number of uncovered sources for data brokers to tap.

A separate Duke study from February found that data brokers were selling sensitive mental health data with similarly lax standards. The data broker selling military health member health data didn’t disclose their source to the researchers.

The most effective way to rein in the harms of the data broker industry is for Congress to pass comprehensive privacy legislation, the researchers said. Bills have stalled in Congress despite repeated urging from President Joe Biden, most recently when he signed an executive order on artificial intelligence.

“This underscores why we need to get beyond this after-the-fact, Band-Aid approach to privacy,” said Sherman.