According to a study conducted by Duke University researchers and published on Monday, it is possible to purchase sensitive personal information of thousands of active-duty US military personnel from data brokers at a low cost. This information includes apparent home addresses and health conditions. The researchers found that they could easily acquire data on servicemembers by using geolocation, such as identifying if they lived or worked near sensitive military locations like Fort Bragg or Quantico. In certain instances, they were able to purchase this data for as little as $0.12 per record.
US officials and experts have raised concerns about national security due to the potential for foreign intelligence services to gather information on the location and vulnerabilities of US military personnel through online shopping. Researchers have also determined that scammers could use this data to stalk or blackmail military families. To conduct their study, the researchers made use of the extensive data-broker ecosystem in the US, which includes major credit reporting agencies, lesser-known analytics firms, and mobile apps that discreetly sell user location data. It is important to note that there are limited legal restrictions in the US regarding the purchasing and selling of such data.
Justin Sherman, a senior fellow at Duke Sanford School of Public Policy, expressed concern about how easily the data could be obtained. He noted that with just a simple domain and 12 cents per service member, there were no background checks on purchases. Sherman warned that if his research team, which adheres to university research ethics and privacy processes, could obtain this data in an academic study, a foreign adversary could acquire it just as quickly to profile, blackmail, or target military personnel.
Data brokers acquire personal information from individuals, such as Social Security numbers, names, addresses, income, employment history, criminal background records, and other relevant details. This information can be utilized for legitimate purposes, such as conducting background checks and credit assessments. However, data brokers are currently facing increased scrutiny from regulators. The Consumer Financial Protection Bureau announced in August that it is considering implementing new regulations that would prohibit data brokers from selling certain information, unless specific circumstances apply.
The Federal Trade Commission is currently deliberating new regulations aimed at curbing the activities of data brokers.
An FTC representative stated, "We are unable to provide comments on the specific practices of any company. However, we have consistently expressed concerns about the practices of data brokers and their potential implications for consumer privacy. We are ready to take action against any company that neglects to protect consumer data and adhere to relevant laws, such as the Fair Credit Reporting Act."
"If policy makers are looking for a wake-up call, the Duke study definitely delivers. It reveals that the data broker industry has spiraled out of control, posing a significant threat to US national security," stated Senator Ron Wyden, an Oregon Democrat who has actively supported legislation to place restrictions on data brokers. In response to the study, Wyden emphasized the necessity for a comprehensive solution to safeguard Americans' data from unfriendly nations, rather than relying on ineffective measures such as the prohibition of TikTok.
CNN has reached out to the Office of the Department of Defense's Chief Information Officer, responsible for handling Pentagon tech policy issues, for their input on the research.
The Pentagon and the US intelligence community have consistently expressed apprehension regarding potential exploitation of the American personal data market by foreign spies.
A recently declassified US intelligence report states that the extensive availability of personal data for purchase on the internet has become a valuable resource for US and foreign intelligence agencies, enabling them to gather intelligence more effectively. However, this vast amount of personal data also poses a privacy risk to ordinary individuals. In response to this concern, the Pentagon introduced a ban in 2018 that prohibits deployed personnel from using fitness trackers, smartphones, and potentially even dating apps that utilize geolocation features. This decision was made following a thorough examination of the issue, prompted by the unintentional disclosure of the locations of security forces globally by a fitness tracking app called Strava.