Third parties selling personal data has always been a concern, but for certain vulnerable populations like military service members, this practice can quickly escalate into a national security threat. A recent study conducted by researchers from Duke University highlighted the alarming lack of measures taken by data brokers to prevent unidentified or potentially malicious actors from purchasing personal data on members of the military, even when the purchaser is actively pretending to be a foreign agent.
A 2021 Duke study led by the same researchers revealed that data brokers actively advertised their access to and willingness to sell information on US military personnel. Building upon this earlier study, researchers decided to delve deeper into the practices of data brokers by adopting undercover methods. They used wiped computers, virtual private networks (VPNs), burner phones purchased with cash, and other identity obfuscation techniques to disguise their true identities. Their objective was to scrape the websites of data brokers and identify those that were likely to have available data on servicemembers. They then attempted to make purchases from these brokers, posing as two different entities: datamarketresearch.org and dataanalytics.asia. Shockingly, with little to no vetting, several brokers not only transferred the requested data to datamarketresearch but also to the server of the .asia domain located in Singapore. Each record cost only between 12 and 32 cents.
The sensitive information made available for purchase included health records, financial information, and even location data. Although the research team at Duke decided not to purchase location data, it remains unclear whether this decision was driven by financial constraints or ethical considerations. However, the report warns that access to such data could be exploited by foreign and malicious actors to target active-duty military personnel, veterans, as well as their families and acquaintances. These individuals could be subjected to profiling, blackmail, information campaigns, and other forms of targeted attacks. Moreover, at an individual level, this exposure of data also leaves military personnel vulnerable to identity theft or fraud.
This significant gap in our national security apparatus can be attributed, in part, to the absence of comprehensive federal regulations governing individual data privacy and the business practices of data brokers. Recognizing this dire need for more stringent measures, Senators Elizabeth Warren, Bill Cassidy, and Marco Rubio introduced the Protecting Military Service Members’ Data Act in 2022. The goal of this legislation is to empower the Federal Trade Commission with the authority to block data brokers from selling military personnel information to adversarial nations. However, despite garnering bipartisan support, the bill has yet to progress beyond the introduction phase, even after being reintroduced in March 2023.
It is imperative that policymakers and regulatory bodies address this pressing issue of data privacy and the unchecked practices of data brokers. The safety and security of military service members should be prioritized, as their personal data falling into the wrong hands could have severe national security implications. The Protecting Military Service Members’ Data Act serves as a critical step towards addressing this issue, but its stagnation in the legislative process demonstrates the need for increased attention and action.
In addition to comprehensive federal regulations, it is crucial for data brokers themselves to adopt stricter protocols and verification processes to ensure the protection of sensitive information, especially when it concerns military personnel. The unchecked sale of personal data highlights the urgency for data brokers to implement robust security measures and prioritize the ethical handling of data. This includes identifying potential threats and conducting thorough screenings of purchasers to prevent the inadvertent transfer of sensitive information to malicious actors.
Ultimately, safeguarding personal data and national security requires a multi-faceted approach involving both government intervention and corporate responsibility. The urgency of the situation demands immediate action to protect military service members and prevent the exploitation of their personal information.