Report on US military online data raises alarm

Karah Rucker | Anchor

DATA BROKERS ARE RELEASING SENSITIVE INFORMATION ABOUT U.S. SERVICE MEMBERS FOR ANYONE WITH A FEW BUCKS AND AN EMAIL ADDRESS.

THAT’S ACCORDING TO A NEW STUDY PUBLISHED BY DUKE UNIVERSITY.

NOT ONLY DID THEY ACCESS THOUSANDS OF MILITARY MEMBERS’ PERSONAL RECORDS –

BUT THEY DID SO USING DOMAINS FROM THE U.S. AND **OUTSIDE THE U.S.

THE STUDY IS SPARKING NEW CONCERNS OVER ACCESSIBILITY TO AMERICANS DATA ONLINE.

ORACLE, EQUI-FAX, EXPERIAN, AND CORE-LOGIC ARE SOME OF THE MORE POPULAR DATA BROKERS.

THEY HAVE MILLIONS OF PERSONAL DATA RECORDS THEY OBTAIN BY PURCHASING IT FROM CREDIT CARD PROVIDERS –

COLLECTING COURT RECORDS, DMV RECORDS, VOTER REGISTRATIONS, AND OTHER PUBLIC INFORMATION.

THIS CAN INCLUDE NAMES, HOME ADDRESSES, GEO-LOCATION, FAMILY MEMBERS INCLUDING CHILDREN, CONTACT INFO, AND SALARIES. 

THE DATA BROKERS COMPILE IT.

STORE IT.

AND SELL IT.

WHO CAN BUY IT?

ACCORDING TO A CO-AUTHOR OF THE STUDY  –

“PRACTICALLY ANYBODY.”

AND FOR CHEAP.

A “CUSTOMER” CAN SPECIFICALLY SEEK OUT **MILITARY-RELATED DATA FROM MORE THAN 500 DATA BROKERS’ WEBSITES.

IN THIS STUDY –

RESEARCHERS PURCHASED EIGHT DATA SETS FROM THREE DIFFERENT BROKERS. 

EACH BROKER RELEASED BETWEEN 5 AND 15 THOUSAND “IDENTIFIABLE RECORDS”.

IN SOME CASES – THIS INCLUDED THE AGES AND SEX OF CHILDREN OF ACTIVE-DUTY MILITARY MEMBERS IN WASHINGTON D.C., MARYLAND, AND VIRGINIA.

THE FINAL COST?

BETWEEN 12 AND 32 **CENTS PER RECORD.

SOME LAWMAKERS –  ARE CALLING FOR ACTION.

SOME WANT NEW PRIVACY LAWS TO RESTRICT THE INDUSTRY.

SENATOR ELIZABETH WARREN READ DUKE UNIVERSITY’S STUDY AND EXPRESSED HER CONCERNS OVER THEIR FINDINGS.

 Elizabeth Warren:

“Data brokers are selling sensitive information about service members and their families for nickels without considering the serious national security risks. This report makes clear that we need real guardrails to protect the personal data of service members, veterans, and their families.”

THE VETTING PROCESS – 

RESEARCHERS SAY WAS SLIM-TO-NONE.

EVEN WHEN THEY WERE PURCHASING U.S. MILITARY DATA FROM **OUTSIDE THE COUNTRY.

RESEARCHERS **SUCCESSFULLY USED DOT-ASIA EMAIL ADDRESSES WITH I-P ADDRESSES IN SINGAPORE TO OBTAIN DATA ON U.S. MILITARY MEMBERS.

RESEARCHERS SAY ONE BROKER RECOMMENDED PAYING FOR THE DATA BY WIRE TRANSFER RATHER THAN BY CREDIT CARD IN ORDER TO AVOID ANY BACKGROUND CHECK TO ACCESS THE DATA.

THE LEAD AUTHOR OF THE STUDY SAID QUOTE –

“We were able to buy data from brokers without any vetting, even though it pertained to members of the military, even though we were using a .asia domain, even though we wanted data sent out of the country.

“At the end of the day, this is a congressional problem—because we need new legal authorities to deal with these risks.”

The team first scraped the web to get a view of how many of the thousands of data brokers in the US advertise the availability of personal data on the country’s service members. It found “7,728 hits for the word ‘military’ and 6,776 hits for the word ‘veteran’ across 533 data brokers’ websites,” according to the paper. Major data brokers including Oracle, Equifax, Experian, CoreLogic, LexisNexis, and Verisk all advertised military-related data.

To determine the scope of the national security risk, the researchers specifically wanted to test whether brokers would sell data to buyers outside the US. 

“We were able to buy data from brokers without any vetting, even though it pertained to members of the military, even though we were using a .asia domain, even though we wanted data sent out of the country,” says Sherman—a finding he calls “really concerning.” “At the end of the day, this is a congressional problem—because we need new legal authorities to deal with these risks

The US Department of Defense did not respond to our multiple requests for comment. 

The authors hope the study serves as a warning to US lawmakers and are calling on Congress to pass a comprehensive privacy law that restricts the data broker industry. 

Senator Elizabeth Warren, who has reviewed the report and serves on the US Senate Armed Services Committee, broadly agrees. “Data brokers are selling sensitive information about service members and their families for nickels without considering the serious national security risks,” Warren, a Massachusetts Democrat, said in a statement to MIT Technology Review. “This report makes clear that we need real guardrails to protect the personal data of service members, veterans, and their families.”

 one of the brokers even sold the researchers data about the ages and sex of children of active-duty military members living in Washington, DC, Maryland, and Virginia, and whether they had children living in their homes. This data set, which also included the  the ages and sex of children of active-duty military members living in Washington, DC, Maryland, and Virginia, and whether they had children living in their homes. 

 members’ home addresses, was sold to the researchers when they inquired from both US- and Asia-based domains. 

In practice, it seems as though anyone with an email address, a bank account, and a few hundred dollars could acquire the same type of data that we did,” Hayley Barton, a coauthor of the study and a graduate student researcher, says.

In the end, the researchers purchased eight data sets from three different brokers, each containing between 4,951 and 15,000 identifiable records, via email addresses with US- and Asia-based domains. The final cost was $0.12 to $0.32 per record for each service member. The researchers did not sign any nondisclosure agreements. 

Using a .asia domain name and email address and a Singaporean IP address, the researchers were able to obtain individually identified information on active-duty service members, and data about their marital status, homeowner/renter status, ethnicity, language, religion, and credit rating, among many other data points.