Sales by brokers of US military personnel data overseas spark national security fears
Written by Suzanne Smalley
The multi-billion dollar data brokerage industry is largely unregulated and poses a serious threat to national security by publishing and selling information it has collected on military personnel, cybersecurity experts and a US senator say.
Justin Sherman, member of the Cyber Statecraft Initiative of the Atlantic Council and cyber policy fellow of the Duke Tech Policy Lab, has been tracking data broker practices, and sounding the alarm about them, for the past year. He said three major data brokerage firms (Acxiom, LexisNexis and NielsenIQ) specifically market data on current or former military personnel.
Data for sale can include individual web searches, family members, home addresses, and even real-time GPS locations. LexisNexis markets the fact that it can look up an individual and identify if they are an active duty military member, Sherman said.
A US senator is trying to stop the practice. In the coming weeks, Bill Cassidy, R-La., plans to unveil legislation that would make it illegal for data brokers to sell military personnel data to adversarial countries, including China and Russia.
Cassidy highlighted his national security concerns about the data brokerage industry at a Senate Finance Committee hearing in December. The Senate session also included testimony from Sherman.
“There is nothing stopping data brokers from selling service members’ personal information to adversaries like China and Russia,” Cassidy told CyberScoop in a prepared statement. “It is dangerous and threatens our national security. We must ensure that consumers, especially members of our service, have the opportunity to protect their data online.”
Senators Jon Ossoff, D-Ga., and Ron Wyden, D-Ore., also recently introduced legislation targeting data brokers, with Wyden specifically proposing a ban on the sale of personal data to hostile foreign companies and governments.
Sherman has called for a complete overhaul of the data brokerage industry since last year, when he released a report that claimed there was “virtually nothing in US law preventing data brokers from selling information about U.S. individuals to foreign entities.”
He said foreign actors such as the Russian Internet Research Agency could easily exploit readily available data on military personnel and their families to support information operations, coercion, blackmail or intelligence gathering of foreign governments.
Many data brokers even market and sell pre-packaged databases on specific population subgroups, including military personnel, Sherman said, and there are no reporting or enforcement mechanisms to even know when it happens.
“There is a multi-billion dollar, virtually unregulated industry of data brokers who compile massive records on Americans and then sell them on the open market,” Sherman said in an interview. “It’s a huge national security risk…It’s too easy for a foreign actor to walk through the front door and buy sensitive data about US citizens.”
Sherman said data brokers collect and sell a wide variety of personal data, including individual mental health issues, credit card purchase histories, internet search histories, GPS locations and political preferences, and compile them into profiles that include thousands of data points about individuals, what Sherman called an “insane level of granularity.”
The protections of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA), federal laws that respectively protect sensitive student and health care records from disclosure without consent, do not protect individuals from data brokers.
“HIPAA and FERPA generally do not protect personal health and education data from data brokers because they only cover specific entities that collect this information, leaving out many mental health applications, education marketing companies and midstream businesses,” Sherman said.
Worse, he said, there is little or no vetting process in place to determine who brokers are selling to or how the data is used once sold.
“The Chinese and Russian governments, for example, constantly use shell companies and nominally non-state-affiliated companies to acquire technology to recover data. So it would be very inexpensive to do the same thing…broker in the United States and buy all this sensitive information about the people they want to profile or target,” Sherman said.
The Department of Defense declined to provide an official for an interview, but released a statement through a spokesperson, saying via email that it was “aware of this issue and was undertaking a series of initiatives to support the efforts of our staff and retirees to secure their personal lives and information.”
Spokespersons for Acxiom and NielsenIQ did not respond to an email seeking comment. A spokesperson for LexisNexis shared a statement saying the company uses military personnel data to “help banks and other financial companies comply with federal laws that protect military personnel…Beyond this tightly controlled use, which protects the military, our products only use military status data.”
Data brokers have already been implicated in several high-profile incidents. Sherman said the July 2020 killing of federal judge Esther Salas’ son on the doorstep of her New Jersey home was facilitated by a data broker who sold the judge’s address to the shooter. In a New York Times op-ed on the incident, Salas decried the fact that judges’ addresses and photos of their homes and vehicle license plates can be easily obtained online and from data brokers.
“In my case, this deranged shooter was able to create a complete dossier of my life: he walked through my neighborhood, mapped my routes to work and even learned the names of my best friend and the church I attend,” wrote Salas. “It was all completely legal. This access to such personal information allowed this man to take our only child from my husband, Mark, and me.”
Exposed data on military personnel can also pose other problems. In January 2018, journalists and researchers discovered that fitness enthusiasts using the popular “athlete social network” known as Strava had inadvertently revealed the existence of secret military bases and even a CIA black site by posting heatmaps of individual training regimens.
Daniel Kahn Gillmor, senior technologist at the American Civil Liberties Union, said individuals, including military personnel, should be concerned about their location data being shared by data brokers every time they use a mapping app such as Strava, Waze or Google Maps.
“Companies running these apps are also tasked with maximizing profits for their shareholders, and they’re sitting on a stack of data,” Gillmor said. “Someone comes in and says, ‘Hey, you already have this data. We would give you more money for it.’ … What keeps them from saying no?”