Many probably already know that virtually every website frequented is collecting personal information and selling it to third parties who turn it into targeted marketing. What might not be known is that this process is highly unregulated, and that bad actors are easily able to buy personal information and do with it what they will.
That can include exploitation that risks U.S. national security, according to a report published this month by Duke University.
“It is not difficult to obtain sensitive data about active duty members of the military, their families, and veterans, including non-public, individually identified and sensitive data, such as health data, financial data and information about religious practices,” according to the report.
Funded by the U.S. Military Academy at West Point, researchers spent a year exploring the kinds of data on service members and veterans that brokers are collecting and selling, and whether foreign adversaries could exploit any of that information.
Companies like software giant Oracle, or credit reporting bureaus Equifax, TransUnion and Experian all sell data, as do lesser known companies like Acxiom and Verisk.
Researchers approached 12 different companies attempting to buy data sets compiled based on keywords like “military” or “veteran.” Eventually, multiple troves of active duty service member data, and data on their families, were purchased for as little as $0.12 per file.
The team had varying experiences buying the data. Some brokers wanted to verify their identities, or wanted an explanation of what they intended to do with the data.
Others wanted the researchers to sign nondisclosure agreements preventing them from discussing with anyone how they got the data. Others just handed over the information with no conditions.
“All datasets that we purchased included individual, personally identifiable information on military personnel in the United States,” including names and addresses, according to the report. “None of these datasets were anonymized nor aggregated, even when providing sensitive information (such as net worth, religion or health) and without verifying the purchaser’s identity.”
The unregulated nature of data brokering is one of the report’s biggest concerns, in that there are no industry rules for how these transactions take place or for vetting the individuals purchasing the data.
“In short, an industry that builds and sells detailed profiles on Americans could be exploited by hostile actors to target military service members and veterans, as a subset of the U.S. population,” according to the report. “Many veterans often still know currently classified information, even if they are no longer active duty members of the military.”
Bad actors with a pile of active duty troops’ personal information can contact members and exploit them for their military or national security knowledge.
Sextortion schemes are an example of such targeting, where someone posing as a potential sexual partner can goad a target into making a pornographic video, then threaten to post it online or send to family members if their demands are not met.
These scams infamously target troops, whose private conduct can be subject to military regulations and could thus get them kicked out of their respective service.
But there is room to exploit these service members for information as well.
“Foreign and malign actors with access to these datasets could uncover information about high-level targets, such as military service members, that could be used for coercion, reputational damage, and blackmail,” the researches wrote.
That could include their credit scores, sexual orientation, mental or sexual health status and gambling activity.
The report recommends creating federal laws that not only require affirmative consent to collect and sell consumers’ information, but specifically restricting the practice for government employees, including service members.
“Until there are changes in the way this data is gathered, shared, analyzed, licensed and sold, these risks will persist,” the report concludes.
Meghann Myers is the Pentagon bureau chief at Military Times. She covers operations, policy, personnel, leadership and other issues affecting service members.
Read the full article here