Data Brokers and the Sale of Data on U.S. Military Personnel
Risks to Privacy, Safety, and National Security
By: Justin Sherman, Hayley Barton, Aden Klein, Brady Kruse, and Anushka Srinivasan
The data brokerage ecosystem is a multi-billion-dollar industry comprised of companies gathering, inferring, aggregating, and then selling, licensing, and sharing data on Americans as well as providing technological services based on that data. After previously discovering that data brokers were advertising data about current and former U.S. military personnel, this study sought to understand (a) what kinds of data that data brokers were gathering and selling about military servicemembers and (b) the risk that a foreign actor, such as a foreign adversary government, could acquire the data to undermine U.S. national security. This study involved scraping hundreds of data broker websites to look for terms like “military” and “veteran,” contacting U.S. data brokers from a U.S. domain to inquire about and purchase data on the U.S. military, and contacting U.S. data brokers from a .asia domain to inquire about and purchase the same. It concludes with a discussion of the risks to U.S. military servicemembers and U.S. national security, paired with policy recommendations for the federal government to address the risks at hand.
- It is not difficult to obtain sensitive data about active-duty members of the military, their families, and veterans, including non-public, individually identified, and sensitive data, such as health data, financial data, and information about religious practices. The team bought this and other data from U.S. data brokers via a .org and a .asia domain for as low as $0.12 per record. Location data is also available, though the team did not purchase it.
- Data broker methods of determining the identity of customers are inconsistent and evidence a lack of industry best-practices.
- Currently, these inconsistent practices are highly unregulated by the U.S. government.
- The inconsistencies of controls when purchasing sensitive, non-public, individually identified data about active-duty members of the military and veterans extends to situations in which data brokers are selling to customers who are outside of the United States.
- Access to this data could be used by foreign and malicious actors to target active-duty military personnel, veterans, and their families and acquaintances for profiling, blackmail, targeting with information campaigns, and more.
Justin Sherman is a senior fellow at Duke University’s Sanford School of Public Policy and leads its data brokerage research project.
Hayley Barton is a Master of Public Policy (MPP) and Master of Business Administration (MBA) student at Duke University and a research assistant on Duke’s data brokerage research project.
Aden Klein is a senior at Duke University and a research assistant on Duke’s data brokerage research project.
Brady Kruse is an MPP student at Duke University and a research assistant on Duke’s data brokerage research project.
Anushka Srinivasan is a sophomore at Duke University and a former research assistant on Duke’s data brokerage research project.
The authors would like to thank the multiple reviewers for their comments on earlier versions of this study. The authors would also like to especially thank Professor David Hoffman, the Principal Investigator (PI) for the grant, and Professor Ken Rogerson for their support throughout the duration of this work.
This research was sponsored by the United States Military Academy (USMA) and was accomplished under Cooperative Agreement Number W911NF-22-2-0099. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the United States Military Academy or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints of the final, public research products published by Duke University for Government purposes notwithstanding any copyright notation herein.