For sale: Data on US servicemembers — and lots of it

New research funded by West Point exposes a U.S. security vulnerability, and what many see as a gap in federal law.

For sale: Data on US servicemembers — and lots of it

Active-duty members of the U.S. military are vulnerable to having their personal information collected, packaged and sold to overseas companies without any vetting, according to a new report funded by the U.S. Military Academy at West Point.

The report highlights a significant American security risk, according to military officials, lawmakers and the experts who conducted the research, and who say the data available on servicemembers exposes them to blackmail based on their jobs and habits.

It also casts a spotlight on the practices of data brokers, a set of firms that specialize in scraping and packaging people’s digital records such as health conditions and credit ratings.

“It’s really a case of being able to target people based on specific vulnerabilities,” said Maj. Jessica Dawson, a research scientist at the Army Cyber Institute at West Point who initiated the study.

Data brokers gather government files, publicly available information and financial records into packages they can sell to marketers and other interested companies. As the practice has grown into a $214 billion industry, it has raised privacy concerns and come under scrutiny from lawmakers in Congress and state capitals.

Worried it could also present a risk to national security, the U.S. Military Academy at West Point funded the study from Duke University to see how servicemembers’ information might be packaged and sold.

Posing as buyers in the U.S. and Singapore, Duke researchers contacted multiple data-broker firms who listed datasets about active-duty servicemembers for sale. Three agreed and sold datasets to the researchers while two declined, saying the requests came from companies that didn’t meet their verification standards.

In total, the datasets contained information on nearly 30,000 active-duty military personnel. They also purchased a dataset on an additional 5,000 friends and family members of military personnel.

“If researchers are able to purchase this, acting in ethical ways, subject to university ethics processes, it would be very easy for a foreign adversary to do so,” said Justin Sherman, a researcher at Duke who led the project. “The Russian intelligence services don’t have a ban on deception.”

The Consumer Data Industry Association, a trade group that represents data brokers, said in response to the report, it does not comment on individual companies’ practices, but noted the use of consumer data is regulated by state laws and the Gramm-Leach-Bliley Act. (That legislation, enacted in 1999, applies only to financial institutions.)

Though servicemembers’ data is subject to the same rules as any other American residents, their roles — and the rules around their conduct — could make them especially vulnerable to blackmail.

The datasets included information such as a servicemember’s marital status, number and ages of their children, health conditions, credit rating, net worth, their homeowner status and their interests in gambling. The information, which costs between 12 cents to 32 cents per person, also includes personal contact information, allowing foreign adversaries to easily reach out to potential targets.

“Cheating on your spouse, financial issues, mental health concerns, all of those things can get your security clearances revoked. Those things are all in the data. It just takes the right combination of content and attackers to start trying to exploit that information,” said Dawson.

The Department of Defense did not respond to multiple requests for comment.

The researchers purchased datasets from the three data brokers twice. Sherman said the study doesn’t name the brokers involved because the companies made multiple statements of confidentiality in their business processes while selling the datasets. The researchers did not agree to confidentiality, but decided against naming the companies to avoid legal conflicts in publishing the report.

Military data-scraping has been on Washington’s radar for some time, with at least two legislative efforts to fix it, but neither has become law.

Sen. Ron Wyden (D-Ore.), authored a provision in the annual National Defense Authorization Act that requires the Government Accountability Office to report on how the Defense Department is protecting personnel’s information from being exploited by foreign adversaries. That language is in the Senate’s version of the NDAA, which passed in July. (The House and Senate are currently working on a compromise version of the NDAA and it’s unclear if Wyden’s provision will make it into the final language.)

In March, Sen. Bill Cassidy (R-La.) introduced a bill to prohibit data brokers from selling information on military service members to foreign adversaries. That bill has not moved.

“This report further solidifies the need to address this gaping hole in the protection of U.S. servicemembers,” said Cassidy, who reviewed the report.

Regulatory agencies want to crack down on the industry as well. The Consumer Financial Protection Bureau in the past year has started a rulemaking process to limit the information brokers can get from credit reports, a significant source of data for the industry.

An agency spokesperson told POLITICO that the CFPB has seen the report and will consider its findings as part of its rulemaking inquiry.

“The monetization of military personnel data, including financial information, is alarming and raises significant national security concerns,” a CFPB spokesperson said.

The Federal Trade Commission, which has also reviewed the report, declined to comment on any specific company’s practices, but said it has repeatedly scrutinized the industry and its effects on consumer privacy.

The issue hasn’t been a bigger focus, Dawson suggested, in part because it’s a long-term risk and not a sudden crisis.

“I don’t know if there’s going to be a massive collective attack that’s going to get everybody’s attention,” she said. “It’s going to be a death by a thousand cuts. That’s a difficult risk to communicate with a sense of urgency in a lot of ways.”

Sherman, the Duke researcher, said Congress should pass a federal policy to rein in data brokers, pointing specifically to last year’s proposed American Data Privacy and Protection Act, which included a provision that would prevent companies from sharing personal data without direct consent. The bill also would have created a data broker registry that allowed people to opt-out of data sales across the industry.

The co-sponsors of that bill, House Energy and Commerce Committee chair Cathy McMorris Rodgers (R-Wash.) and ranking member Frank Pallone (D-N.J.) have both reviewed the Duke report, and raised concerns about the data broker industry creating a national security risk.

“These findings are yet another terrible example of the harms posed by the data broker industry and underscore the need to pass comprehensive national privacy legislation and regulate data brokers,” Pallone said in a statement.