Data Brokers Sell Sensitive Data of US Military and Veterans
Foreign buyers welcome. No questions asked. 12¢ per.
The U.S. data broker industry is—yet again—in the spotlight, for all the wrong reasons. This time, researchers have discovered overseas buyers can easily get detailed, highly personal info of active service personnel and veterans.
When will we rid ourselves of this evil trade? In today’s SB Blogwatch, we lobby hard to shut ’em down.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Star Wars 1920.
Follow the Money
What’s the craic? As Tate Ryan-Mosley reports, “It’s shockingly easy to buy”:
“Disturbing finding”
For as little as $0.12 per record, data brokers in the US are selling sensitive private data about active-duty military members and veterans, including their names, home addresses, geolocation, net worth, and religion, and information about their children and health conditions. … Many brokers offered to sell the data with minimal vetting.
…
These companies are part of a shadowy multibillion-dollar industry that collects, aggregates, buys, and sells data, practices that are currently legal in the US. … Data brokers have claimed to have strong vetting processes that prevent data from being sold to criminal or otherwise dangerous parties and to ensure that the data they sell is used responsibly. But [the] research showed this to be the exception, not the rule.
…
In one particularly disturbing finding, one of the brokers even sold … data about the ages and sex of children of active-duty military members living in Washington, DC, Maryland, and Virginia, and whether they had children living in their homes. This data set … included the members’ home addresses.
“Disturbing” doesn’t begin to describe it. Katie Malone adds—“Data brokers sold them information on military servicemembers”:
“Gaping hole”
Third parties selling our personal data is annoying. But for certain sensitive populations like military service members, the selling of that information could quickly become a national security threat. Researchers at Duke University … used wiped computers, VPNs, burner phones bought with cash and other means of identity obfuscation to go undercover … posing as two entities: … Chicago-based … datamarketresearch.org and dataanalytics.asia … located in Singapore.
…
The sensitive information included health records and financial information. Location data was also available. … This gaping hole in our national security apparatus is due in large part to the absence of comprehensive federal regulations.
Yikes. Here’s an interview with Duke University’s Justin Sherman by Lily Jamali and Rosie Hughes, who ask, “Is that a threat to national security?”
“Really, really dangerous”
The data brokers we purchased from did not vet who we were. … We had set up a secure server in Singapore … and they literally sent these U.S. service members’ data overseas. … There wasn’t any thinking about whether there was a risk there or any general obligation to think about privacy or national security.
…
We were able to purchase … data about people’s health conditions, data about people’s finances, whether they’re in debt, whether they have a mortgage, as well as pretty personal demographic information. [It] is, in many cases, very clearly linked to a person by name.
…
If you’re trying to identify people in debt, that could be really, really dangerous from a national security perspective if you can identify, target and then blackmail particular people. … It would be really easy for a foreign actor to do the exact same thing. … It’s very scary. And for anyone listening to this who might be concerned and thinks, “Well I’m not in the military,” … we could have done this exact same study … for police officers, judges, survivors of gendered violence [or] any other demographic group.
Our own Jeffrey Burt hammers home the point—“Data Brokers Selling US Military Personnel Info”:
“Big business”
The study, which was sponsored by the U.S. Military Academy at West Point, … looked at not only how easy and cheap it was to acquire the information, but also highlighted how easy it would be for foreign adversaries or cybercriminals to do the same. … Intelligence services of foreign governments could use the sensitive data to exploit members of the military in multiple ways, from coercing or blackmailing them to outing their sexual orientations, releasing information that damages their reputations, following personnel, and targeting them with specific messages.
…
It’s a big business, with some reports saying it could grow from $319 billion in 2021 to more than $545 billion in 2031, with about 4,000 brokers worldwide. Some brokers are such well-known companies like Oracle and Experian, while others are smaller with much lower profiles. … However, they essentially all do the same thing, which is make personal information available to those who want to buy it.
How do they get this data? It’s happened to swells34:
The Holy Grail of documents is the DD-214, which has every single piece of sensitive personal information a civilian has, all in one place. … It’s a complete identity package; full name, signature, photo, work history, residence history, dates, personal description, mother’s maiden name, date of birth, location of birth, name of birth hospital and doctor. Then there’s security clearance paperwork, which may be even worse, extensive un-redacted medical records, etc.
All of these documents are viewed hundreds of times by hundreds of people, … scanned, photocopied, emailed, printed, all without any sort of authorization or even knowledge by the service member. It’s legitimately scary. And then after you’re out, all of this information is managed by the VA—by people who have nearly unrestricted access to it, and in my case along with thousands of others, put on a thumb drive and taken home and sold to a broker. It’s a life ruiner.
Lest we forget, the data broker problem isn’t just about military personnel’s data. Here’s johnfbw:
It would be very American to bring in privacy laws not to protect people, but to protect the military! It is scary how much data is freely distributed about people in the US — and all of it could be used for potential blackmail (not just of the military).
So why should military data be any different? A slightly sweary Shakrai says that’s the wrong question:
That’s the wrong question. It’s very obvious why having military member information this easy to get is a terrible idea.
The right question is: Why does it have to happen to the military before someone bothers to notice that it is happening? I can call out a multitude of other professions (finance, human resources, IT, law enforcement—list is endless) and situations (domestic violence, witnesses to crime) where this is a huge ****ing problem.
What should the government do? rurp is here to help:
Changing possession of personal user data from a financial asset to a liability is probably the most effective thing the government could do in the near term to protect people’s information. Companies right now are incentivized to collect tons of personal data because it’s worth real money to them and others—and the liabilities mostly fall to the users. If there were heavy financial consequences to leaking personal data then companies would self regulate away a lot of terrible behavior that is currently common.
Whose fault is it? Apparently our own—according to drankinatty:
We have no one but ourselves to blame. The sad part is there are maggots out there willing to aggregate and then push other peoples pilfered data for profit. The equally sad part out there is there are maggots willing to buy [it].
…
It’s the side effects on the lives of real peoples that are lost in this frenzied capitalistic data-centric masturbation. The 23andMe intrusion lifted close to a million personally-identifiable genetic records: In this cesspool, it is the insurance companies and actuaries playing the part of the buyer maggots … for purposes they are not allowed to under HIIPA.
…
Six months later your parents are in tears because they are uninsurable for some nebulous reason given by their health insurer. And the chilling anecdotes just keep on coming. Good lord, where does it end?
Meanwhile, CaptQuark agrees:
Ask for a military discount? …
Use ID.me to verify military affiliation? …
Get veterans car tags?
…
The data doesn’t have to come from any federal government database. … It’s sometimes hard to get outraged at the collection of data that we so freely give away for a 10% discount at Lowes or Subway.
And Finally:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: One Idea LLC (cc:0; leveled and cropped)