Unauthorized harvesting of Americans’ personal online data isn’t just a privacy issue—it’s also a matter of national security, according to new findings. As highlighted in a recent study from Duke University researchers, bad actors can purchase current and former US military personnel’s sensitive information for as little as 12 cents a person.

At any given time, third-party brokers are collecting and selling millions of people’s personal data, often without their knowledge or consent. Much of this information is legally collected through public records, via embedded codes within websites and apps, or by purchasing other companies’ customer data. This is particularly an issue in the US, where federal laws governing the online data brokerage industry remain relatively permissive—creating huge revenue streams for companies like Meta, Google, and Amazon. Depending on whose hands the data troves fall into, the information can be used for everything from targeted advertising, to surveillance, to financial fraud.

Disturbingly, researchers at Duke University’s Sanford School of Public Policy found US service members’ non-public, individually identifying information, such as credit scores, health data, marital status, children’s names, and religious practices, reportedly offered for sale through over 500 websites.

To test just how straightforward it can be to obtain the information, researchers first scraped hundreds of data broker sites for terms like “military” and “veteran.” They then contacted a number of these companies—some of which used .org and .asia domain names—via email, phone, Google Voice, and Zoom. The study authors eventually were able to purchase the personal data of almost 50,000 service members, and data about veterans, for barely $10,000. The team also noted that, in some instances, individuals’ current location data was available to purchase, although the authors did not do that.

Many brokers required little-to-no verification or proof of identity information before selling their sensitive data caches. In one instance, a company told researchers they needed to confirm their identity before purchasing military data via a credit card, unless the Duke University team opted to pay through a wire transfer—which they then did.

This “highly unregulated” ecosystem is ripe for exploitation, write the study authors, and could be used by “foreign and malicious actors to target active-duty military personnel, veterans, and their families and acquaintances for profiling, blackmail, targeting with information campaigns, and more.” As NBC News also notes, foreign actors could use such data to identify and approach individuals for access to state secrets via blackmail, coercion, or bribery.

Like many tech industry critics, privacy advocates, and bipartisan politicians before them, the study’s authors stressed the need for comprehensive US data privacy oversight featuring “strong controls on the data brokerage ecosystem.” A handful of states, including California and Massachusetts, have passed or are considering individual data regulatory legislation, but a US federal law remains elusive. Researchers reference the American Data Privacy and Protection Act as a potential roadmap; Congress proposed the bill in 2022, but has yet to reintroduce it this session.

The study also cites the European Union’s General Data Protection Regulation (GDPR) as another example of a stringent, comprehensive approach to protecting online privacy. Passed in 2016 and enforced in 2018, the GDPR guards against many of the digital security problems faced by US residents.

Harvesting American data isn’t just a third-party broker issue, however. According to a partially declassified 2022 report released earlier this year by the Office of the Director of National Intelligence, agencies including the CIA, FBI, and NSA consistently purchase citizens’ commercially available information from data brokers with little regulation or oversight.