The multibillion-dollar data brokerage industry is virtually unregulated and poses a grave national security threat by advertising and selling information it has culled on military personnel, cybersecurity experts and a U.S. senator say.
Justin Sherman, a fellow at the Atlantic Council’s Cyber Statecraft Initiative and a cyber policy fellow at the Duke Tech Policy Lab, has been tracking — and sounding an alarm over — data brokers’ practices since last year. He said three large data brokerage companies — Acxiom, LexisNexis and NielsenIQ — market data on current or former military personnel specifically.
Data for sale can include individual web searches, family members, home addresses and even real-time GPS locations. LexisNexis markets the fact that it can search an individual and identify whether they are active-duty military, Sherman said.
A U.S. senator is trying to stop the practice. Within the next few weeks, Bill Cassidy, R-La., plans to unveil legislation which will make it illegal for data brokers to sell military personnel data to adversarial nations, including China and Russia.
Cassidy highlighted his national security concerns about the data brokerage industry at a December Senate Finance Committee hearing. The Senate session also included testimony from Sherman.
“There’s nothing stopping data brokers from selling service members’ personal information to adversaries like China and Russia,” Cassidy told CyberScoop in a prepared statement. “It’s dangerous and threatens our national security. We must ensure consumers, especially our service members, have the ability to protect their data online.”
Senators Jon Ossoff, D-Ga., and Ron Wyden, D-Ore., also have recently introduced legislation targeting data brokers, with Wyden specifically proposing a ban on the sale of individuals’ personal data to unfriendly foreign companies and governments.
Sherman has called for an extensive overhaul of the data brokerage industry since last year, when he released a report which asserted there is “virtually nothing in U.S. law preventing data brokers from selling information on U.S. individuals to foreign entities.”
He said that foreign actors such as Russia’s Internet Research Agency could easily exploit readily available data on military personnel and their families to support foreign government information operations, coercion, blackmail or intelligence-gathering.
Many data brokers even market and sell pre-packaged databases on specific population sub-groups, including military personnel, Sherman said, and there is no reporting or enforcement mechanism for even knowing when it is happening.
“There is a multibillion dollar, virtually unregulated industry of data brokers that compile massive dossiers on Americans and then sell it on the open market,” Sherman said in an interview. “That is a massive national security risk … It’s too easy for a foreign actor to walk right in the front door and buy up sensitive data on US citizens.”
Sherman said data brokers gather and sell a wide variety of personal data, including individual mental health conditions, credit card purchase histories, Internet search histories, GPS locations and political preferences and compile them into profiles which include thousands of data points on individuals — what Sherman called an “insane level of granularity.”
Family Educational Rights and Privacy Act (FERPA) and Health Insurance Portability and Accountability Act (HIPAA) protections — federal laws which protect sensitive student and health care records, respectively, from being released without consent — don’t shield individuals from data brokers.
“HIPAA and FERPA don’t typically protect individuals’ personal health and education data from data brokers because they only cover specific entities collecting that information, leaving out the likes of many mental health apps, education marketing firms and middle-men companies,” Sherman said.
Worse, he said, there are few if any vetting processes in place to screen who the brokers sell to or how the data is used once sold.
“The Chinese and Russian governments, for example, are constantly using shell companies and front companies and companies nominally not linked to the state to acquire technology to scrape data and so it would be very low cost to do the same thing … go to a data broker in the U.S. and buy up all this sensitive information on people they want to profile or target,” Sherman said.
The Department of Defense declined to provide an official for an interview, but a spokesman said in an emailed statement that the department is “aware of this issue, and undertaking a range of initiatives to support efforts by our workforce and retirees to secure their personal information.”
Spokespeople for Acxiom and NielsenIQ did not reply to an email seeking comment. A spokesperson for LexisNexis shared a statement saying the company uses military personnel data to “help banks and other financial firms comply with federal laws that protect members of the military … Beyond this tightly controlled use, which protects members of the military, our products do not use military status data.”
Data brokers have already been implicated in several high-profile incidents. Sherman said the July 2020 murder of the son of federal judge Esther Salas at the door of her New Jersey home was facilitated by a data broker who sold the gunman the judge’s address. In a New York Times op-ed about the incident, Salas decried the fact that judges’ addresses and photos of their homes and vehicle license plates can be easily obtained online and from data brokers.
“In my case, this deranged gunman was able to create a complete dossier of my life: he stalked my neighborhood, mapped my routes to work and even learned the names of my best friend and the church I attend,” Salas wrote. “All of which was completely legal. This access to such personal information enabled this man to take our only child from my husband, Mark, and me.”
Exposed data on military personnel can pose other challenges, too. In January 2018, journalists and researchers discovered that fitness enthusiasts using the popular “social network for athletes” known as Strava had inadvertently revealed the existence of secret military bases and even a CIA black site by publishing heat maps of individual workout regimens.
Daniel Kahn Gillmor, a senior staff technologist at the American Civil Liberties Union, said individuals, including military personnel, should worry about their location data being shared by data brokers anytime they are using a mapping app such as Strava, Waze or Google Maps.
“The companies that run those apps are also tasked with maximizing profit for their shareholders and they’re sitting on a pile of data,” Gillmor said. “Someone comes along and says to them, ‘Hey, you’ve already got this data. We would give you more money for it.’ … What is stopping them from saying no?”