A recent study published by a Duke research team found that sensitive personal information of U.S. military personnel and veterans can be bought from data brokers for as little as 12 cents per record.
The study, which has received nationwide attention, addresses major shortcomings in privacy protection and their implications for national security.
Justin Sherman, a senior fellow at the Sanford School of Public Policy, led the project, collaborating with co-authors Haley Barton, Trinity ’19 and current master’s student; Brady Kruse, a master of public policy student; sophomore Anushka Srinivasan; and senior Aden Klein.
“Many brokers just did not seem to notice or care, and they still sold data to these completely unconfirmed identities to these fake domains,” Kruse said. “And it was sensitive data, it's identifiable data, it's things about people's names, addresses, where to find them, their religion, their ethnicity — so that was just stunning.”
The authors used U.S. .org and Singaporean .asia domains to contact and purchase data from brokers online after scraping their websites, eventually purchasing data from three out of the 12 brokers they contacted.
National security concerns and limited regulation
Individuals, including military personnel, often do not know what data is being collected about them, how their data is used or the risks involved in having their data sold.
Furthermore, brokers varied in how they verified clients who wished to buy data. Some raised concerns that the research group was an “unverified business entity” and requested a phone call beforehand, while others raised no concerns when contacted from either the U.S. or the Singaporean domain.
Barton noted that all of the data provided was identifiable, as it included names and contact information.
“A lot of the brokers provided us with lists of hundreds of different demographic variables that they could provide to us,” Barton said. “So there were some that we purchased including things like income level, health conditions, number of children, whether they had a mortgage and how much it was for — all sorts of different information.”
One broker was even able to offer individual military members’ credit ratings, while another could provide medical information, such as whether or not a person had Alzheimer’s disease or heart problems.
“You're buying data sets where the single record is matched across a bunch of different variables that, when combined, give you a really deep profile,” Klein said. “So when you think about the purpose of espionage, you're essentially getting this information in the same combination by purchasing a record.”
The research team’s report warned that foreign and non-state actors could use the location data available to target individual military service members and stalk potential military targets. For Klein, the data's low barrier to access paints a "really disturbing picture" of its potential to coerce or blackmail service members who frequent sensitive locations.
What can be done to protect data privacy?
The student co-authors argue that while lawmakers often ask what individuals can do to protect their data, the conversation needs to shift toward regulation through policy.
Some states, such as California, Colorado and Utah, have enacted laws to protect consumers, while others have passed legislation to protect specific data, such as Washington’s law preventing health data from being shared without consent and setting guardrails for how and when such data can be gathered and distributed.
However, no data privacy law currently exists at the federal level.
The report concludes that a federal data privacy law would be vital to protecting consumers nationwide and also encourages states to enact more stringent regulations at their discretion. The co-authors also recommend that the Department of Defense conduct a review to examine any risks data brokerages pose, that federal regulatory agencies examine any role they can have in regulating data brokers and that lawmakers consider legislating national security-focused data controls.
Klein and Barton contend that their policy proposals may not come to fruition immediately, but they remain optimistic. Possible alternative steps could include funding and regulatory action instead of a federal privacy bill, Klein said.
“The measures that seem to be getting the most support and press right now are some of these more targeted bills, but I think our hope with a project like this is that, even if a comprehensive privacy law is not the most likely thing at the moment, this type of work is maybe going to inch the needle ever so slightly in the direction towards something like that,” Barton said.
Samanyu Gangappa is a Trinity first-year and a staff reporter for the news department.