Service members are increasingly vulnerable to the collection and exploitation of their personally identifiable information (PII) via official U.S. Navy social media sites. Commands routinely post the full names, rates, locations, and hometowns of sailors to “share our Navy’s story.”1 However, modern data collection tools allow even unsophisticated actors to collect this information at scale and use it to pick sailors out of public databases. Commands must consider their social media posts from a data privacy perspective.
Official Accounts Expose PII
U.S. adversaries routinely collect and exploit PII posted on social media. In Operation Fox Hunt, for example, the People’s Republic of China mined social media data to locate and forcibly repatriate Chinese citizens living in the United States.2 Similarly, Russian intelligence officers scrape popular Ukrainian social media sites for PII to personalize propaganda, blackmail, and threats sent directly to the phones of soldiers on the front lines.3 A bad actor conceivably could use PII from Navy social media posts to dox or threaten the crew of a warship, for example, after a freedom of navigation operation in the South China Sea.4
Free online databases collect and store individuals’ email addresses, phone numbers, ages, street addresses, family members’ names, social media accounts, and employment history—all available with a simple name search. Identifying a specific individual among a sea of potential matches requires crossmatching known attributes—such as age or hometown—to those returned by a public database. By posting sailors’ identifying information online, command social media accounts make it easier to crossmatch the PII of a targeted sailor.
Official social media accounts are easier to find and exploit than individual accounts. To collect the PII a sailor self-discloses on social media, one would need to identify a group of sailors, find their social media accounts, access profiles set to “private,” and review countless posts for information deemed relevant. By contrast, official social media accounts appear in Google searches, rarely use privacy settings, archive old content, and often publish posts using a predictable format that is easy to scrape for PII.
Furthermore, while a personal account may reveal the PII of a single sailor, the social media account of an aircraft carrier, for example, posts the identifying information of numerous crewmembers.
Update Security Practices
Commands should minimize the information used to identify sailors in public posts and delete old content. In data analytics, the “l-diversity” principle describes an industry data privacy standard that prevents the disclosure of characteristics either numerous or specific enough to identify an individual in an anonymized data set.5 The more information provided about a sailor, the easier it is to identify him or her in other public databases online. Providing only sailors’ ranks and first names in public posts, as the French Navy does, would limit the information available for crossmatching database search results.
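The effect of minimizing disclosed attributes can be measured before a post is published. The following is an added example, not part of the original article: it counts, for a constructed roster of fictional sailors, how many crewmembers share the same disclosed values under each policy (the group size that the k-anonymity measure named in note 5 is built on). The roster, policy names, and function names are assumptions made for illustration.

```python
from collections import Counter

# Constructed roster of fictional sailors (not data from any real command).
FIELDS = ("first", "last", "rank", "hometown")
ROSTER = [dict(zip(FIELDS, row)) for row in [
    ("Alex", "Rivera", "PO2", "Dayton, OH"),
    ("Alex", "Nguyen", "PO2", "Tacoma, WA"),
    ("Jordan", "Smith", "SN", "Mobile, AL"),
    ("Jordan", "Lee", "SN", "Fresno, CA"),
    ("Jordan", "Patel", "SN", "Austin, TX"),
    ("Maria", "Lopez", "LT", "El Paso, TX"),
    ("Sam", "Carter", "PO2", "Boise, ID"),
    ("Sam", "Carter", "PO2", "Reno, NV"),
]]

# Disclosure policies compared in the text; the policy names are assumptions.
POLICIES = {
    "full_name_rank_hometown": ("first", "last", "rank", "hometown"),
    "rank_first_name": ("rank", "first"),
}

def _key(record, fields):
    # Normalize case and whitespace so "dayton, oh " matches "Dayton, OH".
    return tuple(record[f].strip().lower() for f in fields)

def anonymity_sets(roster, fields):
    """For each record, count the roster members sharing its disclosed values."""
    counts = Counter(_key(r, fields) for r in roster)
    return [counts[_key(r, fields)] for r in roster]

def audit(roster, fields):
    """Summarize a policy: smallest group size k and how many records are unique."""
    sizes = anonymity_sets(roster, fields)
    if not sizes:
        return {"k": 0, "unique": 0, "unique_share": 0.0}
    unique = sizes.count(1)
    return {"k": min(sizes), "unique": unique, "unique_share": unique / len(sizes)}

def still_unique(roster, fields):
    """Disclosed values that single out one person and need review before posting."""
    sizes = anonymity_sets(roster, fields)
    return [tuple(r[f] for f in fields) for r, s in zip(roster, sizes) if s == 1]

if __name__ == "__main__":
    for name, fields in POLICIES.items():
        print(name, audit(ROSTER, fields), still_unique(ROSTER, fields))
```

On this constructed roster, the full-detail policy leaves every record unique, while rank and first name leaves only one: a rare rank and name combination that would still warrant review before posting.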
Because few social media applications automatically delete old posts, official social media pages are repositories of data that can be scraped for PII. Commands should consider deleting old posts to limit the exposure of data.
Keeping pace with evolving information security threats does not require sweeping legislation or even a department-wide mandate. Public affairs officers and mass communications specialists can take simple steps to better protect their shipmates’ PII from collection and exploitation.
1. Navy Office of Information, U.S. Navy Social Media Handbook (March 2019), 5.
2. Caroline Delbert, “A Chinese Database Is Tracking American Nuclear Scientists and Military Officers,” Popular Mechanics, 28 October 2020; and Katrina Manson, “U.S. Charges Eight with Alleged Plot to Harass and Kidnap Chinese Citizens,” Financial Times, 28 October 2020.
3. Raphael Satter, “Ukraine Soldiers Bombarded by ‘Pinpoint Propaganda’ Texts,” Associated Press, 11 May 2017.
4. To “dox” is to publicly reveal the identity or private information of an individual or organization, usually for revenge, extortion, or other such reasons.
5. Ninghui Li, Tiancheng Li, and S. Venkatasubramanian, “t-Closeness: Privacy Beyond k-Anonymity and l-Diversity,” IEEE 23rd International Conference on Data Engineering, April 2007.