“The vast ocean of data, just like oil resources during industrialization, contains immense productive power and opportunities. Whoever controls big data technologies will control the resources for development and have the upper hand.”
– Xi Jinping, President of China1
You are a senior Marine Corps officer. You have medical conditions that require prescription medications; you eat at the same restaurants each weekend; your kids have some debt problems; one of your siblings is a recovering alcoholic; you pay for your mother’s housing; and you have top secret access at the Pentagon.
Most people don’t know these personal details about you. But data brokers may already have all this information and more—and our foreign adversaries can legally purchase it. In fact, they can purchase similar information about millions of other service members and veterans. This is a weak link for national security.
Background
While there are numerous definitions of data brokers, at their core, data brokers collect and sell information on individuals with whom they have no “direct relationship.”2 More important, though, is the “data brokerage ecosystem,” which includes not only the brokers but also companies that provide a product to consumers and, in return, gather information from them.3
Billions of data points are collected on Americans. Every time a product is purchased, a smart car is driven, or an application is downloaded, new data points are created. And because of the vast amount of information collected, algorithms can create profiles and infer behaviors—to the point that the person behind the information can be “unmasked.” As a result, data might be sold without a name—“circumvent[ing] the narrow legal restrictions that do protect individuals’ data”—but once enough data is purchased, an individual can be identified.4
Service members and veterans are among the most prevalent targets for data brokers. Three major data brokers sell data on current or former U.S. military personnel: Acxiom, LexisNexis, and Nielsen.5 All three firms provide information on people, ranging from family members and friends to spending habits, mental health conditions, and geolocation. And both Acxiom and LexisNexis provide users the ability to verify whether someone is active duty.
Of course, not all data collection on service members and veterans is inherently nefarious. These demographics are large and economically important, so it makes sense that companies would want to understand them. But there is little to prevent their data from being sold to foreign adversaries.
Foreign Adversaries and Our Data
Intelligence—whether signals intelligence, cyber espionage, or human intelligence—is costly, manpower intensive, and can yield little even after lengthy operations.6 So, when an alternative such as purchasing data sets exists, there is no question U.S. adversaries will exploit it. In fact, every global power wants to corner the information environment and exploit it.
China, Russia, and Iran can go directly to data brokers to purchase information about service members and veterans or, if that fails, they can just steal it. “Almost every top broker has been hacked at some point: Acxiom was hacked in 2003, Epsilon in 2011, and Experian in 2015, to name just a few.”7 Indeed, the Chinese hacked Equifax, gaining sensitive information on “almost half of all Americans.”8 Regardless of their method, adversaries want this information and will acquire it.
Adversaries can use this information in a myriad of ways. For example, they can use data sets to identify where service members work and then, armed with their health or financial information, bribe or blackmail personnel to gain access to restricted systems, sensitive information, or critical programs or infrastructure. Data allows these countries to track service members’ movements, impersonate personnel online or in email, and identify personnel working on specific tasks within the military.
Along the same lines, location data combined with photographs allows adversaries “to confirm positions within military bases and map patterns of movement over time.” In addition, adversaries can bypass biometric systems with the right picture. How? Pictures that show military personnel’s fingertips can be used to recreate their fingerprints.9
Adversaries could also use this data to create psychological operations to influence behaviors, opinions, and decision-making. Russia and Ukraine have used this approach in their recent conflict: Russia has texted Ukrainian soldiers threatening messages while Ukraine has called the mothers of Russian soldiers, asking them to come to Ukraine and pick up their captured sons.10
Information from data brokers also creates vulnerabilities in military equipment, such as computers and advanced weaponry. Combining geolocation data and open-source information, foreign adversaries can gather equipment capabilities and manipulate or sabotage systems. For example, the beer-rating app Untappd provided a perfect way for service members to unknowingly share “sensitive data about their location and, in some cases, pictures of sensitive military equipment.”11
Adversaries who purchase service members’ information can reap the benefits of significant intelligence while avoiding the costs of intelligence operations. This is not limited to operations overseas or during armed conflict—in fact, this information is likely more useful to U.S. adversaries during “peacetime.”12
Congressional Response
There is little legislation at the federal or state levels to address data brokerage issues. Congress must act.
There are several steps Congress should take immediately:
• Protect certain types of data, such as geolocation data or health information, from being collected by data brokers. Even if brokers do not sell this information, the Equifax example shows this data can be hacked.
• Establish cybersecurity standards for companies to become licensed data brokers.13
• Limit “broker sales of sensitive data on U.S. individuals to foreign governments and to non-state actors with close ties to foreign intelligence and security agencies.”14
• Implement prohibitions regarding making “inferences” from data and selling that information. Without this, limiting data sold may be ineffective. For example, data brokers prohibited from collecting individuals’ GPS histories still could mine purchases, Wi-Fi connections, and other information to gain that data—bypassing legislation.15
• Enact severe sanctions for adversaries who attempt to bypass these laws.
Data Is Critical Infrastructure
Data brokers make spycraft easy. After obtaining a dataset of “location pings” and combining home and work locations with public information, the New York Times was able to identify “individuals belonging to the President’s Secret Service detail.”16 If journalists can do this, imagine what a foreign adversary armed with advanced technology and the power of the state can do.
As national security expert Klon Kitchen notes, “The present risks of our citizens’ data being sold to foreign governments are grossly underappreciated.”17 The United States cannot wait to act. Data is critical infrastructure—we must treat it as such.18
1. David Feith and Matt Pottinger, “The Most Powerful Data Broker in the World Is Winning the War Against the U.S.,” New York Times, 30 November 2021.
2. Stacy Gray, testimony before the U.S. Senate Finance Subcommittee on Fiscal Responsibility and Economic Growth on “Promoting Competition, Growth, and Privacy Protection in the Technology Sector,” 7 December 2021.
3. Justin Sherman, “Data Brokerage and Threats to U.S. Privacy and Security,” testimony before the U.S. Senate Finance Subcommittee on Fiscal Responsibility and Economic Growth on “Promoting Competition, Growth, and Privacy Protection in the Technology Sector,” 7 December 2021.
4. “Data Brokerage and Threats to U.S. Privacy and Security,” testimony of Justin Sherman.
5. Justin Sherman, “Data Brokers Are Advertising Data on U.S. Military Personnel,” Lawfare, 23 August 2021. See also Henrik Twetman and Gundars Bergmanis-Korats, Data Brokers and Security (Riga: NATO Strategic Communications Centre of Excellence, 14 January 2021). “The US-based data broker Acxiom (recently rebranded to LiveRamp) is considered one of the world’s leading data brokers and serves as a point of reference for the scale of the industry. Acxiom reportedly has over 20,000 servers for collecting and analysing data on over 700 million individuals worldwide.”
6. Henrik Twetman, Sebastian Bay, and Michael Batrla, Camouflage for the Digital Domain (Riga: NATO Strategic Communications Centre of Excellence, 2020), 25.
7. Twetman and Bergmanis-Korats, Data Brokers and Security, 22.
8. Klon Kitchen and Bill Drexel, “When Foreign Adversaries Purchase Americans’ Data,” AEIdeas, 1 June 2021.
9. Twetman and Bergmanis-Korats, Data Brokers and Security, 25, 27.
10. See Twetman and Bergmanis-Korats, Data Brokers and Security; April Falcon Doss, “Data Privacy & National Security: A Rubik’s Cube of Challenges and Opportunities that Are Inextricably Linked,” Duquesne Law Review 59, no. 2 (2021); Joe Littell, Maggie Smith, and Nick Starck, “The Devil Is in the Data: Publicly Available Information and the Risks to Force Protection and Readiness,” Modern War Institute, 20 September 2022; Jake Epstein, “Ukraine Is Asking Russian Mothers to Come Pick Up Their Sons Captured in Putin’s Invasion,” Business Insider, 2 March 2022; and Daniel Brown, “Russian-Backed Separatists Are Using Terrifying Text Messages to Shock Adversaries—and It’s Changing the Face of Warfare,” Business Insider, 14 August 2018.
11. Twetman and Bergmanis-Korats, Data Brokers and Security, 25.
12. Littell, Smith, and Starck, “The Devil Is in the Data.”
13. Sam Sacks, testimony before the Senate Finance Subcommittee on Fiscal Responsibility and Economic Growth on “Promoting Competition, Growth, and Privacy Protection in the Technology Sector,” 7 December 2021.
14. Sherman, “Data Brokers Are Advertising Data on U.S. Military Personnel.”
15. Sherman, “Data Brokerage and Threats to U.S. Privacy and Security.”
16. Twetman and Bergmanis-Korats, Data Brokers and Security, 25.
17. Kitchen and Drexel, “When Foreign Adversaries Purchase Americans’ Data.”
18. Littell, Smith, and Starck, “The Devil Is in the Data.”