At least three of America’s largest data brokers are potentially harming national security by selling information on U.S. active-duty military personnel, according to new research from Duke University.
Data brokers are companies that buy and sell online information in bulk—facilitating legitimate business such as credit scoring, advertising, and research.
However, critics say the industry is ripe for abuse. Privacy advocates have raised concerns that data brokers enable government to bypass Fourth Amendment protections by purchasing data instead of obtaining a warrant, while civil libertarians have compared the industry’s “consumer scores” to China’s social credit system.
On Monday, Duke University’s Data Broker Project released a report finding that three major data brokers—LexisNexis, Acxiom, and Nielsen—are selling information on U.S. active-duty military members.
“LexisNexis advertises a capability to search an individual and identify whether they are active-duty military,” the Duke report said.
“Acxiom also offers ‘verification and location of military servicemen (deployed but missing from base)’ as part of commercial work for credit card issuers and retail banks.”
As for Nielsen, the report said the company published research in 2019 on “today’s veteran consumers”—attempting to depict what active and former U.S. military personnel watch, where veterans shop, what veterans spend on what they buy, and how that compares to what the average household buys.
“Nielsen also advertises its ‘HomeScan DeCa (Defense Commissary Agency) database’ which ‘tracks consumer spending at military commissaries and exchanges,’” the report added. “The company has publicly published multiple other analyses of U.S. military personnel economic activity that draw on multiple Nielsen surveys and datasets.”
“And other brokers likely sweep up military personnel in their larger datasets.”
LexisNexis and Nielsen did not respond to media inquiries. Acxiom provided The Epoch Times with a statement about how it protects military and other data.
“The data Acxiom licenses to brands is classified as non-sensitive—marketing data from publicly available information and trusted sources. It is used under strict legal controls solely to help reputable brands and organizations better understand their current and potential customers,” Acxiom said.
“Acxiom does not allow organizations or individuals to look up specific individuals, and the location data we work with only relates to commercial locations such as grocery stores and car dealerships to provide relevant offers. No location data is used at the personally identifiable level,” the company said.
Acxiom further explained that it divested its risk business, which involves identity verification and fraud prevention, and that it no longer provides services in relation to military services personnel.
“Nor do we have military records information,” the company said.
Former NSA general counsel Stewart Baker told The Epoch Times that the Duke report raises legitimate questions, especially if data about serving members and their families is being sold to people with ties to adversary nations—or even terrorists.
“When a small amount of data of that kind was extracted by an ISIS-affiliated hacker and used to send threats to the service members, the U.S. treated it as a national security threat,” said Baker, referring to a 2015 incident when a hacker in Malaysia allegedly provided personal information of military members to ISIS.
“The hacker was arrested and extradited, and the ISIS member who sent the threats was killed in a drone strike,” said Baker, who is now a partner at the law firm Steptoe & Johnson. “That shows the power and danger of such information.”
The Duke report reached similar conclusions, warning of the “dire” consequences of a terrorist organization obtaining bulk data on U.S. military personnel.
The report did note that brokering military data isn’t problematic in of itself, because military members comprise a unique demographic that companies want to reach with tailored advertisements.
However, the report warned of numerous risks associated with the activity. With data brokering being a virtually unregulated activity, nothing prevents companies from doing business with bad actors, the report said.
“The data advertised by these brokers—spanning everything from financial transaction histories and internet browsing patterns to travel interests and support for political causes and organizations—could be used by foreign entities for a range of national security-damaging activities,” the report said.
“This could include building profiles on senior U.S. military personnel involved in key decisions relevant to a foreign power, or even building profiles on their family members and close acquaintances (seeing as some data brokers openly and explicitly advertise their ability to map network connections between individuals), for the purposes of information operations, coercion, blackmail, or intelligence-gathering,” the report said.
The Aug. 23 report follows recent revelations about how governments use bulk data for intelligence and espionage.
In December, for instance, Foreign Policy published findings on the Chinese government’s use of “multiple huge U.S, datasets”—combined with data Chinese hackers stole in the infamous U.S. Office of Personnel Management (OPM) hack—to expose CIA operatives in Africa and Europe.
“When paired with travel details and other purloined data, information from the OPM breach likely provided Chinese intelligence potent clues about unusual behavior patterns, biographical information, or career milestones that marked individuals as likely U.S. spies, officials say,” Foreign Policy reported.
“Now, these officials feared, China could search for when suspected U.S. spies were in certain locations—and potentially also meeting secretly with their Chinese sources.”
The issue has attracted the attention of lawmakers. In April, Sen. Ron Wyden (D-Ore.) and five colleagues wrote to the country’s major telecoms companies in April, seeking information about their data sales to foreign countries.
“Few Americans realize that some auction participants are siphoning off and storing ‘bidstream’ data to compile exhaustive dossiers about them. In turn, these dossiers are being openly sold to anyone with a credit card, including to hedge funds, political campaigns, and even to governments,” Wyden said at the time.
“This information would be a goldmine for foreign intelligence services that could exploit it to inform and supercharge hacking, blackmail, and influence campaigns.”
Later in April, Wyden announced draft legislation that would place export controls on data brokers doing business with certain countries. The Protecting Americans’ Data from Foreign Surveillance Act would have the U.S. Secretary of Commerce compile a greenlist of friendly countries, and then require licenses for exports of personal data in bulk to countries not on that list.
“My bill would set up common sense rules for how and where sensitive data can be shared overseas, to make sure that foreign criminals and spies don’t get their hands on it,” Wyden said in April.
Wyden’s announcement included a quote from Director of Intelligence Avril Haines, who told Congress in April: “I agree with you [Wyden] there’s a concern about foreign adversaries getting commercially-acquired information as well and am absolutely committed to trying to do everything we can to reduce that possibility.”
The Department of Defense did not respond to a request for comment.