Published by The Lawfare Institute
Data brokers constitute a large yet secretive industry of companies buying, aggregating, selling, licensing and otherwise sharing consumer data. They might collect data directly on individuals and then build profiles on those people, which they sell to third parties. Or they might acquire data from hundreds or even thousands of other companies, and then package it all together in searchable databases. They might even operate “white pages” or “people-search” websites, where companies crawl government records and other public documents, and aggregate them for public searching.
In a new report for the Cyber Policy Program at Duke University’s Sanford School of Public Policy, I surveyed 10 major data brokers and found that they advertise highly sensitive data on U.S. individuals. This includes data on U.S. individuals’ sensitive demographic information, data on their political preferences and beliefs, and data on their whereabouts and even real-time GPS locations. Troublingly, as I focus on in this piece, I also found three data brokers openly and explicitly advertising their data on U.S. military personnel—a case study that underscores the broader threats posed by the unregulated data brokerage ecosystem to civil rights, national security and democracy.
Data Brokers Advertising Data on Military Personnel
Three major U.S. data brokers—Acxiom, LexisNexis and Nielsen—openly and explicitly advertise data on current or former U.S. military personnel; LexisNexis advertises a capability to search an individual and identify whether the individual is active-duty military; and other brokers likely sweep up military personnel in their larger data sets. People-search websites also aggregate public records on individuals and make it possible for anyone to search for senior military personnel—uncovering home addresses, phone numbers and other information, as well as the names of known family members and relatives.
Acxiom is one of the largest data brokers, advertising broad data coverage across 62 countries and the ability to reach more than 2.5 billion consumers globally. Acxiom also openly and explicitly advertises that it has data on 45.5 million current and former U.S. military personnel (see Figure 1). It also advertises a marketing service for clients to use the data to send “gated offers” to those personnel by identifying the intended audience, defining the offer, specifying the channels used for outreach, and establishing the timing of the offer; after this point, Acxiom says it will map out an implementation plan that can go live in as few as 45 days. Acxiom also offers “verification and location of military servicemen (deployed but missing from base)” as part of commercial work for credit card issuers and retail banks. In other words, Acxiom’s data sets include significant data on current and former members of the U.S. military, including their current whereabouts.
Figure 1. Advertisement of Acxiom’s data on active and former U.S. military personnel, July 2021.
LexisNexis, another large data broker, broadly advertises data on 270 million transactions around the globe each hour, data linked to more than 283 million active U.S. consumer profiles and data from billions of business, bankruptcy, cell phone and other records. It also advertises a capability to identify active-duty military personnel. Of note, alongside advertising data on active-duty military personnel, LexisNexis advertises the ability to “identify relatives, associates and neighbors who may show up in photos or be mentioned in social media postings with a search of hundreds of networks and millions of sites on the open web.” It additionally advertises the ability to “determine a person’s current whereabouts” using recent driver’s license records.
Nielsen, another data broker, broadly advertises audience data “across more than 60,000 segments,” from demographics to psychographics to spending habits, as well as purchase data on 90 million households. Nielsen also explicitly advertises data on current and former U.S. military personnel. It published a report in 2019 on “today’s veteran consumers” that drew on two external sources and four Nielsen data sets, attempting to depict what active and former U.S. military personnel watch, where veterans shop, what veterans spend on what they buy, and how that compares to what the average household buys. Nielsen also advertises its HomeScan DeCa (Defense Commissary Agency) database, which “tracks consumer spending at military commissaries and exchanges.” The company has publicly published multiple other analyses of U.S. military personnel economic activity that draw on multiple Nielsen surveys and data sets.
I also examined people-search websites in the context of data on U.S. military personnel. People-search websites, commonly referred to as white pages websites, allow internet users to search for information on an individual by entering the individual’s name. These websites typically scrape this information from public records (property records, tax filings, voting records, and the like), aggregate it, and publish it online in a searchable format; these searches may be free of charge or may be run for a small fee. People-search websites cover much of the U.S. population, and as such, it is highly likely that address, contact, and family information on many active and former U.S. military personnel is searchable via these publicly available websites—along with information on hundreds of millions of other U.S. citizens. I was able to conduct searches on multiple, unnamed, publicly accessible people-search websites that appeared to provide data (for example, phone numbers and addresses) for senior members of the U.S. military.
Analysis of Policy Implications for the United States
The data brokerage industry advertises data on many individuals and activities, and many vulnerable populations in particular, as documented in the report for Duke’s Sanford Cyber Policy Program. Military personnel are but one segment of the population whose information is currently held by data brokers and advertised as part of their product offerings. Among other problems with the data brokerage industry, the aggressive collection of data on military personnel presents risks to U.S. national security.
Three of the 10 data brokers surveyed for the report—Acxiom, LexisNexis and Nielsen—openly and explicitly advertise data on current and former U.S. military personnel. By no means are data sets on U.S. military personnel necessarily used for nefarious purposes: Current and former U.S. military personnel are a unique demographic, and as such, many different industries may want to target them with uniquely tailored advertisements for products and services. Some data brokers may also offer economic opportunities to businesses through the use of this information, without actually selling the information to the business client—for example, allowing a client insurance firm to run ads through the data broker’s platform, but without ever handing over the underlying data on particular individuals.
That said, many data brokers actively sell their data sets to willing buyers. There is little transparency, if any at all, into data brokerage transactions. There is also virtually nothing in U.S. law preventing data brokers from selling information on U.S. individuals to foreign entities. The data advertised by these brokers—spanning everything from financial transaction histories and internet browsing patterns to travel interests and support for political causes and organizations—could be used by foreign entities for a range of activities that damage national security. This could include building profiles on senior U.S. military personnel involved in key decisions relevant to a foreign power, or even building profiles on their family members and close acquaintances—some data brokers openly and explicitly advertise their ability to map network connections between individuals. All of this could theoretically aid information operations, coercion, blackmail, or intelligence gathering. Should terrorist organizations acquire any of this data on U.S. military personnel, for example, the consequences could be even more dire.
As mentioned, the U.S. government has few mechanisms in place to limit the sharing of data brokerage data, including highly sensitive data, on U.S. individuals. Buyers of data brokerage data could potentially combine data from multiple brokers to, for example, uncover a U.S. military or government employee’s family member and then obtain the family member’s real-time location or location history. This data use can also be commercially exploitative; for-profit schools could, for example, use acquired data to target predatory advertisements to veterans looking for educational opportunities.
These concerns only compound broader national security problems associated with data brokers. The data on U.S. individuals held by data brokers is highly sensitive and could be used in many other ways to undermine U.S. national security. Foreign actors could use this data to bolster their influence campaigns to interfere in U.S. electoral processes. Criminal organizations could use this data to build profiles on and subsequently target prosecutors and judges. Foreign intelligence organizations could acquire this data through a variety of means—including through front companies that could legally purchase the data from U.S. brokers and through simply hacking a data broker and stealing it all—to build profiles on politicians, media figures, diplomats, civil servants, and even suspected or secretly identified intelligence operatives.
This is merely one element of a larger problem. As detailed in the report, data brokers also advertise data on vulnerable and marginalized populations, U.S. individuals’ interest in political organizations and causes, and U.S. individuals’ real-time GPS locations. This poses threats to civil rights, to national security, and to American democracy itself.
So far, relatively little regulatory pressure has been brought to bear on the data brokerage industry. In response, Congress should consider giving the executive branch export control authorities to limit potential data broker sales of sensitive data on U.S. individuals to foreign governments and to non-state actors with close ties to foreign intelligence and security agencies. Sen. Ron Wyden’s office has already released a bill that takes a step in that direction. Congress should also make data brokerage a central part of robust federal privacy legislation that establishes rules around and implements restrictions on the private collection, aggregation, sale, licensing and sharing of U.S. individuals’ data—including placing limits on federal government purchasing of data brokerage data and giving the Federal Trade Commission further authority to investigate unfair and exploitative data broker practices and the use of data brokerage data by other firms. All these harms will only persist and worsen without further regulation.