Tackling Data Brokerage Threats to American National Security

A news story used brokered location data to track military personnel—illuminating a considerable threat to national security.

Tackling Data Brokerage Threats to American National Security
Ramstein Air Base (Photo: Flickr/USACE, https://www.flickr.com/photos/europedistrict/3986776066, Public Domain

They tracked phones traveling from U.S. military barracks in Germany to work buildings, Italian restaurants, grocery stores, and bars. They tracked 189 devices inside a high-security German military installation, as people walked around—and watched as four mobile devices from Ramstein Air Base, a U.S. Air Force installation in Germany, traveled to brothels off-base, including a place called SexWorld.

This specific story isn’t an operation by China’s Ministry of State Security (MSS) or Russia’s military intelligence agency (GRU)—it’s a joint effort by Wired, Bayerischer Rundfunk, and Netzpolitik.org showing just some of what can be done with more than 3 billion phone location pings gathered (and sold) by a U.S. data broker. But it just as easily could have been conducted by a foreign actor, especially one with deep pockets, years of experience in deception, and a persistent dedication to gathering data on U.S. persons and targeting the U.S. government.

Far from an isolated incident, this latest, troubling story speaks to an urgent problem for the incoming presidential administration and Congress: how to keep building out data security protections for all Americans, including military service members and intelligence community personnel, in light of ever-expanding for-profit data collection and a raft of growing data threats from—among others—the Chinese government. It is far too easy for foreign actors to obtain highly sensitive data, including geolocation data on people serving in the military and intelligence community, via data brokers and other commercial firms and use it to harm those people and the country. As the next administration identifies its top policy priorities in what it describes as strategic competition with China—and as the United States faces highly persistent adversaries determined to collect and exploit Americans’ and U.S. companies’ data, including to run intelligence operations and build artificial intelligence (AI) models—it should integrate this problem into its approach to China, cybersecurity, and strategic questions around data.

There are three main takeaways from this recent story. First, data brokerage on U.S. persons is an active operational security issue that demands immediate attention from Congress and from executive branch agencies with the power to, at a minimum, increase the resources available to people serving their country to protect themselves—and with the power to convene a task force to identify immediate steps on the problem. Second, this case not only underscores the identifiability of device-level geolocation data but also highlights that aggregated geolocation data is still a national security threat; for example, it can quickly enable a foreign government or terrorist to identify peak and low levels of activity at sensitive sites. Third, the administration and Congress need to pursue a comprehensive response. This includes continuing to build out programs focused on China and data security, such as the bulk data transfer and national security review program, as well as pursuing strong regulations on data brokerage that will protect everyone from private citizens visiting places of worship to people serving in the U.S. military.

Military Service Members, Nuclear Weapons, Brothels, and More

Thousands of companies in the United States are involved in data brokerage—the practice of collecting, aggregating, analyzing, inferring, and then selling or otherwise monetizing (e.g., selling subscriptions to) people’s data. Across the industry, various data brokers collect and sell data on Americans’ demographics (e.g., religion, race, marital status), political preferences and beliefs (e.g., party registration, political campaign donations, environmental advocacy, support for gun ownership), health and mental health information (e.g., online searches for medical conditions, specific prescriptions and dosages taken, elderly people suffering from Alzheimer’s), and even biometric data like voices and face photos. There is also a booming market for geolocation data—primarily, from app developers that sell their users’ geolocation data, telecom providers that sell their customers’ geolocation data, and manufacturers of increasingly connected vehicles looking to monetize their drivers’ geolocation data. Brokered geolocation data covers virtually every single person in the United States as well as billions of people around the world.

Reporters at Wired, Bayerischer Rundfunk, and Netzpolitik.org struck at the heart of this geolocation data industry—and its threat to U.S. national security—in their recent story. It’s worth a full read, but some of the most disturbing anecdotes include:

Our investigation uncovered 38,474 location signals from up to 189 devices inside Büchel Air Base, a high-security German installation where as many as 15 US nuclear weapons are reportedly stored in underground bunkers. At Grafenwöhr Training Area, where thousands of US troops are stationed and have trained Ukrainian soldiers on Abrams tanks, we tracked 191,415 signals from up to 1,257 devices.

And:

At Ramstein Air Base, which supports some US drone operations, 164,223 signals from nearly 2,000 devices were tracked. That included devices tracked to Ramstein Elementary and High School, base schools for the children of military personnel.

And, just one more (again, check out the full story):

The patterns we could observe from devices at Büchel go far beyond just understanding the working hours of people on base. In aggregate, it’s possible to map key entry and exit points, pinpointing frequently visited areas, and even tracing personnel to their off-base routines. For a terrorist, this information could be a gold mine—an opportunity to identify weak points, plan an attack, or target individuals with access to sensitive areas.

By examining these billions of geolocation data points—which may sound like an enormous number, but isn’t to a location data broker—the reporters say they were able to track the intimate, daily movements of people on military bases as well as what they believe are devices going to alleged intelligence sites. This includes data on service members’ children and information about individuals visiting brothels, material that could easily be used to coerce or blackmail people working on military bases and with access to sensitive information. Critically, it was not data that was hacked, illegally siphoned, or snuck out a server room back door on an insider’s thumb drive. It was legally obtained by reporters doing an investigation of the data a U.S. company collects and sells—demonstrating the lack of regulation of the data brokerage industry.

Confronting the Threat Head-On

Combined with other studies, including one I led in 2023 in which we bought individually identified health, financial, and family data about active-duty military service members from U.S. data brokers with virtually no vetting (and even via Singapore-based server infrastructure with a .asia domain, geofenced to special operations bases), it’s clear it would be child’s play for a sophisticated foreign adversary, such as a Chinese, Russian, or Iranian government organization or front company, to obtain the same—and even more—data to harm the United States. For the incoming administration, this highlights at least three critical issues for locking down Americans’ data against security threats.

First, this is an immediate and ongoing threat to personnel that demands a rapid response. It is clear that the Chinese government is amassing huge volumes of personal data on Americans, whether through hacking the U.S. Office of Personnel Management or Marriott, making investments in American firms, or other means. It is also clear that other foreign adversaries are similarly intent on acquiring data they can use to track Americans, profile sensitive government sites, gain insights into U.S. government activities, run intelligence operations, hack targets, and even build AI models. An October 2024 declassified assessment from the Office of the Director of National Intelligence noted that Iranian Revolutionary Guard Corps (IRGC) cyber actors had been—alongside (“almost certainly”) creating a website with death threats against U.S. officials—publishing “personally identifiable information about U.S. federal and state officials to try to incite violence.” The just-published investigative story spotlights how a foreign adversary with access to brokered data on U.S. persons or facilities could gain incredibly sensitive insights into, for example, devices at nuclear facilities or the off-base movements of military service members stationed overseas.

While a more comprehensive response is needed (more on that below), executive branch agencies and Congress should recognize the immediacy of the threat. Federal agencies should consider setting up task forces to ensure that employees and contractors who are doxxed (have their personal information published online)—including by foreign actors like the IRGC—can quickly access resources to respond, such as crisis hotlines within the agency and prelisted points of contact at major tech firms and search engines that might be able to help. This should also include exploration of short-term, proactive mitigation technologies and policies to help employees and contractors try to limit the data that data brokers collect about them and sell—to the extent possible in the absence of new laws—as well as other defensive measures. Many federal agencies should also look at the data brokerage industry from a national security and counterintelligence perspective. Agencies must recognize that existing data security guidance and policies, such as the Defense Department’s 2018 policy restricting wearable trackers in deployed settings, are necessary but wholly insufficient.

Clearly, preventing a military officer from wearing a FitBit while in combat does not prevent data brokers from buying data from apps on service members’ mobile phones and then selling individually identifiable data on them walking around nuclear-housing military sites and meeting with other personnel off-base. But the solution cannot be always leaving a phone at home (or throwing it into the ocean). Federal agencies, including the Defense Department, therefore need to develop specific, near-term, actionable recommendations to secure geolocation and other data on personnel movements as much as they can, including through exploring technical device controls as well as other policies and measures to limit geolocation and other data brokerage tracking. Likewise, an interagency task force that brings together experts on data security, commercial data privacy issues, data brokerage, counterintelligence, and national security, including outside academic subject matter experts, could integrate knowledge and perspectives to develop more comprehensive, short-term mitigations to the extent possible. Fundamentally, though, it’s a congressional problem (again, more on that below)—meaning Congress should hold hearings with experts beginning next year to better illuminate and understand the data security threats ahead of writing the 2025 National Defense Authorization Act (NDAA).

Second, the story shows that the brokerage of aggregated data on Americans and on U.S. government sites is also a threat to national security. Device-level geolocation data, despite what some companies may claim, is not technically “anonymizable” at all while still retaining any degree of utility for what companies want. The sale of device-level geolocation data is incredibly damaging because it allows data-holders to pinpoint a person’s real-time or near-real-time location and find them, it cannot be meaningfully anonymized, and it allows the data-holder to infer other information based on an individual’s movements, including via visits to religious places of worship, health clinics, kids’ schools, gay bars, and government buildings. But aggregated data, such as on how many people are somewhere at what time, is still a risk.

As part of the Wired story, the reporters were able to “map key entry and exit points, pinpointing frequently visited areas, and even tracing personnel to their off-base routines” by examining aggregated geolocation data on U.S. military facilities. A foreign adversary does not need to know which specific devices are in a geographic area at a particular time if all it’s looking for is when a U.S. government building is least guarded and occupied. A terrorist actor, as the reporters note, does not need to know who the devices on a travel route belong to if all they want to do is identify points where many deployed military personnel drive around. A lack of aggregated geolocation data activity in a facility, in the inverse case, could also suggest some degree of sensitivity or heightened set of protections in the area. Data privacy and security laws and policies that contain outdated notions of what is “personally identifiable information” or what is considered “anonymized” (and other industry-favored terms), particularly when it comes to geolocation data, will not only fail to capture the identifiability of data in the modern landscape but also fail to appreciate how aggregated data can also pose national security risks.

Third, the incoming administration and Congress need to pursue a comprehensive response to data brokerage that includes extensive data privacy and security controls over Americans’ data—as well as national security-specific controls on top of that widespread baseline of protections. Even if legislators and regulators tried to draw prohibited sale lists around specific people (e.g., those serving in the armed forces) or specific locations (e.g., special operations bases), foreign actors could easily get around those restrictions. They could, as Wired and the others did in this very story, target military service members’ families and kids to learn about their daily patterns and identify points of potential coercive leverage. They could, as the reporters also did, just focus on their activities off-site—which may yield sensitive insights into nighttime conversations with sources, off-the-record meetups with other partner countries, extramarital affairs, or, as here, visits to brothels. Brokered geolocation data could even enable foreign adversaries to investigate buildings and known zones of operation retroactively, by geofencing an area in a database with access to historical location data and pulling all the devices in that area during a specific period of time. As much as data brokers attempt to paint this as a “few bad apples” problem, there are too many companies collecting and selling too much data, and lobbying to keep it an unregulated environment of for-profit data-gathering, that highly focused controls on their own will not solve the bigger problems—including the national security threats to those focused groups of people and facilities.

This is an issue with bipartisan support. For example, the Protecting Americans’ Data from Foreign Adversaries Act, aiming to restrict some third-party data broker sales of some kinds of Americans’ data to some foreign countries, sailed through the House and Senate with Democrat and Republican support and went into law last year. Sen Marco Rubio (R-Fla.), President Trump’s pick to be secretary of state, also co-sponsored a bipartisan bill in 2022 called the Protecting Military Servicemembers’ Data Act of 2022 to start to crack down on this harmful data collection and sale. As Rubio noted then: “It is common sense to prevent big data companies and shady brokers from selling information about our military personnel to countries that could use that information against us.” Alongside other cybersecurity and data security efforts—such as increasing cybersecurity baseline practices among critical infrastructure providers and ensuring companies make timely notification of data breaches to their customers and vendors—legal, regulatory, and policy efforts to restrict data brokerage are vital to limit the amount of sensitive data available to foreign adversaries on Americans, on U.S. companies (including emerging tech firms), and on the U.S. government.

The next administration should therefore continue to expand programs like the bulk data transfer and national security review program, which speak to long-articulated Trump administration concerns about the Chinese government exploiting U.S. companies and gathering data on Americans to gain operational and strategic advantage. It should consider how existing mechanisms for national security review, such as the Committee on Foreign Investment in the United States (CFIUS), are also mechanisms to screen for foreign adversaries trying to acquire Americans’ sensitive personal data, including data on military service members, intelligence community personnel, and U.S. government buildings. And equally important, it should think about how broader comprehensive privacy efforts fit into the picture. Nonpartisan regulatory efforts to—for instance—prohibit American direct-to-consumer genetic testing companies from storing customers’ unencrypted genetic data on publicly accessible servers, or clarify that many telehealth companies and telehealth apps that collect, sell, and share Americans’ health data may be violating the law, also help with the bigger picture of cracking down on data brokerage and the availability of Americans’ data to bad actors. The administration should recognize that the true solution to the ease with which Beijing and other foreign governments can acquire Americans’ data right now, including geolocation data of the kind analyzed on the U.S. military in Germany, is a comprehensive data privacy and security approach that leaves few gaps for foreign adversaries to exploit.

In that vein, Congress also has a role to play—and, as the same party will control the White House and both chambers of Congress, the administration has a role to play in encouraging Congress to act. For years, Congress has debated comprehensive privacy proposals such as the American Data Privacy and Protection Act and the American Privacy Rights Act. As bipartisan concerns keep piling up about data breaches and leaks, violations of Americans’ privacy by technology companies, a lack of transparency into data collection and sale, and the national security threats posed by data brokerage, it is essential for Congress to continue pursuing comprehensive federal privacy legislation that would create a baseline of protections for all Americans—and, indeed, for companies also impacted by poor practices, whether vendors with bad cybersecurity measures or data brokers selling other companies’ employees’ data. Legislation like the Protecting Americans’ Data from Foreign Adversaries Act, while moving in the right direction, does not address myriad other issues and massive gaps in U.S. data security—including the ability of the Chinese government or other actors to set up front companies in other countries to acquire sensitive U.S. data from the highly unregulated data brokerage industry.

These essential data privacy and security measures are about protecting all Americans and ensuring U.S. leadership in responsible data governance and use. And as the Wired story demonstrates, comprehensive privacy and security regulations will have tremendous benefits for national security and efforts to secure Americans’ data against foreign adversaries.

– Justin Sherman is a contributing editor at Lawfare. He is also the founder and CEO of Global Cyber Strategies, a Washington, DC-based research and advisory firm; a senior fellow at Duke University’s Sanford School of Public Policy, where he runs its research project on data brokerage; and a nonresident fellow at the Atlantic Council. Published courtesy of Lawfare

No Comments Yet

Leave a Reply

Your email address will not be published.

©2024 Global Security Wire. Use Our Intel. All Rights Reserved. Washington, D.C.