The Case for Comprehensive Federal Privacy Legislation to Protect Service members’ Data
In an era where privacy is taking center stage, a unified, robust federal framework is required to foster strong privacy standards for our connected future. Presently, the patchwork of state privacy legislation leaves U.S. citizens vulnerable to breaches in their privacy. This patchwork presents unique challenges to consumers and businesses alike: disparate laws
- promote confusion among consumers as to what their privacy rights are; and
- create compliance challenges as the requirements and standards become a moving target.
One particular harm created by the disparate laws is the exploitation of U.S. Military members by data brokerage companies. As such, it is vital that a federal privacy bill be enacted carefully and expeditiously.
Data brokerage companies are organizations that profit from the collection, analysis, and sale of personal information for various purposes. Brokerage companies can collect sensitive health and financial information and they gather information from consumers’ browsing search history, purchase history, online agreements, and public records. Companies typically ask for consent to share information through the fine print of their agreements.
Data brokers usually do not have a personal relationship with the people whom they are collecting data on, so most people do not know that their data is being collected. In 2021, the global data broker market was valued at over $300 billion. It is expected to reach $545 billion by 2028.
Data brokerage companies sell U.S. Military members’ personal information, such as health records and financial information, to the highest bidder, leaving room for exploitation and blackmail. This not only creates risks of harm for these individuals but can also lead to serious national security concerns, with service members’ data being more susceptible to blackmail. With the right combination of information, bad actors could exploit that information. Due to the national security risks, the U.S. Military Academy at West Point funded a study conducted by Duke University to investigate how service members’ data is sold. The study revealed that files with personal and financial information are sold to interested marketing companies for anywhere from 12 to 32 cents per U.S. Military service member. Comparatively, standalone information about U.S. Military service members such as their age, gender, and location is typically $0.01 per person when the data is purchased in a larger batch of records. The data includes information about their children, homeowner status, credit ratings, telephone numbers, net worth, marital status, and more. This is quite similar to the privacy concerns faced by consumers; however, it is an even more harmful practice because foreign adversaries can target service members and use the information to weaken national security.
However, with a carefully crafted federal privacy bill and efforts from many tech companies, members of the military can be safeguarded from these unique privacy challenges.
Many technology companies are taking action to protect their users, including service members, from the evolving privacy challenges of today. Companies like Google are committed to having robust privacy protections in place and do not sell personal information. For example: (1) Google prohibits developers from selling personal and sensitive user data and requires that the data be used only for purposes related to the operation of the app; (2) Google users’ location history is off by default; and (3) Google objects to overly broad requests by law enforcement.
Personal data deserves to be protected, but there are key differences between consumers’ and U.S. Military members’ privacy risks:
- civilians’ privacy information is often gathered by hackers, non-state actors, and cybercriminals, and their data is used to predict and infer behavioral patterns and trends; and
- U.S. Military members’ privacy information faces a broader range of adversaries, including nation-states and sophisticated cyber warfare entities.
There have been federal actions in the past to support data privacy and national security. Recently, in 2022, President Biden approved a limited TikTok ban which prohibited federal government employees from accessing TikTok on devices owned by federal agencies. TikTok has been accused of posing cybersecurity threats and of irresponsible and invasive privacy practices.
Looking at ongoing efforts, there are currently two federal legislative proposals centered on data-gathering efforts from brokerage firms, but neither has been codified. First, Senator Ron Wyden (D-OR) drafted a provision in the National Defense Authorization Act that requires the Government Accountability Office to report how the Department of Defense is protecting information from being exploited by foreign adversaries. Second, Senator Bill Cassidy (R-LA) introduced a bill aimed at prohibiting data brokers from selling military service members’ information to foreign adversaries, but the bill remains unmoved. While these efforts are great first steps, they do not do nearly enough to protect service members and civilians, and ensure consequences for bad actors.
The absence of federal privacy legislation has seen states explore options to address this problem, and there are several disparate laws. In 2019, the privacy framework shifted with the enactment of the California Consumer Privacy Act. To date, 12 states have enacted comprehensive privacy laws: California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia. Florida also passed a law focused on a narrow set of digital services and technology companies. While state-specific privacy laws are a start, the burdensome regulatory patchwork remains a cause of concern.
In an age where information is shared more freely, privacy is still the heart of democracy. It is imperative that both the public and private sectors act to ensure that the data of civilians, and especially of U.S. military service members, is safeguarded.