Report "Data Brokers and Security" takes a closer look at data brokers and the data industry to investigate how the commercial availability of data can be exploited and lead to security issues for military organisations such as NATO and its Allies. It aims both to provide an overview of the data broker industry and its procedures, and to discuss risks and vulnerabilities related to this industry. It also describes the proof-of-concept experiment conducted by researchers from the NATO StratCom COE who engaged with multiple data brokers and purchased consumer data from an analytics company, and then used red-team analysis to assess how such data can be exploited.
Vulnerabilities related to data brokers include:
- Abundance: Data brokers have too much data and are use it without restraint to create inferential data and to make products such as lists and personal profiles.
- Storage: Data is stored with insufficient security to prevent its being leaked or misused; there are no limitations on data storage so it is often retained indefinitely for potential use.
- Use: There is no oversight or control over how data sold by brokers is used by their customers.
- Lack of transparency: There is little transparency in the field of data brokarage. ‘User consent’ is glossed over; how companies collect, process, and sell their data is not at all clear.
Based on the findings of this report, we identify five key aspects for NATO and any other military organisation to consider:
(1) Recognise that awareness is necessary but not sufficient;
2) View data as critical infrastructure;
3) Control your data;
4) Red-team to understand risk and
(5) Leverage the potential of data.