The U.S. Army can’t escape the internet’s surveillance machine

U.S. Army personnel may be training for cyberwar, but their own web browsing is quietly feeding the surveillance economy.

According to a recent study by the Army Cyber Institute at West Point, corporate surveillance has deeply infiltrated the U.S. Army’s unclassified IT infrastructure in the continental United States. The researchers—who declined an interview request, citing increased scrutiny of external engagements by the Department of Defense—analyzed the 1,000 most frequently requested internet resources on Army networks over a two-month period and found that 21.2% were “tracker domains.”

Those domains exist solely to harvest user data and analytics. A follow-up dataset showed that while trackers made up roughly 19% of the top domains, they accounted for nearly 42% of actual web requests. Another 10.4% of the original sample consisted of standard websites embedded with tracking code.

“For several years there have been concerns about the use of the open internet from military locations and by military and government personnel,” says Alan Woodward, professor of cybersecurity at the University of Surrey in the U.K. (who was not involved in the research). “This paper makes the alarming point that many domains commonly visited from those using military or government networks are tracking domains.”

The companies operating those domains include Adobe, Microsoft, and Akamai—but also TikTok, which was ostensibly banned on federal devices due to its Chinese ownership, as well as Google China and a defunct gambling site. Those three were singled out by the authors as domains that warrant further investigation.

The data hoovered up by these adtech trackers—including geolocation, email addresses, and browsing preferences—is routinely aggregated and sold by data brokers as commercially available information (CAI). From there, adversaries could potentially purchase that data and use it to identify and analyze how servicemen and women interact online.

Woodward said the findings suggest lessons still haven’t been learned from past incidents involving commercial products exposing sensitive military data, such as when fitness app Strava’s public “heat map” revealed the locations and patrol routes of military bases around the world in 2018. “It sounds like simple operational security,” Woodward says, “but still many systems administrators haven’t learned that old lesson that on the internet, if you’re not a paying customer you are the product.”

View the full article