On Tuesday, Motherboard reported that data broker SafeGraph was selling location information “related to visits to clinics that provide abortions including Planned Parenthood facilities.” This included where people came from and where they went afterwards.
In response, SafeGraph agreed to stop selling data about Planned Parenthood visitors. But it also defended its behavior, claiming “SafeGraph has always committed to the highest level of privacy practices ensuring individual privacy is NEVER compromised.“ The company, it continued, “only sell[s] data about physical places (not individuals.)”
This framing is misleading. First, SafeGraph for years did sell data about individuals—and then remained closely tied to a business that still did so. Second, the aggregated location data that SafeGraph now sells is based on the same sensitive, individual location traces that are collected and sold without meaningful consent.
SafeGraph’s History of Privacy Violations
Last year, EFF reported public records showing that SafeGraph had sold 2 years of “disaggregated, device-specific” location data about millions of people to the Illinois government, starting in January 2019.
Older materials about SafeGraph indicate that it used to offer a product called “Movement Panel.” A 2017 blog post from two people at SafeGraph describes Movement Panel as a “database of ultra-accurate GPS-location data that comes from anonymized mobile devices.” It also describes how SafeGraph used “the bidstream”—that is, data siphoned from the millions of apps that solicit ads on the open market through real-time bidding. Use of bidstream data is considered ethically dubious even within marketing circles, in part because it is nearly impossible to get knowing consent when data is shared and sold among hundreds of unseen parties.
It’s entirely possible that SafeGraph itself no longer sells this kind of data. But that’s not the whole story.
In 2019, SafeGraph spun off a company called Veraset, and the two companies remained tight. In 2020, Quartz reported that “[SafeGraph] says it gets mobility data from providers like its spin-off Veraset, which own the relationships with the apps that gather its data (Veraset doesn’t share the names of the apps with SafeGraph).” Founder Auren Hoffman and other SafeGraph employees have also used SafeGraph forums to direct potential customers to Veraset for specific data needs.
Veraset sells raw, disaggregated, per-device location data. Last year, EFF received records showing how Veraset gave a free trial of such data to officials in Washington, D.C., as well as other unnamed agencies. Veraset offers a product called “Movement”. As the company explains it: “Our core population human movement dataset delivers the most granular and frequent GPS signals available in a third-party dataset. Unlike other data providers who rely on one SDK, we source from thousands of apps and SDKs to avoid a biased sample.” (“SDK” means a “software development kit” embedded in a mobile app, which can be used to gather location data.)
In sum, Veraset is in the business of selling precise, ping-level location data from the smart phones of millions of people. Safegraph itself was in this business until it spun those services off to Veraset. And after this spin-off, Safegraph continued to acquire data from Veraset and steer business there. But a corporate restructuring does not make anyone safer. Highly invasive data about millions of people is still up for sale, putting vulnerable people at serious risk.
The “Places Not People” Fallacy
With that context in mind, let’s consider SafeGraph’s claim that it “only sells data about physical places (not individuals).” However the company frames it, the data is about people. Safegraph’s data comes from mobile devices carried by human beings, and represents large portions of their daily movements, habits, and routines. Marketers, transportation departments, law enforcement, and others are only interested in location data because it reveals things about the people who visit those locations.
When location data is disaggregated and device-specific (as in SafeGraph’s contract with Illinois), it is effectively impossible to “de-identify.” Information about where a person has been itself is usually enough to re-identify them. For example, someone who travels frequently between a given office building and a single-family home is probably unique in those habits and therefore identifiable from other readily identifiable sources. One widely cited study from 2013 even found that researchers could uniquely characterize 50% of people using only two randomly chosen time and location data points.
A national security contractor that peddles the same kind of data relies on its specificity. As one spokesperson said during a live demonstration, “If I’m a foreign intel officer, I don’t have access to things like the agency or the fort, I can find where those people live, I can find where they travel, I can see when they leave the country.”
Aggregation of location data can sometimes preserve individual privacy, depending on appropriate aggregation parameters and choices. Factors include the number of people and phone pings in the data set, and the granularity of the location described (such as square miles versus square feet). But no privacy-preserving aggregation protocols can justify the initial collection of location data from people without their voluntary opt-in consent, especially when that location data is then exploited for profit. Sensitive data should only be collected and used with specific, informed consent, and we must reserve the right to withdraw that consent at any time. Data brokers like SafeGraph do not meet these standards.
What Can We Do?
Users who are concerned about tracking by data brokers can take simple steps to reduce their impact.
Read our new guide to digital safety and privacy tips for people involved in abortion access, as well as our Surveillance Self-Defense playlist for reproductive healthcare providers, seekers, and advocates. You can also check out more information on creating a personal security plan, attending a protest, and location tracking on mobile phones.
To start, disable the advertising ID on your phone, which is the primary key that brokers use to link data to individuals. (Here’s how on Android and iOS.) Disable location permissions for apps you don’t trust, and generally audit the permissions that third-party apps are granted. Use a browser that respects your privacy, like Safari or Firefox, and install a tracker blocker like Privacy Badger for extra protection.
If you live in California, you can file a “right to know” request with SafeGraph and Veraset to see what information they have about you. You can also exercise your right to opt out of sale and request that the companies delete your personal information. Unfortunately, Safegraph and Veraset are just two of the hundreds of data brokers that profit from personal information: you can see a list of brokers, and find out how to exercise your rights, at the California attorney general’s registry. Nevada residents can also request that the brokers refrain from selling your data in the future.
If you are a sitting member of Congress, you can pass a comprehensive privacy law to stop this invasive business model once and for all.
Categories: Electronic Frontier Foundation