SafeGraph, COVID-19, the CDC, New Alleged Privacy Violations
When the COVID-19 pandemic first unfolded in March of 2020, American citizens and people around the world alike were confronted with a new level of uncertainty that most had not anticipated. Moreover, when governments around the globe began to enforce lockdown procedures on the general public, limited to so-called essential services employees, the level of confusion and apprehension that many people had already been feeling was increased even further. To this end, due to the technological advancements that have been made in recent decades, location data and contact tracing played a pivotal role in ensuring that people were adhering to the rules and regulations that had been set in relation to these lockdown measures, as virtually all citizens within the U.S. had some sort of cellphone by the year 2020.
Nevertheless, while these measures were undoubtedly geared toward reducing the spread of the deadly coronavirus, there were also privacy concerns that were raised due with respect to state surveillance and the application of widespread mandates, as all forms of power can lead to corruption, irrespective of any specific reasoning or context that has informed such mandates. To this point, many of the companies that have supplied location data to major U.S. government agencies such as the Centers for Disease Control and Prevention (CDC) have come under fire in recent months, as there have been accusations claiming that these companies have sold the personal information of American citizens to the highest bidder, even when the COVID-19 lockdown and vaccine mandates around the country were eventually lifted.
As stated on the company’s website, “SafeGraph’s places dataset includes a breadth of information about global places. This includes points of interest, spatial hierarchy metadata, foot traffic data, spending patterns, and more. Organizations use our data to help inform their people and machines to make better business decisions.” Likewise, reports revealed that some of the location data that the CDC had used to inform the general public about the rise or fall of COVID-19 cases within a particular part of the country had been obtained from SafeGraph. More specifically, the CDC purchased aggregated data, or data that is designed to follow trends in accordance with the movements of populations over time. While aggregated data is supposed to be anonymized, privacy advocates and researchers have argued that this data can in fact be used to track specific people under certain circumstances.
How the CDC used aggregated data
As stated in CDC documentation that has been obtained by Motherboard, a subsidiary of popular digital media and broadcasting company Vice, via a Freedom of Information (FOIA) request, the “government agency used the data for monitoring curfews, with the documents saying that SafeGraph’s data has been critical for ongoing response efforts, such as hourly monitoring of activity in curfew zones or detailed counts of visits to participating pharmacies for vaccine monitoring. The documents date from 2021.” This CDC documentation also outlined that the CDC intended to use the aggregated data they received from SafeGraph in a very general manner, which included as many as 21 potential use cases.
Furthermore, the documentation also revealed that while the CDC had received free aggregated data concerning U.S. citizens from SafeGuard for a year due to the unexpected emergence of the COVID-19 virus, the CDC agreed to purchase this information when SafeGuard stated they no longer wanted to provide the agency with free data. As stated in the documentation, the “CDC has an interest in continued access to this mobility data as the country opens back up. This data is used by several teams/groups in the response and have been resulting in deeper insights into the pandemic as it pertains to human behavior.” On top of this, the CDC also purchased location data from other similar technology companies, including a company called Cubeiq, among others.
Allegations against SafeGraph
While the collection of location data is by no means against the law, as the so-called location industry has seen an enormous boom in recent years in conjunction with the proliferation of smart devices such as iPhones, Apple Watches, and laptop computers, among other products, companies that collect such data also have a duty to protect the privacy and security of American citizens. This being said, it was revealed that SafeGraph had been banned from Google’s Play Store in June of 2021, as the multinational technology company forbids application developers from selling the data they harvest from users of said applications to government agencies or other third parties. This ban was due in large part to the business practices of SafeGraph, as the company will reportedly sell data they have collected to any willing buyer.
To test this notion, employees at Motherboard purchased a small set of data from SafeGuard for $200 in 2020, with the aim of verifying whether or not the information the company had collected was indeed aggregated. On the contrary, these employees found that the data they had purchased from SafeGuard was not anonymous, as the data included specific points of interest that U.S. citizens had visited during the course of 2020, including various convenience stores, as well as specific places of worship around the country. What’s more, Zach Edwards, a researcher who has closely followed the supply chain of various sources of data showed that “data related to a specific, small doctor’s clinic, demonstrating how finely SafeGraph’s data can target particular locations.”
As applications that have the ability to track a person’s movement’s through their cellphone or mobile device are a relatively new advancement, lawmakers around the world have yet to pass legislation that regulates the use of such technology. As a result of this, there is a great level of grey area concerning the steps and procedures that a company must follow when looking to harvest location data from a particular population. This rise of the global COVID-19 pandemic has only added to this level of ambiguity, as emergency regulations have led to decisions that may have been viewed as invasions of privacy under ordinary circumstances. Despite all of this, citizens worldwide have the right to know when, where, and how personal data regarding them is being collected or sold, as this information has the potential to put lives in danger when it is missed.