Documents obtained by a Freedom of Information Act request to the CDC by Motherboard have shown how the CDC has been secretly tracking millions of phones to see if Americans were following the COVID lockdown mandates.
Must Watch: Would you live on 3D Printed Mars for a year for $60,000?
According to Centers for Disease Control and Prevention (CDC) documents obtained by Motherboard, the CDC purchased access to location data harvested from tens of millions of phones in the United States in order to analyze curfew compliance, track patterns of people visiting K-12 schools, and specifically monitor the effectiveness of policy in the Navajo Nation. The records also demonstrate that, while COVID-19 was cited as a justification for buying faster access to the data, the CDC intended to use it for more general CDC objectives.
Location data is information about a device’s location that is gathered from the phone and can be used to display where a person lives, works, and goes. Although the data purchased by the CDC was aggregated—that is, it was designed to study trends that emerge from the activities of groups of individuals—researchers have repeatedly expressed worries about how location data may be deanonymized and used to track specific people.
The records expose the CDC’s ambitious intention to use location data from a highly controversial data broker last year. Peter Thiel and the former head of Saudi intelligence are among the investors in SafeGraph, the company to which the CDC paid $420,000 for access to a year’s worth of data. In June, Google banned the company from the Play Store.
SafeGraph’s data “has been critical for ongoing response efforts, such as hourly monitoring of activity in curfew zones or detailed counts of visits to participating pharmacies for vaccine monitoring,” according to the documents. The documents start from 2021.
Subscribe to GreatGameIndia
“The CDC seems to have purposefully created an open-ended list of use cases, which included monitoring curfews, neighbor to neighbor visits, visits to churches, schools, and pharmacies, and also a variety of analysis with this data specifically focused on ‘violence,'” said Zach Edwards, a cybersecurity researcher who closely follows the data marketplace,to Motherboard in an online chat after reviewing the documents. (The document includes “places of worship,” not only churches.)
The documents were obtained through a Freedom of Information Act (FOIA) request to the CDC by Motherboard.
The documents include a long list of 21 different “potential CDC use cases for data,” as described by the CDC. They are as follows:
- “Track patterns of those visiting K-12 schools by the school and compare to 2019; compare with epi metrics [Environmental Performance Index] if possible.”
- “Examination of the correlation of mobility patterns data and rise in COVID-19 cases […] Movement restrictions (Border closures, inter-regional and nigh curfews) to show compliance.”
- “Examination of the effectiveness of public policy on [the] Navajo Nation.”
Cell phone location data was viewed as a potentially beneficial tool at the outset of the pandemic. The New York Times, for example, used GPS data provided by companies in the industry to demonstrate where people were going once the lockdowns were lifted, or to underline that poorer communities were unable to shelter in place as much as wealthier communities.
The COVID-19 pandemic has sparked a broader culture war, with conservatives and anti-vaccine groups denouncing government mask and vaccination regulations. They’ve also raised concerns that vaccine passports could be used as a tracking or surveillance tool, thereby portraying vaccine refusal as a civil rights problem.
Children’s Health Defense, founded by Robert F. Kennedy Jr., is one of the most powerful and well-funded anti-vaccine organizations in the United States. It has raised concerns that digital immunization certificates could be used to spy on residents. Vaccine passports are “a Trojan horse being used to create a completely new type of controlled and surveilled society in which the freedom we enjoy today will be a distant memory,” according to QAnon promoter Dustin Nemos, who wrote so on Telegram in December.
The use of mobile phone location data for such a wide variety of tracking techniques, even if helpful for better understanding the pandemic’s progress or guiding policy, is likely to be unpopular against that enflamed backdrop. It’s also likely to provide anti-vaccine groups with real-world evidence to back up their most dire warnings.
“This is a URGENT COVID-19 PR [procurement request],” the procurement documents state, and they ask for the transaction to be expedited.
However, not all of the use cases are directly related to the COVID-19 epidemic. “Research points of interest for physical activity and chronic disease prevention such as visits to parks, gyms, or weight management businesses,” says one.
Another section of the document delves more into the use of location data for non-COVID-19 programs.
“CDC also plans to use mobility data and services acquired through this acquisition to support non-COVID-19 programmatic areas and public health priorities across the agency, including but not limited to travel to parks and greenspaces, physical activity and mode of travel, and population migration before, during, and after natural disasters,” it reads. “The mobility data obtained under this contract will be available for CDC agency-wide use and will support numerous CDC priorities.”
Multiple inquiries to the CDC requesting comment on which use cases SafeGraph data was deployed for went unanswered.
SafeGraph is a part of the growing location industry, and the company has previously shared datasets containing 18 million US cell phones. According to the documents, this purchase is for geographically representative data, “i.e., data derived from at least 20 million active cellphone users per day across the United States.”
App developers are typically asked, or paid, to add location data collection code in their apps by companies in this sector. The location data is then passed on to businesses, which may resell the raw data or package it into products.
Both are provided by SafeGraph. On the developed product front, SafeGraph has a number of options. “Places” refers to points of interest (POIs), such as the locations of certain stores or buildings. According to SafeGraph’s website, “Patterns” is based on mobile phone location data that may reveal how long people spend at a location, as well as “Where they came from” and “Where else they go.” SafeGraph has just began delivering aggregated transaction data under the “Spend” package, which shows how much users generally spend at various places. SafeGraph’s products are used in a variety of industries, including real estate, insurance, and advertising. Rather than the location of specific devices, these products include aggregated data on movements and expenditures. A set of SafeGraph location data was previously purchased by Motherboard for $200.
The data was aggregated, which meant it couldn’t be used to track individual devices or people, but Edwards stated at the time, “In my opinion the SafeGraph data is way beyond any safe thresholds [around anonymity].” Edwards highlighted how finely tuned SafeGraph’s data may be by pointing to a search result in the company’s data portal that provided data relating to a specific doctor’s office. An attacker might theoretically use such information to attempt to unmask specific users, which studies have proved is doable.
According to activist organization the Electronic Frontier Foundation (EFF), the Illinois Department of Transportation purchased data from SafeGraph in January 2019 that related to over five million phones.
The CDC purchased SafeGraph’s “U.S. Core Place Data,” “Weekly Patterns Data,” and “Neighborhood Patterns Data,” according to the documents. This last product aggregates data by state and census block and contains information such as home dwelling time.
According to one of the CDC documents, “SafeGraph offers visitor data at the Census Block Group level that allows for extremely accurate insights related to age, gender, race, citizenship status, income, and more.”
Both SafeGraph and the CDC have previously discussed their partnership, but not to the extent that the documents disclose. In September 2020, the CDC published a report (pdf given below) that purported to use SafeGraph data to see if people across the country were following stay-at-home directives.
“To play our part in the fight against the COVID-19 health crisis—and its devastating impact on the global economy—we decided to expand our program further, making our foot traffic data free for non-profit organizations and government agencies at the local, state, and federal level,” SafeGraph stated in a blog post in April 2020. During the peak of the pandemic in the United States, several location data companies advertised their data as a potential mitigation tool, and gave data to government and media organizations.
According to the documents, the CDC bought access to the data a year later because SafeGraph no longer wanted to supply it for free. According to the documents, the Data Use Agreement for the in-kind provided data was set to expire on March 31, 2021. The CDC maintained in the documents that the data was still necessary to have access to when the US opened up.
“CDC has interest in continued access to this mobility data as the country opens back up. This data is used by several teams/groups in the response and have been resulting in deeper insights into the pandemic as it pertains to human behavior,” one section reads.
Separately from the SafeGraph documents, researchers at the EFF uncovered information exposing the CDC’s purchase of similar location data products from a company called Cubeiq. Motherboard received those papers from the EFF. They revealed that the CDC requested that Cubeiq’s data be purchased more quickly because of COVID-19, but that they intended to use it for non-COVID-19 objectives. The documents also identified the same potential Cubeiq data use-cases as the SafeGraph docs.
SafeGraph was removed from the Google Play Store in June. This meant that anyone who used SafeGraph’s code in their app had to delete it or risk having their app pulled from the store. It’s unclear how effective this ban has been: SafeGraph previously stated that it collects location data through Veraset, a spin-off firm that interacts with app developers.
Multiple requests for comment from SafeGraph were unanswered.
Read the report below: