Image: The Washington Post/Contributor
Piracy. Disinformation. Surveillance. CYBER is Motherboard’s podcast and reports on the dark underbelly of the internet.
A location data firm sells information about visits to clinics that offer abortions, including Planned Parenthood facilities, showing where groups of people visiting the venues came from, how long they stayed there, and where they then went, according to data sets purchased by the motherboard.
The sale of data is obviously more important in the context of leaked Supreme Court draft opinion in which Judge Alito indicated that the court is ready to reverse the decision in Roe vs. Wade, the decades-old precedent that provided federal protections for those seeking abortions. If this project were to become a formal decision, it would immediately prohibit, totally or partially, the right to abortion in at least 13 states.
How data collection intersects with abortion rights, or lack thereof, is expected to attract more attention as a result of the project. The country could also see an increase in vigilante activities or forms of surveillance and harassment against those who request or provide abortions. With this aggregate location data available to everyone in the open market, customers could also include anti-abortion vigilantes. Anti-abortion groups are already quite adept at using new technologies to achieve their goals. In 2016, an advertising CEO who worked with anti-abortion and Christian groups sent targeted ads to women sitting in Planned Parenthood clinics in an attempt to change their decision to have an abortion. The sale of location data raises questions about why companies sell data based on abortion clinics in particular, and whether they should introduce more safeguards around buying or even selling this information. .
“It’s damn dangerous to have abortion clinics and have someone buy the census leads where people come from to visit that abortion clinic,” said Zach Edwards, a cybersecurity researcher who closely follows the data sale market, to Motherboard in an online chat after reviewing the data. “That’s how you dox someone who crosses state lines for abortions — how you dox the clinics providing that service.”
Do you work in the location data industry or how do you know the data is being used? We would love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on [email protected] or email an email to [email protected]
Following a near-total ban on abortion in Texas, for example, people in Texas seeking abortions have increasingly had to travel to other states where access to abortion is easier to get the care they need. With deer about to fall, people seeking abortions who live in conservative states and can afford it are likely to start traveling for abortions. Location data could play a role in who and how that trip is identified, making it even more urgent for regulators and lawmakers to examine how location data is collected, used and sold.
The company selling the data is SafeGraph. SafeGraph ultimately obtains location data from regular apps installed on people’s phones. Often, app developers install code, called software development kits (SDKs), into their apps that sends users’ location data to companies in exchange for payment from the developer. Sometimes app users are unaware that their phone, whether through a prayer app or a weather app, collects and sends location data to third parties, not to mention some of the most dangerous use cases. reported by Motherboard, including the transfer of data to US military contractors. Planned Parenthood is not the organization that collects the data or benefits financially from it.
SafeGraph then repackages this location data and other data into various products. Tuesday Motherboard reported CDC purchased $420,000 worth of SafeGraph data for a long list of COVID-19 and non-COVID-19 use cases. Google banned SafeGraph from the Google Play Store in June.
SafeGraph classifies “Planned Parenthood” as a “brand” that can be tracked, and data purchased by Motherboard includes more than 600 Planned Parenthood locations in the United States. The data included a week of location data for these locations in mid-April. SafeGraph calls the location data product “Patterns”. In total, the data costs just over $160. Not all Planned Parenthood sites offer abortion services. But Motherboard has verified that some facilities included in the purchased dataset do.
Motherboard also searched the SafeGraph website for “Family Planning,” which returned a relevant result of “Family Planning Centers” that people could then purchase related data from.
Patterns data from SafeGraph aims to answer questions such as “how often people visit, how long they stay, where they come from, where they go to, etc.” according to the SafeGraph website. SafeGraph calculates where it believes visitors to a location live at the census block level. SafeGraph does this by analyzing where a phone is typically located overnight, company documentation suggests.
SafeGraph data is aggregated, which means it does not explicitly specify where a certain device has been moved. Instead, it focuses on the movements of groups of devices. But researchers have repeatedly alerted to the possibilities of unmasking individuals contained in purportedly anonymized datasets.
The sections of the SafeGraph dataset purchased by the motherboard manage a very small number of devices per record, which theoretically makes it easier to de-anonymize these people. Some only had four or five devices visiting that location, with SafeGraph filtering the data based on whether the person was also using an Android or iOS device.
On data showing where people went to a certain clinic based on their census block, potentially across state lines, Edwards said, “SafeGraph is going to be the weapon of choice for anti-radicals. -choices that attempt to target “out-of-state clinics” providing medical care. Missouri is considering legislation to making it illegal to “aid or abet” abortions in other states.
Tracking visitors to abortion clinics has long been an essential part of showing the threat posed by location data. In a 2018 survey, The New York Times took location data and tracked several people inside, and unmasked some of them. One of those tracked visited a Planned Parenthood facility, according to the report.
Recently, a Christian-focused media outlet, The Pillar, published an article that used location data to track the movements of a specific priest and then publicly outed him as potentially gay without his consent.
Planned Parenthood did not respond to a request for comment. SafeGraph also did not respond to a request for comment, which included the specific question of whether the company would continue to sell location data related to abortion clinics.
Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.