Disclosed documents show the agency tracked Americans using an easily de-anonymized data broker
The US Centers for Disease Control and Prevention bought access to tens of millions of Americans’ cell phone location data under the guise of tracking compliance with Covid-19 control measures, but ultimately used the information to conduct much more complex and sweeping surveillance, according to documents obtained through a FOIA request by Motherboard, which published its findings on Tuesday.
Documents show that while the agency used the looming specter of the Covid-19 pandemic to justify rapidly acquiring comprehensive cell phone location data on tens of millions of people, the information was ultimately used for much more than simply monitoring compliance with curfews and social distancing measures. Americans’ visits to schools and places of worship were measured on a granular level, while another program focused on surveilling the effectiveness of policy interventions inside the Navajo nation and another concentrated on “exposure to certain building types, urban areas and violence.”
While the CDC’s data was aggregated – apparently aimed at tracking larger trends among populations – studies have repeatedly shown that such supposedly anonymous information can be de-anonymized to the point of pinpointing individuals. Worse, the company the CDC used to obtain its data, SafeGraph, is backed by Peter Thiel, whose company Palantir was deeply involved in the UK’s own ultra-intrusive Covid-19 tracking efforts.
Even Google – itself criticized for breaches while protecting users’ privacy – banned SafeGraph from its Play Store over unscrupulous sales practices last year.
While the CDC insisted SafeGraph’s data was “critical for ongoing response efforts, such as hourly monitoring of activity in curfew zones or detailed counts of visits to participating pharmacies for vaccine monitoring,” cybersecurity researcher Zach Edwards told Motherboard the agency appeared to have “purposefully created an open-ended list of use cases, which included monitoring curfews, neighbor to neighbor visits, visits to churches, schools and pharmacies, and also a variety of analysis with this data specifically focused on ‘violence.’”
While the data was obtained as “urgent,” such expediency supposedly justified by the pandemic, many of the uses it was meant for had little if anything to do with the outbreak. Cases like “research points of interest for physical activity and chronic disease prevention such as visits to parks, gyms, or weight management businesses,” for example, appeared totally unrelated to the virus, as did “exposure to place-based environmental exposures, like places with high air pollution and area-level incidence of pollution-related outcomes like asthma.”
Another vaguely ominous area of documentation focused on the use of “mobility data and services… to support non-Covid-19 programmatic areas and public health priorities… including but not limited to travel to parks and greenspaces, physical activity and mode of travel, and population migration before, during, and after natural disasters.” Such information would be used across the agency to “support numerous CDC priorities.”
The SafeGraph cellphone location information used to populate these datasets might also raise red flags for the privacy-conscious, revealing not just where an individual is at any given time but how long they spend there, where they came from, and where they go next, according to the company’s website.