According to CDC documents obtained by Motherboard, the CDC purchased access to location data harvested from tens of millions of phones in the United States in order to analyze curfew compliance, track patterns of people visiting K-12 schools, and specifically monitor the effectiveness of policy in the Navajo Nation. The records also demonstrate that, while COVID-19 was cited as a justification for buying expedited access to the data, the CDC intended to use it for more general CDC reasons.

Cdc Spying On You

Location data is information about a device’s location that is gathered from the phone and can be used to display where a person lives, works, and goes. Although the data purchased by the CDC was aggregated—that is, it was created to track trends that emerge from the movements of groups of people—researchers have repeatedly expressed concerns about how location data can be deanonymized and used to track specific people.

The records expose the CDC’s ambitious intention to use location data from a highly polarizing data broker last year. Peter Thiel and the former head of Saudi intelligence are among the investors in SafeGraph, the business to which the CDC paid $420,000 for access to a year’s worth of data. In June, Google removed the company from the Play Store.

Cdc Spying On You

SafeGraph’s data “has been critical for ongoing response efforts, such as hourly monitoring of activity in curfew zones or detailed counts of visits to participating pharmacies for vaccine monitoring,” according to the docs. The documents were created in 2021.

“The CDC seems to have purposefully created an open-ended list of use cases, which included monitoring curfews, neighbor to neighbor visits, visits to churches, schools, and pharmacies, and also a variety of analysis with this data specifically focused on ‘violence,'” said Zach Edwards, a cybersecurity researcher who closely follows the data marketplace, in an online chat after reviewing the documents. (The document includes “places of worship,” not only churches.)

FOIA to the rescue to uncover CDC spying

The materials were obtained through a Freedom of Information Act (FOIA) request to the CDC by Motherboard.

The documents include a long list of 21 possible “potential CDC use cases for data,” as described by the CDC. They are as follows:

  • “Track visitors to K-12 schools by school and compare to 2019; if possible, compare with epi metrics [Environmental Performance Index].”
  • “Examination of the correlation of mobility patterns data and rise in COVID-19 cases […] Movement restrictions (Border closures, inter-regional and nigh curfews) to show compliance.”
  • “An examination of the effectiveness of Navajo Nation public policy.”
Cdc Spying On You

Cell phone location data was viewed as a potentially beneficial tool at the outset of the pandemic. The New York Times, for example, used GPS data provided by industry businesses to demonstrate where people were going once the lockdowns were lifted, or to underline that poorer communities were unable to shelter in place as much as wealthier communities.

The COVID-19 epidemic has sparked a broader culture battle, with conservatives and anti-vaccine groups denouncing government mask and vaccination requirements. They’ve also raised concerns that vaccine passports could be used as a tracking or surveillance tool, thereby portraying vaccine refusal as a civil rights problem.

Children’s Health Defense, founded by Robert F. Kennedy Jr., is one of the most powerful and well-funded anti-vaccine organizations in the United States. It has raised concerns that digital immunization certificates could be used to spy on residents. Vaccine passports are “a Trojan horse being used to create a completely new type of controlled and surveilled society in which the freedom we enjoy today will be a distant memory.” according to QAnon proponent Dustin Nemos, who wrote on Telegram in December.

Cdc Use Case

The use of mobile phone location data for such a wide variety of tracking techniques, even if helpful for better understanding the pandemic’s progress or guiding policy, is likely to be unpopular against that enflamed backdrop. It’s also likely to provide anti-vaccine activists with real-world evidence to back up their most dire predictions.

“This is a URGENT COVID-19 PR [procurement request],” the procurement documents state, and they ask for the purchase to be expedited.

However, not all of the use cases are directly related to the COVID-19 epidemic. “Research points of interest for physical activity and chronic disease prevention, such as visits to parks, gyms, or weight-loss businesses,” says one.

Cdc Spying On You

Another section of the document delves more into the use of location data for non-COVID-19 programs.

“CDC also plans to use mobility data and services acquired through this acquisition to support non-COVID-19 programmatic areas and public health priorities across the agency, including but not limited to travel to parks and greenspaces, physical activity and mode of transportation, and population migration before, during, and after natural disasters,” according to the statement. “The mobility data obtained under this contract will be available for use across the CDC and will support a number of CDC priorities,” says the statement.

Multiple inquiries to the CDC requesting comment on which use cases SafeGraph data was deployed for went unanswered.

SafeGraph is a part of the burgeoning location sector, and the company has previously shared datasets containing 18 million US cell phones. According to the documents, this purchase is for geographically representative data, “i.e., data derived from at least 20 million active cellphone users per day across the United States.”

App developers are typically asked, or paid, to add location data collection code in their apps by organizations in this area. The location data is subsequently passed on to businesses, which may resell the raw data or package it into products.


Both are available at SafeGraph. On the developed product front, SafeGraph has a number of options. “Places” refers to points of interest (POIs), such as the locations of certain establishments or structures. According to SafeGraph’s website, “Patterns” is based on mobile phone location data that may reveal how long people spend at a location, as well as “Where they came from” and “Where else they go.” SafeGraph has just began delivering aggregated transaction data under the “Spend” package, which shows how much users generally spend at various places.

Cdc Spying On You

SafeGraph’s products are used in a variety of industries, including real estate, insurance, and advertising. Rather than the location of specific gadgets, these goods include aggregated data on movements and expenditures. Motherboard previously paid $200 for a set of SafeGraph location data.

The data was aggregated, which meant it couldn’t be used to track individual devices or people, but Edwards noted at the time, “In my opinion the SafeGraph data is way beyond any safe thresholds [around anonymity].” Edwards demonstrated how finely tuned SafeGraph’s data may be by pointing to a search result in the company’s data portal that provided data relating to a specific doctor’s office. An attacker might theoretically use such information to attempt to unmask specific users, which studies have proved is doable.

EFF

According to the Electronic Frontier Foundation (EFF), the Illinois Department of Transportation purchased data from SafeGraph in January 2019 that related to over five million phones.

The CDC purchased SafeGraph’s “U.S. Core Place Data,” “Weekly Patterns Data,” and “Neighborhood Patterns Data,” according to the records. This last product aggregates data by state and census block and contains information such as home-dwelling time.

According to one of the CDC documents, “SafeGraph offers visitor data at the Census Block Group level, allowing for extremely accurate insights related to age, gender, race, citizenship status, income, and more.”

Cdc Spying On You

Both SafeGraph and the CDC have previously discussed their collaboration, but not to the extent that the records disclose. In September 2020, the CDC published a report that purported to use SafeGraph data to see if people across the country were following stay-at-home directives.

“To play our part in the fight against the COVID-19 health crisis—and its devastating impact on the global economy,” SafeGraph wrote in a blog post in April 2020, “we decided to expand our program further, making our foot traffic data free for non-profit organizations and government agencies at the local, state, and federal levels.” During the peak of the epidemic in the United States, several location data firms promoted their data as a potential mitigation tool, and gave data to government and media organizations.

According to the records, the CDC acquired access to the data a year later because SafeGraph no longer wanted to supply it for free. According to the documents, the Data Use Agreement for the in-kind donated data was set to expire on March 31, 2021. The CDC maintained in the documents that the data was still necessary to have access to when the US opened up.

“As the country reopens, the CDC is interested in continuing to have access to this mobility data.” This information is used by multiple teams/groups in the response, and it has led to “deeper insights into the pandemic as it relates to human behavior,” according to one portion.

Separately from the SafeGraph documents, researchers at the EFF uncovered information exposing the CDC’s acquisition of comparable location data products from a business called Cubeiq. Motherboard received those papers from the EFF. They demonstrated that the CDC requested that Cubeiq’s data be purchased more quickly because of COVID-19, but that they intended to use it for non-COVID-19 objectives. The materials also identified the same potential Cubeiq data use-cases as the SafeGraph docs.

SafeGraph was removed from the Google Play Store in June. This meant that anyone who used SafeGraph’s code in their app had to delete it or risk having their app pulled from the store. It’s unclear how effective this prohibition has been: SafeGraph previously stated that it collects location data through Veraset, a spin-off firm that works with app developers.

Multiple requests for comment from SafeGraph were ignored.