New Documents: CDC Tracked Millions of Americans’ Compliance with COVID Rules Using Cell Phone Location Data
The Centers for Disease Control and Prevention purchased location data extracted from millions of phones nationwide to analyze curfew compliance, track people’s visiting patterns and examine health policy effectiveness.
The data procurements were revealed through a series of CDC documents obtained by the news outlet VICE through a Freedom of Information Act request. VICE first reported news of the documents.
The documents VICE obtained from the CDC unveiled a large-scale plan by the agency to get location data from SafeGraph, a controversial location data vendor financially supported by Turki bin Faisal Al Saud, former head of Saudi intelligence, the outlet reported.
Last year, the company, which used plug-ins and other applications to gather and sell cellphone users’ data, was banned from the Google Play Store. According to SafeGraph’s website, its clients include the CDC, the California Governor’s Office, the City of Los Angeles, Johns Hopkins University and Harvard University.
“To play our part in the fight against the COVID-19 health crisis—and its devastating impact on the global economy—we decided to expand our program further, making our foot traffic data free for non-profit organizations and government agencies at the local, state, and federal level,” the company said on its website.
The documents VICE obtained showed that the agency purchased access to SafeGraph data for $420,000, citing fighting COVID-19 as the reason for procurement.
According to VICE, among other things, the CDC categorized “potential CDC use cases for data” as:
- “Track patterns of those visiting K-12 schools by the school and compare to 2019; compare with epi metrics [Environmental Performance Index] if possible.”
- “Examination of the correlation of mobility patterns data and rise in COVID-19 cases […] Movement restrictions (Border closures, inter-regional and nigh curfews) to show compliance.”
- “Examination of the effectiveness of public policy on [the] Navajo Nation.”
While the agency cited COVID-19 tracking as its justification for purchasing access to SafeGraph data, the documents VICE accessed showed that the agency sought to expand its use of the data for purposes beyond COVID-19.
“The CDC seems to have purposefully created an open-ended list of use cases, which included monitoring curfews, neighbor to neighbor visits, visits to churches, schools and pharmacies, and also a variety of analysis with this data specifically focused on ‘violence,’” cybersecurity expert Zach Edwards told VICE.
Should federal agencies be legally mandated to provide full disclosure of their uses of data?
Yes: 90% (27 Votes)
No: 10% (3 Votes)
“In my opinion the SafeGraph data is way beyond any safe thresholds [around anonymity],” Edwards said.
“CDC also plans to use mobility data and services acquired through this acquisition to support non-COVID-19 programmatic areas and public health priorities across the agency, including but not limited to travel to parks and greenspaces, physical activity and mode of travel, and population migration before, during, and after natural disasters,” a section of the documents discussing non-COVID-19-related use stated, according to VICE News.
“The mobility data obtained under this contract will be available for CDC agency-wide use and will support numerous CDC priorities,” the document stated.
The CDC did not respond to VICE’s requests for comment.
The CDC bought access to aggregated data. This is data that focuses on general trends of people’s movements. However, according to VICE, researchers worry that this data can be stripped of its anonymity and used to track individuals.
The Illinois Department of Transportation also bought data from SafeGraph, according to the Electronic Frontier Foundation.
According to the purchase agreement accessed by the EFF, the IDOT gave SafeGraph $49,500 for getting raw location data for two years.
The data SafeGraph gave the IDOT included 50 million daily pings from 5 million users. The information consisted of precise latitude and longitude markers, timestamps of the data and the type of device tracked.