from the drop-in-the-bucket dept
A few days ago, Motherboard revealed they were able to purchase the location data of visitors to Planned Parenthood clinics for just $160 from a company named SafeGraph. While SafeGraph refused to comment at the time, they’ve since written a blot post announcing they’ll be ending the practice. But not without spending much of the blog downplaying obvious potential harm:
…there are always extreme hypothetical corner cases, and in some cases these are worth actively preventing.
In light of potential federal changes in family planning access, we’re removing Patterns data for locations classified as NAICS code 621410 (‘Family Planning Centers’) from our self-serve “shop” and API to curtail any potential misuse of its data.
Like the last dozen companies caught in location data scandals, SafeGraph implies this was all an over-reaction because they saw no examples of the data being abused (not that they spent much time verifying identities or looking) and individual identities weren’t exposed due to aggregation and anonymization:
SafeGraph also has a Patterns dataset that shows how groups of people interact with a place (fully aggregated and anonymized). SafeGraph has always committed to the highest level of privacy practices ensuring individual privacy is NEVER compromised. We use differential privacy to ensure anonymity.
But there’s been just an absolute parade of quality studies showing how “anonymization” is meaningless, and user identities can be teased out of such datasets with only a modicum of additional data from other sources. That companies just keep pretending these studies don’t exist is both absurd and insulting. SafeGraph also sold this data with no user identity verification.
Obviously, the harm here is that abortion (and helping those seeking abortion) is criminalized in numerous states, and this data becomes useful for both law enforcement and politicians — but also potentially violent authoritarians who feel harassment efforts have been validated by an extremely unpopular right wing Supreme Court decision.
This cycle we’re in, where a company gets caught being cavalier with user location data, then only sheepishly backs away after a news outlet discovers the practice (while insisting they didn’t actually do anything wrong), isn’t working. There’s very often no meaningful penalty, no third party confirmation that the company has changed anything it claims to have changed, and no real incentive for other actors to stop misbehaving, since the financial cost is minimal to nonexistent and the reputation hit fleeting.
SafeGraph stopping this collection and sale doesn’t stop the countless other data brokers, adtech companies, telecoms, app makers, and big tech giants that are also routinely cavalier with user location and other data — including abortion clinic visitor data (in fact it took Vice all of a day to find another broker doing this same thing). All of this has been greenlit by regulators and lawmakers soaked in campaign contributions.
We’ve built a massive interconnected ecosystem of rampant data over-collection and monetization with little to no meaningful oversight, whether we’re talking about your broadband and wireless provider, prayer and meditation apps, or period tracking apps. This data has already been abused by a wide variety of cops, people posing as cops, criminals, stalkers, and others. Believing it won’t also be abused by a surging U.S. authoritarian right is dangerous wishful thinking.