Not-so-SafeGraph: Location tracker revealed to sell data on abortion clinics' clients
Think that your innocent-looking weather app is not tracking you on your way to a doctor's appointment? Well, maybe it's true, but you can't be so sure nowadays. Let's assume that it does track you, but then what becomes of all that data? Surely it's not falling into the hands of some third-party actors that are abusing it. Oh, wait.
In a scoop that is certain to add fuel to the already raging debate about abortion rights in the US, Motherboard has revealed that it bought user location data from more than 600 Planned Parenthood centers around the country for a mere $160 for a week's worth of data. Some of the centers offer abortion. The data showed where the people traveled from, how long they were at the location, and where they set off after the visit.
The feat has become possible thanks to the services of SafeGraph, a company that is notorious for bulk-selling of location data to the US public health agency (CDC) and to The New York Times.
So how exactly does SafeGraph get access to user location data? The answer is in plain sight. The company harvests this sensitive information from the apps that use its software development kit (SDK). App developers are fond of SDKs because they make their life easier, allowing them to cut costs on developing their own features from scratch — for instance, a location-tracking feature. In the case of SafeGraph SDK, that is precisely what happened. Say you enable a geo-tracking feature in your weather app. Rest assured — SafeGraph SDK would inherit this permission.
After helping the apps to pinpoint and track location, SafeGraph repackaged this information and sold it as a separate product to anybody who was willing to pay for it, and, apparently, for peanuts.
Users, as it often happens in such cases, were most likely unaware of this scheme. SafeGraph SDK was embedded not only in weather, travel and sports apps. The majority of its clients were forums that cater to a broad range of interests, from cars to psychology and even plastic surgery.
Thus, If you granted such an app permission to use your location, SafeGraph could also receive this data. Note that many of SafeGraph's most popular apps have been downloaded more than 10,000 times. Among the top apps that contain SafeGraph are a basketball forum (RealGM Forum), a forum for firearms enthusiasts (Ruger Forum), an off-road travel forum (SA 4x4 Community Forum), an Apple products discussion forum (iMore Forums) — the list goes on.
Motherboard reports that the data it bought from SafeGraph contained information gathered during one unspecified week in mid-April. The product is referred to on the SafeGraph website as "Weekly Pattern". The company boasts, "Weekly Patterns provides answers to questions like: How often do people visit a location? How long do they stay? Where do they come from? Where else do they go?" If this does not sound disconcerting to you, then perhaps it should.
While SafeGraph claims that it draws on "anonymous mobile data" and the result is a demographic aggregation, meaning that the identities of individual users remain secret, there have been concerns that this data can still be traced back to specific users.
It's not the first time SafeGraph has made headlines for all the wrong reasons. Last year, it was reported that Google launched a crackdown on the company, threatening to banish all apps that used its SDK from its Google Play Store within seven days if they failed to remove the SDK.
However, the reported ban apparently did little to stop SafeGraph from continuing to do business as usual.
The revelation by Motherboard comes at a time when the US public is reeling from the publication of the leaked majority opinion of the US Supreme Court that threatens to put the final nail in the coffin of the federal consitutional protection of abortion rights in the country. The landmark ruling is known as Roe v Wade.
Taking into account the fiery political debate on abortion rights in the US, SafeGraph's data collection practices can directly affect the lives of ordinary people. Moreover, users will be unaware of the fact that their location data — which they themselves allowed the apps to use — can be mishandled to such an extent.
We have only briefly touched on the possible applications of this method of data collection. That does not mean you can feel safe if you don't visit the aforementioned locations. It will be possible to obtain information on any places that you frequent from your data — the technology allows it.
"How not to get into such a situation?" you may ask. There's no need to become paranoid and throw away your phone. We have always called on users to grant only the most essential permissions to their apps. Isn't it strange, when, say, a weather app requests your call history? And if the app really requires this data — and there are many such apps — then you need to protect yourself.
At present, AdGuard blocks the collection of data through this particular SDK. Moreover, the list of blocked threats is being updated on a regular basis. We constantly monitor new threats to users' confidentiality and block them, which allows us to limit the risks stemming from unscrupulous data collectors.