The Centers for Disease Control and Prevention (CDC) bought access to location data harvested from tens of millions of phones in the United States to perform analysis of compliance with curfews, track patterns of people visiting K-12 schools, and specifically monitor the effectiveness of policy in the Navajo Nation, according to CDC documents obtained by Motherboard.
The documents also show that although the CDC used COVID-19 as a reason to buy access to the data more quickly, it intended to use it for more-general CDC purposes.
Location data is information on a device’s location sourced from the phone, which can then show where a person lives, works, and where they went. The sort of data the CDC bought was aggregated—meaning it was designed to follow trends that emerge from the movements of groups of people—but researchers have repeatedly raised concerns with how location data can be deanonymized and used to track specific people.
The documents reveal the expansive plan the CDC had last year to use location data from a highly controversial data broker. SafeGraph, the company the CDC paid $420,000 for access to one year of data, includes Peter Thiel and the former head of Saudi intelligence among its investors. Google banned the company from the Play Store in June.
The CDC used the data for monitoring curfews, with the documents saying that SafeGraph’s data “has been critical for ongoing response efforts, such as hourly monitoring of activity in curfew zones or detailed counts of visits to participating pharmacies for vaccine monitoring.” The documents date from 2021.
Zach Edwards, a cybersecurity researcher who closely follows the data marketplace, told Motherboard in an online chat after reviewing the documents: “The CDC seems to have purposefully created an open-ended list of use cases, which included monitoring curfews, neighbor-to-neighbor visits, visits to churches, schools and pharmacies, and also a variety of analysis with this data specifically focused on ‘violence.’” (The document doesn’t stop at churches; it mentions “places of worship.”)
Motherboard obtained the documents through a Freedom of Information Act (FOIA) request with the CDC.
The documents contain a long list of what the CDC describes as 21 different “potential CDC use cases for data.” They include: