UPDATE: Reacting to the news, SafeGraph has now announced it will stop selling data related to visits to abortion clinics, Planned Parenthood and other similar institutions.
“In light of potential federal changes in family planning access, we're removing Patterns data for locations classified as NAICS code 621410 (‘Family Planning Centers’) from our self-serve ‘shop’ and API to curtail any potential misuse of its data,” Auren Hoffman, SafeGraph’s CEO, wrote in a blog post.
Original story below:
As the debate over abortion rights in the United States reaches a flash point once again, a firm has been discovered selling data on those who have visited abortion clinics.
Motherboard discovered that SafeGraph, a company that sells data for all kinds of uses — demographic analysis, advertising, real estate, and more - is selling packs of data showing where groups of visitors came from, how long they stayed around facilities including Planned Parenthood clinics, as well as where they went after the ordeal.
The report also says the company is able to estimate where the tracked individuals live, down to the census block level, by analyzing the location where a mobile device spent the night.
Selling data
Motherboard bought some of the data to verify its authenticity, and says data on more than 600 Planned Parenthood locations in the US, for mid-April, was bought for just over $160.
SafeGraph works by selling its software development kits (SDK) to developers, which then push them into various mobile apps, such as prayer apps, weather apps, QR codes, and more. App users are often oblivious to the fact that a third party is gathering and selling this data.
These apps then gather user data, including location data. SafeGraph is then able to sell it to third parties and, according to Motherboard, various U.S. military contractors were among the buyers, in the past.
SafeGraph, however, does not sell data on individual users, or illegal data, per se (such as, for example, passwords), but rather aggregates data, and focuses on the movement of groups. However, Vice says that with some sections of data containing a “very small number of devices per record”, the risk of deanonymization is very real.
Some locations have had “just four, or five devices, visiting”, the report says. And with further filtering, by mobile OS, possible, identifying individuals becomes a real threat.
SafeGraph was banned from the Google Play Store last June.
“It's bonkers dangerous to have abortion clinics and then let someone buy the census tracks where people are coming from to visit that abortion clinic,” cybersecurity researcher Zach Edwards told Motherboard after reviewing the data. “This is how you dox someone traveling across state lines for abortions—how you dox clinics providing this service.”
After the news broke out, SafeGraph published a blog post, saying it will no longer offer this type of data for sale:
“In light of potential federal changes in family planning access, we're removing Patterns data for locations classified as NAICS code 621410 (‘Family Planning Centers’) from our self-serve ‘shop’ and API to curtail any potential misuse of its data,” wrote Auren Hoffman, SafeGraph CEO.