WASHINGTON -- A data broker shared billions of "highly sensitive" phone-location records with the government in Washington, D.C., last year that revealed how people moved about the city, public records show.
The sharing of the raw phone location data was pitched as uniquely valuable for tracking the covid pandemic, the records show. But provision of the records for six months to the Department of Health also shows the potential for abuse of such data, which is generally collected without consumers' knowledge and then sold to public and private buyers.
The company, Veraset, provided the data as part of a free trial, according to internal emails obtained via a Freedom of Information Act request by the Electronic Frontier Foundation, a digital-rights group. D.C. officials reviewed the data but ultimately declined to renew the partnership after the trial ended.
The emails show that the shared data was authorized for covid-tracking purposes only and did not include people's names and personal details. Foundation researchers said they found no evidence that the data was misused.
But foundation technologist Bennett Cyphers said the emails showed how data brokers tried to "covid-wash" their controversial work during the health crisis and forge new relationships with government authorities. He also questioned how anonymous the data truly is.
"A lot of these data brokers' existence depends on people not knowing too much about them because they're universally unpopular," Cyphers said. "Veraset refuses to reveal even how they get their data or which apps they purchase it from. And I think that's because if anyone realized the app you're using ... also opts you into having your location data sold on the open market, people would be angry and creeped out."
He noted that Veraset's location data includes sequences of code, known as "advertising identifiers," that can be used to pinpoint individual phones.
Researchers have also shown that such data can be easily "de-anonymized" and linked to a specific person. Apple and Google announced changes earlier this year that would allow people to block their ID numbers from being used for tracking.
Veraset and other data brokers have worked to improve their public image and squash privacy concerns by sharing their records with public health agencies, researchers and news organizations, claiming the data could provide an indispensable way to monitor potentially risky crowd movements and public gatherings. The Washington Post, the New York Times and other news organizations also have made use of the data in reporting on potential health risks.
Data brokers pay software developers to include snippets of code in their apps that then sent a user's location data back to the company. Some companies have folded their code into games and weather apps, but Veraset does not say which apps it works with.
Critics have questioned whether users are aware that their data is being shared in such a way. The company is a spinoff of the location-data firm SafeGraph, which Google banned earlier this year as part of an effort to restrict covert location tracking.
Officials with Veraset and SafeGraph did not respond to requests for comment.
Sam Quinney, director of The Lab DC, a science and technology team in the government, said in a statement that District of Columbia officials reviewed the data to determine if it could help with the local covid response but "did not find suitable insights for our use cases" and declined to renew their access. The data, he said, was never shared with anyone other than authorized officials and is scheduled for deletion at the end of the year.
SafeGraph said last year that it had shared data with the Centers for Disease Control and Prevention, and state and city officials across the U.S., and its website says the company strives to "be the source of truth about the physical world."
The CDC used SafeGraph data as part of a one-year trial starting in the first weeks of the pandemic and, in April, awarded a contract to the company for another year of "social mobility" data, a spokeswoman told The Washington Post.
The data is used in the CDC's publicly viewable pandemic "Data Tracker" to estimate what percentage of the population is staying home. The CDC has also published at least two scientific reports using SafeGraph data covering how stay-at-home orders and the timing of public-policy changes altered population movement and "community mobility."
Some public health groups and news organizations have argued that the data can offer important insights and should be handled carefully so as to limit risks to people's privacy.
Veraset required D.C. officials to sign a "data access agreement" prohibiting the use of the data for non-research purposes and allowing the company to "choose to remain anonymous as the source of the Data at Company's sole discretion."
That agreement, Cypher said, could help Veraset ensure its work is cast in a positive light. The city's refusal to pay for the data, he added, suggested that raw location data may be less useful for public health than the company has claimed.
A D.C. government official said in the emails that the records included more than 12 billion data points. One phone can produce many data points because its movements are tracked over time.