Image: Cathryn Virginia/Motherboard
Google has banned SafeGraph, a location data firm whose investors include a former head of Saudi intelligence, Motherboard has learned. The ban means that any apps working with SafeGraph had to remove the offending location gathering code from their apps. SafeGraph markets its data to government entities and a wide range of industries, but it also sells the data on the open market to essentially anyone.
The news signals Google’s continued crackdown on location data firms who sometimes, in violation of Google’s policies, pay app developers to include their data harvesting code and then sell the collected data to companies or government agencies.
“They are willing to sell extremely fine-grained data and anyone with a credit card can start buying it,” Zach Edwards, a researcher who has closely followed the supply chain of various sources of data, told Motherboard in an email last year, when both he and Motherboard were separately investigating SafeGraph.
SafeGraph collected at least some of its location data by having app developers embed the company’s code, or software development kit (SDK), into their own apps. Those apps would then track the physical location of their users, which SafeGraph would repackage and then sell to other parties. Google confirmed to Motherboard it told app developers in early June they had seven days to remove SafeGraph’s SDK from their apps. If they didn’t do this, Google told Motherboard the apps may face enforcement. This can mean removal from the Play Store itself.
Beyond its own data, SafeGraph also offers customers the chance to buy related data sets from other providers to enrich the location information, such as the names of property owners in the U.S.
Last year Motherboard bought a small set of data from SafeGraph for around $200 to test how easy it was to obtain and to verify the sort of information it contained. It included a list of points of interest for the area we bought data for, and other information such as the specific point of interest visitors went to next. For example, one line showed that people who went to The Church of Jesus Christ of Latter-day Saints then visited a list of particular convenience stores.
“In my opinion the SafeGraph data is way beyond any safe thresholds [around anonymity],” Edwards said last year when Motherboard showed him the data. Academics and journalists have repeatedly found how it is possible to deanonymize specific people in sets of location data. In his own test, Edwards pointed to a search result on the SafeGraph portal that showed data related to a specific, small doctor’s clinic, demonstrating how finely SafeGraph’s data can target particular locations.
Last year, the New York Times used SafeGraph data (and data from other location data brokers) to create maps that showed where people were spending their time after coronavirus lockdowns were loosened. It attempted to estimate how crowded various restaurants, gyms, and coffee shops were and how dangerous they could be. At the time, Motherboard asked the Times why it felt comfortable using SafeGraph data considering that its own reporters earlier showed how it could be used to violate people’s privacy. “We’re confident that our use of this data across news and opinion was responsible,” a New York Times spokesperson said. “The data used in [two articles that used location data] is aggregated, and did not include individualized location data. As you note, both the newsroom and opinion section have done in-depth investigations showing the dangers of allowing companies to sell individualized location data. In both cases the data used in those investigations was securely stored during the reporting process and permanently erased.”
On its website SafeGraph says “We believe places data should be open for all.” In April 2017, Turki bin Faisal Al Saud, the former head of Saudi Arabia’s intelligence agency, invested in SafeGraph as part of a $16 million Series A funding round. SafeGraph said it had “assembled the deepest policy thinkers.” Beyond Faisal Al Saud, SafeGraph said it had enlisted the help of former U.S. House Majority Leader Eric Cantor, author Sam Harris, Meghan O’Sullivan who ran Iraq and Afghanistan policy under President George Bush, former Deputy Chief of Staff to President Obama Mona Sutphen, and former German Minister of Defense Karl-Theodor zu Guttenberg, among others. Peter Thiel is also an investor in the company.
SafeGraph was one of the many location data firms that jumped on the opportunity to sell their gathered data to help counter the ongoing COVID-19 pandemic. SafeGraph’s users included the CDC and at least one county health department, according to documents and online records reviewed by Motherboard.
“LICENSE PERIOD: Minimum of 1 year or until COVID-19 (Coronavirus) global response has subsided,” a data license agreement between SafeGraph and the County of Santa Clara, obtained by Motherboard through a public records act request, reads. In April, the CDC paid SafeGraph $420,000 for “data gathering and reporting,” according to public procurement records.
It’s unclear if SafeGraph is still collecting any data from Android devices after Google’s ban. Earlier this month The Wall Street Journal reported that a similar company called X-Mode, which Google banned after Motherboard revealed it collected information from a Muslim prayer app and has U.S. military contractors among its customers, has found a workaround to still harvest location information from apps. Now, X-Mode provides tools to individual app developers, who collect the location data themselves and then pass it over to X-Mode, making it arguably harder for Google, researchers, journalists, or regulators to detect abuses.
Keith Chu, communications director for the office of Senator Ron Wyden, told Motherboard that when it urged Apple and Google to take action against X-Mode following Motherboard’s reporting, the office also flagged SafeGraph to the tech giants. Chu added Wyden’s office tried to contact SafeGraph in June, July, and twice in August last year, but never received a response.
In a statement, Wyden said this enforcement was the right move by Google, but Google and Apple “need to do more than play whack-a-mole with apps that sell Americans’ location information. These companies need a real plan to protect users’ privacy and safety from these malicious apps.”
Google also banned another location firm called Predicio after Motherboard’s reporting.
SafeGraph did not respond to multiple requests for comment on its ban from the Google Play Store.
Update: This article has been updated to include more specific use cases of SafeGraph data.