Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Privacy IT Technology

CDC Tracked Millions of Phones To See If Americans Followed COVID Lockdown Orders (vice.com) 65

The Centers for Disease Control and Prevention (CDC) bought access to location data harvested from tens of millions of phones in the United States to perform analysis of compliance with curfews, track patterns of people visiting K-12 schools, and specifically monitor the effectiveness of policy in the Navajo Nation, according to CDC documents obtained by Motherboard. From a report: The documents also show that although the CDC used COVID-19 as a reason to buy access to the data more quickly, it intended to use it for more general CDC purposes. Location data is information on a device's location sourced from the phone, which can then show where a person lives, works, and where they went.

The sort of data the CDC bought was aggregated -- meaning it was designed to follow trends that emerge from the movements of groups of people -- but researchers have repeatedly raised concerns with how location data can be deanonymized and used to track specific people. The documents reveal the expansive plan the CDC had last year to use location data from a highly controversial data broker. SafeGraph, the company the CDC paid $420,000 for access to one year of data to, includes Peter Thiel and the former head of Saudi intelligence among its investors. Google banned the company from the Play Store in June.

This discussion has been archived. No new comments can be posted.

CDC Tracked Millions of Phones To See If Americans Followed COVID Lockdown Orders

Comments Filter:
  • by WankerWeasel ( 875277 ) on Tuesday May 03, 2022 @01:28PM (#62499982)
    The CDC didn't track them, a 3rd party data seller did and the CDC simply paid for the anonymized data. Countless companies pay for such, and it's often helpful. It's generally not a huge issue if anonymized properly.
    • Still, the companies should be forced to reveal to you the data they tracked about YOU. Also, where it came from (which App, etc).
      • They generally are. It's in their terms and conditions. For instance, if you look at the privacy policy here on Slashdot, you can see what information they collect and how it may be used.
        • They generally are. It's in their terms and conditions. For instance, if you look at the privacy policy here on Slashdot, you can see what information they collect and how it may be used.

          Privacy policies are meaningless drivel.

        • I never thought I'd see the day where a slashdot user acts like the terms and conditions are a legit source to quote.

          • Bro, find sites recording information other than what's in that policy and sue them. Get rich. It's legally binding.
        • Except Amazon has been caught tracking against their own apps privacy policies.

      • Google and apple both have had strict rules about disclosing that kind of tracking and it's fairly well enforced because every time somebody gets caught doing it without disclosing it it makes the news.

        This was either a data taken from Wi-Fi and Bluetooth or data purchased from a cell phone company. You can't do anything about that because the cell phone companies have too much lobbying power and money. If you have a problem with it you're going to have to change how American politics works so that that
        • Google and apple both have had strict rules about disclosing that kind of tracking and it's fairly well enforced because every time somebody gets caught doing it without disclosing it it makes the news.

          This was either a data taken from Wi-Fi and Bluetooth or data purchased from a cell phone company. You can't do anything about that because the cell phone companies have too much lobbying power and money.

          You have it backwards. Cell companies are subject to legal restrictions (Title 47) on their use of customer information and have been successfully sued in court and fined for failures.

          Everyone else enjoy no such restrictions and can do as they please. This notion of failing to disclose something in a privacy policy nobody reads or understands is a nullity.

    • by Anonymous Coward

      The CDC is not a company, they are the government. Whether the CDC does the tracking themselves or buys tracking data from an agent of the government they should have to get a warrant, and this project should have been open for public comment beforehand.

      “The CDC seems to have purposefully created an open-ended list of use cases, which included monitoring curfews, neighbor to neighbor visits, visits to churches, schools and pharmacies, and also a variety of analysis with this data specifically focused

      • by Dynedain ( 141758 ) <slashdot2&anthonymclin,com> on Tuesday May 03, 2022 @03:14PM (#62500380) Homepage

        I don't think you understand what a warrant is. A warrant is a court order that entitles a government agency to collect materials from a private entity without their consent.

        Voluntary relinquishment of materials, or selling access to those materials, has never required a warrant, nor will it ever.

        • I did not voluntarily relinquish any information to the government. Most privacy policies clearly state for commercial and advertising purposes.

          The government should always have a warrant, even if it uses a third party to do the search, thatâ(TM)s been established as case law for decades and with tech related to those hacking devices. Just because the police can buy a third party to access into a device doesnâ(TM)t mean they donâ(TM)t need a search warrant to do so.

          • The warrant or request isn't going to you, it is going to the tracker. And the tracker is willingly selling it, so no warrant needed.

            Under current law the data belongs to the tracker, not you. The data is *about* you, but you are not the data owner.

            • by guruevi ( 827432 )

              So if police use a third party investigator bureau to plant a GPS tracker that's now legal since the data belongs to the data owner, it's only "about" you?

              • That's a decision for the courts and is a different situation since it is a targeted action to single out an individual.

                Current law holds that the data collected by data aggregators is property of the aggregators, and not the people who are tracked.

                Would I like to see that changed? Yes - but that is solved by changing data privacy laws so the information cannot be collected in the first place.

      • by hey! ( 33014 )

        I think you're on the right track here, but you're framing it the wrong way; although to be fair framing privacy issues is notoriously difficult even for lawyers and professional philosophers.

        I think most people feel they have a kind of *interest* (in the legal rights sense) in what happens to information about them that should be protected from intrusion; in some cases it's just government intrusion that people object to, and in other cases it's intrusion by businesses as well. They feel they should have

    • Re: (Score:2, Troll)

      The CDC didn't track them, a 3rd party data seller did and the CDC simply paid for the anonymized data.

      This is a distinction without a difference. No different than asserting:

      CDC didn't kill them, a third party contract killer did and the CDC simply paid for the anonymized service.

      Countless companies pay for such, and it's often helpful.

      To whom?

      It's generally not a huge issue if anonymized properly.

      How would you know what the people the data was exfiltrated from think of it? Did they get a say? Were they even aware?

      • by dgatwood ( 11270 )

        The CDC didn't track them, a 3rd party data seller did and the CDC simply paid for the anonymized data.

        This is a distinction without a difference. No different than asserting:

        CDC didn't kill them, a third party contract killer did and the CDC simply paid for the anonymized service.

        Actually, there are a number of huge differences.

        First, a death doesn't stop causing harm merely because you don't know which person was killed, whereas knowing that a person traveled along a particular route, almost by definition, cannot cause harm without knowing who that person was.

        Second, those companies presumably did not collect that data at the CDC's request. They were already collecting it. So a better analogy would be that this is no different than sending a check to someone in prison for murder,

        • First, a death doesn't stop causing harm merely because you don't know which person was killed,

          The issue is benefiting from ends while disavowing of means. Ends and means are linked.

          whereas knowing that a person traveled along a particular route, almost by definition, cannot cause harm without knowing who that person was.

          Million restraining orders, tens of thousands of domestic violence murders yearly yet you appear to believe buying a history of someone's whereabouts is harmless. You seem to think people can't be trivially identified using such data... or that people have not already been murdered as a result of purchasing such data. Cute.. not relevant to the issue but cute.

          To the researchers analyzing the data that they otherwise would not have been able to obtain.

          I disagree with the premise. There have been voluntary pub

          • by dgatwood ( 11270 )

            First, a death doesn't stop causing harm merely because you don't know which person was killed,

            The issue is benefiting from ends while disavowing of means. Ends and means are linked.

            The means are moot, though, unless the ends result in harm. I can shoot the dirt a million times, and as long as it doesn't cause lead pollution in the water supply, I haven't harmed anybody, and there's no reason for someone to care. But put one bullet in a person, and suddenly you're a criminal. Surely you understand the difference.

            whereas knowing that a person traveled along a particular route, almost by definition, cannot cause harm without knowing who that person was.

            Million restraining orders, tens of thousands of domestic violence murders yearly yet you appear to believe buying a history of someone's whereabouts is harmless.

            Ah, you just moved the goalpost. I didn't say that buying the history of a particular person's whereabouts is harmless. I said that buying an anonymized history of an unkn

            • The means are moot, though, unless the ends result in harm.

              Nobody is entitled to do as they please so long as it achieves outcomes they want.

              I can shoot the dirt a million times, and as long as it doesn't cause lead pollution in the water supply, I haven't harmed anybody, and there's no reason for someone to care.

              If the means of making holes in dirt is shooting a weapon it may well be the case neither the means or ends are harmful.

              If the means of making holes in dirt is to steal a crane, attach a 10 ton boulder to it, lift boulder 50 feet in the air then drop it upon same dirt mound you were shooting at earlier saying "means are moot" will not fly with the judge or jury. Claiming it's ok because you just made a harmless hole in the di

              • by dgatwood ( 11270 )

                The means are moot, though, unless the ends result in harm.

                Nobody is entitled to do as they please so long as it achieves outcomes they want.

                Odd. The traditional conservative/libertarian voice in my head says that everyone should be allowed to do whatever they want as long as nobody else is harmed by it. It's thinking like yours that leads to nearly every bad law you can think of, whether on the left or the right.

                I can shoot the dirt a million times, and as long as it doesn't cause lead pollution in the water supply, I haven't harmed anybody, and there's no reason for someone to care.

                If the means of making holes in dirt is shooting a weapon it may well be the case neither the means or ends are harmful.

                As is the case in what we're talking about. The harm exists entirely in your head.

                If the means of making holes in dirt is to steal a crane,

                Again with the ridiculous theft metaphors. As mentioned before, that does not apply here. Nothing is being stolen.

                Ah, you just moved the goalpost. I didn't say that buying the history of a particular person's whereabouts is harmless. I said that buying an anonymized history of an unknown person's whereabouts is harmless.

                If I buy GPS coordinates of a rando for 24 hours chances are good I will know where they work or go to school, where they live and probably who they are by correlating location with public parcel records I downloaded from county GIS website.

                Maybe. That depends on a lot of fa

    • Also, it's from a company involved with Peter Theil - a Republican.

    • Comment removed based on user account deletion
    • is there any way to candy coat it even further?

    • Even if it's not well-anonymized, they're almost certainly doing nothing whatsoever to deanonymize it. The FBI, CIA, and NSA all have the same data. If I'm going to work about a TLA abusing it, it's not going to be the CDC.

  • Ooooo Scaaary (Score:5, Insightful)

    by rsilvergun ( 571051 ) on Tuesday May 03, 2022 @01:30PM (#62499990)
    Seriously, it's a study. They're a well respected medical institution. They would have anonymized the data in full compliance with HIPAA and only used it for the intended purpose.

    When the cops do this yeah, I worry. I do that because I don't trust our criminal "justice" system. Too many stories of cops getting confessions from innocent people (John Oliver just did a funny bit on it for his show, it's on YouTube if you wanna go watch it).

    I am not at all worried about medical researchers doing this kind of thing because I'm not in an inherently antagonistic position with them like I am with the cops and their prosecutors.

    It's the difference between people who's job is to lock criminals up (cops) people who work in public safety (Epidemiologists). And for the record, there's no reason we can't change cops jobs to be public safety instead of filling our prisons.
    • I'm sure they know what they're doing and have our best interests at heart.

      Right?
      • I'm from the government and I'm here to help.
        • You may find that funny (and today, alas, it is) but I can remember whern it was true.
        • so you'd be so afraid of gov't that you'd withdraw from civic life and duty, giving him and his cronies total control of the county. Worked too.

          Like it or not you're gonna have a big gov't. That's because you're gonna have a big military to protect yourself from other big militaries, and without a big civilian gov't to oversee it you're gonna have a Junta. And as soon as you've got all that you're stuck. Might as well have that gov't work for you instead of a handful of oligarchs and billionaires (getti
      • They always do- up until the point when they don't any more, and the technology begins to be used for tyranny and control. You'll know the point when it happens, because we will be told its being done to keep us safe.

      • by rsilvergun ( 571051 ) on Tuesday May 03, 2022 @04:43PM (#62500694)
        I think they do, and I base that on several factors:

        1. They're some of the best trained scientists on earth and they're working for peanuts. Gov't pay is crap and with their credentials they could make 3-5 times what they do in the private sector. And most of them are lifers.

        2. It's not like they leave and use their contacts to score a high paying job like the guys who regulate Cable TV. The ones who leave are usually the ones who couldn't survive on the extremely low pay.

        3. They don't have a lot of power. All they can really do is make reports that every other president ignores. I can't imagine a more frustrating job. You have to be in it for a damn good reason to stick around and "forcing Americans to put cloth over their faces" doesn't sound plausible.

        4. They're extremely well educated. They couldn't do their jobs if they weren't. You can't "fake it till you make it" in epidemiology.

        In short, I can't think of a motive for them to misuse this data and/or lie to us. Yeah, they might screw up like anyone might, but I trust a bunch of guys with PhDs a hell of a lot more than the yahoos that we give near unlimited power to like those billionaires or the shmucks we keep sending to Congress because they've got the coolest adverts and the most fun rallies.

        I mean, when was the last time Anthony Fauci even held a rally, much less danced to YMCA at one?
    • So, according to your logic, being antagonistic to, say, government officials that may be corrupt (never happens, though), would warrant a negative reaction to this. It's simply about the subjective perception of random after all, right?

    • Seriously, it's a study. They're a well respected medical institution. They would have anonymized the data in full compliance with HIPAA and only used it for the intended purpose.

      HIPAA is not applicable.

      I am not at all worried about medical researchers doing this kind of thing because I'm not in an inherently antagonistic position with them like I am with the cops and their prosecutors.

      This picking and choosing of which causes are just, noble and sufficiently deserving to purchase exfiltrated data is equal parts academic (You don't have a say) and proclamation of ends justifying means.

      It's the exfiltration, aggregation and selling part that is the problem. There is no law neither is there likely to be any law preventing law enforcement or plaintiffs from leveraging third party data brokers.

      People have been murdered based on location data purchased from third party

      • HIPAA applies to gov't agencies just like anything else, and this is medical data. So HIPAA kicks in.

        And yes, we can pick and choose. Nuance is not dead. We don't need to act like children and be incapable of understanding that complex situations can be different, and that different people can be trusted (or not) to do different things. You're thinking's too black and white. That makes it easy to manipulate and exploit you.
        • HIPAA applies to gov't agencies just like anything else, and this is medical data. So HIPAA kicks in.

          HIPAA does not apply.

          And yes, we can pick and choose. Nuance is not dead. We don't need to act like children and be incapable of understanding that complex situations can be different, and that different people can be trusted (or not) to do different things. You're thinking's too black and white.

          When one robs a bank they are arrested for robbing the bank not what they did with the money. One can pick and choose what to buy to their hearts content it just isn't relevant.

          What is relevant is exfiltration of the data in the first place not how it is used once exfiltrated.

        • by Anonymous Coward

          HIPAA applies to gov't agencies just like anything else, and this is medical data. So HIPAA kicks in.

          HIPAA is not about medical data it is about heath insurance. Literally it is the Health Insurance Portability and Accountability Act of 1996. It only applies to providers who take health insurance. And it isn't even medical data. It is location data from cell phones. Just because it is medical study doesn't make the data about health insurance. Now, I'm sure there are some other ethical rules the CDC must follow, but HIPAA certainly isn't one here.

    • by anegg ( 1390659 )

      Seriously, it's a study. They're a well respected medical institution. They would have anonymized the data in full compliance with HIPAA and only used it for the intended purpose.

      I'll assume you are serious, and not being sarcastic.

      Nope, I can't do it. I can't believe that you would seriously believe "They would have anonymized the data in full compliance with HIPAA and only used it for the intended purpose."

      The first strike against that belief is that this is the government, and scope creep of government missions is practically a natural law. It doesn't matter that it is the CDC, it is just going to happen. It always happens.

      Second, the HIPAA "security rule" doesn't even cove

    • This is the same government institution that believes courts should not be able to override their mandates. It's a government institution run by humans which are all fallible regardless of their job titles..

    • The fact that this was done without consent should be enough to worry you. It's interesting that you decide which divisions of the government are not political and should be trusted.
      It's never a good idea to hand over privacy and freedom.

    • They're a well respected medical institution. ... I am not at all worried about medical researchers doing this kind of thing because

      Agreed completely.

      There are many other government agencies and bodies out there --- including many that already buy exactly the same data and much more --- that I trust far less with it.

      Out of all the groups out there the CDC is one of the few I actually trust to do the right thing with the data. They're not an organization that enforces, punishes, fines, or harms, they're an organization that looks for trends in illness, injury, and reduction of livelihood to make them better. They already have access to

    • Funny you say that ... because personally, I find that the cops and their prosecutors really aren't interfering with my life in any way, shape or form right now. I find that if you're not trying to violate the established laws of the land and you agree to the mandated fees and taxes for things like renewing your vehicle's plates on time? They're generally just a non-issue.

      On the other hand, the mandated lock-downs of businesses that were advocated for by agencies like the CDC and other medical researchers h

    • The public health establishment no longer has the trust of the majority of Americans, 52% trust the CDC, local and state health departments poll in the mid 40s, 37% trust the NIH.

      Moreover the information collected was very detailed and specifically targeted groups that were non-compliant, it is likely that with the raw data I can find out who exactly can be targeted.

      Moreover, weâ(TM)ve seen the CDC and NIH did attain significant policing and political powers in the last few years. Everything from mask

  • I love stories about government agencies setting money on fire!

  • Turns out that many politicians didn't follow the lockdown procedures either.

    No mask. No social distancing. No lockdown.

    True leadership.

    That is all.

  • "You have zero privacy anyway, get over it" - Scott McNeely. 1999

    • You have no rights. Get over it.

      • That is manifestly untrue.

        Each person has whatever rights they claim to have and defend to the death against any other seeking to deny there existance (that is, to the death of the right holder claimant or the other negative claimant).

        Thus has it been for billions of years and so it will be for billions more.

  • Which is most likely slurping up all data and analyzes it with no oversight

  • You can get very good relative numbers by checking wastewater counts [cdc.gov], something that individual members of the community aren't going to bother to fake.
  • Like most /. readers, I stayed in my basement as usual, so, meh?

  • Google [google.com] and Apple [apple.com] both shared phone mobility data publicly during the pandemic. Anybody with a computer could look at the data, and it certainly wasn't a secret.
  • Let's see how these medical authoritarians pet politicians do in November. We will see how much appetite for tracking and rights grabbing folks really have.

No spitting on the Bus! Thank you, The Mgt.

Working...