Data Broker Is Selling Location Data of People Who Visit Abortion Clinics

A location data firm is selling information related to visits to clinics that provide abortions including Planned Parenthood facilities, showing where groups of people visiting the locations came from, how long they stayed there, and where they then went afterwards, according to sets of the data purchased by Motherboard.

The data sale is obviously more important in the context of a leaked Supreme Court draft opinion in which Justice Alito indicated that the court is ready to repeal the decision in Roe v. Wade, the decades-old precedent that has provided federal protections to those seeking an abortion. If that draft does become a formal decision, it would immediately fully or partly ban abortion rights in at least 13 states.

How data collecting intersects with abortion rights, or the lack thereof, is likely to gather more attention in the wake of the draft. The country may also see an increase in vigilante activity or forms of surveillance and harassment against those seeking or providing abortions. With this aggregated location data available to anyone on the open market, customers could include anti-abortion vigilantes as well. Anti-abortion groups are already fairly adept at using novel technology for their goals. In 2016, an advertising CEO who worked with anti-abortion and Christian groups sent targeted advertisements to women sitting in Planned Parenthood clinics in an attempt to change their decision around getting an abortion. The sale of the location data raises questions around why companies are selling data based on abortion clinics specifically, and whether they should introduce more safeguards around the purchase of that information, if be selling it at all.

“It's bonkers dangerous to have abortion clinics and then let someone buy the census tracks where people are coming from to visit that abortion clinic,” Zach Edwards, a cybersecurity researcher who closely tracks the data selling marketplace, told Motherboard in an online chat after reviewing the data. “This is how you dox someone traveling across state lines for abortions—how you dox clinics providing this service.”

In the wake of a near-total abortion ban in Texas, for example, people in Texas seeking abortions have increasingly had to travel to other states where abortion access is easier to get the care they need. With Roe set to fall, people seeking abortions who live in conservative states and can afford to are likely to start traveling to get an abortion. Location data could play into whether and how that travel is identified, making it even more urgent for regulators and lawmakers to consider how location data is collected, used, and sold.

The company selling the data is SafeGraph. SafeGraph ultimately obtains location data from ordinary apps installed on peoples’ phones. Often app developers install code, called software development kits (SDKs), into their apps that sends users’ location data to companies in exchange for the developer receiving payment. Sometimes app users don’t know that their phone—be that via a prayer app, or a weather app—is collecting and sending location data to third parties, let alone some of the more dangerous use cases that Motherboard has reported on, including transferring data to U.S. military contractors. Planned Parenthood is not the organization performing the data collection nor benefiting from it financially.

SafeGraph then repackages that location data and other data into various products. On Tuesday Motherboard reported that the CDC bought $420,000 worth of SafeGraph data for a laundry list of COVID-19 and non-COVID-19 use cases. Google banned SafeGraph from the Google Play Store in June.

SafeGraph classifies "Planned Parenthood" as a "brand" that can be tracked, and the data Motherboard purchased includes more than 600 Planned Parenthood locations in the United States. The data included a week's worth of location data for those locations in mid-April. SafeGraph calls the location data product “Patterns.” In total, the data cost just over $160. Not all Planned Parenthood locations offer abortion services. But Motherboard verified that some facilities included in the purchased dataset do. 

Motherboard also searched the SafeGraph website for “Family Planning,” which returned a relevant result of “Family Planning Centers” that people could then buy data related to.

SafeGraph’s Patterns data aims to answer questions like “how often people visit, how long they stay, where they came from, where else they go, and more,” according to SafeGraph’s website. SafeGraph calculates where it believes visitors to a location live to the census block level. SafeGraph does this by analyzing where a phone is commonly located overnight, the company’s documentation suggests.

SafeGraph’s data is aggregated, meaning it isn’t explicitly specifying where a certain device moved to. Instead, it focuses on the movements of groups of devices. But researchers have repeatedly warned about the possibilities of unmasking individuals contained in allegedly anonymized datasets. 

Sections of the SafeGraph dataset Motherboard purchased handle a very small number of devices per record, theoretically making deanonymization of those people easier. Some had just four or five devices visiting that location, with SafeGraph filtering the data by whether the person used an Android or an iOS device as well.

On the data showing where people traveled to a certain clinic based on their census block, potentially across state borders, Edwards said “SafeGraph is going to be the weapon of choice for anti-choice radicals attempting to target ‘out of state clinics’ providing medical care.” Missouri is considering a law to make it illegal to “aid or abet” abortions in other states.

Tracking visitors to abortion clinics has long been a staple in showing the threat posed by location data. In a 2018 investigation, The New York Times took location data and followed multiple people inside it, and unmasked some of those. One of the people followed visited a Planned Parenthood facility, according to the report.

Recently, a Christian-focused outlet The Pillar published a piece that used location data to track the movements of a specific priest and then outed him publicly as potentially gay without his consent.

Planned Parenthood did not respond to a request for comment. SafeGraph did not respond to a request for comment either, which included the specific question of whether the company would continue to sell location data related to abortion clinics.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.