Tech

Location Data Broker Admits Users Accessed Data for Planned Parenthood Clinics

The lookups on Placer.ai were long before the repeal of Roe v. Wade, but still demonstrate the stark risk that location data firms and data brokers pose.
Planned Parenthood
Image: Saul Loeb/Contributor
Screen Shot 2021-02-24 at 3
Hacking. Disinformation. Surveillance. CYBER is Motherboard's podcast and reporting on the dark underbelly of the internet.

Placer.ai, a location data firm that Motherboard previously revealed was providing heatmaps of approximately where abortion clinic visitors live, has admitted that people have obtained data related to these visits in the past.

The news highlights the risk that location data providers and data brokers in general pose in a post-Roe v. Wade United States, in which anti-abortion activists and law enforcement agencies in certain states may seek out such data to determine which clinics or locations might be providing out-of-state abortions.

Advertisement

“​​In an effort to be as responsive as possible to your inquiry, Placer.ai recently reviewed all Planned Parenthood locations on its platform that were ever accessed by paying or free customers,” Placer.ai wrote in a letter addressed to Senator Elizabeth Warren in June. Warren’s office published the letter on Thursday. The letter was responding to a letter Warren sent to Placer.ai and another company called SafeGraph the previous month. That outreach came after Motherboard revealed both SafeGraph’s and Placer.ai’s data selling practices around abortion clinics.

Do you have any documents from inside the location data industry? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

Placer.ai said that between 2020 and 2022, data on 17 Planned Parenthood locations was accessed. Some of those instances would have included Motherboard and reporters from The Markup exploring the data for verification purposes. But Placer.ai admits in the letter that activity related to 10 of the locations queried by 11 users were not these journalists.

Advertisement

They include a lookup for a Planned Parenthood location in Michigan in 2020, another in Illinois in the same year, and then lookups for three different clinics in Minnesota across 2021 and 2022.

Placer.ai also said that between August 2021 and May 2022, it provided one “medical consumer goods company” with weekly data about many medical facilities, which included information about Planned Parenthood locations. This data included “high-level metrics like total foot traffic, but no location heatmaps.”

placer-table.png

A screenshot of the table that Placer.ai included in its letter. Image: Motherboard.

In its letter Placer.ai provided no additional information on who these users might be. Theoretically, they could be users performing research on abortion for academic purposes, or carrying out some other form of innocuous use case for the data. The users might have also had malicious intent, but there is no evidence to indicate either way. When asked if the company had more information on the identity of these users, Placer.ai sent Motherboard links to two pages on the company’s website. Neither of these had information about the identity of the users. It is not clear if Placer.ai does have identifying information and has decided not to release it, or whether Placer.ai does not know who the users were.

After originally being contacted by Motherboard for comment in May, Placer.ai removed the ability to search for Planned Parenthood related data on its website. In a June blog post, the company said “The Company commits, on a permanent basis, to disabling user access to data about any additional sensitive locations that raise similar concerns–including other reproductive health providers that may not have been identified in the Company’s prior reviews.” This mirrors language included in Placer.ai’s letter to Warren.

Advertisement

In its own response to Warren, SafeGraph also said it would commit to not selling the data of people who visit abortion clinics. The company had already removed Planned Parenthood related data from its store when Motherboard first reported the issue in May.

“Two large data brokers have committed to stop selling the location data of people who visit abortion clinics. This is a good start,” Warren said in a statement published along with the letters. “But with Roe v. Wade dead and states across the country seeking to criminalize essential health care, we can’t rely on the goodwill of Big Tech to protect Americans’ data and safety. That’s why I’m calling on the United States Congress to pass my Health and Location Data Protection Act to ban brokers from selling location and health data and establish serious privacy protections for consumers.” 

Motherboard first reported on the proposed Health and Location Data Protection in Act in June. The legislation plans to essentially outlaw the sale of location data minus some exceptions.

Earlier this month, Google announced it was going to purge location data from the accounts of users who visited abortion clinics. The move came after a group of over 40 members of Congress urged the company to curb the amount of location data it was gathering in preparation for the removal of Roe v. Wade’s protections.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.