The United States intelligence community consists of a whopping 17 different agencies, but today you can add an 18th to the list: The CDC.
Just-released documents show that the Centers for Disease Control and Prevention used purchased data to track “compliance with curfews, track patterns of people visiting K-12 schools, and specifically monitor the effectiveness of policy in the Navajo Nation.”
Why the Navajo Nation was targeted is not yet known.
Supposedly, the data the CDC purchased had been anonymized, but security experts “have repeatedly raised concerns with how location data can be deanonymized and used to track specific people.”
According to the documents obtained by Motherboard through the Freedom of Information Act, the CDC monitored “for ongoing response efforts, such as hourly monitoring of activity in curfew zones or detailed counts of visits to participating pharmacies for vaccine monitoring.”
The CDC spent nearly half a million dollars buying smartphone tracking data from SafeGraph. SafeGraph has such a lousy reputation for privacy that last year even Google effectively banned their apps from the Android mobile operating system:
Google has banned a company that sold Android users’ location data for COVID-19 mapping and other purposes, Motherboard reports. SafeGraph was one of several companies that collected geolocation records through plug-ins in other Android apps.
A plugin is a piece of software from one developer that can be used by another developer in their own apps. Finding tracking apps hidden inside innocuous-seeming applications like puzzle games or calculators is common in the Android ecosystem.
Also for our VIPs: Part II: Russia Is Fighting the Ukraine War on Five Fronts: Where Are They Winning?
(Apple has taken measures in iOS against cross-app data sharing and location tracking. Users are opted out by default and must manually opt in to be tracked. However, certain developers — cough, Facebook, cough — are constantly scheming to find ways around those privacy controls.)
Most chilling might be this bit from the Motherboard report:
Zach Edwards, a cybersecurity researcher who closely follows the data marketplace, told Motherboard in an online chat after reviewing the documents: “The CDC seems to have purposefully created an open-ended list of use cases, which included monitoring curfews, neighbor-to-neighbor visits, visits to churches, schools and pharmacies, and also a variety of analysis with this data specifically focused on ‘violence.’” (The document doesn’t stop at churches; it mentions “places of worship.”)
In all, the CDC had — has? — plans for 21 different use-cases for your tracking data.
Furthermore, the CDC deal with Safeguard says that the agency “has interest in continued access to this mobility data as the country opens back up.”
After these last two years, I’ve come to this conclusion.
Every agency of the federal government is a potential spy agency, and every spy agency eventually goes rogue.
