Privacy researcher worries about a 'scenario where everyone is a sheriff' post-Roe
Editor's Note: This post was originally posted on Recorded Future's The Record website.
“Your phone is the snitch in your pocket,” cybersecurity researcher Zach Edwards told the Click Here podcast. “Every app that you download, the permissions that you give that app, all of the other… companies that are integrated into that app also get those same permissions,” he said.
Edwards’ area of expertise is focusing on data brokers, the companies that bundle up personal information, create anonymous profiles, and then sell it. Among other things, they keep track of the websites you visit, your GPS location, how long you’re staying in one place, and a roster of other bits of your digital dust to create pattern data. Then, anyone with a credit card can buy it.
Shortly after Politico published a Supreme Court draft opinion suggesting the conservative majority was prepared to overturn Roe v. Wade, the landmark decision legalizing abortion, Edwards went into a roster of data broker platforms to see how the information stored there might be weaponized in states that come to outlaw — and possibly criminalize — abortion.
Some of his findings were published in a report by Joseph Cox at Motherboard, which made clear that just about anyone with the inclination and a credit card could access granular data about abortion clinics from public sites like SafeGraph and Placer.ai (both companies have since removed Planned Parenthood as a searchable option).
In the May 24 episode of Click Here, Edwards explained how simple weaponizing data can be and why people living in rural areas need to be especially careful.
The interview has been edited for length and clarity.
Click Here: So why is this data so valuable?
Zach Edwards: So we have a problem where for a long, long time, the [latitude and longitude] of your phone — these pings of exactly where you are — has been bought and sold mostly for things like local car ads and trying to get people concert ticket ads. So it was a slight privacy problem but more of a convenience for people. But now the apps themselves are realizing they can do more than just take that one latitude and longitude. hey pin them all together and they create a pattern of where someone is going and then sell those patterns — they can get tens of hundreds of times the value from it. Many of these companies have access to tens of millions, if not hundreds of millions, of devices. They are basically able to print cash because we have no laws restricting this.
CH: So could you imagine a scenario in which the same sort of thing is used in relation to abortions?
ZE: There’s at least half a dozen data brokers that are selling pattern data at the moment, and a little sunshine is the best disinfectant because many of these products are deeply scary as soon as you dig into it just a little bit. And location data brokers are particularly scary for people who live in rural areas.
Until [two weeks ago], you could go to the Placer.ai homepage and type in Planned Parenthood, and it would populate with Planned Parenthoods all over the United States. If you looked at the data for a Planned Parenthood in an urban location, the pattern data was much more confusing. The lines would stop at an apartment complex with hundreds of potential residents, and it’s not as easy to see who lives at the end of that line. But these rural locations, in quite a few of them the patterns had people who lived in states with current abortion restrictions traveling to a nearby state that has less restrictive abortion restrictions.
I looked at too many maps this past week that were not shared publicly because the person, the pattern or the route from a super rural location to a Planned Parenthood — it could only have been one house, and it’s haunting. It’s frightening to see that today, and there are services that you can do for free.
CH: So if you know about this, aren’t there going to be abortion critics who could get the same data?
ZE: They have. This is the dystopian scenario where everyone is a sheriff. “I am the law” type of stuff. The snitch in your pocket is the snitch next door that wants to get a $10,000 bounty that costs them $1.50 to buy your pattern data. So let’s just think about the classic Hatfield and McCoy rural feud between two families that lived in the middle of nowhere. Well, in 2022, the Hatfields could have bought the pattern data on the McCoy’s, doxed all of the places that they shopped, and basically been able to wait for them at those locations, shame them, yada, yada, yada.
CH: Yeah. It’s sort of like if you live in a small town, everybody knows your business.
ZE: Yeah, now they can buy it, too — for like a buck.
CH: So let me go full dystopian on you. I’m in a rural place. And I want to drive to Planned Parenthood where, for whatever reason, I don’t want to keep this child. Could I get a pop-up on my phone that says, “Don’t do this. There are other alternatives”?
ZE: They’ve already done that. That’s already happening — the geo-fencing around Planned Parenthoods and saying like, “Wait.” Those types of ads have been happening for years, and that’s easy peasy. The concept of just being, like, I have $100,000 a month and I want to target around this half-mile circle — so you may get some of the residential people around them. Who cares? You’re going to definitely get that abortion clinic, too.
Half a mile in an urban area, that could be a couple of hundred thousand people. Half a mile in a rural area is six folks and a guy named Joe. It’s a totally different math, and so that’s what we always say when you’re creating a privacy filter, you must account for population density and urban and rural differences. And if your algorithm isn’t starkly different between those two populations, then you are doxing rural people.
CH: Placer.ai has since changed the ability to just type in Planned Parenthood. So what’s going on now? You can’t just type in Planned Parenthood, but maybe you could type in “clinic” and start to do it basically by changing your search terms?
ZE: That’s exactly right. And I’ll say it because the scary people know how to do this already. So I want everyone to think about your local Planned Parenthood. That Planned Parenthood is within 500 yards of other businesses. So if a data broker only removes the fine-grain visit data for Planned Parenthood, but not the business immediately to the left and right of it, oftentimes you can just search for location data for someone who visited the laundromat next door, get that pattern data, and you’ve actually still just doxed the Planned Parenthood visit. It’s whack-a-mole. If they don’t fix the underlying problem, sophisticated operators will just use the system in a slightly different way and get the same outputs.
CH: So you can just keep drilling, drilling, drilling down until you get to the thing that you want?
ZE: That’s unfortunately correct. It’s a choose-your-own-non-compliant-data-adventure, brought to you by Big Tech and basically allowed because we have no laws to speak of.
CH: Are we being overly paranoid about this or not paranoid enough?
ZE: Well, that’s a good question. I think it’s healthy to be paranoid about the current system while acknowledging that things are changing. It’s a really terrible political reality we’re in. The fact that rights are being taken away from people, the fact that we have to talk about people turning their phones off, all this ridiculous stuff to protect your privacy, it’s awful. So are we being paranoid? Rights that have been enshrined for 40-plus years absolutely appear to be on their way out, and the technical systems that have been built in the last 10 or 15 years are now being able to be applied to these bounty laws, which empower private citizens to track their neighbors. I don’t think we’re paranoid enough about certain things. We all just need to just talk more about people making money off of selling our privacy.