The EFF, a digital rights group, says it has seen public records (obtained here) that show location data broker Veraset and the District of Columbia (DC) government had struck a deal early in the Covid pandemic last year, allowing the latter full access to highly sensitive, individually identifiable GPS data, harvested from people's mobile devices in the DC area.
Veraset made the offer and DC authorities accepted it, which was followed by half a year of updates coming from the company – that operates a proprietary database for this data, meaning that Veraset's tools cannot be audited or scrutinized by the public – tracking hundreds of thousands of people going about their day.
EFF said that there is no evidence that the data was used for purposes other than Covid research, but that it isn't clear in what way existing policies allow for data to be shared in this manner inside DC government entities. The data flowing in from Veraset was taken over by the DC Office of the Chief Technology Officer (OCTO) and a division of the Office of the City Administrator, writes EFF, and then uploaded to a DC government data sharing system known as “Data Lake.”
This instance of private data brokers and governments working together is not unique but it sheds some new light on how these deals work and what they entail. With the onset of the pandemic, the practice seemed to have started to spread around the world, showing that raw GPS location data was a commodity to be sold and bought on the open market.
The director of the Lab @ DC of the Office of the City Administrator, Sam Quinney, said that the information did not prove useful and that the contract was not renewed after September 2020, while the data would be deleted by the end of this year. Quinn also said the DC government got this data for free.
Veraset, meanwhile, has a “higher profile” spinoff company, Safegraph, that also worked with government and was recently kicked off Google's app store for selling Android users' data.
Veraset claims that datasets it collects feature “only anonymous device IDs” – but EFF writes, “The so-called ‘anonymous' ID in question is the advertising identifier (…) These ad IDs are not really anonymous: an entire industry of ‘identity resolution' services link ad IDs to real identities at scale.”