Like it or not, tech companies can use your phone location data to map social distancing

Is slowing the spread of coronavirus worth compromising your privacy?

Since the coronavirus pandemic began, businesses from Ford to Facebook have offered up their services, money, and face mask stashes to try to help. Some companies that deal in your data are stepping up, too, offering their data analysis services to try to track or stop the spread of the virus.

On one hand, it’s a welcome change to see this data — data that’s usually supplied by you often without your knowledge or consent, then used to make other companies richer — also being used to help other people. And these days, we can use all the help we can get.

On the other hand, the situation draws attention to just how granular this data collection can be and how little control we have over its collection, who gets it, and what those companies do with it.

Unacast, a data company that collects and provides cellphone location data and analysis to the retail, real estate, marketing, and tourism industries, recently revealed something called the Social Distancing Scoreboard. The scoreboard is an interactive map that assigns letter grades to every state and county in America based on how well Unacast’s data analysis infers that its residents are practicing social distancing. It’s the first product from the company’s new COVID-19 Location Data Toolkit, and over the coming days and weeks, more location data will be added that the company hopes will show trends and patterns.

Unacast

“This is a pro bono initiative,” Jeanne Meyer, a spokesperson for Unacast, told Recode. “They have 25 data scientists that took five years’ work and spent four days cooking this thing up to help with what’s happening.”

One way the maps could help is by showing health officials that surrounding countries are getting better grades, which would imply that their messaging to local residents about social distancing needs improvement.

“What that’s going to tell a local official is, ‘What are we doing? What is that county doing that we’re not?’” Meyer said. “They’re very large conclusions one might draw, but I think the value with this will come over time.” According to the Washington Post, Unacast’s scores haven’t been vetted by public health officials or epidemiologists, so it’s hard to say how reliable they are or what they’ll be able to tell us.

Unacast isn’t the only tech company to use its data these days for what it says is a public good. Facebook’s “Data for Good” program uses de-identified aggregate data from its users to power its Disease Prevention Maps, which can give insights into where people live and where they move that may help health organizations track the spread of diseases or predict where they’ll hit next. Kinsa Health uses data from its smart thermometers to try to detect unusually high levels of illness for its US Health Weather Map, which the company says has accurately predicted the spread of the flu in the past and might be able to track coronavirus outbreaks now.

But Unacast is a bit different. For Facebook’s program and in Kinsa’s app, you have to opt in to having your location tracked, and then you have a direct relationship with those companies. Unacast, on the other hand, collects data about you from a variety of third-party sources. According to its privacy policy, these sources include Unacast’s partners as well as the software development kit, or SDK, it places in apps. (SDKs are a package of tools that make it easier and faster for developers to build apps. Those tools can also include ways to track user data and report it back to the SDK provider. In this case, that’s Unacast.)

The sticking point is that you may grant permission to one of those apps to access your location data without knowing that this location data is also going to Unacast. There’s no easy way for the typical user to see what SDKs an app may use, and app privacy policies usually say the information is going to third parties without revealing who those parties are. Unacast says on its website that its SDK is its “preferred” data source, but when we asked for specifics, the company would not say which apps or partners it works with. An analysis by mobile app intelligence company Apptopia found Unacast’s SDK in all kinds of iOS and Android apps, including smart TV remotes, period trackers, games, free wifi locators, weather forecasters, and step trackers. You can always turn location tracking off for those apps, but some of them obviously need the location services to be able to work at all.

“[Unacast’s] privacy statement basically screams that it’s up to you to monitor which apps you use and your phone settings, if you don’t like the fact that companies like them are getting access to your location data,” Jennifer King, the director of privacy at the Center for Internet and Society at Stanford Law School, told Recode. “In that respect, at least, it’s a bit more helpful than most notices and gives us a decent map as to how they’re getting the data.”

But this means that a company you’ve likely never heard of has a lot of data about your phone and, by extension, you. That data includes your device’s unique advertising identifier; location data specific enough to detect which fast food restaurant the device is in and how long it’s been there; and the network name and MAC address of the wifi router the device is connected to. Unacast’s marketing materials show how specific this data can get:

Unacast

And this very granular data is how Unacast can tell how well people are distancing themselves from each other: In order to deduce how people’s travel patterns have changed, it has to know what those patterns were in the first place, all the way down to the de-identified individual data point.

Unacast also discloses some of this information to third parties, though the company says it never shares identifying data like your name or email address. The company also further hashes, or anonymizes, the device identifiers it pulls in, which adds another layer of anonymity, Meyer explained. That said, it is possible to identify a specific person even from such “anonymized” data points, which is why many privacy advocates prefer using the term “de-identified” data rather than “anonymized,” reasoning that nothing is ever truly anonymous.

Importantly, Unacast’s Social Distancing maps don’t show specific individuals. What the public sees is only the analysis of that data, and it only goes down to the county level. (Unacast CEO and co-founder Thomas Walle goes into more detail on the methodology here). Taken at its word, Unacast is adapting technology and data it already uses for its business purposes to prevent the spread of coronavirus.

While the map itself might be a helpful tool, it also makes these data collection practices that go on behind the scenes — and how specific the data collected can get — much more apparent. Unacast is hardly the only company doing this kind of data crunching. Marketing company oneAudience, for example, puts its SDK in apps to collect information about users. As Facebook claimed in a recent lawsuit, the company also secretly harvested social media data, although oneAudience said this collection was unintentional and that it has updated its SDK to stop it. Unacast says it has always been “committed to protecting and respecting data privacy and see[s] privacy as a key driver for the growth of location technologies” and that it follows all applicable privacy laws, including the European Union’s General Data Protection Regulation and the California Consumer Privacy Act.

There’s no reason to doubt this. The problem is there’s also no way for an average consumer caught up in Unacast’s net to know exactly what’s going on with their location data, including which companies have access to it and which companies are properly protecting it. Broadly speaking, there aren’t federal laws that prevent this data from being collected, and it’s hard for consumers to take advantage of the privacy rights they do have when most of them don’t even know data collection companies like Unacast even exist.

“There is no way that anyone would know that their location data is being collected from any particular app and then sold on to companies like these,” King said. “At least now you have a right (in California) to request that your data be deleted from their dataset, but fundamentally we should have laws that limit the abilities of third parties to collect your location data without your affirmative consent.”

While Unacast is simply repurposing its existing data sources and presenting only anonymous, aggregated data, companies in other countries have been more willing (or forced) to hand over personally identifiable data. The Chinese and Iranian governments have come out with apps that track their citizens’ movements during the pandemic, while Israel is considering tapping into cellphone location data gathered for antiterrorism purposes to track infected people and their contacts. The South Korean government combined several sources, including phone location data, to track the movements of coronavirus carriers. It then made that information public, prompting private developers to turn that data into maps of coronavirus carriers.

There are concerns among privacy advocates that the serious nature of the pandemic could cause privacy rights in this country to erode, too. In which case, the question then becomes: Do the temporary benefits of this data outweigh the long-term privacy implications?

For King, at least, the answer is no.

“Just because we can make pretty maps with people’s data doesn’t mean that we are gaining useful or actionable insights from that data,” King said. “I would want to hear what tools public health researchers say they need and what would help them, rather than what data scientists who have access to location data can cook up.”

Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.