SafeGraph CEO Auren Hoffman
Photo: SafeGraph

SafeGraph’s CEO glad 'we were called out'

Protocol Enterprise

Hello and welcome to Protocol Enterprise! Today: SafeGraph tells Protocol changes are coming after selling abortion clinic visitor data to customers, GitHub makes two-factor authentication the No. 1 login method, and Twilio’s CEO sees the antidote to the “privacy-focused world.”

Spin up

Companies that move to the cloud often cite a desire for increased speed and agility, but that’s not always the case, at least at first. New research from Tigera found that almost all of the companies it surveyed building cloud-native applications are moving slower than they’d like, with two-thirds of them citing security concerns as the bottleneck.

Location, location, location

“I think it's good that we were called out,” Auren Hoffman, CEO of location data provider SafeGraph, told Protocol on Wednesday.

After Motherboard reported Tuesday that SafeGraph sold information showing where groups of people visiting clinics providing family planning and abortion services had traveled from, how long they stayed and where they traveled afterwards, changes are coming. On Wednesday SafeGraph said “in light of potential federal changes in family planning access,” it would remove the data associated with family planning center locations from its online self-serve data platform and from the API through which it distributes data to customers.

  • SafeGraph calls the data it sells showing the locations where anonymized mobile devices move “Patterns” data.
  • It’s the sort of information that’s been sold by location data providers for years to advertisers, real estate developers and other business customers, as well as government customers.
  • Because SafeGraph and other location providers gather mobile identifiers and precise, time-stamped latitudinal and longitudinal location coordinates, privacy and abortion rights advocates fear that the information could be used to detect when specific people have visited abortion clinics or other sensitive locations, particularly if only a few devices are present in a place at a given time.
  • But Hoffman said data showing movements to and from family planning centers has no commercial value, despite being available as part of SafeGraph’s commercial data products.

When asked why the company has ever made such data available commercially, Hoffman said, “Honestly, it's a good question, so we're reviewing it.”

  • However, Hoffman told Protocol that researchers interested in the data are already complaining about its removal.
  • “Once we decided to take it down, we had hundreds of researchers complain to us about it,” he said. “They want to see, ‘do these new laws dampen family planning visits,’ and stuff like that. And now we're taking that data away from them.”
  • Hoffman said he did not know any information about specific researchers who have complained, though. “I haven't talked to anyone myself,” he said.

Like other providers of controversial location data, SafeGraph began making its data showing where or how often people moved around the country available for free to nonprofit organizations and government agencies around the start of the COVID-19 pandemic.

  • The information was used as a means of assessing whether people complied with social distancing rules, for example.
  • But in general, the “data for good”-style approach also serves as a way for location data providers to deflect data privacy and security concerns about the information they sell.
  • Privacy concerns have gotten in the way of data access by researchers in the past. But the same considerations have been used as a convenient argument by companies such as Meta when it comes to data transparency and access to academic researchers.
  • Hoffman has made a point of emphasizing the need to “democratize” access to the location data the company provides. “Part of democratizing access to data means making it available in a self-serve way. But of course, making data convenient and accessible also has drawbacks. It means we aren’t able to fully control who buys the data. But we’ve never tried to censor or hide anything,” Hoffman wrote in a company blog post earlier this week.

But now Hoffman said that SafeGraph might consider altering its approach to data access.

  • “We could say, only vetted researchers can get access to this data, whereas the broader public can get less access to the data, and that's something we might do.”
  • Still, even though SafeGraph touts its commitment to data transparency by providing detailed documentation of its data online, the company will not name any of its data suppliers.
  • In fact, for years mobile location data providers have been reluctant to name the ad exchanges, mobile app publishers and mobile data aggregators they partner with to provide the information they transform into data products and services.
  • “Since our beginning, we’ve been committed to transparency and providing access to high-quality places data without compromising consumer privacy,” the company wrote in a January blog post.

When asked today whether the company would name any of the partners it works with to supply location data showing patterns of places people visit, Hoffman said he could not.

  • Why? NDAs, he said.
— Kate Kaye (email | twitter)

A MESSAGE FROM PENDO

Our workplace has changed in many ways. Most work now happens inside technology, hybrid work arrangements appear here to stay, and organizations are trying to keep up. Join us NEXT WEEK May 10 at Guide: The Digital Adoption Summit to learn how your org can adapt to the digital workplace.

Learn more

It takes two

[Editor’s note: Meet Kyle Alspach, who just joined Protocol Enterprise this week to cover cybersecurity! We’re thrilled that we can now put more emphasis on this absolutely vital sector of enterprise tech, and you can get in touch with Kyle below.]

GitHub announced Wednesday that it will require developers who contribute code to the repository to use two-factor authentication by the end of 2023, in a drive to better lock down the security of the software supply chain.

Just 16.5% of GitHub.com users currently use two-factor authentication, considered to be a substantially more secure method of logging in given that it requires more than just a password. The two-factor authentication requirement will affect GitHub.com's 83 million users, and is being announced well in advance to "make sure we get this right" in terms of the user experience for developers, said Mike Hanley, chief security officer at GitHub.

In an interview with Protocol, Hanley said the move "has a potential to really bolster the overall security of the software ecosystem." GitHub said that its enterprise customers will also be able to require their developers to use two-factor authentication when accessing their repositories.

The announcement by Microsoft-owned GitHub comes at a time of high anxiety in the enterprise about the potential security risks of open-source software components. This is due in part to rising attacks against software supply chains — which jumped by more than 300% in 2021, according to a report from application protection firm Aqua Security.

Countless software development teams depend on the use of open-source code from repositories such as GitHub. But the insertion of malicious code into a major open-source project — perhaps enabled by a compromised password — can be catastrophic. With widely used open-source code, if an adversary has control for even a short time, "it can be downloaded tens of thousands of times or hundreds of thousands of times," Hanley said.

— Kyle Alspach (email | twitter)

And the data will save us

Off the heels of 48% revenue growth for the quarter, Twilio CEO Jeff Lawson is optimistic the SaaS giant is on its way to profitability. While heavy investments in acquisitions such as the $3.2 billion acquisition of Segment have driven up operating expenses in recent years, Lawson is shifting focus to turning a profit.

Part of that shift will entail capitalizing on those acquisitions. Lawson is counting on first-party data platform Segment to drive continued revenue growth as the privacy landscape continues to shift. “CDPs are the antidote to the privacy-focused world that we’ve entered into,” said Lawson. Update: Twilio later reached out to note that while Lawson did indeed say "antidote," he meant to say "answer," which makes a little more sense.

Even though customer data platforms had a bit of a false start several years ago, Lawson thinks now is their time to shine. “I think the market is ready. And I think that pretty soon, any company that has customers will need a CDP, and we’re building for that world and we’re going to go really after that market,” he said.

— Aisha Counts (email | twitter)

Around the enterprise

Fastly announced that it will begin searching for a new CEO, with current CEO Joshua Bixby planning to step down once that search has been completed.

SAP and Google Cloud linked S/4HANA Cloud and Google Workspace through a new integration that will make it easier to use data stored in SAP within Google’s office productivity tools.

Heroku began resetting customer passwords after a security incident last month, and the change could break applications using Heroku APIs until access tokens are regenerated.

A MESSAGE FROM PENDO

What makes it hard to manage a complex IT portfolio? How can IT take the lead on driving software adoption? What role should cross-departmental partners play in their strategy? You’ll get the answers to these questions and more from leaders at Asana, Linksys, and ELF Beauty during our CIO panel at Guide: The Digital Adoption Summit. Join us NEXT WEEK on May 10.

Learn more

Thanks for reading — see you tomorrow!

Recent Issues

The Dreamforce hangover

Veni, vidi, Vendia?