FTC sues Kochava for selling people’s sensitive location data

The U.S. Federal Trade Commission (FTC) announced on Monday that it has filed a lawsuit against data broker Kochava Inc. for selling geolocation data from “hundreds of millions of mobile devices,” it says, which could be used to trace the movements of individuals, including those to and from sensitive locations. Specifically, the FTC said the data could reveal people’s visits to places like reproductive health clinics, domestic violence or homeless shelters, drug rehabilitation centers and places of worship.

This personal and private information could expose people to “threats of stigma, harassment, discrimination, job loss, and even physical abuse,” the FTC explained in a press release.

The lawsuit seeks to end Kochava’s data collection practices involving sensitive geolocation data and will ask the company to delete data it has already collected.

Its arrival further signals that the FTC is cracking down on mobile data brokers whose business relies on the collection and resale of data from consumers’ smartphones – a long-standing industry practice that has many policy implications for confidentiality, but which is often unknown to the end users who are affected. The move also follows a significant overhaul of tracking by Apple, which updated its mobile operating system to allow consumers to opt out of certain data collection practices on a per-app basis.

More recently, the US House Oversight Committee began investigating how the business practices of period-tracking apps and data brokers could potentially weaponize consumers’ private health data in the post-Roe v. Wade era, TechCrunch reported.

Idaho-based Kochava isn’t a household name, but has a significant footprint in the data collection industry. The company is a location data broker that provides accurate geolocation data from consumers’ smartphones and also purchases data from other brokers to resell to customers. These data feeds are often used by customers who want to analyze things like foot traffic in local stores or other locations. The data itself is very precise – it includes timestamped latitude and longitude coordinates showing the exact location of mobile devices, which are further associated with a unique identifier, such as a device ID, as well as with other information, such as an IP address, device type and more.

This device ID, or mobile advertising ID, is a unique identifier assigned to a consumer’s mobile device to assist marketers who wish to advertise to the end user. Although consumers can reset this identifier at any time, they need to be aware of this and understand where this option is available in their device settings.

According to Kochava’s own description of its product, cited in the FTC complaint, the company offers customers “raw latitude/longitude data with volumes of approximately 94 billion geographic transactions per month, 125 million monthly active users and 35 million daily active users, averaging over 90 daily transactions per device.” It sells its data feeds on a subscription basis on publicly accessible sites, including on AWS Marketplace until June 2022. To access the feed, a buyer would need a free AWS account and $25,000 to subscribe to Kochava’s location data feed. Sample data containing over 327 million rows and 11 columns of data for over 61.8 million unique mobile devices was also available.

This data is not anonymized, according to the FTC, and can be used to identify the user or owner of the mobile device. This is possible because other data brokers specifically sell services that work to match these mobile advertising IDs with offline information, such as consumer names and physical addresses.

In addition to being able to track consumers visiting sensitive locations, the FTC noted that the data could be used to make inferences about a consumer’s LGBTQ+ identification or visits to other medical facilities beyond those that provide reproductive care. It could also be used to link this activity to someone’s home address.

And, in light of the overturning of Roe v. Wade, the FTC points out that this data could be used not only to identify individuals visiting reproductive health clinics, but also medical professionals who perform or assist in the performance of abortion services. This was the subject of a recent report by VICE’s Motherboard, but it focused on another data broker known as SafeGraph. The broker and Placer.ai agreed in July to stop selling the location data of people who visit abortion clinics after Sen. Warren and 13 other senators wrote to the companies seeking answers about their data collection practices and asked them to stop selling visitation data for abortion clinics.

That same month, Google said it would automatically remove location history for “particularly personal” places from users’ accounts, including abortion clinics, shelters, addiction treatment centers and others. It also advised its Fitbit users to manually delete their logs.

The FTC aims to prosecute Kochava based on numerous violations of FTC law, including those involving the unfair sale of sensitive data and consumer harm. It seeks a permanent injunction to prevent future violations and any additional relief determined by the court.

“Where consumers seek health care, receive advice or celebrate their faith, that’s private information that shouldn’t be sold to the highest bidder,” said Samuel Levine, director of the Consumer Protection Office of the FTC, in a statement. “The FTC is suing Kochava to protect people’s privacy and stop the sale of their sensitive geolocation information.”

The Commission’s vote allowing the lawsuit against Kochava to be filed was 4 to 1, with Commissioner Noah Joshua Phillips the only one voting no.

News of this latest action is not surprising. The agency warned companies in July that it planned to enforce the law against the unlawful use and sharing of sensitive consumer data and said this month it was exploring new rules that would further crack down on companies that “collect, analyze and profit from information about people.”

However, this is also not the first action taken by the FTC that directly targets a company involved in the collection of sensitive data. Last year, the FTC took action against fertility tracking app Flo for sharing sensitive data with third parties. The app did not receive a financial penalty, but the action was notable because it was the first time the regulator had ordered notice of such a privacy action.

Kochava said it will release its statement at 2:30 p.m. EDT today. We will update with its response then. [See statement below]

“Harvesting our location behaviors has become a major way for apps, mobile carriers and other ‘location intelligence’ companies to monetize our information,” said Jeff Chester, executive director of the Center for Digital Democracy, an advocate for digital rights and consumer protection, in a statement following the FTC’s announcement. “The FTC says information about the places we visit is sensitive data and cannot be used in the way the surveillance marketing firm expects. With a bipartisan vote supporting the lawsuit, today’s commission action demonstrates that confidentiality is a key issue for both parties. This puts the data and platform industry on notice that they have a serious fight to fight,” he said.

Kochava released the following statement:

This lawsuit shows the sad reality that the FTC has a fundamental misunderstanding of the data market activities of Kochava and other data companies. Kochava operates consistently and proactively in compliance with all rules and laws, including those specific to privacy. Prior to the legal proceeding, Kochava took the initiative to announce a new capability to block geographic data from sensitive locations through Privacy Block, effectively removing such data from the Data Market, and is currently in the process of being implemented to add this feature. In the absence of specificity from the FTC, we are constantly monitoring and proactively adjusting our technology to block geographic data from other sensitive locations. Kochava obtains 100% of the geographic data in our data marketplace from third-party data brokers who all claim that the data comes from consenting consumers. Over the past several weeks, Kochava has worked to educate the FTC on the role of data, the process by which it is collected, and how it is used in digital advertising. We hoped to have productive conversations that led to effective solutions with the FTC on these complex and important issues and we look forward to them in the future. Unfortunately, the only outcome the FTC wanted was a settlement that had no clear terms or resolutions and reframed the problem as a moving target. Real progress in improving data privacy for consumers will not be achieved by flamboyant press releases and frivolous litigation. It is disappointing that the agency continues to circumvent the legislative process and perpetuate misinformation about data privacy.
