The Federal Trade Commission on Monday sued a data broker for allegedly selling location data pulled from hundreds of millions of phones that can be used to track the movements of people visiting abortion clinics, domestic abuse shelters, places of worship. and other sensitive places.
in a complain, the agency said Idaho-based Kochava has touted its marketplace as a provider of “rich geographic data spanning billions of devices around the world.” The data broker has also said that it “delivers raw latitude/longitude data with volumes of around 94 billion geographic transactions per month, 125 million monthly active users, and 35 million daily active users, on average observing more than 90 daily transactions per device.
The FTC said Kochava amassed the data by tracking mobile advertising identification, or MAID, from phones and selling the data through Amazon Web Services or other outlets without first anonymizing the data. Anyone who buys the data can use it to track the comings and goings of many phone owners. Many of the allegations are based on the agency’s analysis of a sample of data that the company made available for free to promote sales of its data, which was available online with no restrictions on use.
“In fact, with just the data that Kochava made available in the Kochava data sample, it is possible to identify a mobile device that visited a women’s reproductive health clinic and trace that mobile device back to a single-family residence,” the complaint alleges. . “The data set also reveals that the same mobile device was in a particular location at least three nights in the same week, suggesting the routine of the mobile device user. The data can also be used to identify medical professionals who perform or assist in the performance of abortion services.
The FTC went on to claim, “In addition, because Kochava’s data allows its clients to track consumers over time, the data could be used to identify consumers’ past conditions, such as homelessness. , the Kochava data sample identifies a mobile device that appears to have spent the night in a temporary shelter whose mission is to provide residence to young people at risk, pregnant or new mothers”.
Kochava officials issued a statement that said:
This lawsuit shows the unfortunate reality that the FTC has a fundamental misunderstanding of Kochava’s data market business and other data businesses. Kochava consistently and proactively operates in compliance with all rules and laws, including those specific to privacy.
Prior to legal proceedings, Kochava took the proactive step of announcing a new ability to block sensitive location geodata via Privacy Lock, effectively removing that data from the data marketplace, and is currently in the process of rolling out to add that functionality. In the absence of any specificity from the FTC, we are constantly monitoring and proactively adjusting our technology to block geodata from other sensitive locations. Kochava sources 100% of the geographic data in our data marketplace from third-party data brokers, all of whom represent that the data comes from consenting consumers.
For the past several weeks, Kochava has worked to educate the FTC about the role of data, the process by which it is collected, and how it is used in digital advertising. We looked forward to having productive conversations leading to effective solutions with the FTC on these complicated and important issues, and we are open to them in the future. Unfortunately, the only outcome the FTC wanted was a settlement that had no clear terms or resolutions and redefined the issue as a moving target. Real progress in improving consumer data privacy will not be made through flashy press releases and frivolous litigation. It is disappointing that the agency continues to circumvent the legislative process and perpetuate data privacy misinformation.
Two weeks ago, the company sued the FTC in anticipation of Monday’s complaint, alleging its practices to comply with all rules and laws and that the agency’s actions were overreaching.
Monday’s complaint said it was possible to access Kochava’s data sample with minimal effort. “A buyer could use an ordinary personal email address and describe the intended use simply as ‘business,'” the FTC’s lawyers wrote. “The application would then be sent to Kochava for approval. Kochava has approved such applications in as little as 24 hours.”
The data sample consisted of a subset of the paid data source that covered a continuous period of seven days. Data for a single day contained more than 327,480,000 rows and 11 columns of data that pulled data from more than 61.8 million mobile devices.
“Where consumers seek medical care, receive advice or celebrate their faith is private information that should not be sold to the highest bidder,” Samuel Levine, director of the FTC’s Office of Consumer Protection, said in a statement. Press release. “The FTC is taking Kochava to court to protect people’s privacy and stop the sale of their sensitive geolocation information.”
Allegations such as those in the complaint raise a broader question about how to control location tracking via mobile devices. People should carefully review iOS and Android privacy settings to limit apps’ access to location data. Both operating systems also allow users to disable ad personalization, a measure that can limit the use of some identifiers such as MAID. iOS further allows users to prohibit an app from tracking their activity in other apps.
None of these measures guarantees that location data won’t be swept up and sold by companies like Kochava, but it’s good practice to follow them anyway.