The Federal Trade Commission on Monday sued a data broker for allegedly selling location data culled from hundreds of millions of phones that can be used to track the movements of people visiting abortion clinics, domestic abuse shelters, places of worship, and other sensitive places.
In a complaint, the agency said that Idaho-based Kochava has promoted its marketplace as providing “rich geo data spanning billions of devices globally.” The data broker has also said it “delivers raw latitude/longitude data with volumes around 94B+ geo transactions per month, 125 million monthly active users, and 35 million daily active users, on average observing more than 90 daily transactions per device.”
The FTC said Kochava amassed the data by tracking the Mobile Advertising ID, or MAID, from phones and selling the data through Amazon Web Services or other outlets without first anonymizing the data. Anyone who purchases the data can then use it to track the comings and goings of many phone owners. Many of the allegations are based on the agency’s analysis of a data sample the company made available for free to promote sales of its data, which was available online with no restrictions on usage.
“In fact, in just the data Kochava made available in the Kochava Data Sample, it is possible to identify a mobile device that visited a women’s reproductive health clinic and trace that mobile device to a single-family residence,” the complaint alleged. “The data set also reveals that the same mobile device was at a particular location at least three evenings in the same week, suggesting the mobile device user’s routine. The data may also be used to identify medical professionals who perform, or assist in the performance, of abortion services.”
The FTC went on to allege: “In addition, because Kochava’s data allows its customers to track consumers over time, the data could be used to identify consumers’ past conditions, such as homelessness. In fact, the Kochava Data Sample identifies a mobile device that appears to have spent the night at a temporary shelter whose mission is to provide residence for at-risk, pregnant young women or new mothers.”
Kochava officials released a statement that read:
“This lawsuit shows the unfortunate reality that the FTC has a fundamental misunderstanding of Kochava’s data marketplace business and other data businesses. Kochava operates consistently and proactively in compliance with all rules and laws, including those specific to privacy.
“Prior to the legal proceedings, Kochava took the proactive step of announcing a new capability to block geo data from sensitive locations via Privacy Block, effectively removing that data from the data marketplace, and is currently in the implementation process of adding that functionality. Absent specificity from the FTC, we are constantly monitoring and proactively adjusting our technology to block geo data from other sensitive locations. Kochava sources 100% of the geo data in our data marketplace from third party data brokers all of whom represent that the data comes from consenting consumers.
“For the past several weeks, Kochava has worked to educate the FTC on the role of data, the process by which it is collected and the way it is used in digital advertising. We hoped to have productive conversations that led to effective solutions with the FTC about these complicated and important issues and are open to them in the future. Unfortunately the only outcome the FTC desired was a settlement that had no clear terms or resolutions and redefined the problem into a moving target. Real progress to improve data privacy for consumers will not be reached through flamboyant press releases and frivolous litigation. It’s disappointing that the agency continues to circumvent the lawmaking process and perpetuate misinformation surrounding data privacy.”
Two weeks ago, the company sued the FTC in anticipation of Monday’s complaint, alleging its practices comply with all rules and laws and that the agency’s actions were an overreach.
Monday’s complaint said it was possible to access the Kochava data sample with minimal effort. “A purchaser could use an ordinary personal email address and describe the intended use simply as ‘business,’” FTC attorneys wrote. “The request would then be sent to Kochava for approval. Kochava has approved such requests in as little as 24 hours.”
The data sample consisted of a subset of the paid data feed that covered a rolling seven-day period. A single day’s worth of data contained more than 327,480,000 rows and 11 columns, drawn from more than 61.8 million mobile devices.
“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a press release. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”
Allegations like those in the complaint raise a larger question about reining in location tracking by mobile devices. People should carefully review iOS and Android privacy settings to limit apps’ access to location data. Both OSes also allow users to turn off ad personalization, a measure that can limit the use of some identifiers such as MAIDs. iOS further enables users to bar one app from tracking their activity across other apps.
None of these measures guarantees that location data won’t get swept up and sold by companies such as Kochava, but it’s a good practice to follow them anyway.