
FTC sues data broker for selling millions of people's 'precise' location info

Which would be very problematic in this post-Roe era

The Federal Trade Commission has accused data broker Kochava of trampling over people's privacy by selling the "precise" whereabouts of hundreds of millions of mobile devices.

The American watchdog alleged in a lawsuit that Kochava's data feeds, which are sold via publicly accessible marketplaces, reveal individuals' visits to reproductive health clinics, places of worship, homeless and domestic violence shelters, addiction recovery facilities, and other sensitive places.

These records, it is claimed, pinpoint – using timestamps and latitude and longitude values – when and where people have been.

Though this information is ideally supposed to be anonymized, there is a concern it can be used with other data to unmask netizens and discover their identities – or simply studied to figure out who they are from their travels and the addresses they stay at.

Kochava can get this data from Android and iOS apps and websites that embed its tracker code. Developers use this toolkit to monitor their users – figuring out what they are interested in, how they use an app, tying their activities to a targeted advertising ID, and so forth – and Kochava would get a real-time feed of information to collect and sell. According to the FTC, Kochava also buys up personal records from other brokers to resell.

"In numerous instances, [the] defendant has sold, licensed, or otherwise transferred precise geolocation data associated with unique persistent identifiers that reveal consumers' visits to sensitive locations," according to the FTC's lawsuit [PDF] filed Monday in a US federal district court.

Selling this type of personal information could cause "substantial injury to consumers" such as stalking, discrimination, job loss, and physical violence, the FTC argues. As such, the regulator claims Kochava is breaking American consumer protection law.

For example, geolocation data could reveal the location of someone involved in domestic violence, and an abuser could use this information to track down a victim at a supposedly secure shelter. It could also show how long someone stayed at a rehab clinic or homeless shelter, which may hurt their future job prospects, the lawsuit stated.

Following the US Supreme Court's decision to overturn Roe v. Wade, and nearly a dozen states' subsequent laws making abortion illegal — some with bounties that incentivize digital witch hunts of women seeking abortions or anyone helping to provide the procedure — this data could also be used to track down and prosecute anyone seeking to end a pregnancy.

According to the court documents:

The data may be used to identify consumers who have visited an abortion clinic and, as a result, may have had or contemplated having an abortion. In fact, in just the data Kochava made available in the Kochava Data Sample, it is possible to identify a mobile device that visited a women's reproductive health clinic and trace that mobile device to a single-family residence. The data set also reveals that the same mobile device was at a particular location at least three evenings in the same week, suggesting the mobile device user's routine. The data may also be used to identify medical professionals who perform, or assist in the performance, of abortion services.

This info was listed for sale on the AWS Marketplace until June, according to the FTC. For $25,000, anyone with a free AWS account could subscribe to the location data feed, the lawsuit alleges. 

Identifying users

A sample of this data examined by the FTC included precise, timestamped location records collected from more than 61 million unique mobile devices in the previous week. When combined with the mobile device's advertising ID (MAID), it would be easy to identify the phone's user, the regulator said.

"The location data sold by Kochava typically includes multiple timestamped signals for each MAID," the lawsuit stated. "By plotting each of these signals on a map, much can be inferred about the mobile device owners. For example, the location of a mobile device at night likely corresponds to the consumer's home address."

In fact, we're told Kochava suggested "household mapping" as a use case for the data in its AWS Marketplace marketing. In other words, using the data to figure out who lives with whom.

The lawsuit seeks an injunction to force the data broker to stop selling consumers' geolocation data and require Kochava to delete the sensitive information it has collected.

"Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn't be sold to the highest bidder," said Samuel Levine, director of the FTC's Bureau of Consumer Protection, in a statement.

The lawsuit also comes about two weeks after Kochava filed a complaint [PDF] against the FTC, which had threatened legal action against the data broker. Kochava sought to head off the FTC at the pass, and foil any court case brought against it by the regulator.

In that filing, the biz denied that it sold precise location data and that this data could be used to track individuals to sensitive locations. Kochava also denied allegations it has poor privacy protections, and questioned whether the FTC had the legal powers to take the company to court over geolocation practices.

Kochava also said users opted into having their data collected when they installed or used apps containing tracking code. "Even if an injury to the consumer did indeed occur," the biz added, "it is reasonably avoidable by the consumer themselves by way the opt-out provision to allow the data collection. In other words, the consumer agreed to share its location data with an app developer."

Cracking down on commercial surveillance

While the FTC specifically goes after Kochava with today's lawsuit, the move is part of a larger effort by the consumer protection agency to crack down on commercial surveillance practices that collect, analyze, and profit from personal information. 

In July, the FTC put businesses on notice that it intends to enforce the law against the illegal use and sharing of highly sensitive consumer data, including sensitive health data. A month later, it announced an effort to formulate privacy rules to deter unwelcome online monitoring and shoddy privacy protections.

Last year, the agency issued a policy statement warning health apps and connected devices that collect or use consumers' health information that they must notify people when a security or privacy breach occurs, and it also took action against fertility-tracking app Flo for sharing sensitive health data with Facebook, Google, and other third parties. ® 
