The U.S. Federal Trade Commission (FTC) on Monday announced it has filed a lawsuit against data broker Kochava Inc. for selling geolocation data from "hundreds of millions of mobile devices," it says, which could be used to trace the movements of individuals including those to and from sensitive locations. Specifically, the FTC said the data could reveal people's visits to places like reproductive health clinics, domestic violence or homeless shelters, addiction recovery centers and places of worship.
This personal and private information could expose people to "threats of stigma, stalking, discrimination, job loss, and even physical violence," the FTC explained in a press release.
The suit aims to halt Kochava's data collection practices involving sensitive geolocation data and will request that the company delete the data it has already collected.
Its arrival additionally signals the FTC is cracking down on mobile data brokers whose businesses rely on collecting and reselling data from consumers' smartphones -- a longtime industry practice that has numerous privacy implications but is one often unknown to the end users who are impacted. The move also follows a significant rethinking of tracking by Apple, which updated its mobile operating system to allow consumers to opt out of some data collection practices on a per-app basis.
More recently, the U.S. House Oversight Committee began investigating how the business practices of period-tracking apps and data brokers could potentially weaponize consumers' private health data in the post-Roe v. Wade era, TechCrunch reported.
Idaho-based Kochava is not a household name but has a sizable footprint in the data collection industry. The company is a location data broker that provides precise geolocation data from consumers' smartphones and also purchases data from other brokers to resell to clients. These data feeds are often used by clients who want to analyze things like foot traffic at local stores or other locations. This data itself is highly precise -- it includes things like timestamped latitude and longitude coordinates showing the exact location of mobile devices, which is additionally associated with a unique identifier, like a device ID as well as other information, like an IP address, device type and more.
This device ID, or Mobile Advertising ID, is a unique identifier that's assigned to a consumer's mobile device to assist marketers who want to advertise to the end user. Though consumers can reset this ID at any time, they would have to know to do so as well as understand where in their device's settings this option is available.
According to Kochava's own description of its product, cited by the FTC's complaints, the company offers clients "raw latitude/longitude data with volumes around 94 billion+ geo transactions per month, 125 million monthly active users, and 35 million daily active users, on average observing more than 90 daily transactions per device." It sells its data feeds on a subscription basis on publicly accessible sites, including on the AWS Marketplace up until June 2022. To access the feed, a purchaser would need a free AWS account and $25,000 for the Kochava location data feed subscription. A data sample containing over 327 million rows and 11 columns of data related to 61.8+ million unique mobile devices was also available.
This data is not anonymized, the FTC says, and can be used to identify the mobile device's user or owner. This is possible because other data brokers specifically sell services that work to match these Mobile Advertising IDs with offline information, like consumers' names and physical addresses.
In addition to being able to track consumers visiting sensitive locations, the FTC noted the data could be used to make inferences about a consumer's LGBTQ+ identification or visits to other medical facilities beyond those that provide reproductive care. It could be used to tie that activity to someone's home address, too.
And, in light of the reversal of Roe v. Wade, the FTC points out that this data could be used to not only identify people visiting reproductive health clinics but also the medical professionals who perform, or assist in the performance, of abortion services. This was the subject of recent reporting by VICE's Motherboard, but it had focused on a different data broker known as SafeGraph. The broker along with Placer.ai in July agreed to stop selling location data of people who visit abortion clinics after Senator Warren and 13 other senators wrote to the companies to request answers about their data collection practices and asked them to stop selling data related to visits to abortion clinics.
That same month, Google said it would automatically remove location history from "particularly personal" places from users' accounts, including abortion clinics, shelters, addiction treatment centers and others. It also advised its Fitbit users how to delete their logs manually.
The FTC aims to prosecute Kochava based on numerous violations of the FTC Act, including those involving the unfair sale of sensitive data and consumer injury. It's seeking a permanent injunction to prevent future violations and any additional relief as determined by the court.
“Where consumers seek out health care, receive counseling or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a statement. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”
The Commission vote authorizing the filing of the complaint against Kochava was 4-1, with Commissioner Noah Joshua Phillips the only to vote no.
1. Today @FTC sued data broker Kochava for selling geolocation data that can be used to track people at addiction recovery facilities, reproductive health clinics, places of worship, shelters, and other sensitive locations.https://t.co/um54nTOHCQ
— Lina Khan (@linakhanFTC) August 29, 2022
The news of this latest action is not surprising. The agency had warned businesses in July it planned to enforce the law over the illegal use and sharing of sensitive consumer data and said this month it was exploring new rules that would further crack down on businesses that "collect, analyze and profit from information about people."
This is also not the first action the FTC has taken that directly targets a business involved in sensitive data collection, however. Last year, the FTC had taken action against the fertility tracking app Flo for sharing sensitive data with third parties. The app didn't receive a financial penalty but was noteworthy for being the first time the regulator had ordered notice of a privacy action of this kind.
Kochava said it will release its statement at 2:30 p.m. EDT today. We'll update then with its response. [See statement below]
"Harvesting our location behaviors has become a major way that apps, mobile phone carriers and other 'location intelligence' companies monetize our information," noted Jeff Chester, executive director at digital rights and consumer protection advocate Center for Digital Democracy, in a statement following the FTC's announcement. "The FTC is saying that information on the places we visit is sensitive data and cannot be used in the ways the surveillance marketing business has come to expect. With a bipartisan vote supporting the lawsuit, today’s commission action demonstrates privacy is a key issue for both parties. It’s putting the data and platform industry on notice it has a serious fight on its hands," he said.
Kochava released the following statement:
This lawsuit shows the unfortunate reality that the FTC has a fundamental misunderstanding of Kochava’s data marketplace business and other data businesses. Kochava operates consistently and proactively in compliance with all rules and laws, including those specific to privacy. Prior to the legal proceedings, Kochava took the proactive step of announcing a new capability to block geo data from sensitive locations via Privacy Block, effectively removing that data from the data marketplace, and is currently in the implementation process of adding that functionality. Absent specificity from the FTC, we are constantly monitoring and proactively adjusting our technology to block geo data from other sensitive locations. Kochava sources 100% of the geo data in our data marketplace from third party data brokers all of whom represent that the data comes from consenting consumers.For the past several weeks, Kochava has worked to educate the FTC on the role of data, the process by which it is collected and the way it is used in digital advertising. We hoped to have productive conversations that led to effective solutions with the FTC about these complicated and important issues and are open to them in the future. Unfortunately the only outcome the FTC desired was a settlement that had no clear terms or resolutions and redefined the problem into a moving target. Real progress to improve data privacy for consumers will not be reached through flamboyant press releases and frivolous litigation. It’s disappointing that the agency continues to circumvent the lawmaking process and perpetuate misinformation surrounding data privacy.