The lawsuit against data broker Kochava seeks to halt the sale of geolocation data from hundreds of millions of devices
The US Federal Trade Commission (FTC) on Monday sued Idaho-based data broker Kochava for selling geolocation data from hundreds of millions of mobile devices that could be used to track consumers.
The FTC said consumer data could be used to trace people’s movements to and from sensitive locations including “reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery facilities”.
The problem gained interest after a supreme court ruling in June overturned the Roe v Wade decision that guaranteed a constitutional right to an abortion. Since then, privacy advocates and the public have called for more limits to the data tech companies collect over concerns that police or other entities could access customers’ search history, geolocation and other information revealing pregnancy plans.
But the lawsuit, which seeks to halt Kochava’s sale of sensitive geolocation data and require the company to delete the sensitive geolocation information it has collected, addresses issues beyond tracking those pursuing abortion care. In the suit, FTC alleges the company allows people to customize their data feed to filter for mobile devices at specific times and locations. This would make it easy to track a user over time or try to, for instance, find out where they live.
“For example, the location of a mobile device at night likely corresponds to the consumer’s home address,” the suit said. “Public or other records may identify the name of the owner or resident of a particular address.”
In fact, the company advertises “Household Mapping” as one of the ways to use its data.
Until recently, the company also made its data available for purchase by the public and “allowed anyone with little effort to obtain a large sample of sensitive data and use it without restriction”, the FTC alleges. For instance, a sample of Kochava’s data – which included 327,480,000 rows and 11 columns of data, corresponding to more than 61,803,400 unique mobile devices – was available on a trial basis on the Amazon Web Services Marketplace as of June 2022 for anyone to access.
Kochava said the FTC “has a fundamental misunderstanding” of how the data marketplace business works and the company works in compliance with all rules and laws, including those specific to privacy.
“We hoped to have productive conversations that led to effective solutions with the FTC about these complicated and important issues and are open to them in the future,” said Brian Cox, general manager of Kochava. Unfortunately, the only outcome the FTC desired was a settlement that had no clear terms or resolutions and redefined the problem into a moving target. Real progress to improve data privacy for consumers will not be reached through flamboyant press releases and frivolous litigation.”
“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”
The FTC said Kochava buys vast troves of location information from other data brokers across hundreds of millions of mobile devices that is packaged into customized data. They then sell that data to clients including retailers looking at foot traffic.
The Kochava data FTC reviewed “included precise, timestamped location data collected from more than 61m unique mobile devices in the previous week”. The FTC lawsuit said Kochava has asserted that it offers “rich geo data spanning billions of devices globally”.
Privacy advocates and experts have pushed regulators to address the dangers that the data broker industry poses, particularly to marginalized communities. In Chicago and Colorado, a group of immigrant rights organizations, including Mijente, has fought to expose and close loopholes that the US Customs and Immigration Enforcement Agency (Ice) uses to get around local and state sanctuary policies by buying location and other information from data brokers instead of law enforcement agencies. But the fight against the data broker industry – and tech companies’ general data collection – has garnered mass appeal after the supreme court’s decision.
In July, Alphabet’s Google said it would delete location data showing when users visit an abortion clinic, after concerns that a digital trail could inform law enforcement if someone terminates a pregnancy illegally. Earlier this month, the FTC said it is considering writing rules to better protect Americans’ privacy and crack down on businesses that collect far-reaching personal information without consumers’ full understanding.
Congressional committees have also reached a compromise on the American Data Privacy and Protection Act, which would limit the data broker industry by putting protections around sensitive data like geolocation and by enabling people to demand companies delete data collected on them. However, as Politico reported, the data broker industry has ramped up its lobbying in response to the bill in an effort to soften some of the data-sharing restrictions.
“This is a great step, but it’s just a first step,” said Albert Fox Cahn, the founder of the Surveillance Technology Oversight Project. “Let’s be clear: it’s not just one abusive vendor, it’s a whole abusive industry. We need to systematically shut down the market for Americans’ location data. No one should have to fear that these shadowy companies will track our most intimate moments and sell them to the highest bidder. And the FTC needs to also target the police departments that misuse this ad data.”