FTC sues data broker for selling people's sensitive location data, including abortion...

midian182

Posts: 8,321   +103
Staff member
What just happened? The Federal Trade Commission (FTC) is suing data broker Kochava over allegations it violated millions of people's privacy by selling their precise locations using data from their phones. The information made it possible to discover unsuspecting phone users' visits to sensitive places such as homeless and domestic violence shelters, addiction recovery facilities, and reproductive health clinics.

The suit states Kochava is, among other things, a location data broker that provides its customers massive amounts of precise geolocation data collected from consumers' mobile devices. The records use timestamps and latitude and longitude values matched with unique mobile device identification numbers, so it's not only possible to see where someone has been but also how long they were there.

The Reg explains that Kochava gets its data from Android and iOS apps and websites that embed its tracker code. This allows developers to monitor users' habits and activities for ad-targeting purposes, and Kochava gets a real-time feed of information to collect and sell. The FTC writes that Kochava also buys personal records from other brokers to resell.

"In numerous instances, [the] defendant has sold, licensed, or otherwise transferred precise geolocation data associated with unique persistent identifiers that reveal consumers' visits to sensitive locations," states the lawsuit.

While this sort of data is usually anonymized, it can be used with other information, such as addresses and times, to identify people. Kochava normal sells the data for thousands of dollars, but it offers a free trial with "minimal steps and no restrictions on usage."

The FTC complaint claims that using the free trial, it could identify a mobile device user that visited a women's reproductive health clinic, then trace the device to a home address. Other samples allowed the tracking of users to places of worship, homeless shelters, and domestic violence shelters.

The concern is that the data could be accessed and used by an abuser looking to track down a victim at a domestic violence center; an employer checking if and how long someone spent at a rehab or homeless clinic; or someone looking to find and prosecute a woman seeking to terminate a pregnancy, which is especially relevant in the wake of Roe vs. Wade being overturned.

"By selling data tracking people, Kochava is enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence," the FTC complaint states.

The FTC is demanding Kochava stop selling sensitive data and delete any such information it has already collected.

Kochava general manager Brian Cox has denied any wrongdoing by the company:

Kochava operates consistently and proactively in compliance with all rules and laws, including those specific to privacy. For the past several weeks, Kochava has worked to educate the FTC on the role of data, the process by which it is collected, and the way it is used in digital advertising. We hoped to have productive conversations that led to effective solutions with the FTC about these complicated and important issues and are open to them in the future. Unfortunately the only outcome the FTC desired was a settlement that had no clear terms or resolutions and redefined the problem into a moving target.

Permalink to story.

 

yRaz

Posts: 4,807   +5,985
1) I don't do anything that I'd really be bothered by people watching. Not that I never do anything wrong, I'm just a degenerate and don't care

2)that doesn't mean that it's okay to track people constantly. Just because I don't care doesn't mean that I want people watching

3)if data is going to be collected like this, make data collection OP-IN and let people get a chunk of the change that these people are making by selling data.

I'm not "giving" my data away at this point, the devices we carry are in many ways more essential than cars in todays society. Our data is being taken and there isn't anything we can do about it. I don't mind selling my data because, again, I'm a degenerate and don't really care what people know about me. However, if this stuff has value, which it obviously does, it shouldn't be given away for other people to sell. I understand that for free services like twitter and facebook, we are the product. However, for many of these services there isn't even a paid option. Or, to cite google, even if you pay for all their services they STILL collect tons of data about you.

 

Uncle Al

Posts: 9,323   +8,520
Just another great example why internet applications should be restricted from gathering personal data and strictly prohibited from hiding permissions in their "fine print". Those that violate should not be bothered by fines and penalties that are just the "cost of doing business", but should be prohibited from using the internet for ANY PURPOSE. Harsh but necessary to protect the end users.
 

TheRealSCDC

Posts: 448   +766
Just another great example why internet applications should be restricted from gathering personal data and strictly prohibited from hiding permissions in their "fine print". Those that violate should not be bothered by fines and penalties that are just the "cost of doing business", but should be prohibited from using the internet for ANY PURPOSE. Harsh but necessary to protect the end users.

We both know that will never happen. It will get worse. And, people imbedding chips into their bodies to access devices. It's a slippery slope, and society fell right off.
 

passwordistaco

Posts: 412   +951
If a "reproductive health clinic" is operating within a certain state, it is presumably legal in that state. There is no "find and prosecute" at play here. No state has authority to prosecute travel to another state.

Regardless of that issue, fine and prosecute Kochava out of existence.
 

summermick

Posts: 147   +177
Stop using Linkedin!
I found my data were sold to six different data brokers, had to request data deletion one by one. Some of they haven't responded to my request yet after 3 years
 
Last edited: