What just happened? The Federal Trade Commission (FTC) is suing data broker Kochava over allegations it violated millions of people's privacy by selling their precise locations using data from their phones. The information made it possible to discover unsuspecting phone users' visits to sensitive places such as homeless and domestic violence shelters, addiction recovery facilities, and reproductive health clinics.
The suit states Kochava is, among other things, a location data broker that provides its customers massive amounts of precise geolocation data collected from consumers' mobile devices. The records use timestamps and latitude and longitude values matched with unique mobile device identification numbers, so it's not only possible to see where someone has been but also how long they were there.
1. Today @FTC sued data broker Kochava for selling geolocation data that can be used to track people at addiction recovery facilities, reproductive health clinics, places of worship, shelters, and other sensitive locations.https://t.co/um54nTOHCQ— Lina Khan (@linakhanFTC) August 29, 2022
The Reg explains that Kochava gets its data from Android and iOS apps and websites that embed its tracker code. This allows developers to monitor users' habits and activities for ad-targeting purposes, and Kochava gets a real-time feed of information to collect and sell. The FTC writes that Kochava also buys personal records from other brokers to resell.
"In numerous instances, [the] defendant has sold, licensed, or otherwise transferred precise geolocation data associated with unique persistent identifiers that reveal consumers' visits to sensitive locations," states the lawsuit.
While this sort of data is usually anonymized, it can be used with other information, such as addresses and times, to identify people. Kochava normal sells the data for thousands of dollars, but it offers a free trial with "minimal steps and no restrictions on usage."
The FTC complaint claims that using the free trial, it could identify a mobile device user that visited a women's reproductive health clinic, then trace the device to a home address. Other samples allowed the tracking of users to places of worship, homeless shelters, and domestic violence shelters.
The concern is that the data could be accessed and used by an abuser looking to track down a victim at a domestic violence center; an employer checking if and how long someone spent at a rehab or homeless clinic; or someone looking to find and prosecute a woman seeking to terminate a pregnancy, which is especially relevant in the wake of Roe vs. Wade being overturned.
"By selling data tracking people, Kochava is enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence," the FTC complaint states.
The FTC is demanding Kochava stop selling sensitive data and delete any such information it has already collected.
Kochava general manager Brian Cox has denied any wrongdoing by the company:
Kochava operates consistently and proactively in compliance with all rules and laws, including those specific to privacy. For the past several weeks, Kochava has worked to educate the FTC on the role of data, the process by which it is collected, and the way it is used in digital advertising. We hoped to have productive conversations that led to effective solutions with the FTC about these complicated and important issues and are open to them in the future. Unfortunately the only outcome the FTC desired was a settlement that had no clear terms or resolutions and redefined the problem into a moving target.