FTC sues data broker that tracks locations of 125M phones per month
The Federal Trade Commission on Monday sued a data broker for allegedly selling location data culled from hundreds of millions of phones that can be used to track the movements of people visiting abortion clinics, domestic abuse shelters, places of worship, and other sensitive places.
In a complaint, the agency said that Idaho-based Kochava has promoted its marketplace as providing “rich geo data spanning billions of devices globally.” The data broker has also said it “delivers raw latitude/longitude data with volumes around 94B+ geo transactions per month, 125 million monthly active users, and 35 million daily active users, on average observing more than 90 daily transactions per device.”
The FTC said Kochava amassed the data by tracking the Mobile Advertising ID, or MAID, from phones and selling the data through Amazon Web Services or other outlets without first anonymizing the data. Anyone who purchases the data can then use it to track the comings and goings of many phone owners. Many of the allegations are based on the agency’s analysis of a data sample the company made available for free to promote sales of its data, which was available online with no restrictions on usage.
“In fact, in just the data Kochava made available in the Kochava Data Sample, it is possible to identify a mobile device that visited a women’s reproductive health clinic and trace that mobile device to a single-family residence,” the complaint alleged. “The data set also reveals that the same mobile device was at a particular location at least three evenings in the same week, suggesting the mobile device user’s routine. The data may also be used to identify medical professionals who perform, or assist in the performance, of abortion services.”
The FTC went on to allege: “In addition, because Kochava’s data allows its customers to track consumers over time, the data could be used to identify consumers’ past conditions, such as homelessness. In fact, the Kochava Data Sample identifies a mobile device that appears to have spent the night at a temporary shelter whose mission is to provide residence for at-risk, pregnant young women or new mothers.”
A Kochava representative didn’t immediately have a comment. Two weeks ago, the company sued the FTC in anticipation of Monday’s complaint, alleging its practices comply with all rules and laws and that the agency’s actions were an overreach.
Monday’s complaint said it was possible to access the Kochava data sample with minimal effort. “A purchaser could use an ordinary personal email address and describe the intended use simply as ‘business,'” FTC attorneys wrote. “The request would then be sent to Kochava for approval. Kochava has approved such requests in as little as 24 hours.”
The data sample consisted of a subset of the paid data feed that covered a rolling seven-day period. A single day’s worth of data contained more than 327,480,000 rows and 11 columns of data that pulled data from more than 61.8 million mobile devices.
“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a press release. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”
Allegations like those in the complaint raise a larger question about reining in location tracking by mobile devices. People should carefully review iOS and Android privacy settings to limit the apps’ access to location data. Both OSes also allow users to turn off ad personalization, a measure that can limit the use of some identifiers such as MAIDs. iOS further enables users to bar one app from tracking their activity across other apps.
None of these measures guarantees that location data won’t get swept up and sold by companies such as Kochava, but it’s a good practice to follow them anyway.