FTC says data broker sold consumers’ precise geolocation, including attendance at sensitive healthcare facilities

When people seek medical attention or visit other sensitive places, they may think their presence is confidential. Most consumers are unaware that if they have their phone with them, their location – for example, in a women’s health clinic, therapist’s office, addiction treatment center or place of worship – can be collected by technology companies. From there, this unique personal data becomes another commodity bought and sold in the dark information market. An FTC lawsuit against data broker Kochava Inc. alleges that the company acquired consumers’ precise geolocation data and then marketed it in a form that allowed Kochava’s customers – both subscribers and potential customers who signed up for a free Kochava “sample” – to track consumers’ movements to and from sensitive places. The complaint alleges that Kochava’s conduct constitutes an unfair trade practice, in violation of the FTC Act.

Kochava acquires location data from other data brokers based on information collected from consumers’ mobile devices. Kochava then compiles these into personalized data feeds, which it markets to business customers who want to know where consumers are and what they are doing. The amount of location data Kochava has on consumers is staggering. In showcasing its products, Kochava offers what it describes as “rich geographic data spanning billions of devices worldwide”, further claiming that its location feed “provides raw latitude/longitude data with volumes of about 94 billion geographic transactions per month, 125 million monthly active users, and 35 million daily active users, observing an average of more than 90 daily transactions per device.”

The FTC says Kochava wasn’t kidding when describing both the breadth and specificity of the data it sells. For example, on the Amazon Web Services (AWS) marketplace, Kochava used this table to attract new customers:

According to the FTC, Kochava explained to potential customers that its data would link two key pieces of information for marketers: the timestamped latitude and longitude coordinates of a mobile device’s location and its Mobile Advertising ID (MAID) – a unique identifier assigned to a consumer’s mobile device. The FTC alleges that Kochava’s location data was not anonymized and, therefore, [i]t is possible to use geolocation data, combined with the MAID of the mobile device, to identify the user or the owner of the mobile device.

How do these technical specifications translate to the sensitive contexts cited in the FTC’s complaint? They mean that Kochava’s data would let customers know that Joe Jones’ cell phone (and thus Joe Jones) walked into a psychiatrist’s office or stayed in a homeless shelter, or that Mary Smith visited a center that provides abortion services. According to the complaint, the information could be even more specifically linked to an individual: [I]t is possible to identify a mobile device that has visited a women’s reproductive health clinic and trace that mobile device to a single-family residence. The dataset also reveals that the same mobile device was in a particular location on at least three evenings during the same week, suggesting the mobile device user’s routine.

This concern is compounded by the FTC’s allegation that Kochava was selling access to its data feeds on publicly available news marketplaces and, until recently, even making free samples available with what the FTC describes as “only minimal steps and no usage restrictions.” According to the complaint, to gain access to a sample, a potential customer could use a regular personal email address and describe its intended use with something as generic as “business.” And let’s be clear: the sample was much more than a scrap. The FTC says it was a seven-day subset of the paid data stream. Converted to a spreadsheet, the sample would have filled 327,480,000 rows and 11 columns of data, corresponding to more than 61,803,400 mobile devices. According to the complaint, even the free sample included highly sensitive data: “In fact, Kochava’s data sample identifies a mobile device that appears to have spent the night in a temporary shelter whose mission is to provide residence to young at-risk pregnant women or new mothers.”

You’ll want to read the complaint for more details, but another troubling allegation is that, according to the FTC, “Kochava does not employ any technical controls to prohibit its customers from identifying consumers or tracking them to sensitive locations. For example, it does not use a blacklist that suppresses or hides in its dataset location signals around sensitive locations, such as women’s reproductive health clinics, drug rehabilitation centers and other medical establishments.”
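The kind of control the complaint says was missing can be sketched as a geofence filter applied to a feed before it leaves the broker. This is an added example, not Kochava's code or anything taken from the complaint; the site coordinates, the 250 m radius, the row field names and the sample rows are all constructed assumptions.

```python
import math
from collections import Counter

EARTH_RADIUS_M = 6_371_000
RADIUS_M = 250  # assumed radius; must cover the site footprint plus GPS error

# Constructed deny-list of (category, latitude, longitude); not real facilities.
SENSITIVE_SITES = [("clinic", 43.6150, -116.2023), ("shelter", 43.6200, -116.2100)]

# Constructed rows in the shape the article describes: MAID, timestamp, lat/lon.
SAMPLE_FEED = [
    {"maid": "maid-0001", "ts": "2022-08-01T09:00:00Z", "lat": 43.6151, "lon": -116.2024},
    {"maid": "maid-0002", "ts": "2022-08-01T09:05:00Z", "lat": 43.7000, "lon": -116.3000},
    {"maid": "maid-0003", "ts": "2022-08-01T23:10:00Z", "lat": 43.6200, "lon": -116.2125},
    {"maid": "maid-0004", "ts": "2022-08-01T23:15:00Z", "lat": None, "lon": -116.2100},
    {"maid": "maid-0005", "ts": "2022-08-01T23:20:00Z", "lat": 43.6150, "lon": -116.2073},
]

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def valid_coord(lat, lon):
    """True only for numeric, in-range coordinates (NaN fails the range test)."""
    return (isinstance(lat, (int, float)) and isinstance(lon, (int, float))
            and -90 <= lat <= 90 and -180 <= lon <= 180)

def suppress(feed, sites=SENSITIVE_SITES, radius_m=RADIUS_M):
    """Return (kept_rows, Counter of drop reasons) for one feed batch."""
    kept, dropped = [], Counter()
    for row in feed:
        lat, lon = row.get("lat"), row.get("lon")
        if not valid_coord(lat, lon):
            dropped["invalid"] += 1  # fail closed: a row we cannot check is not released
            continue
        hit = next((cat for cat, s_lat, s_lon in sites
                    if haversine_m(lat, lon, s_lat, s_lon) <= radius_m), None)
        if hit:
            dropped[hit] += 1  # counted per category for audit, row itself discarded
        else:
            kept.append(row)
    return kept, dropped

if __name__ == "__main__":
    kept, dropped = suppress(SAMPLE_FEED)
    print([r["maid"] for r in kept], dict(dropped))
```

Dropping individual pings removes the direct visit record, but the same MAID still appears elsewhere in the feed, so a filter like this addresses only the sensitive-location signal, not the identifier linkage the complaint also describes.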

From the FTC’s perspective, the harm suffered by consumers is significant, given that Kochava’s disclosure of highly sensitive information – for example, that a person might be considering an abortion, seeking mental health care, or attending a particular place of worship – could expose them to stigma, harassment, discrimination, job loss and even physical violence. Moreover, consumers could hardly be expected to take steps to avoid these injuries since they did not know that Kochava was tampering with their information in the first place.

The single-count lawsuit, which is pending in federal court in Idaho, alleges that Kochava’s selling, transferring or licensing of precise geolocation data associated with unique persistent identifiers that reveal consumers’ visits to sensitive locations is an unfair practice in violation of the FTC Act.
