InMobi agrees to pay $950,000 for tracking millions of consumer locations without permission
June 24, 2016 |
The Federal Trade Commission (“FTC”) brought a complaint against InMobi for tracking hundreds of millions of its consumers locations without permission. InMobi represented that it would only track consumers’ locations when they opted in for that function. In fact the tracking device operated whether there was consent or not. Worse, the tracking device operated when there was a specific denial of permission.
In a settlement agreement InMobi agreed to pay a fine of $950,000 and enter into a privacy program wihch will last for 20 years.
The media release provides:
Singapore-based mobile advertising company InMobi will pay $950,000 in civil penalties and implement a comprehensive privacy program to settle Federal Trade Commission charges it deceptively tracked the locations of hundreds of millions of consumers – including children – without their knowledge or consent to serve them geo-targeted advertising.
The FTC alleges that InMobi mispresented that its advertising software would only track consumers’ locations when they opted in and in a manner consistent with their device’s privacy settings. According to the complaint, InMobi was actually tracking consumers’ locations whether or not the apps using InMobi’s software asked for consumers’ permission to do so, and even when consumers had denied permission to access their location information.
The FTC alleges that InMobi, whose advertising network has reached more than one billion devices worldwide through thousands of popular apps, offers multiple forms of location-based advertising to its customers, including the ability to serve ads to consumers based on their current locations, locations they visit at certain times, and on their location over time.
“InMobi tracked the locations of hundreds of millions of consumers, including children, without their consent, in many cases totally ignoring consumers’ express privacy preferences,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “This settlement ensures that InMobi will honor consumers’ privacy choices in the future, and will be held accountable for keeping their privacy promises.”
The complaint alleges that inMobi created a database built on information collected from consumers who allowed the company access to their geolocation information, combining that data with the wireless networks they were near to document the physical location of wireless networks themselves. InMobi then would use that database to infer the physical location of consumers based on the networks they were near, even when consumers had turned off location collection on their device.
The FTC alleges that InMobi also violated the Children’s Online Privacy Protection Act (COPPA) by collecting this information from apps that were clearly directed at children, in spite of promising that it did not do so. The complaint noted that InMobi’s software tracked location in thousands of child-directed apps with hundreds of millions of users without following the steps required by COPPA to get a parent or guardian’s consent to collect and use a child’s personal information.
Under the terms of its settlement with the FTC, InMobi is subject to a $4 million civil penalty, which is suspended to $950,000 based on the company’s financial condition. In addition, the company will be required to delete all information it collected from children, and will be prohibited from further violations of COPPA.
In addition, InMobi will be prohibited from collecting consumers’ location information without their affirmative express consent for it to be collected, and will be required to honor consumers’ location privacy settings. The company will also be required to delete the location information of consumers it collected without their consent and will be prohibited from further misrepresenting its privacy practices. The settlement also will require InMobi to institute a comprehensive privacy program that will be independently audited every two years for the next 20 years.
The Commission vote to authorize the staff to refer the complaint to the U.S. Department of Justice and to approve the proposed stipulated order was 3-0. The DOJ filed the complaint and proposed stipulated order on behalf of the Commission in U.S. District Court for the Northern District of California.
As is invariably the case this agreement has attracted media interest, and with it reputational harm. Ars Technica reported on the settlement in Firm pays $950,000 penalty for using Wi-Fi signals to secretly track phone users stating:
A mobile advertising company that tracked the locations of hundreds of millions of consumers without consent has agreed to pay $950,000 (£640,000) in civil penalties and implement a privacy program to settle charges that it violated federal law.
The US Federal Trade Commission alleged in a complaint filed Wednesday that Singapore-based InMobi undermined phone users’ ability to make informed decisions about the collection of their location information. While InMobi claimed that its software collected geographical whereabouts only when end users provided opt-in consent, the software in fact used nearby Wi-Fi signals to infer locations when permission wasn’t given, FTC officials alleged. InMobi then archived the location information and used it to push targeted advertisements to individual phone users.
Specifically, the FTC alleged, InMobi collected nearby basic service set identification addresses, which act as unique serial numbers for wireless access points. The company, which thousands of Android and iOS app makers use to deliver ads to end users, then fed each BSSID into a “geocorder” database to infer the phone user’s latitude and longitude, even when an end user hadn’t provided permission for location to be tracked through the phone’s dedicated location feature.
“Defendant represented in disclosures… that it tracked the consumer’s location and served geo-targeted ads only if the application developer and the consumer provided access to the location APIs, and the consumer provided opt-in consent,” Wednesday’s complaint, which was filed in San Francisco federal court, stated. “In fact, defendant collected and used BSSID and other Wi-Fi network information to track the consumer’s location and serve geo-targeted ads regardless of the application developer’s intent to include geo-targeted ads, and regardless of the consumer’s location settings.”
According to the FTC, the InMobi advertising network has reached more than one billion devices worldwide through thousands of popular apps that integrate InMobi code. Many of the third-party app makers indicated that their wares were designed for children, many under the age of 13, making the collection a violation of the Children’s Online Privacy Protection Act, the FTC alleged.
“Collectively, hundreds of millions of consumers have downloaded the thousands of child-directed applications from which defendant collected and used personal information,” the complaint stated. “Defendant collected such personal information each time an application made an ad request to their network—typically every 30 seconds when an application is in use.”
Under terms of the settlement, InMobi will pay a civil penalty of $950,000 and delete all information it collected from children and all information collected from adults who didn’t provide their consent. The settlement also requires InMobi to implement a comprehensive privacy program that will be independently audited every two years for the next two decades. InMobi was subject to a $4 million civil penalty, which was lowered to $950,000 “based on the company’s financial condition,” the FTC said in a statement issued Wednesday, without elaborating.
The episode is another reminder of the benefits of turning off mobile device Wi-Fi when a connection isn’t needed. By leaving it on, users often unknowingly leave breadcrumbs that can be used by both access point operators and ad networks to track the comings and goings of the mobile device.
[…] InMobi agrees to pay $950,000 for tracking millions of consumer locations without permission […]