Federal Trade Commission sues Kochava for selling data which tracks people’s movements to sensitive locations

September 6, 2022

The US Federal Trade Commission warned as far back as July that it would focus on illegal sharing of highly sensitive health data. That was preceded by a warning in September 2021 to health apps and connected device companies that they had to comply with health breach notification rules. In June 2021 the FTC settled with Flo Health, a fertility tracking app which inappropriately shared sensitive health data with Facebook and Google. On 11 August 2022 the FTC announced it was embarking on commercial surveillance rulemaking.

In that context it is not surprising that the FTC has commenced proceedings against Kochava for selling data which tracks people when they are involved in sensitive activities, such as attending health clinics and places of worship.

The media release provides:

The Federal Trade Commission filed a lawsuit against data broker Kochava Inc. for selling geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations. Kochava’s data can reveal people’s visits to reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery facilities. The FTC alleges that by selling data tracking people, Kochava is enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence. The FTC’s lawsuit seeks to halt Kochava’s sale of sensitive geolocation data and require the company to delete the sensitive geolocation information it has collected.

“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”

Idaho-based Kochava purchases vast troves of location information derived from hundreds of millions of mobile devices. The information is packaged into customized data feeds that match unique mobile device identification numbers with timestamped latitude and longitude locations. According to Kochava, these data feeds can be used to assist clients in advertising and analyzing foot traffic at their stores and other locations. People are often unaware that their location data is being purchased and shared by Kochava and have no control over its sale or use.

In a complaint filed against Kochava, the FTC alleges that the company’s customized data feeds allow purchasers to identify and track specific mobile device users. For example, the location of a mobile device at night is likely the user’s home address and could be combined with property records to uncover their identity. In fact, the data broker has touted identifying households as one of the possible uses of its data in some marketing materials.

According to the FTC’s complaint, Kochava’s sale of geolocation data puts consumers at significant risk. The company’s data allows purchasers to track people at sensitive locations that could reveal information about their personal health decisions, religious beliefs, and steps they are taking to protect themselves from abusers. The release of this data could expose them to stigma, discrimination, physical violence, emotional distress, and other harms.

The FTC alleges that Kochava fails to adequately protect its data from public exposure. Until at least June 2022, Kochava allowed anyone with little effort to obtain a large sample of sensitive data and use it without restriction. The data sample the FTC examined included precise, timestamped location data collected from more than 61 million unique mobile devices in the previous week. Using Kochava’s publicly available data sample, the FTC complaint details how it is possible to identify and track people at sensitive locations such as:

      • Reproductive health clinics: The data could be used to identify people who have visited a reproductive health clinic and therefore expose their private medical decisions. Using the data sample, it is possible to track a mobile device from a reproductive health clinic to a single-family residence to other places routinely visited. The data may also be used to identify medical professionals who perform, or assist in the performance, of reproductive health services.
      • Places of worship: The data could be used to track consumers to places of worship, and thus reveal the religious beliefs and practices of consumers. The data sample identifies mobile devices that were located at Jewish, Christian, Islamic, and other religious denominations’ places of worship.
      • Homeless and domestic violence shelters: The data could be used to track consumers who visited a homeless shelter, domestic violence shelter, or other facilities directed to at-risk populations. This information could reveal the location of people who are escaping domestic violence or other crimes. The data sample identifies a mobile device that appears to have spent the night at a temporary shelter whose mission is to provide residence for at-risk, pregnant young women or new mothers. In addition, because Kochava’s data allows its customers to track people over time, the data could be used to identify their past conditions, such as homelessness.  
      • Addiction recovery centers: The data could be used to track consumers who have visited addiction recovery centers. The data could show how long consumers stayed at the center and whether a consumer potentially relapses and returns to a recovery center. 

Protecting sensitive consumer data, including geolocation and health data, is a top priority for the FTC. This month, the FTC announced that it is exploring rules to crack down on harmful commercial surveillance practices that collect, analyze, and profit from information about people. In July, the FTC warned businesses that the agency intends to enforce the law against the illegal use and sharing of highly sensitive consumer data, including sensitive health data. Last year, the FTC issued a policy statement warning health apps and connected devices that collect or use consumers’ health information that they must notify consumers and others when that data is breached as required by the Health Breach Notification Rule. In 2021, the agency also took action against the fertility app Flo Health for sharing sensitive health data with third parties.  

The complaint goes into some detail as to what Kochava does, relevantly that:

  • it is a location data broker that provides its customers massive amounts of precise geolocation data collected from consumers’ mobile devices. Through Kochava’s services, customers can “[l]icense premium data” including the “precision location” of a consumer’s mobile device.
  • it sells timestamped latitude and longitude coordinates showing the location of mobile devices. Each pair of timestamped latitude and longitude coordinates is associated with a “device_id_value,” which is also known as a Mobile Advertising ID (“MAID”). A MAID is a unique identifier assigned to a consumer’s mobile.
  • Precise geolocation data associated with MAIDs, such as the data sold by Kochava, may be used to track consumers to sensitive locations, including places of religious worship, places that may be used to infer an LGBTQ+ identification, domestic abuse shelters, medical facilities, and welfare and homeless shelters.
  • The location data provided by Kochava is not anonymized. It is possible to use the geolocation data, combined with the mobile device’s MAID, to identify the mobile device’s user or owner.
  • The location data sold by Kochava typically includes multiple timestamped signals for each MAID. By plotting each of these signals on a map, much can be inferred about the mobile device owners.
  • it employs no technical controls to prohibit its customers from identifying consumers or tracking them to sensitive locations.
  • it lacks any meaningful controls over who accesses its location data feed, including the Kochava Data Sample.
  • consumers typically do not know who has collected their location data and how it is being used. Indeed, once information is collected about consumers from their mobile devices, the information can be sold multiple times to companies that consumers have never heard of and never interacted with.
