The Federal Trade Commission announced a lawsuit Monday against a major data broker, accusing it of offering services that allow for the tracking of Americans at sensitive locations, such as addiction clinics or domestic violence shelters.
Commissioners voted 4-1 this week to bring a suit against Kochava, Inc., which calls itself the “industry leader for mobile app attribution” and sells mobile geo-location data on hundreds of millions of people. The suit accuses the company of violating the FTC Act, and the agency warns that the company’s business practices could easily be used to unmask the locations of vulnerable individuals—including visitors to reproductive health clinics, homeless and domestic violence shelters, places of worship, and addiction recovery centers.
Kochava, which is based in Idaho, sells “customized data feeds” that can be used to identify and track specific phone users, the FTC said in the suit. Kochava collects this data through a variety of means, then repackages it in large datasets to sell to marketers. The datasets include Mobile Advertising IDs, or MAIDs—the unique identifiers for mobile devices used in targeted advertising—as well as timestamped latitude and longitude coordinates for each device (i.e., the approximate location of the user). The data is ostensibly anonymized, but there are well-known ways to de-anonymize it. The suit claims that Kochava is aware of this, as it has allegedly suggested using its data “to map individual devices to households.”
Subscribing to Kochava’s feeds typically requires a hefty fee, but the FTC says that, until at least June, Kochava also granted interested users free access to a sample of the data. This “free sample” apparently included the location data of about 61 million mobile devices. Authorities say that there were “only minimal steps and no restrictions on usage” of this freely offered information.
“As alleged in @FTC’s complaint, Kochava purchased sensitive geolocation data for hundreds of millions of mobile devices & sold this data in easily re-identifiable form, likely exposing people to threats of stigma, discrimination, and physical violence,” tweeted FTC Chair Lina Khan on Monday. “This action is part of the @FTC’s work to use all of our tools to protect Americans’ privacy.”
Samuel Levine, director of the FTC’s Bureau of Consumer Protection, similarly laid into the company: “Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” Levine said, in a statement. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”
When reached for comment, Kochava claimed in so many words that the FTC didn’t know what it was talking about. Brian Cox, general manager of the Kochava Collective, issued a statement that reads, in part:
“This lawsuit shows the unfortunate reality that the FTC has a fundamental misunderstanding of Kochava’s data marketplace business and other data businesses. Kochava operates consistently and proactively in compliance with all rules and laws, including those specific to privacy.”
Cox also claimed that prior “to the legal proceedings, Kochava took the proactive step of announcing a new capability to block geo data from sensitive locations.” He claims this new feature effectively removes “that data from the data marketplace” and that Kochava is “currently in the implementation process of adding that functionality.” Gizmodo asked Cox to clarify whether he is denying the allegations made in the FTC’s lawsuit or not. We will update this story if he responds.
This isn’t the first time Kochava has been sued over privacy concerns. In 2017, the company was listed as a defendant in a class action lawsuit that accused it of breaking the FTC’s Children’s Online Privacy Protection rule (COPPA). Kochava allegedly helped Disney embed surveillance software in children’s games; the software was then used to collect data on the children and sell it to third-party firms so that those firms could track the children’s behavior “across multiple apps and devices,” the suit claimed. The suit was dismissed on jurisdictional grounds.