FTC sues data broker for selling millions of people's 'precise' location info
The Federal Trade Commission has accused data broker Kochava of trampling over people's privacy by selling the "precise" whereabouts of hundreds of millions of mobile devices.
The American watchdog alleged in a lawsuit that Kochava's data feeds, which are sold via publicly accessible marketplaces, reveal individuals' visits to reproductive health clinics, places of worship, homeless and domestic violence shelters, addiction recovery facilities, and other sensitive places.
Kochava can get this data from Android and iOS apps and websites that
embed its tracker code. Developers use this toolkit to monitor their users – figuring out what they are interested in, how they use an app, tying their activities to a targeted advertising ID, and so forth – and Kochava would get a real-time feed of information to collect and sell. According to the FTC, Kochava also buys up personal records from other brokers to resell.
"In numerous instances, [the] defendant has sold, licensed, or otherwise transferred precise geolocation data associated with unique persistent identifiers that reveal consumers' visits to sensitive locations," according to the FTC's lawsuit [
PDF] filed Monday in a US federal district court.
Selling this type of personal information could cause "substantial injury to consumers" such as stalking, discrimination, job loss, and physical violence, the FTC argues. As such, the regulator claims Kochava is breaking American consumer protection law.
According to the court documents:
The data may be used to identify consumers who have visited an abortion clinic and, as a result, may have had or contemplated having an abortion. In fact, in just the data Kochava made available in the Kochava Data Sample, it is possible to identify a mobile device that visited a women's reproductive health clinic and trace that mobile device to a single-family residence. The data set also reveals that the same mobile device was at a particular location at least three evenings in the same week, suggesting the mobile device user's routine. The data may also be used to identify medical professionals who perform, or assist in the performance, of abortion services.
This info was listed for sale on the AWS Marketplace until June, according to the FTC. For $25,000, anyone with a free AWS account could subscribe to the location data feed, the lawsuit alleges.
A sample of this data examined by the FTC included precise, timestamped location records collected from more than 61 million unique mobile devices in the previous week. When combined with the mobile device's advertising ID (MAID), it would be easy to identify the phone's user, the regulator said.
Kochava also said users opted into having their data collected when they installed or used apps containing tracking code. "Even if an injury to the consumer did indeed occur," the biz added, "it is reasonably avoidable by the consumer themselves by way the opt-out provision to allow the data collection. In other words, the consumer agreed to share its location data with an app developer."