FTC Sues Data Broker Over Selling Location Data for Hundreds of Millions of Phones

The U.S. Federal Trade Commission (FTC) on Monday said it filed
a lawsuit against Kochava, a location data broker, for collecting
and selling precise geolocation data gathered from consumers’
mobile devices.

The complaint alleges that the U.S. company amasses^[1]
a “wealth of information” about users by purchasing data from other
data brokers to sell to its own clients.

“Kochava then sells customized data feeds to its clients to,
among other purposes, assist in advertising and analyzing foot
traffic at stores or other locations,” the FTC said^[2]. “Among other
categories, Kochava sells timestamped latitude and longitude
coordinates showing the location of mobile devices.”

The company advertises itself as a “real-time data solutions
company” and the “largest independent data marketplace for
connected devices.” It also claims its Kochava
Collective^[3] data marketplace
provides “premium data feeds, audience targeting, and audience
enrichment” through a privacy-first by
design^[4] approach.

The location data is offered to its customers in the form of a
feed that can be accessed through online data marketplaces for a
$25,000 subscription. As recently as June 2022, it also made
available a free sample dataset for a rolling seven-day period on
the Amazon Web Services (AWS) Marketplace with no restrictions
placed on its usage.

While the marketplace^[5]
currently lists no offerings, an Internet Archive snapshot^[6] saved on August 15,
2021, shows that Kochava had marketed three products at the time
–

• COVID-19: Data for the Greater Good – Global Precision Location
  Data (free)
• US Precision Geo Transactional Feed – Sample (free)
• US Precision Geo Transactional Feed ($25,000)

“This premium U.S. Precision Geo feed delivers raw
latitude/longitude data with volumes around 94B+ geo transactions
per month, 125 million monthly active users, and 35 million daily
active users, on average observing more than 90 daily transactions
per device,” Kochava noted.

It’s worth noting that each pair of timestamped latitude and
longitude coordinates are associated with a device identifier –
i.e., mobile advertising IDs (MAIDs^[7]) – a unique, anonymous
alphanumeric identifier that iOS or Android assigns to each mobile
device.

Although this string can be modified, it requires the consumer
to proactively and manually reset the identifier on a periodic
basis.

Stating that the company’s sale of geolocation data puts
consumers at significant risk, the consumer protection watchdog
said the information enables purchasers to identify and track
specific mobile device users, and worse, combined with other
datasets such as property records to unmask their identity.

“The company’s data allows purchasers to track people at
sensitive locations that could reveal information about their
personal health decisions, religious beliefs, and steps they are
taking to protect themselves from abusers,” the FTC said^[8]. “The release of this
data could expose them to stigma, discrimination, physical
violence, emotional distress, and other harms.”

Kochava, however, has denied the allegations in a countersuit^[9]
it filed against the FTC on August 12, stating they “illustrate a
lack of understanding” of its services and that it links the MAID
information to hashed emails and primary IP addresses.

“Although the Kochava Collective collects latitude and
longitude, IP address and MAID associated with a consumer’s device,
Kochava does not receive these data elements until days after
(unlike a GPS tool, for instance), Kochava does not identify the
location associated with latitude and longitude, nor does Kochava
identify the consumer associated with the MAID,” it said.

The lawsuit comes as the FTC in July cautioned^[10] businesses against the
illegal use and sharing of highly sensitive data and false claims
about data anonymization. Earlier this month, it also announced^[11] that it’s exploring
rules to tackle commercial surveillance practices that collect,
analyze, and profit from personal information.