Phone app location data brokers are a growing menace to our privacy and safety. All you did was click a box while downloading an app. Now the app tracks your every move and sends it to a broker, which then sells your location data to the highest bidder.
So three cheers for the Federal Trade Commission for seeking to end this harmful marketplace! The FTC recently sued Kochava, a location data broker, alleging the company violated a federal ban on unfair business practices. The FTC’s complaint against Kochava illustrates the dangers created by this industry.
Kochava harvests and monetizes a staggering volume of location data. The company claims that on a monthly basis, it provides its customers access to 94 billion data points arising from 125 million active users. The FTC analyzed just one day of Kochava’s data, and found 300 million data points arising from 60 million devices.
Kochava’s data can easily be linked to identifiable people. According to the FTC:
The location data provided by Kochava is not anonymized. It is possible to use the geolocation data, combined with the mobile device’s MAID [that is, its “Mobile Advertising ID”], to identify the mobile device’s user or owner. For example, some data brokers advertise services to match MAIDs with ‘offline’ information, such as consumers’ names and physical addresses.
Even without such services, however, location data can be used to identify people. The location data sold by Kochava typically includes multiple timestamped signals for each MAID. By plotting each of these signals on a map, much can be inferred about the mobile device owners. For example, the location of a mobile device at night likely corresponds to the consumer’s home address. Public or other records may identify the name of the owner or resident of a particular address.
Kochava’s location data can harm people, according to the FTC:
[T]he data may be used to identify consumers who have visited an abortion clinic and, as a result, may have had or contemplated having an abortion. In fact, … it is possible to identify a mobile device that visited a women’s reproductive health clinic and trace that mobile device to a single-family residence.
Likewise, the FTC explains that the same data can be used to identify people who visit houses of worship, domestic violence shelters, homeless shelters, and addiction recovery centers. Such invasions of location privacy expose people, in the words of the FTC, to “stigma, discrimination, physical violence, emotional distress, and other harms.”
The FTC Act bans “unfair or deceptive acts or practices in or affecting commerce.” Under the Act, a practice is “unfair” if: (1) the practice “is likely to cause substantial injury to consumers”; (2) the practice “is not reasonably avoidable by consumers themselves”; and (3) the injury is “not outweighed by countervailing benefits to consumers or to competition.”
The FTC lays out a powerful case that Kochava’s brokering of location data is unfair and thus unlawful. We hope the court will rule in the FTC’s favor. Other location data brokers should take a hard look at their own business model or risk similar judicial consequences.
The FTC has recently taken many other welcome actions to protect people’s digital rights. Last month, the agency announced it is exploring new rulemaking against commercial surveillance. Earlier this year, the FTC fined Twitter for using account security data for targeted ads, brought lawsuits to protect people’s right-to-repair, and issued a policy statement against edtech surveillance.