FTC sues data broker for selling location data for hundreds of millions of phones
The U.S. Federal Trade Commission (FTC) announced on Monday that it has filed a lawsuit against Kochava, a location data broker, for collecting and selling precise geolocation data gathered from consumers’ mobile devices.
The complaint alleges that the American company amasses a “wealth of information” about users by buying data from other data brokers to resell to its own customers.
“Kochava then sells custom data feeds to its customers to, among other things, assist with advertising and foot traffic analysis in stores or other locations,” the FTC said. said. “Among other categories, Kochava sells timestamped latitude and longitude coordinates showing the location of mobile devices.”
The company bills itself as a “real-time data solutions company” and the “largest independent data marketplace for connected devices”. He also claims his Kochava Collective Data Marketplace provides “premium data feeds, audience targeting and audience enrichment” through a privacy first by design approach.
Location data is offered to its customers as a stream accessible through online data marketplaces for a $25,000 subscription. As recently as June 2022, it also made a free sample dataset available for a rolling seven-day period on the Amazon Web Services (AWS) marketplace with no usage restrictions.
- COVID-19: Data for the Common Good – Precision Global Location Data (Free)
- US Precision Geo Transaction Feed – Sample (Free)
- US Geographic Precision Transaction Feed ($25,000)
“This premium US Precision Geo feed provides raw latitude/longitude data with volumes of approximately 94 billion geographic transactions per month, 125 million monthly active users and 35 million daily active users, observing an average of over 90 daily transactions per device,” Kochava noted.
It should be noted that each pair of timestamped latitude and longitude coordinates is associated with a device identifier – i.e. mobile advertising identifiers (MAID) – a unique and anonymous alphanumeric identifier that iOS or Android assigns to each mobile device.
Although this string can be changed, it requires the consumer to periodically and manually reset the identifier.
Stating that the company’s sale of geolocation data puts users at significant risk, the consumer protection watchdog said the information allows buyers to identify and track users of mobile devices specific, and worse, combined with other datasets such as property records to unmask their identity.
“The company’s data allows shoppers to track people in sensitive locations that could reveal information about their personal health decisions, religious beliefs, and steps they take to protect themselves from abusers,” a said the FTC. said. “Publishing this data could expose them to stigma, discrimination, physical abuse, emotional distress and other harm.”
Kochava, however, denied the allegations in a countersuit he filed a lawsuit against the FTC on August 12, saying they “illustrate a lack of understanding” of his services and linking MAID information to hashed emails and primary IP addresses.
“Although the Kochava Collective collects the latitude and longitude, IP address and MAID associated with a consumer’s device, Kochava does not receive these data elements until a few days later (unlike a GPS tool, for example ), Kochava does not identify the location associated with latitude and longitude, nor does Kochava identify the consumer associated with MAID,” he said.
The lawsuit comes as the FTC in July warned companies against illegal use and sharing of highly sensitive data and false claims about anonymizing data. Earlier this month, he also announcement that it explore rules to combat commercial surveillance practices that collect, analyze and profit from personal information.