The U.S. Federal Trade Commission has filed a lawsuit against Idaho-based data broker Kochava. According to the complaint, Kochava has been selling mobile device data that includes sensitive location tracking information. The broker even provided free samples of the data using almost no privacy safeguards. The data in question could allow others to track consumers’ movements. Some of the locations tracked included consumers’ homes, places of worship, medical care facilities, reproductive health locations, and more.
FTC Considers Protecting Sensitive Consumer Data, Including Location Tracking Information, a Top Priority
The FTC is a consumer watchdog in the U.S. As such, it considers one of its top priorities to be protecting sensitive consumer data, including location tracking information. In this vein, the agency recently began exploring rules that will crack down on harmful commercial surveillance practices.
It’s against the law in the U.S. to use and share highly sensitive consumer data without specific safeguards. In July, the FTC warned businesses it would start enforcing those laws more aggressively, and the recent lawsuit against Kochava is part of that action.
According to the complaint filed in the U.S. District Court for the District of Idaho, Kochava is responsible for selling sensitive location tracking information for millions of consumers on the open market. Furthermore, the FTC alleges Kochava doesn’t work hard enough to protect this data from public exposure.
Until June 2022, anyone with a free Amazon Web Services (AWS) account could easily obtain a large free sample of the data Kochava offers for sale. Upon examining this sample, investigators made several rather chilling discoveries about the kind of information Kochava has been selling.
Kochava Freely Distributed Information Tying Consumers to Homes, Places of Worship, Homeless Shelters, and More
Within its complaint, the FTC points out that even Kochava’s free data sample offers precise, timestamped location tracking information tying consumers to some very sensitive locations. The sample contained data collected from more than 61 million mobile devices in the previous week, showing the dates and times those devices were present at:
- Places of worship, including Jewish, Christian, Islamic and other religious denominations’ locations;
- Homeless and domestic violence shelters;
- Reproductive health clinics;
- Addiction recovery centers;
- And even consumers’ homes.
You read that last part right; the data could even be used to infer a consumer’s home address. Since the data is timestamped and includes precise geolocation coordinates, parties with access to the information could infer that a mobile device is at a consumer’s home.
Obtaining this sample turned out to be astonishingly simple. Until at least June 2022, all you needed to do was search the AWS marketplace for Kochava. A purchaser could register for the data sample using an ordinary email address, describing the intended use simply as “business.” Within as little as 24 hours, they’d have access to the sample.
Even worse, the FTC notes the data isn’t anonymized in any way. Each record is associated with a device-unique Mobile Advertising ID (MAID), and some data brokers offer services that match MAIDs with consumer names. Even without such services, just combining the offered data points with public records could tie names to MAIDs.
Exact Number of iPhone Users Affected Unknown, but It’s Still Worrisome
The data sample isn’t readily available any longer and the FTC doesn’t offer a breakdown of which mobile devices are included. Therefore, it’s difficult to say with any certainty how many iPhone and iPad users might be included in the mix. However, Kochava’s own web site makes it clear Apple consumers are definitely at risk here.
One of the solutions Kochava offers includes a tool to automate Apple search ad keywords and other campaign settings. Clearly, the data broker is getting data from iPhone users. That likely means such data includes the sensitive location information most of us don’t really want to be available to the public.
In an age where privacy and security are such a growing concern that iOS needs to incorporate a feature like Lockdown Mode, it’s good to see the U.S. government taking action against unethical data brokers.