FTC Sues Data Broker

This is good news:

The Federal Trade Commission (FTC) has sued Kochava, a large location data provider, for allegedly selling data that the FTC says can track people at reproductive health clinics and places of worship, according to an announcement from the agency.

“Defendant’s violations are in connection with acquiring consumers’ precise geolocation data and selling the data in a format that allows entities to track the consumers’ movements to and from sensitive locations, including, among others, locations associated with medical care, reproductive health, religious worship, mental health temporary shelters, such as shelters for the homeless, domestic violence survivors, or other at risk populations, and addiction recovery,” the lawsuit reads.

Tags: , , ,

Posted on August 30, 2022 at 6:58 AM9 Comments

Comments

Ulf August 30, 2022 7:46 AM

I would imagine that the stated reasons apply to most, if not all, location data providers. Maybe they don’t all sell the data that can be used to de-anonymize it, but I’m fairly certain that they have it.

Q August 30, 2022 8:54 AM

Is it possible to disable the GPS receiver in a “smart” phone, or make it always give a fixed position? If so, how?

And would that be enough stop all the shenanigans from companies like this? With no data, or useless fixed data, there is nothing to sell.

Clive Robinson August 30, 2022 9:07 AM

@ ALL,

The FTC is throwing it’s weight around on a political rather than a legal or technical basis.

In the past the FBI and DoJ tried to throw it’s weight around with Apple and was shocked to find Apple were fully prepared to fight back, and did, the result the FBI and DoJ did not get what they wanted, pluss they got a public embarrassment as well.

I suspect if “Kochava” which is just an aggregator rather than a collector decided to fight back the FTC would find it could not win in an open court.

But also think about the fact that the FTC is using a delibratively emotional edge case.

Think instead of directly similar data showing Identity thief movments and location, and being used to stop innocent people being persecuted by US banks and similar financial institutions.

As I keep pointing out there is nothing inherently good or bad in the technology, it just performs a function.

The notion of “good or bad” comes from the “observer” from the position of their mores in society.

My personal view is that unrestrained tracking of people can easily be used to their harm thus it should be not just correctly regulated but strongly supervised. Along with people able to have the standing to take legal action individually or collectively against all in the data chain or who have collected the persons data.

Oh and like prndulums that harm swings both ways…

Remember what you or I might see as inocent women managing their reproductive rights, others in legislative and prosecutorial positions within the US States regard them as Harlots, whores and murderers, to be dragged into the modern equivalent of a stoning.

And it realy does not get more emotive or politically entrenched than that. What I predict is that which ever side wins is actually unimportant because ultimately the loosers will be those who make up US society.

Brenden Walker August 30, 2022 9:08 AM

“Is it possible to disable the GPS receiver in a “smart” phone, or make it always give a fixed position? If so, how?”

Turn off location services. That said, if they are gathering cell tower information your position can still be triangulated. If you connect to WIFI hotspots, that information could be used to track rough location.

Turn off bluetooth, wifi, mobile hotspot, location and mobile data should limit exposure.

In addition use a privacy focused browser, or even better DON’T use a browser on your phone at all.

There’s a lot that can be done to minimize exposure to this type of tracking, however it requires work on the consumers part and limits usability of the device.

I use my phone as a phone, in the rare case that I need network access I enable the appropriate feature when needed and disable when not.

As an added bonus my battery lasts weeks between charges.

Ted August 30, 2022 9:49 AM

@Clive, All

The FTC is throwing it’s weight around on a political rather than a legal or technical basis.

According to the lawsuit, the legal basis is:

Acts or practices are unfair under Section 5 of the FTC Act if they cause or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition. 15 U.S.C. § 45(n).

The injuries are enumerated as exposure to stigma, discrimination, physical violence, emotional distress, and other harms.

It looks like until about June 2022 there had been two Kochava datasets available on the AWS Marketplace: a $25,000 location data feed subscription and the Kochava Data Sample.

The Kochava Data Sample was fairly trivial to obtain and had no meaningful controls. It contained precise location data gathered in the prior seven days and, even in just one day, had data that corresponded to over 61 million unique mobile devices.

None August 30, 2022 11:19 AM

I wonder, has anyone checked politicians & 3 levels of consanguinity locations as well as interactions to find instances of undisclosed or unregistered lobbyists?

David Leppik August 30, 2022 1:28 PM

@Q:

Simple. Leave the phone at home.

As Brendon Walker mentioned, location services are a two-way street: there are currently no phone services which decouple your phone number from your phone’s location. (This has been discussed, but no major carrier offers it. I wouldn’t be surprised if Apple started offering its own phone service for exactly that purpose, since it’s doing the same for anonymized web traffic.)

However, right now it’s much too easy to get users to click “allow” to provide precise tracking data—especially on Android.

This is where it’s important to make a distinction between readers of this blog and the general public. The latter has a lot of issues to deal with. Health/dental problems. Unhealthy domestic relationships. Student loans. Employment contracts. These are all things that require either an advanced degree or trusting a third party, and the former might not be enough. Computer security—and computers in general—are just one more thing to add to the list, and like your teeth, it’s not urgent until suddenly it is.

Right now sneaky apps are the low-hanging fruit, since it’s easy to get the public to agree to volunteer their location for some vague pretense. That may be starting to change, especially as young women in the US are discovering how vulnerable they may be. However, as long as there are avenues for the government or government-deputized vigilantes to obtain phone tower metadata, this will not be enough.

Steve August 30, 2022 7:32 PM

Brenden Walker:
… or even better DON’T use a browser on your phone at all.

You’ve just given me an idea, rather than just using a VPN on a phone, it might be interesting to also RDP/VNC into your desktop too so that your browsing is also moved off the phone. I’m sure there would be usability issues, but it might be useful. I’m sure someone has done it.

Petre Peter August 31, 2022 7:18 AM

This is a step in the right direction. However, the paper world also needs attention. Why does my landlord need to have my birth certificate? Are they selling this information to data brokers? I have the feeling that if I ask for a Privacy Policy which states what data is being collected; who has access to it, and how can it be deleted, my application will be tossed aside. Who can I call if I refuse to give my information without receiving a Privacy Policy that states those three things?

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.