FTC accuses data broker of selling sensitive location data
WASHINGTON (AP) — Federal regulators have sued a data broker they accuse of selling sensitive geolocation data from millions of mobile devices, information that can be used to identify people and track their movements to and from sensitive locations, including reproductive health clinics, homeless shelters and places of worship.
The Federal Trade Commission on Monday sued Idaho-based Kochava Inc. amid a charged debate over the privacy of individuals who may be seeking an abortion in the wake of the Supreme Court’s ruling in June ending the constitutional protections for abortion. Although it’s not the first case the FTC has brought against a data broker, experts say it is the first one involving health care data and referencing reproductive health clinics.
“This is potentially a big deal,” Jeff Chester, executive director of the Center for Digital Democracy, a privacy advocacy group, said of the FTC’s action. “They’ve placed a stake in the ground.”
The data-broker industry, which gathers, sells or trades location data from mobile phones, has come under increased scrutiny from Congress and regulators following the Supreme Court decision. Lawmakers have asked the top executives of major tech companies, as well as smaller data brokers, for information about their handling of consumers’ location data from mobile phones, and what steps they have taken to protect the privacy rights of individuals seeking information on abortion.
The FTC this month announced it was looking at drafting rules to crack down on what it sees as harmful commercial surveillance and lax data security by tech companies and others.
In its lawsuit against Kochava filed in federal court in Idaho, the FTC alleges that by selling tracking data, the company enables other parties to identify individuals and exposes them to threats of stigma, stalking, discrimination, job loss and even physical violence. The agency is seeking to halt Kochava’s sale of “sensitive geolocation data” and to compel the company to delete the geolocation data it has collected.
“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” said Samuel Levine, director of the FTC’s consumer protection bureau. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”
The company filed a suit against the FTC earlier this month, after the agency sent Kochava a proposed complaint indicating that it could take the company to court.
On Monday, the company said the FTC’s lawsuit is a sign the agency does not understand the company’s operations or other data businesses.
“”Kochava operates consistently and proactively in compliance with all rules and laws, including those specific to privacy,” said Brian Cox, general manager of Kochava Collective. The company describes itself as the world’s largest independent mobile data marketplace, enabling marketers to “purchase mobile audiences.”
Before the legal proceedings with the FTC began, Kochava unveiled a new capability to block geo data from sensitive locations, Cox said. That effectively removed that data from the data marketplace, and is currently in the implementation process, he said.
“We are constantly monitoring and proactively adjusting our technology to block geo data from other sensitive locations,” he said.
Concerns over consumers’ online privacy deepened last week when allegations surfaced from Twitter’s former security chief that the influential social network misled regulators — including the FTC — about its cyber defenses and efforts to control fake accounts. Among Peiter Zatko’s most serious accusations is that Twitter violated the terms of a 2011 FTC settlement by falsely claiming that it had put stronger measures in place to protect the security and privacy of its users.
In a landmark privacy action, Sephora Inc., one of the world’s largest cosmetics retailers, last week settled a California lawsuit alleging the company sold customer information without proper notice in violation of the state’s consumer privacy law.