The US government has filed a lawsuit against an Idaho-based data firm accused of selling geolocation data tied to millions of mobile devices, including location information that can reveal visits to abortion clinics, addiction recovery centres and places of worship.
In the first case of its kind in the wake of the US Supreme Court ruling striking down the right to abortion care, a lawsuit from the Federal Trade Commission alleges that Kochava “puts consumers at significant risk” by allowing people and companies to purchase reams of data tracking the movement of mobile devices, which could be used to identify the users.
Data analysis can reveal visits to homeless shelters and centres for survivors of domestic violence, among other places, thus revealing a person’s religion, whether they are in addiction recovery, whether they are survivors of sexual abuse and if they have sought an abortion or work as a provider, according to the lawsuit.
“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” according to Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”
Until at least June 2022, the company “allowed anyone with little effort to obtain a large sample of sensitive data and use it without restriction,” according to the FTC.
Kochava advertises “better insights and actionable data in one operational platform”.
A data sample reviewed by the agency “included precise, timestamped location data collected from more than 61 million unique mobile devices in the previous week”.
The lawsuit includes a screenshot of Kochava data available for sale through the Amazon Web Services data marketplace, including unique identification markers linked to a device, as well as precise mapping coordinates for a particular point in time.
The FTC explains that “a purchaser could use an ordinary personal email address and describe the intended use simply as ‘business’” – a request that would then be sent to Kochava for approval, sometimes in as little as 24 hours, according to the complaint.
With those unique markers, coupled with GPS coordinates, third-party buyers can effectively deanonymise mobile device users, the FTC alleges.
“In fact, in just the data Kochava made available in the [sample], it is possible to identify a mobile device that visited a women’s reproductive health clinic and trace that mobile device to a single family residence,” according to the lawsuit. “The data set also reveals that the same mobile device was at a particular location at least three evenings in the same week, suggesting the mobile device user’s routine.”
Legal analysts and abortion rights advocates have warned that the availability of location data harvested from smartphones could be exploited by anti-abortion activists and law enforcement after the Supreme Court overturned the 1973 ruling in Roe v Wade, enacting restrictive laws criminalising care in more than a dozen states.
In a letter to data firms earlier this year, a group of Democratic senators warned that such data could be used to pursue so-called “bounties” in states that allow citizens to sue abortion providers and people who assist with abortion care, with cash judgments awarding plaintiffs thousands of dollars plus legal fees.
“These and other practices targeting women seeking necessary health care services are almost certain to escalate if Roe v Wade is gutted and abortion is criminalised instantly in states across the nation,” the senators wrote. “Under these circumstances, [your company’s] decision to sell data that allowed any buying customer to determine the locations of people seeking abortion services was simply unconscionable, risking the safety and security of women everywhere.”
In recent months, members of Congress have sponsored several pieces of legislation to restrict how firms sell or transfer sensitive data.
One of those firms, Placer.ai, granted access to reams of data showing approximately where people who have visited Planned Parenthood clinics live. Another firm, SafeGraph, offered relatively cheap location data associated with people who visited abortion clinics. Both firms removed that data following inquiries from Motherboard.
A statement from Kochava general manager Brian Cox to The Independent claims that the lawsuit “shows the unfortunate reality that the FTC has a fundamental misunderstanding of Kochava’s data marketplace business and other data businesses” and states that the company “operates consistently and proactively in compliance with all rules and laws, including those specific to privacy.”
Mr Cox notes that the company installed the capability to block geolocation data from sensitive locations, “effectively removing that data from the data marketplace, and is currently in the implementation process of adding that functionality.”
He said the company also is “constantly monitoring and proactively adjusting our technology to block geo data from other sensitive locations” and has been working to “educate the FTC on the role of data” and how it is used in digital advertising.
“We hoped to have productive conversations that led to effective solutions with the FTC about these complicated and important issues and are open to them in the future,” according to Mr Cox. “Unfortunately the only outcome the FTC desired was a settlement that had no clear terms or resolutions and redefined the problem into a moving target.”