The Federal Trade Commission (FTC) has sued Kochava, a large location data provider, for allegedly selling data that the FTC says can track people at reproductive health clinics and places of worship, according to an announcement from the agency.
The news is a dramatic move from the FTC in a post-Roe United States, and signals that the agency will take steps against what it identifies as privacy violations around reproductive health and location data.
Videos by VICE
“Defendant’s violations are in connection with acquiring consumers’ precise geolocation data and selling the data in a format that allows entities to track the consumers’ movements to and from sensitive locations, including, among others, locations associated with medical care, reproductive health, religious worship, mental health temporary shelters, such as shelters for the homeless, domestic violence survivors, or other at risk populations, and addiction recovery,” the lawsuit reads.
Do you know any other companies selling data regarding abortion clinics? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email joseph.cox@vice.com.
In its announcement, the FTC says its lawsuit is seeking to stop Kochava’s sale of sensitive location data and “require the company to delete the sensitive geolocation information it has collected.”
“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said in a statement published with the announcement. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”
As for why the FTC may have targeted Kochava specifically, Zach Edwards, a researcher who has closely followed the data trade, told Motherboard in an online chat “they are huge. Massive. And have more data broker partners than almost anyone in my opinion.”
On its website, Kochava says it delivers “better insights and actionable data in one operational platform.” Kochava sells a spread of products and capabilities based on different datasets, including letting clients gauge the effectiveness of televised adverts.
Sign up for Motherboard’s daily newsletter for a regular dose of our original reporting, plus behind-the-scenes content about our biggest stories.
In its lawsuit, the FTC includes a screenshot of Kochava data available for sale via Amazon Web Services data marketplace. That data includes the unique Mobile Advertising ID (MAID) linked to a device—either an IDFA for Apple devices or an ADID for Android—as well as that device’s precise GPS coordinates for a particular point in time. The lawsuit explains Kochava’s process for requesting a sample of the data and it seems very straightforward.
“A purchaser could use an ordinary personal email address and describe the intended use simply as ‘business.’ The request would then be sent to Kochava for approval. Kochava has approved such requests in as little as 24 hours,” the lawsuit says. One day of the sample data included over 327,480,00 rows and 11 columns data regarding over 61 million unique devices, and the sample included precise location data gathered in the seven days prior to the request being approved, the lawsuit adds.
With this data, the FTC says that by taking that data and plotting it with mapping programs “it is possible to identify which consumers’ mobile devices visited reproductive health clinics.”
As Motherboard has reported, armed with a MAID, third parties can unmask phone users, by turning to certain companies that provide deanonymization services at scale. These companies offer personal information that they have linked to a specific MAID. Even without that service, it can be possible to identify people based on just the location data itself, such as seeing where a device is usually overnight and determining that is where the person sleeps.
The FTC alleges just that. “In fact, in just the data Kochava made available in the Kochava Data Sample, it is possible to identify a mobile device that visited a women’s reproductive health clinic and trace that mobile device to a single family residence. The data set also reveals that the same mobile device was at a particular location at least three evenings in the same week, suggesting the mobile device user’s routine. “The data may also be used to identify medical professionals who perform, or assist in the performance, of abortion services,” the lawsuit adds.
Kochava, in a way, knew this lawsuit was coming. Earlier this month, Kochava filed its own lawsuit against the FTC after reviewing a copy of the FTC’s proposed complaint. At the time of that lawsuit, Kochava defended its data collection practices in a statement to Ars Technica. “Kochava operates consistently and proactively in compliance with all rules and laws, including those specific to privacy. Nonetheless, Kochava has been threatened by the FTC with a lawsuit and a proposed settlement, the merits upon which are not accurate. This is a manipulative attempt by the FTC to give the appearance that it is protecting consumer privacy despite being based on completely false pretenses,” the statement read. After receiving the FTC complaint, Kochava announced a feature called “Privacy Block” which it says “removes health services location data from the Kochava Collective marketplace,” Ars Technica added.
Brian Cox, general manager of Kochava, told Motherboard in an emailed statement that “Kochava sources 100% of the geo data in our data marketplace from third party data brokers all of whom represent that the data comes from consenting consumers. For the past several weeks, Kochava has worked to educate the FTC on the role of data, the process by which it is collected and the way it is used in digital advertising. We hoped to have productive conversations that led to effective solutions with the FTC about these complicated and important issues and are open to them in the future. Unfortunately the only outcome the FTC desired was a settlement that had no clear terms or resolutions and redefined the problem into a moving target. Real progress to improve data privacy for consumers will not be reached through flamboyant press releases and frivolous litigation. It’s disappointing that the agency continues to circumvent the lawmaking process and perpetuate misinformation surrounding data privacy.”
The FTC declined to comment on why it targeted Kochava specifically.
Motherboard has reported on multiple companies selling location data products related to abortion clinic visits. In May, Motherboard found SafeGraph was selling location data of people who visited abortion clinics for as little as $160. Motherboard then found another firm called Placer.ai provided heat maps of where abortion clinic visitors live. Both companies removed the data for sale after Motherboard’s findings.
Updated: This piece has been updated to include a statement from Kochava.
Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.