The US Federal Trade Commission (FTC) announced on Monday that it has filed a lawsuit against Kochava, a location data broker, for collecting and selling precise geolocation data collected from consumers’ mobile devices.
The complaint alleges that the US company collects a “ton of information” about users by buying data from other data brokers to resell to its own customers.
“Kochava then sells customized data feeds to its customers to assist with advertising and foot traffic analysis in stores or other locations, among other things,” the FTC said. said. “Among other categories, Kochava sells time-stamped latitude and longitude coordinates that show the location of mobile devices.”
– Advertising –
The company markets itself as a “real-time data solutions company” and the “largest independent data marketplace for connected devices”. She also claims her Kochava Collective Data Marketplace offers “premium data feeds, audience targeting and audience enrichment” via a privacy-first-design approach.
Location data is offered to its customers as a stream available through online data marketplaces for a $25,000 subscription. As recently as June 2022, it also made a free trial dataset available for a rolling seven-day period on the Amazon Web Services (AWS) marketplace with no usage restrictions.
While the marketplace currently shows no offers, an Internet Archive Snapshot recorded on August 15, 2021 shows that Kochava had released three products at the time –
- COVID-19: Data for the Common Good – Precision Global Location Data (Free)
- US Precision Geo Transaction Feed – Trial (Free)
- US Geographic Precision Transaction Feed ($25,000)
“This premium US Precision Geo feed delivers raw latitude/longitude data with volumes of approximately 94 billion geographic transactions per month, 125 million monthly active users and 35 million daily active users, and observes an average of more than 90 daily transactions per device, ” remarked Kochava. .
It should be noted that each pair of time-stamped latitude and longitude coordinates is associated with a device identifier—ie. mobile advertisement identifiers (MAID) – a unique and anonymous alphanumeric identifier that iOS or Android assigns to each mobile device.
Although this string can be changed, it requires the consumer to periodically and manually reset the identifier.
Determining that the company’s sale of geolocation data poses a significant risk to consumers, the consumer protection watchdog said the information allows buyers to identify and track users of specific mobile devices and worse, combined with other data sets such as property records to reveal their identity.
“The company’s data allows customers to track people in sensitive locations that may reveal information about their personal health decisions, religious beliefs and steps they take to protect themselves from abusers,” the FTC said. said. “Disclosing this data could expose them to stigma, discrimination, physical abuse, emotional distress and other harm.”
However, Kochava denied the allegations in a countersuit he filed against the FTC on August 12, saying they “illustrate a lack of understanding” of his services and that he links MAID information to e-hashed emails and to primary IP addresses addresses.
“Although the Kochava Collective collects the latitude and longitude, IP address and MAID associated with a consumer’s device, Kochava does not receive these data elements until a few days later (unlike, say, a GPS tool), Kochava does not identify the associates location with latitude and longitude, nor does Kochava identify the consumer associated with MAID,” he said.
The lawsuit comes as the FTC warned companies in July against illegal use and sharing of highly sensitive data and false claims about anonymizing data. Earlier this month, it also announced that it is investigating rules to combat commercial surveillance practices that collect, analyze and profit from personal information.