The U.S. Federal Trade Commission (FTC) warned this week that it will crack down on tech companies' illegal use and sharing of highly sensitive data and false claims about data anonymization.
"While many consumers may happily offer their location data in exchange for real-time crowd-sourced advice on the fastest route home, they likely think differently about having their thinly-disguised online identity associated with the frequency of their visits to a therapist or cancer doctor," the FTC's Kristin Cohen said.
The sensitive nature of information about users' health and their precise whereabouts has prompted the agency to caution against opaque practices in the "shadowy ad tech and data broker ecosystem," with consumers having little to no knowledge of how their personal data is harvested, used, and processed.
This lack of awareness is compounded by the fact that mobile apps embed privacy-invasive software development kits (SDKs) that surreptitiously collect and share anonymized user information with third parties, including data aggregators that gather such data from myriad sources and then sell access to it.
"These companies often build profiles about consumers and draw inferences about them based on the places they have visited," the FTC said, adding that the abuse of mobile location and health information exposes users to "significant harm."
To that end, the consumer protection authority said it intends to "vigorously enforce" the law should it uncover cases where location, health, or other sensitive data are exploited for profit or other ulterior motives.
"Companies may try to placate consumers' privacy concerns by claiming they anonymize or aggregate data," it further stated. "Firms making claims about anonymization should be on guard that these claims can be a deceptive trade practice and violate the FTC Act when untrue."
Data anonymization refers to the practice of protecting private or sensitive information by stripping out identifiers such as names, social security numbers, and addresses that connect an individual to stored data.
However, it's been repeatedly established that anonymized data can often be re-identified when combining several datasets, forming a "surprisingly clear picture of our identities."
In 2016, a study found that any four apps selected at random can be used to re-identify a user in a pseudo-anonymized dataset more than 95% of the time based on information collected from 54,893 Android users over a period of seven months.
Then last July, Vice took the wraps off an "entire overlooked industry" that explicitly functions to link mobile advertising IDs (MAIDs) collected by apps to personally identifiable information (PII), effectively defeating the anonymity protections.
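The re-identification problem described above, as an added illustration that is not part of the article: a "de-identified" visit log that has had names removed is joined with a second dataset on the remaining quasi-identifiers (ZIP code, birth year, sex), and a k-anonymity check shows what a data holder should measure before claiming a release is anonymous. All records, names and places are constructed sample data.

```python
from collections import Counter, defaultdict

# Constructed "anonymized" visit log: names stripped, but ZIP code, birth year
# and sex (the quasi-identifiers) were left in place.
VISITS = [
    {"zip": "02139", "birth_year": 1984, "sex": "F", "place": "oncology clinic"},
    {"zip": "02139", "birth_year": 1987, "sex": "M", "place": "coffee shop"},
    {"zip": "10001", "birth_year": 1984, "sex": "F", "place": "therapist"},
    {"zip": "10001", "birth_year": 1984, "sex": "F", "place": "pharmacy"},
]

# Constructed auxiliary dataset that does carry identities (think of a broker
# file or a public register) and shares the same quasi-identifiers.
PEOPLE = [
    {"name": "Alice Example", "zip": "02139", "birth_year": 1984, "sex": "F"},
    {"name": "Bob Example", "zip": "02139", "birth_year": 1987, "sex": "M"},
    {"name": "Carol Example", "zip": "10001", "birth_year": 1984, "sex": "F"},
    {"name": "Dana Example", "zip": "10001", "birth_year": 1984, "sex": "F"},
]

QUASI_IDS = ("zip", "birth_year", "sex")

def key(rec):
    """The quasi-identifier combination that both datasets share."""
    return tuple(rec[q] for q in QUASI_IDS)

def reidentify(visits, people):
    """Linkage: join the two datasets on their quasi-identifiers.
    Returns [(place, [candidate names])]; a single candidate is a unique match."""
    index = defaultdict(list)
    for p in people:
        index[key(p)].append(p["name"])
    return [(v["place"], sorted(index.get(key(v), []))) for v in visits]

def k_anonymity(records):
    """Smallest group size over quasi-identifier combinations.
    k == 1 means some record is unique and can be singled out by linkage."""
    counts = Counter(key(r) for r in records)
    return min(counts.values()) if counts else 0

def generalize(rec):
    """Coarsen quasi-identifiers (ZIP prefix, birth decade, sex suppressed)
    so that every combination is shared by several records."""
    return {**rec, "zip": rec["zip"][:3] + "**",
            "birth_year": rec["birth_year"] // 10 * 10, "sex": "*"}
```

With the full quasi-identifiers the oncology-clinic visit links to exactly one name and k is 1; after `generalize` every combination covers two records, so no visit can be singled out by this join alone.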