The U.S. Federal Trade Commission (FTC) on Monday said it filed a lawsuit against Kochava, a location data broker, for collecting and selling precise geolocation data gathered from consumers' mobile devices.
The complaint alleges that the U.S. company amasses a "wealth of information" about users by purchasing data from other data brokers to sell to its own clients.
"Kochava then sells customized data feeds to its clients to, among other purposes, assist in advertising and analyzing foot traffic at stores or other locations," the FTC said. "Among other categories, Kochava sells timestamped latitude and longitude coordinates showing the location of mobile devices."
The Idaho-based company advertises itself as a "real-time data solutions company" and the "largest independent data marketplace for connected devices." It also claims its Kochava Collective data marketplace provides "premium data feeds, audience targeting, and audience enrichment" through a privacy-first by design approach.
The location data is offered to its customers in the form of a feed that can be accessed through online data marketplaces for a $25,000 subscription. As recently as June 2022, it also made available a free sample dataset for a rolling seven-day period on the Amazon Web Services (AWS) Marketplace with no restrictions placed on its usage.
While the marketplace currently lists no offerings, an Internet Archive snapshot saved on August 15, 2021, shows that Kochava had marketed three products at the time -
- COVID-19: Data for the Greater Good - Global Precision Location Data (free)
- U.S. Precision Geo Transactional Feed - Sample (free)
- U.S. Precision Geo Transactional Feed ($25,000)
"This premium U.S. Precision Geo feed delivers raw latitude/longitude data with volumes around 94B+ geo transactions per month, 125 million monthly active users, and 35 million daily active users, on average observing more than 90 daily transactions per device," Kochava noted.
This highly precise data comprises, among other things, a list of timestamped latitude and longitude coordinates, each of which is associated with a device identifier – i.e., mobile advertising IDs (MAIDs) – a unique, anonymous alphanumeric identifier that iOS or Android assigns to each mobile device.
Although this string can be modified, it requires the consumer to proactively and manually reset the identifier on a periodic basis.
Stating that the company's sale of geolocation data puts users at significant risk, the consumer protection watchdog said the information enables purchasers to identify and track specific mobile device users, and worse, combined with other datasets such as property records to unmask their identity.
"The company's data allows purchasers to track people at sensitive locations that could reveal information about their personal health decisions, religious beliefs, and steps they are taking to protect themselves from abusers," the FTC said. "The release of this data could expose them to stigma, discrimination, physical violence, emotional distress, and other harms."
Kochava, however, has denied the allegations in a countersuit it filed against the FTC on August 12, stating they "illustrate a lack of understanding" of its services and that it links the MAID information to hashed emails and primary IP addresses.
"Although the Kochava Collective collects latitude and longitude, IP address and MAID associated with a consumer's device, Kochava does not receive these data elements until days after (unlike a GPS tool, for instance), Kochava does not identify the location associated with latitude and longitude, nor does Kochava identify the consumer associated with the MAID," it said.
The lawsuit comes as the FTC in July cautioned businesses against the illegal use and sharing of highly sensitive data and false claims about data anonymization. Earlier this month, it also announced that it's exploring rules to tackle commercial surveillance practices that collect, analyze, and profit from personal information.