The data broker Kochava is said to have sold location data that could reveal abortion seekers. The protection of health-related data is coming into focus.
The U.S. Federal Trade Commission (FTC) is suing app analytics company Kochava for allegedly selling sensitive location data that can be used to identify certain abortion seekers, religious believers, or others who may be at risk of discrimination, intimidation, or even harassment threatened with violence.
The lawsuit (PDF) filed Monday alleges that Kochava failed to comply with basic data protection regulations over location data, which is collected largely without the knowledge of cellphone owners. “Kokhava’s data can provide insight into people’s visits to reproductive health clinics, places of worship, homeless shelters, domestic violence facilities and addiction hospitals,” the FTC said in a press release. “By selling tracking data, Kochava enables others to identify individuals and expose them to risk of stigma, stalking, discrimination, job loss and even physical violence.” Kochava is being asked by the FTC to stop selling sensitive information and delete all information collected. Kochava is a marketing data company that counts big brands like Disney, McDonald’s and Hilton among its clients.
Criminal prosecution based on location data conceivable
The lawsuit follows a promise by the FTC to stop the sharing of medical location data. This is a widespread problem that has become particularly explosive in the US abortion debate. Following the Supreme Court decision this year overturning federal abortion rights, the FTC has signaled that it will increasingly focus on protecting health-related information.
Anti-abortion activists in the US are already collecting data from clinics for law enforcement. Body cameras and license plate tracking are being used to track people coming to abortion clinics.
US civil rights organizations are worried about privacy after the abortion ruling. They warn that new US federal laws restricting abortions could result in abortion seekers’ location data being used as evidence of wrongdoing against them. There is growing concern that a person’s digital fingerprint – including websites visited, location data from a phone or private messages on a social platform – could be used in the future to prosecute someone who has performed an abortion. However, the tech industry is largely silent on the data protection issue.
Under pressure from Democratic Senator Elizabeth Warren and others, data brokers SafeGraph and Placer.ai pledged to stop selling geolocation data around reproductive health clinics. Google recently announced that it will delete location data after visiting abortion clinics.
Kochava’s data openly available
According to the FTC, Kochava’s data was not anonymized, so by combining the location data with data from other sources, it was possible to determine an individual’s true identity from the information offered by Kochava. In the investigation that led to the lawsuit, the FTC says it analyzed a sample of Kochava that included more than 60 million unique mobile devices in a single week. Kochava’s data contains accurate, time-stamped latitude and longitude information for individual consumers, the lawsuit alleges.
According to them, using a free sample of Kochava data, the FTC was able to identify a mobile device that visited a women’s reproductive health clinic and then associated it with a home address that would likely reveal the identity of the user. The FTC is asking Kochava to take security precautions in sensitive locations, which could be done at a “reasonable” cost.
