FTC scolds two data brokers for allegedly selling your location to the metre

The FTC has reached a settlement with two data brokerages over allegations they harvested precise location data that shows when people entered hospitals, places of worship, and even attended protests supporting the late George Floyd.

US data sellers Gravy Analytics and Mobilewalla agreed separate settlements [PDF] with the American consumer watchdog this week over claims they bought and sold highly sensitive personal information without consent. This includes location data that Gravy Analytics claimed had a resolution of one metre and would allow a buyer to track which rooms a person visited within a building.

Neither of the companies performed the tracking; instead, they bought logs of people's whereabouts from app developers and other companies that carried out software-based tracking of location, and then resold it. Mobilewalla retained location data on hundreds of millions of devices, while Gravy claimed to have "over 17 billion signals from approximately a billion mobile devices on a daily basis," according to the FTC complaints.

Essentially, apps would make a note, if able to, of their users' locations, and then pass those details on to be packaged up and sold. That info would be collected by some advertising or analytics SDKs, typically. In the case of Gravy and Mobilewalla, this location data was not fully anonymized, it is alleged.

We note Gravy's ads featured the line, "Where we go is who we are."

Key to the FTC's case was consent. In both cases, the data brokers either didn't check that informed consent for data collection had been obtained from netizens – or knew consent had not been granted and carried on using the data anyway.

Both have now agreed to check their databases for information obtained without people's permission, and implement appropriate consent safeguards.

Crucially, they have agreed to delete any improperly collected location data, and promised not to distribute location information of people visiting certain sensitive places, such as medical facilities, schools, religious institutions, and military bases. They will also have to introduce strict privacy policies.

The rulings were both cleared by the watchdog's commissioners in a bipartisan 5-0 vote. Such unanimous decisions are unusual as the FTC’s commissioners reflect a spread of political opinion. Brian Shull, an FTC attorney within the agency's division of privacy and identity protection, told The Register on Tuesday privacy is a bipartisan issue.

"People, no matter whether you're on the right side or left side of the aisle, care about their privacy and about knowing who has their data and what they're doing with it," he explained.

"We've been warning about data brokers and the potential dangers of them for over a decade,” he added, citing past action against data broker Kochava and two other settlements with similar operators. “We are really taking action," he said.

The FTC isn't the only US government body acting on privacy. On Tuesday, the Consumer Financial Protection Bureau (CFPB) proposed new rules to curb the sale of sensitive personal and financial information, such as Social Security numbers and banking details, to those without a legitimate reason. Data brokers would have to be designated "consumer reporting agencies," status that brings much stricter reporting standards and privacy protections.

"By selling our most sensitive personal data without our knowledge or consent, data brokers can profit by enabling scamming, stalking, and spying," said CFPB boss Rohit Chopra. "The CFPB’s proposed rule will curtail these practices that threaten our personal safety and undermine America’s national security."

The move would also require sellers to maintain their databases securely, which has been a major issue of late. Last month, more than 600,000 sensitive files containing thousands of people's info were exposed to the internet after a data broker got sloppy on security and left them in an open AWS S3 bucket. ®