• by Wendy Davis , Staff Writer @wendyndavis, September 7, 2022

Late last month, mobile analytics firm Kochava was sued by the Federal Trade Commission for allegedly engaging in an unfair business practice by selling location data -- including information that could reveal visits to sensitive locales like abortion clinics.

On Tuesday, California resident David Greenley piled on with a class-action complaint alleging that Kochava violated state wiretapping laws.

Kochava “collected, sold, licensed, and transferred” precise location data collected from mobile phones, without the owners' consent, Greenley alleges in a class-action complaint brought in U.S. District Court for the Southern District of California.

Greenley's complaint draws on the FTC's lawsuit, and repeats many of the same allegations. He contends that the company is violating various California laws governing the interception of communications.

For its part, Kochava said in legal papers that doesn't “uniquely identify users,” but only links the mobile advertiser identification to “hashed emails and primary IP addresses.”

“Kochava does not collect, then subsequently sell data compilation that allows one to track a specific individual to a specific location,” the company wrote in court documents filed in its dispute with the FTC.

But the FTC (and Greenley) noted that geolocation data, combined with mobile advertising identifiers -- pseudonymous alphanumeric strings -- can be enough to identify individuals.

The FTC said in its complaint against Kochava that data brokers sometimes advertise the ability to match mobile identifiers with names and physical addresses.

What's more, even without that type of service, location data alone can be used to identify people. For example, a mobile device is typically located at the owner's home address overnight, the FTC alleged.

The lawsuits against Kochava come as advocates, public officials and other industry observers are increasingly expressing concerns that law enforcement authorities will harness location data to prosecute women seeking abortions.

Kochava is hardly the only potential supplier of that kind of data.

Last week, the digital rights group Electronic Frontier Foundation posted a blockbuster report about a different business -- Fog Data Science, which obtains location data originally collected by mobile apps, then sells that to law enforcement. Fog reportedly obtains at least some data from Venntel -- a subsidiary of Gravy Analytics, which itself purchases mobile location data from Mobilewalla and other brokers.

In almost all cases the data was originally collected for ad-related purposes before it was resold to data brokers, who ultimately resold it to the police. The information also is almost always tied to mobile ad identifiers or other tracking mechanisms developed by the ad industry.

The digital rights group Electronic Frontier Foundation outlined the process last week, in the post “How Ad Tech Became Cop Spy Tech.”

“Ad IDs are a crucial part of the online advertising ecosystem. Without them (or a similar technique for fingerprinting devices), it’s hard to imagine the data brokers’ current business model continuing to function,” the digital rights group writes. “Certainly, companies like Fog and Venntel would find it much harder to sell individual device’s location data to law enforcement, which would be a huge win for people’s privacy.”