• by Wendy Davis  @wendyndavis, June 28, 2023

Mobile data broker Kochava is urging a federal judge to keep the Federal Trade Commission's new privacy complaint sealed from the public, arguing that it contains “misleading” and “false” allegations.

The FTC's amended complaint, filed earlier this month, “includes misleading allegations, that intentionally conflate separate and distinct services offered ... to make impossible conclusory assertions about them and to weave a false narrative that Kochava’s data and/or conduct is responsible for the disclosure of private information,” the company writes in papers filed Wednesday with U.S. District Court Judge B. Lynn Winmill in Coeur D'Alene, Idaho.

Kochava adds that the new complaint “includes known false allegations,” including that Kochava “currently tracks identifiable persons to 'sensitive locations.'”

Kochava denies doing so, and says it has “implemented significant technical safeguards” to prevent third parties from tracking identifiable people to sensitive locations.

The company also reiterates that it currently deploys “privacy block” that removes known health services locations from its marketplace.

Kochava rolled out that feature last August, shortly before the FTC filed suit.

The FTC previously argued that even if Kochava's “privacy block” limits some location disclosures, an injunction against the company would still be warranted.

“Kochava continues to assert that its conduct is not illegal and has made no assurances that it will stop its misconduct in the future,” the FTC said in papers filed last year.

Kochava says in its most recent filing that it plans to ask Winmill to sanction the FTC for filing the amended complaint, unless the agency withdraws the document.

An FTC spokesperson declined to comment.

The new filing marks the latest turn in the FTC's lawsuit against Kochava, brought last August. The FTC alleged in its initial complaint that Kochava sells the kind of precise geolocation data that could expose sensitive information, such as whether people visited doctors' offices or religious institutions. (Kochava had sued the FTC earlier that month, in an attempt to preempt the FTC's complaint; Kochava's suit was dismissed with prejudice in May.)

The FTC claimed Kochava's alleged sale of the information was unfair, arguing that disclosing location data could cause result in stigma, discrimination or other injuries to consumers. The agency also said sharing location data was such an extreme privacy violation that it should be considered harmful in itself.

Among other allegations, the FTC said Kochava sells “timestamped latitude and longitude coordinates showing the location of mobile devices,” as well as mobile advertising IDs -- unique, 32-character identifiers that persist, unless consumers proactively reset them.

The agency added that even though the mobile advertising identifiers are pseudonymous, they can reveal people's actual identities. For instance, the FTC wrote, the location of a smartphone at night could correspond to the user's street address.

Kochava countered in court filings that the data it sells isn't “personally identifiable.”

The company argued that a mobile advertising identifier, even when combined with geolocation coordinates, “does not readily permit an ordinary person to identify a particular individual.”

In May, U.S. District Court Judge B. Lynn Winmill in Idaho threw out the claims, ruling that the FTC's allegations, even if proven true, wouldn't show that Kochava created a “significant risk” of harm to consumers.

Winmill said in his ruling that the FTC didn't allege that any consumers were harmed by Kochava, and that the alleged privacy violation wasn't in itself a “substantial injury.”

He also said any “private information” stemming from Kochava's data would come from unreliable inferences.

“Geolocation data showing that a device visited an oncology clinic twice in one week could reveal that the device user suffers from cancer,” he wrote. “Or it may instead reveal that the person has a friend or family member who suffers from cancer.”

Winmill also said that information that can be inferred from location data “is generally accessible through other, lawful means.”

“A third party may also discover a person’s home address by reviewing publicly accessible property records,” he wrote.

His ruling allowed the FTC to amend its complaint and bring it again.

The FTC did so earlier this month, but filed the new document under seal. One week later, the FTC asked Winmill to make it available to the public on the grounds that Kochava hadn't yet requested sealing any specific passages, and that most of the allegations concern information Kochava has already made public.

“For example,” the agency wrote, “Paragraph 51 excerpts from a document that Kochava designated 'proprietary' or 'highly confidential,' yet Kochava brags about its data identifying consumers based on ethnicity in its own online marketing material,” the FTC asserted. “Kochava cannot assert that information that is already public should remain under seal.”

Kochava is now opposing that motion.

“There is no public interest served by access to the irrelevant, misleading, and outright false allegations, made with knowledge of their untruth, in amended complaint,” Kochava argues. “To the contrary, allowing these assertions into the public record could very well result in the public believing something about Kochava that is not true, particularly since the allegations are made by the government which gives the information an unwarranted appearance of inherent credibility.”

John Davisson, director of litigation at the advocacy group Electronic Privacy Information Center, expressed doubt that Kochava's attempt to prevent the public from learning of the FTC's allegations will succeed.

“Ordinarily if defendants object to characterizations in a complaint, they have the opportunity to rebut that in a motion to dismiss, or an answer,” he says.