'Likely to cause substantial injury:' Why the FTC put Kochava in the spotlight

When a little-known tech vendor came under investigation last week for allegedly selling data that links people to abortion clinic visits, it put a spotlight on an industry of jumbled data connections and undisclosed deals.

Map with location service

The FTC complaint described a process that can be used to decipher someone’s identity when location data includes the times devices appeared in a certain place, as Kochava’s data does.

Illustration: Christopher T. Fong/Protocol

When a little-known tech vendor called Kochava came under investigation last week by the Federal Trade Commission for allegedly selling data that can link identifiable people to abortion clinic visits, it put a spotlight on a digital ad and data industry driven by jumbled data connections and shielded through undisclosed deals.

Amid digital advertisers and app makers, Kochava is best known for providing mobile app and advertising measurement and analytics services, helping app publishers track and verify the number of app installs that come through paid partners. Advertisers also work with the company to track the performance of their advertising, to customize mobile ad targeting to specific groups of people or to purchase Kochava data to add to the information they already have about customers.

“You go to [Kochava] if you don’t trust your partners and you want raw data to track [mobile app installs and advertising],” said a digital ad tech practitioner who worked with Kochava on behalf of an advertiser client in the past, and asked not to be named in the story.

Now the FTC is cracking down on the unintended consequences of that obfuscated chaos.

In its complaint against Kochava, the FTC alleged that location data sold by the company — which was readily available for purchase in places including Amazon’s AWS data marketplace — was provided in a form that could identify people who visit sensitive locations such as reproductive health or addiction recovery centers, places of religious worship or homeless or domestic violence shelters.

Plausible data deniability

Kochava says its advertising and app measurement services are distinct from its data marketplace business, which is at the heart of the FTC complaint. The company says each business lives in a distinct cloud instance managed under separate accounts.

Kochava will not reveal where the data sold in that marketplace comes from, according to a source familiar with the company's strategy. In fact, in some cases, even the company itself does not know.

As is de rigueur in the opaque mobile location data industry, partnerships are almost always obscured by non-disclosure agreements. Companies that sell location data or provide other types of data services often do not reveal the original sources of the information they gather, package and sell.

When Kochava introduced its marketplace business in 2017, the company said the data sold there would come through its free app analytics service, from mobile ad networks and from app publishers and other partners. At the time, the company only named one data supplier that aimed to monetize its data by partnering with Kochava: AreaMetrics, a consumer-facing mobile app that offered location-based restaurant reviews.

But Kochava said it only derives the precise location data sold in its marketplace from data brokers and does not obtain precise location data sold in its marketplace from direct data supplier relationships with app publishers or through its free analytics product.

Still, Kochava wants legal protection to take those steps. It currently requires companies using that free analytics product to agree to a license and service contract that demands they include verbatim language in their privacy policies stating they collect and may sell personal information including identifiers, geolocation data and inferences drawn from those categories. Kochava also requires companies using its free analytics service to obtain user consent to collect precise location data and to share or sell it with third parties.

There are big incentives for media companies and app developers to give location data sellers access to the data derived through their apps. For one thing, allowing access to the information helps determine places people are or have been, making the ad inventory that app publishers sell more valuable to advertisers who pay more for ads targeted by location.

Allowing access to that data could also produce additional revenue streams with little extra work for the publisher. Typically, location data suppliers pay publishers according to the number of unique data signals they provide. For example, they might pay a flat fee for location data points associated with 1,000 app users.

FTC cracks down on unintended data use

Following the Supreme Court’s overturning of Roe v. Wade earlier this year, more people began to realize that location data is often packaged and sold, and can be used to identify people. Now that states across the country are penalizing people for obtaining abortions, the digital footprints their phones create when they visit health clinics and other sensitive places have serious real-world legal implications.

With location data under heightened scrutiny, digital ad groups and data providers have begun to respond by restricting its use. Location data sellers SafeGraph and Placer.ai said they would stop selling data associated with reproductive health center locations. Google also now deletes location data from sensitive places including abortion clinics.

Last month, Kochava itself said it would begin removing precision geo-location data associated with health care services locations starting at the end of the third quarter of this year. The company will also allow people to register to block sensitive location data from being used, shared or purchased in its data marketplace.

Kochava’s system connects with big names in Big Tech including Amazon, Facebook, Google, Snapchat and TikTok to enable advertising and ad-related services on their properties. For instance, Google counts Kochava as an integrated app attribution partner.

Meanwhile, companies that make apps with millions of daily users including Disney, Instagram, and Major League Baseball are all listed publicly by Kochava as integrated partners. But rather than representing Kochava customers or contractual partnerships, the list of “partners” merely represents the ad tech vendors and media companies Kochava’s measurement system can recognize and report on when it receives information about how well advertising performed from its advertiser clients.

All the same, the list of hundreds of companies, most of which pass data among several ad systems to enable targeted advertising, is a visible symbol of a labyrinthine mobile ad ecosystem — one the FTC pegs as part of the digital data surveillance industry it aims to shackle. In its complaint, the agency included information from Kochava’s own data sales materials showing it has sold precise latitudinal and longitudinal map coordinates collected at a specific time and associated with device IDs showing when a device was present at a given location.

"What the FTC has suggested about Kochava is technologically completely plausible,” said another ad tech company vice president who asked not to be named in this story.

While advertisers have entirely different uses for this sort of data — such as to understand how their ad campaigns helped grow incremental app downloads or product sales, or whether people from a certain area drove by a billboard — the FTC aims to highlight the unintended uses for precise location data that comes with time stamps and can be attached to device IDs, especially when it is made readily available for sale to the public.

“The sale of such data poses an unwarranted intrusion into the most private areas of consumers’ lives and causes or is likely to cause substantial injury to consumers,” the FTC complaint said.

The complaint described a process that can be used to decipher someone’s identity when location data includes the times devices appeared in a certain place, as Kochava’s data does.

First, the home address associated with a mobile device is detected through data patterns showing a device has lingered in a specific location for several hours overnight, indicating it is a residence. That residential address can then be matched to a person’s name, contact data and other demographic information. Through this series of data matches, visits to a specific location can then be tied to an identified person.

“What the FTC has suggested about Kochava is technologically completely plausible,” said another ad tech company vice president who asked not to be named in this story.

Kochava puts up a fight

The identification process described by the FTC involves some sleuthing. But before the FTC announced its complaint against the company last week, Kochava filed its own lawsuit against the agency arguing that the company is not responsible if data it sells is used to identify someone. Instead, it contends that the onus is on consumers to protect their data.

Kochava’s suit states, “the consumer agreed to share its location data with an app developer. As such, the consumer should reasonably expect that this data will contain the consumer’s locations, even locations which the consumer deems is sensitive. Prior to the data collection, a disclaimer or a warning was also provided to a consumer regarding collection of data from all locations, including sensitive ones.”

Essentially, Kochava believes it should not be at fault if people combine the data it sells with other information.

“We do not take lightly being launched into a political fight we have no reason to be in the ring for. We know the regulatory road ahead of us is likely long and winding. We take regulatory compliance very seriously at Kochava, and we are not going to sit idly by and let our company and community’s reputation be damaged. We won’t stand for that and we are grateful to have all of our supporters in our corner for as long as we’re in this fight,” Kochava CEO Charles Manning wrote in a Sept. 1 company blog post.

As Congress has failed to rein in the digital data use that fuels ad-driven business models, facilitating what many call the “surveillance economy,” the FTC is expected to continue its aggressive approach to regulating data use.

The commission will hold a public forum on commercial surveillance on Thursday.

“Mass surveillance has heightened the risks and stakes of errors, deception, manipulation and other abuses,” the agency said. “The Federal Trade Commission is asking the public to weigh in on whether new rules are needed to protect people’s privacy and information in the commercial surveillance economy.”

A 'Soho house for techies': VCs place a bet on community

Contrary is the latest venture firm to experiment with building community spaces instead of offices.

Contrary NYC is meant to re-create being part of a members-only club where engineers and entrepreneurs can hang out together, have a space to work, and host events for people in tech.

Photo: Courtesy of Contrary

In the pre-pandemic times, Contrary’s network of venture scouts, founders, and top technologists reflected the magnetic pull Silicon Valley had on the tech industry. About 80% were based in the Bay Area, with a smattering living elsewhere. Today, when Contrary asked where people in its network were living, the split had changed with 40% in the Bay Area and another 40% living in or planning to move to New York.

It’s totally bifurcated now, said Contrary’s founder Eric Tarczynski.

Keep Reading Show less
Biz Carson

Biz Carson ( @bizcarson) is a San Francisco-based reporter at Protocol, covering Silicon Valley with a focus on startups and venture capital. Previously, she reported for Forbes and was co-editor of Forbes Next Billion-Dollar Startups list. Before that, she worked for Business Insider, Gigaom, and Wired and started her career as a newspaper designer for Gannett.

Sponsored Content

Great products are built on strong patents

Experts say robust intellectual property protection is essential to ensure the long-term R&D required to innovate and maintain America's technology leadership.

Every great tech product that you rely on each day, from the smartphone in your pocket to your music streaming service and navigational system in the car, shares one important thing: part of its innovative design is protected by intellectual property (IP) laws.

From 5G to artificial intelligence, IP protection offers a powerful incentive for researchers to create ground-breaking products, and governmental leaders say its protection is an essential part of maintaining US technology leadership. To quote Secretary of Commerce Gina Raimondo: "intellectual property protection is vital for American innovation and entrepreneurship.”

Keep Reading Show less
James Daly
James Daly has a deep knowledge of creating brand voice identity, including understanding various audiences and targeting messaging accordingly. He enjoys commissioning, editing, writing, and business development, particularly in launching new ventures and building passionate audiences. Daly has led teams large and small to multiple awards and quantifiable success through a strategy built on teamwork, passion, fact-checking, intelligence, analytics, and audience growth while meeting budget goals and production deadlines in fast-paced environments. Daly is the Editorial Director of 2030 Media and a contributor at Wired.

Binance CEO wrestles with the 'Chinese company' label

Changpeng "CZ" Zhao, who leads crypto’s largest marketplace, is pushing back on attempts to link Binance to Beijing.

Despite Binance having to abandon its country of origin shortly after its founding, critics have portrayed the exchange as a tool of the Chinese government.

Photo: Akio Kon/Bloomberg via Getty Images

In crypto, he is known simply as CZ, head of one of the industry’s most dominant players.

It took only five years for Binance CEO and co-founder Changpeng Zhao to build his company, which launched in 2017, into the world’s biggest crypto exchange, with 90 million customers and roughly $76 billion in daily trading volume, outpacing the U.S. crypto powerhouse Coinbase.

Keep Reading Show less
Benjamin Pimentel

Benjamin Pimentel ( @benpimentel) covers crypto and fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at bpimentel@protocol.com or via Google Voice at (925) 307-9342.


How I decided to leave the US and pursue a tech career in Europe

Melissa Di Donato moved to Europe to broaden her technology experience with a different market perspective. She planned to stay two years. Seventeen years later, she remains in London as CEO of Suse.

“It was a hard go for me in the beginning. I was entering inside of a company that had been very traditional in a sense.”

Photo: Suse

Click banner image for more How I decided seriesA native New Yorker, Melissa Di Donato made a life-changing decision back in 2005 when she packed up for Europe to further her career in technology. Then with IBM, she made London her new home base.

Today, Di Donato is CEO of Germany’s Suse, now a 30-year-old, open-source enterprise software company that specializes in Linux operating systems, container management, storage, and edge computing. As the company’s first female leader, she has led Suse through the coronavirus pandemic, a 2021 IPO on the Frankfurt Stock Exchange, and the acquisitions of Kubernetes management startup Rancher Labs and container security company NeuVector.

Keep Reading Show less
Donna Goodison

Donna Goodison (@dgoodison) is Protocol's senior reporter focusing on enterprise infrastructure technology, from the 'Big 3' cloud computing providers to data centers. She previously covered the public cloud at CRN after 15 years as a business reporter for the Boston Herald. Based in Massachusetts, she also has worked as a Boston Globe freelancer, business reporter at the Boston Business Journal and real estate reporter at Banker & Tradesman after toiling at weekly newspapers.


UiPath had a rocky few years. Rob Enslin wants to turn it around.

Protocol caught up with Enslin, named earlier this year as UiPath’s co-CEO, to discuss why he left Google Cloud, the untapped potential of robotic-process automation, and how he plans to lead alongside founder Daniel Dines.

Rob Enslin, UiPath's co-CEO, chats with Protocol about the company's future.

Photo: UiPath

UiPath has had a shaky history.

The company, which helps companies automate business processes, went public in 2021 at a valuation of more than $30 billion, but now the company’s market capitalization is only around $7 billion. To add insult to injury, UiPath laid off 5% of its staff in June and then lowered its full-year guidance for fiscal year 2023 just months later, tanking its stock by 15%.

Keep Reading Show less
Aisha Counts

Aisha Counts (@aishacounts) is a reporter at Protocol covering enterprise software. Formerly, she was a management consultant for EY. She's based in Los Angeles and can be reached at acounts@protocol.com.

Latest Stories