'Likely to cause substantial injury:' Why the FTC put Kochava in the spotlight

When a little-known tech vendor came under investigation last week for allegedly selling data that links people to abortion clinic visits, it put a spotlight on an industry of jumbled data connections and undisclosed deals.

Map with location service

The FTC complaint described a process that can be used to decipher someone’s identity when location data includes the times devices appeared in a certain place, as Kochava’s data does.

Illustration: Christopher T. Fong/Protocol

When a little-known tech vendor called Kochava came under investigation last week by the Federal Trade Commission for allegedly selling data that can link identifiable people to abortion clinic visits, it put a spotlight on a digital ad and data industry driven by jumbled data connections and shielded through undisclosed deals.

Amid digital advertisers and app makers, Kochava is best known for providing mobile app and advertising measurement and analytics services, helping app publishers track and verify the number of app installs that come through paid partners. Advertisers also work with the company to track the performance of their advertising, to customize mobile ad targeting to specific groups of people or to purchase Kochava data to add to the information they already have about customers.

“You go to [Kochava] if you don’t trust your partners and you want raw data to track [mobile app installs and advertising],” said a digital ad tech practitioner who worked with Kochava on behalf of an advertiser client in the past, and asked not to be named in the story.

Now the FTC is cracking down on the unintended consequences of that obfuscated chaos.

In its complaint against Kochava, the FTC alleged that location data sold by the company — which was readily available for purchase in places including Amazon’s AWS data marketplace — was provided in a form that could identify people who visit sensitive locations such as reproductive health or addiction recovery centers, places of religious worship or homeless or domestic violence shelters.

Plausible data deniability

Kochava says its advertising and app measurement services are distinct from its data marketplace business, which is at the heart of the FTC complaint. The company says each business lives in a distinct cloud instance managed under separate accounts.

Kochava will not reveal where the data sold in that marketplace comes from, according to a source familiar with the company's strategy. In fact, in some cases, even the company itself does not know.

As is de rigueur in the opaque mobile location data industry, partnerships are almost always obscured by non-disclosure agreements. Companies that sell location data or provide other types of data services often do not reveal the original sources of the information they gather, package and sell.

When Kochava introduced its marketplace business in 2017, the company said the data sold there would come through its free app analytics service, from mobile ad networks and from app publishers and other partners. At the time, the company only named one data supplier that aimed to monetize its data by partnering with Kochava: AreaMetrics, a consumer-facing mobile app that offered location-based restaurant reviews.

But Kochava said it only derives the precise location data sold in its marketplace from data brokers and does not obtain precise location data sold in its marketplace from direct data supplier relationships with app publishers or through its free analytics product.

Still, Kochava wants legal protection to take those steps. It currently requires companies using that free analytics product to agree to a license and service contract that demands they include verbatim language in their privacy policies stating they collect and may sell personal information including identifiers, geolocation data and inferences drawn from those categories. Kochava also requires companies using its free analytics service to obtain user consent to collect precise location data and to share or sell it with third parties.

There are big incentives for media companies and app developers to give location data sellers access to the data derived through their apps. For one thing, allowing access to the information helps determine places people are or have been, making the ad inventory that app publishers sell more valuable to advertisers who pay more for ads targeted by location.

Allowing access to that data could also produce additional revenue streams with little extra work for the publisher. Typically, location data suppliers pay publishers according to the number of unique data signals they provide. For example, they might pay a flat fee for location data points associated with 1,000 app users.

FTC cracks down on unintended data use

Following the Supreme Court’s overturning of Roe v. Wade earlier this year, more people began to realize that location data is often packaged and sold, and can be used to identify people. Now that states across the country are penalizing people for obtaining abortions, the digital footprints their phones create when they visit health clinics and other sensitive places have serious real-world legal implications.

With location data under heightened scrutiny, digital ad groups and data providers have begun to respond by restricting its use. Location data sellers SafeGraph and Placer.ai said they would stop selling data associated with reproductive health center locations. Google also now deletes location data from sensitive places including abortion clinics.

Last month, Kochava itself said it would begin removing precision geo-location data associated with health care services locations starting at the end of the third quarter of this year. The company will also allow people to register to block sensitive location data from being used, shared or purchased in its data marketplace.

Kochava’s system connects with big names in Big Tech including Amazon, Facebook, Google, Snapchat and TikTok to enable advertising and ad-related services on their properties. For instance, Google counts Kochava as an integrated app attribution partner.

Meanwhile, companies that make apps with millions of daily users including Disney, Instagram, and Major League Baseball are all listed publicly by Kochava as integrated partners. But rather than representing Kochava customers or contractual partnerships, the list of “partners” merely represents the ad tech vendors and media companies Kochava’s measurement system can recognize and report on when it receives information about how well advertising performed from its advertiser clients.

All the same, the list of hundreds of companies, most of which pass data among several ad systems to enable targeted advertising, is a visible symbol of a labyrinthine mobile ad ecosystem — one the FTC pegs as part of the digital data surveillance industry it aims to shackle. In its complaint, the agency included information from Kochava’s own data sales materials showing it has sold precise latitudinal and longitudinal map coordinates collected at a specific time and associated with device IDs showing when a device was present at a given location.

"What the FTC has suggested about Kochava is technologically completely plausible,” said another ad tech company vice president who asked not to be named in this story.

While advertisers have entirely different uses for this sort of data — such as to understand how their ad campaigns helped grow incremental app downloads or product sales, or whether people from a certain area drove by a billboard — the FTC aims to highlight the unintended uses for precise location data that comes with time stamps and can be attached to device IDs, especially when it is made readily available for sale to the public.

“The sale of such data poses an unwarranted intrusion into the most private areas of consumers’ lives and causes or is likely to cause substantial injury to consumers,” the FTC complaint said.

The complaint described a process that can be used to decipher someone’s identity when location data includes the times devices appeared in a certain place, as Kochava’s data does.

First, the home address associated with a mobile device is detected through data patterns showing a device has lingered in a specific location for several hours overnight, indicating it is a residence. That residential address can then be matched to a person’s name, contact data and other demographic information. Through this series of data matches, visits to a specific location can then be tied to an identified person.

“What the FTC has suggested about Kochava is technologically completely plausible,” said another ad tech company vice president who asked not to be named in this story.

Kochava puts up a fight

The identification process described by the FTC involves some sleuthing. But before the FTC announced its complaint against the company last week, Kochava filed its own lawsuit against the agency arguing that the company is not responsible if data it sells is used to identify someone. Instead, it contends that the onus is on consumers to protect their data.

Kochava’s suit states, “the consumer agreed to share its location data with an app developer. As such, the consumer should reasonably expect that this data will contain the consumer’s locations, even locations which the consumer deems is sensitive. Prior to the data collection, a disclaimer or a warning was also provided to a consumer regarding collection of data from all locations, including sensitive ones.”

Essentially, Kochava believes it should not be at fault if people combine the data it sells with other information.

“We do not take lightly being launched into a political fight we have no reason to be in the ring for. We know the regulatory road ahead of us is likely long and winding. We take regulatory compliance very seriously at Kochava, and we are not going to sit idly by and let our company and community’s reputation be damaged. We won’t stand for that and we are grateful to have all of our supporters in our corner for as long as we’re in this fight,” Kochava CEO Charles Manning wrote in a Sept. 1 company blog post.

As Congress has failed to rein in the digital data use that fuels ad-driven business models, facilitating what many call the “surveillance economy,” the FTC is expected to continue its aggressive approach to regulating data use.

The commission will hold a public forum on commercial surveillance on Thursday.

“Mass surveillance has heightened the risks and stakes of errors, deception, manipulation and other abuses,” the agency said. “The Federal Trade Commission is asking the public to weigh in on whether new rules are needed to protect people’s privacy and information in the commercial surveillance economy.”


Judge Zia Faruqui is trying to teach you crypto, one ‘SNL’ reference at a time

His decisions on major cryptocurrency cases have quoted "The Big Lebowski," "SNL," and "Dr. Strangelove." That’s because he wants you — yes, you — to read them.

The ways Zia Faruqui (right) has weighed on cases that have come before him can give lawyers clues as to what legal frameworks will pass muster.

Photo: Carolyn Van Houten/The Washington Post via Getty Images

“Cryptocurrency and related software analytics tools are ‘The wave of the future, Dude. One hundred percent electronic.’”

That’s not a quote from "The Big Lebowski" — at least, not directly. It’s a quote from a Washington, D.C., district court memorandum opinion on the role cryptocurrency analytics tools can play in government investigations. The author is Magistrate Judge Zia Faruqui.

Keep ReadingShow less
Veronica Irwin

Veronica Irwin (@vronirwin) is a San Francisco-based reporter at Protocol covering fintech. Previously she was at the San Francisco Examiner, covering tech from a hyper-local angle. Before that, her byline was featured in SF Weekly, The Nation, Techworker, Ms. Magazine and The Frisc.

The financial technology transformation is driving competition, creating consumer choice, and shaping the future of finance. Hear from seven fintech leaders who are reshaping the future of finance, and join the inaugural Financial Technology Association Fintech Summit to learn more.

Keep ReadingShow less
The Financial Technology Association (FTA) represents industry leaders shaping the future of finance. We champion the power of technology-centered financial services and advocate for the modernization of financial regulation to support inclusion and responsible innovation.

AWS CEO: The cloud isn’t just about technology

As AWS preps for its annual re:Invent conference, Adam Selipsky talks product strategy, support for hybrid environments, and the value of the cloud in uncertain economic times.

Photo: Noah Berger/Getty Images for Amazon Web Services

AWS is gearing up for re:Invent, its annual cloud computing conference where announcements this year are expected to focus on its end-to-end data strategy and delivering new industry-specific services.

It will be the second re:Invent with CEO Adam Selipsky as leader of the industry’s largest cloud provider after his return last year to AWS from data visualization company Tableau Software.

Keep ReadingShow less
Donna Goodison

Donna Goodison (@dgoodison) is Protocol's senior reporter focusing on enterprise infrastructure technology, from the 'Big 3' cloud computing providers to data centers. She previously covered the public cloud at CRN after 15 years as a business reporter for the Boston Herald. Based in Massachusetts, she also has worked as a Boston Globe freelancer, business reporter at the Boston Business Journal and real estate reporter at Banker & Tradesman after toiling at weekly newspapers.

Image: Protocol

We launched Protocol in February 2020 to cover the evolving power center of tech. It is with deep sadness that just under three years later, we are winding down the publication.

As of today, we will not publish any more stories. All of our newsletters, apart from our flagship, Source Code, will no longer be sent. Source Code will be published and sent for the next few weeks, but it will also close down in December.

Keep ReadingShow less
Bennett Richardson

Bennett Richardson ( @bennettrich) is the president of Protocol. Prior to joining Protocol in 2019, Bennett was executive director of global strategic partnerships at POLITICO, where he led strategic growth efforts including POLITICO's European expansion in Brussels and POLITICO's creative agency POLITICO Focus during his six years with the company. Prior to POLITICO, Bennett was co-founder and CMO of Hinge, the mobile dating company recently acquired by Match Group. Bennett began his career in digital and social brand marketing working with major brands across tech, energy, and health care at leading marketing and communications agencies including Edelman and GMMB. Bennett is originally from Portland, Maine, and received his bachelor's degree from Colgate University.


Why large enterprises struggle to find suitable platforms for MLops

As companies expand their use of AI beyond running just a few machine learning models, and as larger enterprises go from deploying hundreds of models to thousands and even millions of models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

As companies expand their use of AI beyond running just a few machine learning models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

Photo: artpartner-images via Getty Images

On any given day, Lily AI runs hundreds of machine learning models using computer vision and natural language processing that are customized for its retail and ecommerce clients to make website product recommendations, forecast demand, and plan merchandising. But this spring when the company was in the market for a machine learning operations platform to manage its expanding model roster, it wasn’t easy to find a suitable off-the-shelf system that could handle such a large number of models in deployment while also meeting other criteria.

Some MLops platforms are not well-suited for maintaining even more than 10 machine learning models when it comes to keeping track of data, navigating their user interfaces, or reporting capabilities, Matthew Nokleby, machine learning manager for Lily AI’s product intelligence team, told Protocol earlier this year. “The duct tape starts to show,” he said.

Keep ReadingShow less
Kate Kaye

Kate Kaye is an award-winning multimedia reporter digging deep and telling print, digital and audio stories. She covers AI and data for Protocol. Her reporting on AI and tech ethics issues has been published in OneZero, Fast Company, MIT Technology Review, CityLab, Ad Age and Digiday and heard on NPR. Kate is the creator of RedTailMedia.org and is the author of "Campaign '08: A Turning Point for Digital Media," a book about how the 2008 presidential campaigns used digital media and data.

Latest Stories