When a little-known tech vendor called Kochava came under investigation last week by the Federal Trade Commission for allegedly selling data that can link identifiable people to abortion clinic visits, it put a spotlight on a digital ad and data industry driven by jumbled data connections and shielded through undisclosed deals.
Amid digital advertisers and app makers, Kochava is best known for providing mobile app and advertising measurement and analytics services, helping app publishers track and verify the number of app installs that come through paid partners. Advertisers also work with the company to track the performance of their advertising, to customize mobile ad targeting to specific groups of people or to purchase Kochava data to add to the information they already have about customers.
“You go to [Kochava] if you don’t trust your partners and you want raw data to track [mobile app installs and advertising],” said a digital ad tech practitioner who worked with Kochava on behalf of an advertiser client in the past, and asked not to be named in the story.
Now the FTC is cracking down on the unintended consequences of that obfuscated chaos.
In its complaint against Kochava, the FTC alleged that location data sold by the company — which was readily available for purchase in places including Amazon’s AWS data marketplace — was provided in a form that could identify people who visit sensitive locations such as reproductive health or addiction recovery centers, places of religious worship or homeless or domestic violence shelters.
Plausible data deniability
Kochava says its advertising and app measurement services are distinct from its data marketplace business, which is at the heart of the FTC complaint. The company says each business lives in a distinct cloud instance managed under separate accounts.
Kochava will not reveal where the data sold in that marketplace comes from, according to a source familiar with the company's strategy. In fact, in some cases, even the company itself does not know.
As is de rigueur in the opaque mobile location data industry, partnerships are almost always obscured by non-disclosure agreements. Companies that sell location data or provide other types of data services often do not reveal the original sources of the information they gather, package and sell.
When Kochava introduced its marketplace business in 2017, the company said the data sold there would come through its free app analytics service, from mobile ad networks and from app publishers and other partners. At the time, the company only named one data supplier that aimed to monetize its data by partnering with Kochava: AreaMetrics, a consumer-facing mobile app that offered location-based restaurant reviews.
But Kochava said it only derives the precise location data sold in its marketplace from data brokers and does not obtain precise location data sold in its marketplace from direct data supplier relationships with app publishers or through its free analytics product.
Still, Kochava wants legal protection to take those steps. It currently requires companies using that free analytics product to agree to a license and service contract that demands they include verbatim language in their privacy policies stating they collect and may sell personal information including identifiers, geolocation data and inferences drawn from those categories. Kochava also requires companies using its free analytics service to obtain user consent to collect precise location data and to share or sell it with third parties.
There are big incentives for media companies and app developers to give location data sellers access to the data derived through their apps. For one thing, allowing access to the information helps determine places people are or have been, making the ad inventory that app publishers sell more valuable to advertisers who pay more for ads targeted by location.
Allowing access to that data could also produce additional revenue streams with little extra work for the publisher. Typically, location data suppliers pay publishers according to the number of unique data signals they provide. For example, they might pay a flat fee for location data points associated with 1,000 app users.
FTC cracks down on unintended data use
Following the Supreme Court’s overturning of Roe v. Wade earlier this year, more people began to realize that location data is often packaged and sold, and can be used to identify people. Now that states across the country are penalizing people for obtaining abortions, the digital footprints their phones create when they visit health clinics and other sensitive places have serious real-world legal implications.
With location data under heightened scrutiny, digital ad groups and data providers have begun to respond by restricting its use. Location data sellers SafeGraph and Placer.ai said they would stop selling data associated with reproductive health center locations. Google also now deletes location data from sensitive places including abortion clinics.
Last month, Kochava itself said it would begin removing precision geo-location data associated with health care services locations starting at the end of the third quarter of this year. The company will also allow people to register to block sensitive location data from being used, shared or purchased in its data marketplace.
Kochava’s system connects with big names in Big Tech including Amazon, Facebook, Google, Snapchat and TikTok to enable advertising and ad-related services on their properties. For instance, Google counts Kochava as an integrated app attribution partner.
Meanwhile, companies that make apps with millions of daily users including Disney, Instagram, and Major League Baseball are all listed publicly by Kochava as integrated partners. But rather than representing Kochava customers or contractual partnerships, the list of “partners” merely represents the ad tech vendors and media companies Kochava’s measurement system can recognize and report on when it receives information about how well advertising performed from its advertiser clients.
All the same, the list of hundreds of companies, most of which pass data among several ad systems to enable targeted advertising, is a visible symbol of a labyrinthine mobile ad ecosystem — one the FTC pegs as part of the digital data surveillance industry it aims to shackle. In its complaint, the agency included information from Kochava’s own data sales materials showing it has sold precise latitudinal and longitudinal map coordinates collected at a specific time and associated with device IDs showing when a device was present at a given location.
"What the FTC has suggested about Kochava is technologically completely plausible,” said another ad tech company vice president who asked not to be named in this story.
While advertisers have entirely different uses for this sort of data — such as to understand how their ad campaigns helped grow incremental app downloads or product sales, or whether people from a certain area drove by a billboard — the FTC aims to highlight the unintended uses for precise location data that comes with time stamps and can be attached to device IDs, especially when it is made readily available for sale to the public.
“The sale of such data poses an unwarranted intrusion into the most private areas of consumers’ lives and causes or is likely to cause substantial injury to consumers,” the FTC complaint said.
The complaint described a process that can be used to decipher someone’s identity when location data includes the times devices appeared in a certain place, as Kochava’s data does.
First, the home address associated with a mobile device is detected through data patterns showing a device has lingered in a specific location for several hours overnight, indicating it is a residence. That residential address can then be matched to a person’s name, contact data and other demographic information. Through this series of data matches, visits to a specific location can then be tied to an identified person.
“What the FTC has suggested about Kochava is technologically completely plausible,” said another ad tech company vice president who asked not to be named in this story.
Kochava puts up a fight
The identification process described by the FTC involves some sleuthing. But before the FTC announced its complaint against the company last week, Kochava filed its own lawsuit against the agency arguing that the company is not responsible if data it sells is used to identify someone. Instead, it contends that the onus is on consumers to protect their data.
Kochava’s suit states, “the consumer agreed to share its location data with an app developer. As such, the consumer should reasonably expect that this data will contain the consumer’s locations, even locations which the consumer deems is sensitive. Prior to the data collection, a disclaimer or a warning was also provided to a consumer regarding collection of data from all locations, including sensitive ones.”
Essentially, Kochava believes it should not be at fault if people combine the data it sells with other information.
“We do not take lightly being launched into a political fight we have no reason to be in the ring for. We know the regulatory road ahead of us is likely long and winding. We take regulatory compliance very seriously at Kochava, and we are not going to sit idly by and let our company and community’s reputation be damaged. We won’t stand for that and we are grateful to have all of our supporters in our corner for as long as we’re in this fight,” Kochava CEO Charles Manning wrote in a Sept. 1 company blog post.
As Congress has failed to rein in the digital data use that fuels ad-driven business models, facilitating what many call the “surveillance economy,” the FTC is expected to continue its aggressive approach to regulating data use.
The commission will hold a public forum on commercial surveillance on Thursday.
“Mass surveillance has heightened the risks and stakes of errors, deception, manipulation and other abuses,” the agency said. “The Federal Trade Commission is asking the public to weigh in on whether new rules are needed to protect people’s privacy and information in the commercial surveillance economy.”