'Likely to cause substantial injury:' Why the FTC put Kochava in the spotlight

When a little-known tech vendor came under investigation last week for allegedly selling data that links people to abortion clinic visits, it put a spotlight on an industry of jumbled data connections and undisclosed deals.

Map with location service

The FTC complaint described a process that can be used to decipher someone’s identity when location data includes the times devices appeared in a certain place, as Kochava’s data does.

Illustration: Christopher T. Fong/Protocol

When a little-known tech vendor called Kochava came under investigation last week by the Federal Trade Commission for allegedly selling data that can link identifiable people to abortion clinic visits, it put a spotlight on a digital ad and data industry driven by jumbled data connections and shielded through undisclosed deals.

Amid digital advertisers and app makers, Kochava is best known for providing mobile app and advertising measurement and analytics services, helping app publishers track and verify the number of app installs that come through paid partners. Advertisers also work with the company to track the performance of their advertising, to customize mobile ad targeting to specific groups of people or to purchase Kochava data to add to the information they already have about customers.

“You go to [Kochava] if you don’t trust your partners and you want raw data to track [mobile app installs and advertising],” said a digital ad tech practitioner who worked with Kochava on behalf of an advertiser client in the past, and asked not to be named in the story.

Now the FTC is cracking down on the unintended consequences of that obfuscated chaos.

In its complaint against Kochava, the FTC alleged that location data sold by the company — which was readily available for purchase in places including Amazon’s AWS data marketplace — was provided in a form that could identify people who visit sensitive locations such as reproductive health or addiction recovery centers, places of religious worship or homeless or domestic violence shelters.

Plausible data deniability

Kochava says its advertising and app measurement services are distinct from its data marketplace business, which is at the heart of the FTC complaint. The company says each business lives in a distinct cloud instance managed under separate accounts.

Kochava will not reveal where the data sold in that marketplace comes from, according to a source familiar with the company's strategy. In fact, in some cases, even the company itself does not know.

As is de rigueur in the opaque mobile location data industry, partnerships are almost always obscured by non-disclosure agreements. Companies that sell location data or provide other types of data services often do not reveal the original sources of the information they gather, package and sell.

When Kochava introduced its marketplace business in 2017, the company said the data sold there would come through its free app analytics service, from mobile ad networks and from app publishers and other partners. At the time, the company only named one data supplier that aimed to monetize its data by partnering with Kochava: AreaMetrics, a consumer-facing mobile app that offered location-based restaurant reviews.

But Kochava said it only derives the precise location data sold in its marketplace from data brokers and does not obtain precise location data sold in its marketplace from direct data supplier relationships with app publishers or through its free analytics product.

Still, Kochava wants legal protection to take those steps. It currently requires companies using that free analytics product to agree to a license and service contract that demands they include verbatim language in their privacy policies stating they collect and may sell personal information including identifiers, geolocation data and inferences drawn from those categories. Kochava also requires companies using its free analytics service to obtain user consent to collect precise location data and to share or sell it with third parties.

There are big incentives for media companies and app developers to give location data sellers access to the data derived through their apps. For one thing, allowing access to the information helps determine places people are or have been, making the ad inventory that app publishers sell more valuable to advertisers who pay more for ads targeted by location.

Allowing access to that data could also produce additional revenue streams with little extra work for the publisher. Typically, location data suppliers pay publishers according to the number of unique data signals they provide. For example, they might pay a flat fee for location data points associated with 1,000 app users.

FTC cracks down on unintended data use

Following the Supreme Court’s overturning of Roe v. Wade earlier this year, more people began to realize that location data is often packaged and sold, and can be used to identify people. Now that states across the country are penalizing people for obtaining abortions, the digital footprints their phones create when they visit health clinics and other sensitive places have serious real-world legal implications.

With location data under heightened scrutiny, digital ad groups and data providers have begun to respond by restricting its use. Location data sellers SafeGraph and Placer.ai said they would stop selling data associated with reproductive health center locations. Google also now deletes location data from sensitive places including abortion clinics.

Last month, Kochava itself said it would begin removing precision geo-location data associated with health care services locations starting at the end of the third quarter of this year. The company will also allow people to register to block sensitive location data from being used, shared or purchased in its data marketplace.

Kochava’s system connects with big names in Big Tech including Amazon, Facebook, Google, Snapchat and TikTok to enable advertising and ad-related services on their properties. For instance, Google counts Kochava as an integrated app attribution partner.

Meanwhile, companies that make apps with millions of daily users including Disney, Instagram, and Major League Baseball are all listed publicly by Kochava as integrated partners. But rather than representing Kochava customers or contractual partnerships, the list of “partners” merely represents the ad tech vendors and media companies Kochava’s measurement system can recognize and report on when it receives information about how well advertising performed from its advertiser clients.

All the same, the list of hundreds of companies, most of which pass data among several ad systems to enable targeted advertising, is a visible symbol of a labyrinthine mobile ad ecosystem — one the FTC pegs as part of the digital data surveillance industry it aims to shackle. In its complaint, the agency included information from Kochava’s own data sales materials showing it has sold precise latitudinal and longitudinal map coordinates collected at a specific time and associated with device IDs showing when a device was present at a given location.

"What the FTC has suggested about Kochava is technologically completely plausible,” said another ad tech company vice president who asked not to be named in this story.

While advertisers have entirely different uses for this sort of data — such as to understand how their ad campaigns helped grow incremental app downloads or product sales, or whether people from a certain area drove by a billboard — the FTC aims to highlight the unintended uses for precise location data that comes with time stamps and can be attached to device IDs, especially when it is made readily available for sale to the public.

“The sale of such data poses an unwarranted intrusion into the most private areas of consumers’ lives and causes or is likely to cause substantial injury to consumers,” the FTC complaint said.

The complaint described a process that can be used to decipher someone’s identity when location data includes the times devices appeared in a certain place, as Kochava’s data does.

First, the home address associated with a mobile device is detected through data patterns showing a device has lingered in a specific location for several hours overnight, indicating it is a residence. That residential address can then be matched to a person’s name, contact data and other demographic information. Through this series of data matches, visits to a specific location can then be tied to an identified person.

“What the FTC has suggested about Kochava is technologically completely plausible,” said another ad tech company vice president who asked not to be named in this story.

Kochava puts up a fight

The identification process described by the FTC involves some sleuthing. But before the FTC announced its complaint against the company last week, Kochava filed its own lawsuit against the agency arguing that the company is not responsible if data it sells is used to identify someone. Instead, it contends that the onus is on consumers to protect their data.

Kochava’s suit states, “the consumer agreed to share its location data with an app developer. As such, the consumer should reasonably expect that this data will contain the consumer’s locations, even locations which the consumer deems is sensitive. Prior to the data collection, a disclaimer or a warning was also provided to a consumer regarding collection of data from all locations, including sensitive ones.”

Essentially, Kochava believes it should not be at fault if people combine the data it sells with other information.

“We do not take lightly being launched into a political fight we have no reason to be in the ring for. We know the regulatory road ahead of us is likely long and winding. We take regulatory compliance very seriously at Kochava, and we are not going to sit idly by and let our company and community’s reputation be damaged. We won’t stand for that and we are grateful to have all of our supporters in our corner for as long as we’re in this fight,” Kochava CEO Charles Manning wrote in a Sept. 1 company blog post.

As Congress has failed to rein in the digital data use that fuels ad-driven business models, facilitating what many call the “surveillance economy,” the FTC is expected to continue its aggressive approach to regulating data use.

The commission will hold a public forum on commercial surveillance on Thursday.

“Mass surveillance has heightened the risks and stakes of errors, deception, manipulation and other abuses,” the agency said. “The Federal Trade Commission is asking the public to weigh in on whether new rules are needed to protect people’s privacy and information in the commercial surveillance economy.”

LA is a growing tech hub. But not everyone may fit.

LA has a housing crisis similar to Silicon Valley’s. And single-family-zoning laws are mostly to blame.

As the number of tech companies in the region grows, so does the number of tech workers, whose high salaries put them at an advantage in both LA's renting and buying markets.

Photo: Nat Rubio-Licht/Protocol

LA’s tech scene is on the rise. The number of unicorn companies in Los Angeles is growing, and the city has become the third-largest startup ecosystem nationally behind the Bay Area and New York with more than 4,000 VC-backed startups in industries ranging from aerospace to creators. As the number of tech companies in the region grows, so does the number of tech workers. The city is quickly becoming more and more like Silicon Valley — a new startup and a dozen tech workers on every corner and companies like Google, Netflix, and Twitter setting up offices there.

But with growth comes growing pains. Los Angeles, especially the burgeoning Silicon Beach area — which includes Santa Monica, Venice, and Marina del Rey — shares something in common with its namesake Silicon Valley: a severe lack of housing.

Keep Reading Show less
Nat Rubio-Licht

Nat Rubio-Licht is a Los Angeles-based news writer at Protocol. They graduated from Syracuse University with a degree in newspaper and online journalism in May 2020. Prior to joining the team, they worked at the Los Angeles Business Journal as a technology and aerospace reporter.

While there remains debate among economists about whether we are officially in a full-blown recession, the signs are certainly there. Like most executives right now, the outlook concerns me.

In any case, businesses aren’t waiting for the official pronouncement. They’re already bracing for impact as U.S. inflation and interest rates soar. Inflation peaked at 9.1% in June 2022 — the highest increase since November 1981 — and the Federal Reserve is targeting an interest rate of 3% by the end of this year.

Keep Reading Show less
Nancy Sansom

Nancy Sansom is the Chief Marketing Officer for Versapay, the leader in Collaborative AR. In this role, she leads marketing, demand generation, product marketing, partner marketing, events, brand, content marketing and communications. She has more than 20 years of experience running successful product and marketing organizations in high-growth software companies focused on HCM and financial technology. Prior to joining Versapay, Nancy served on the senior leadership teams at PlanSource, Benefitfocus and PeopleMatter.


SFPD can now surveil a private camera network funded by Ripple chair

The San Francisco Board of Supervisors approved a policy that the ACLU and EFF argue will further criminalize marginalized groups.

SFPD will be able to temporarily tap into private surveillance networks in certain circumstances.

Photo: Justin Sullivan/Getty Images

Ripple chairman and co-founder Chris Larsen has been funding a network of security cameras throughout San Francisco for a decade. Now, the city has given its police department the green light to monitor the feeds from those cameras — and any other private surveillance devices in the city — in real time, whether or not a crime has been committed.

This week, San Francisco’s Board of Supervisors approved a controversial plan to allow SFPD to temporarily tap into private surveillance networks during life-threatening emergencies, large events, and in the course of criminal investigations, including investigations of misdemeanors. The decision came despite fervent opposition from groups, including the ACLU of Northern California and the Electronic Frontier Foundation, which say the police department’s new authority will be misused against protesters and marginalized groups in a city that has been a bastion for both.

Keep Reading Show less
Issie Lapowsky

Issie Lapowsky ( @issielapowsky) is Protocol's chief correspondent, covering the intersection of technology, politics, and national affairs. She also oversees Protocol's fellowship program. Previously, she was a senior writer at Wired, where she covered the 2016 election and the Facebook beat in its aftermath. Prior to that, Issie worked as a staff writer for Inc. magazine, writing about small business and entrepreneurship. She has also worked as an on-air contributor for CBS News and taught a graduate-level course at New York University's Center for Publishing on how tech giants have affected publishing.


These two AWS vets think they can finally solve enterprise blockchain

Vendia, founded by Tim Wagner and Shruthi Rao, wants to help companies build real-time, decentralized data applications. Its product allows enterprises to more easily share code and data across clouds, regions, companies, accounts, and technology stacks.

“We have this thesis here: Cloud was always the missing ingredient in blockchain, and Vendia added it in,” Wagner (right) told Protocol of his and Shruthi Rao's company.

Photo: Vendia

The promise of an enterprise blockchain was not lost on CIOs — the idea that a database or an API could keep corporate data consistent with their business partners, be it their upstream supply chains, downstream logistics, or financial partners.

But while it was one of the most anticipated and hyped technologies in recent memory, blockchain also has been one of the most failed technologies in terms of enterprise pilots and implementations, according to Vendia CEO Tim Wagner.

Keep Reading Show less
Donna Goodison

Donna Goodison (@dgoodison) is Protocol's senior reporter focusing on enterprise infrastructure technology, from the 'Big 3' cloud computing providers to data centers. She previously covered the public cloud at CRN after 15 years as a business reporter for the Boston Herald. Based in Massachusetts, she also has worked as a Boston Globe freelancer, business reporter at the Boston Business Journal and real estate reporter at Banker & Tradesman after toiling at weekly newspapers.


Kraken's CEO got tired of being in finance

Jesse Powell tells Protocol the bureaucratic obligations of running a financial services business contributed to his decision to step back from his role as CEO of one of the world’s largest crypto exchanges.

Photo: David Paul Morris/Bloomberg via Getty Images

Kraken is going through a major leadership change after what has been a tough year for the crypto powerhouse, and for departing CEO Jesse Powell.

The crypto market is still struggling to recover from a major crash, although Kraken appears to have navigated the crisis better than other rivals. Despite his exchange’s apparent success, Powell found himself in the hot seat over allegations published in The New York Times that he made insensitive comments on gender and race that sparked heated conversations within the company.

Keep Reading Show less
Benjamin Pimentel

Benjamin Pimentel ( @benpimentel) covers crypto and fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at bpimentel@protocol.com or via Google Voice at (925) 307-9342.

Latest Stories