“This lawsuit highlights the very real threats that data surveillance poses to peoples’ safety, security, bodily integrity, and access to healthcare,” said the head of Public Citizen.
By Jessica Corbett Published 8-29-2022 by Common Dreams
Earlier this year, the Tulsa Women’s Clinic was overflowing with patients, both from within Oklahoma and Texas. Now, it’s mostly empty as staff try their best to redirect patients to abortion providers in other states. Photo: Andrea Gallegos/Tulsa Women’s Clinic
Privacy and reproductive rights advocates on Monday welcomed the Biden administration’s lawsuit against Kochava Inc., which argues that the Idaho-based data broker’s practices endanger abortion patients in the post-Roe v. Wade era.
Since the U.S. Supreme Court’s late June Dobbs v. Jackson Women’s Health Organization decision reversed Roe, while anti-choice forces have ramped up attacks on reproductive freedom, concerns have mounted about how data from devices like smartphones may be used to target patients and healthcare providers.
In a statement about the new Federal Trade Commission (FTC) suit, Robert Weissman, president of the consumer advocacy group Public Citizen, noted the increased threat posed by those trying to ban and criminalize abortions, and punish those who seek them.
“Especially in the wake of the U.S. Supreme Court’s Dobbs decision, today’s FTC action is urgently needed to protect patients and consumers from data surveillance-superpowered vigilantes, extremists, and overzealous prosecutors,” said Weissman.
“This lawsuit highlights the very real threats that data surveillance poses to peoples’ safety, security, bodily integrity, and access to healthcare,” he continued. “It is why it so important that the FTC is pursuing a broad rule to protect consumer privacy and restrict data surveillance, and why Congress should pass legislation to ensure robust privacy protections for all Americans.”
Great to see the @FTC step up against creepy invasions of privacy made even more salient by the Supreme Court’s awful Dobbs decision. Independent agencies are important! https://t.co/gFNH5C8ek6 pic.twitter.com/UFQvdggaR2
— Jeff Hauser (@jeffhauser) August 29, 2022
U.S. Sen. Elizabeth Warren (D-Mass.) also celebrated the “major action” by the agency and administration “to protect Americans’ privacy,” tweeting that “with abortion rights under attack by the Supreme Court and Republican states, it’s a critical step to crack down on data brokers selling sensitive location data—including at healthcare clinics and places of worship.”
Some, such as Shaunna Thomas of UltraViolet, thanked FTC Chair Lina Khan—an appointee of President Joe Biden—for her leadership.
The @FTC is suing a data broker for selling data that tracks people at reproductive health clinics among other places. This is huge for privacy + sends a clear accountability signal to all data brokers.
Thank you @linakhanFTC for the leadership we needhttps://t.co/NtlTnTZ48k
— Shaunna Thomas (@SLThomas) August 29, 2022
Only Noah Joshua Phillips, one of the two Republican commissioners, voted against filing the complaint, which accuses Kochava of violating federal law “in connection with acquiring consumers’ precise geolocation data and selling the data in a format that allows entities to track the consumers’ movements to and from sensitive locations.”
That data, collected from mobile devices, can connect individuals with not only their homes but also “locations associated with medical care, reproductive health, religious worship, mental health, temporary shelters, such as shelters for the homeless, domestic violence survivors, or other at-risk populations, and addiction recovery,” the complaint explains.
The filing points out that in addition to its paid services, until June, Kochava had a data sample on Amazon Web Services (AWS) that was relatively easy to access for free. One day of that dataset examined by the FTC corresponded to nearly 62 million unique mobile numbers.
In the data sample, “it is possible to identify a mobile device that visited a women’s reproductive health clinic and trace that mobile device to a single-family residence,” the complaint states. “The data set also reveals that the same mobile device was at a particular location at least three evenings in the same week, suggesting the mobile device user’s routine. The data may also be used to identify medical professionals who perform, or assist in the performance, of abortion services.”
The protection of health and location data has taken on more urgency after Dobbs as women and providers are increasingly placed at risk of surveillance and prosecution in forced birth states. https://t.co/ey5TIB6gj3
— Jolynn Dellinger (@MindingPrivacy) August 29, 2022
After detailing other examples, the document declares that “identification of sensitive and private characteristics of consumers from the location data sold and offered by Kochava injures or is likely to injure consumers through exposure to stigma, discrimination, physical violence, emotional distress, and other harms,” and “these injuries are exacerbated by the fact that, as described above, Kochava lacks any meaningful controls over who accesses its location data feed,” including the data sample.
The filing also asserts that “the collection and use of their location data are opaque to consumers, who typically do not know who has collected their location data and how it is being used,” and Kochava “could implement safeguards to remove data associated with sensitive locations… at a reasonable cost and expenditure of resources.”
Echoing the complaint, Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said that “where consumers seek out healthcare, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder.”
“The FTC is taking Kochava to court,” Levine added, “to protect people’s privacy and halt the sale of their sensitive geolocation information.”
How is a company like Kochava real? A data broker that purchases data from other data brokers then sells subscriptions to that data through a public-facing data broker? To kill Hydra, one must sever all the heads then cauterize the neck. https://t.co/Nqvn5UaDZw
— Lee Hepner (@LeeHepner) August 29, 2022
Kochava general manager Brian Cox claimed the suit “shows the unfortunate reality that the FTC has a fundamental misunderstanding of Kochava’s data marketplace business and other data businesses,” and that the company “operates consistently and proactively in compliance with all rules and laws, including those specific to privacy.”
Cox also pointed to Kochava’s newly announced ability to block location data from sensitive locations and recent engagement with the FTC prior to the filing. He added that “real progress to improve data privacy for consumers will not be reached through flamboyant press releases and frivolous litigation,” and “it’s disappointing that the agency continues to circumvent the lawmaking process and perpetuate misinformation surrounding data privacy.”
Meanwhile, experts such as Tulane University law professor Ann Lipton highlighted that “the suit is really about general location sharing, which could be used for all sorts of purposes—including stalking and robbery—but the FTC highlights abortion as one sensitive use.”
In the words of investigative journalist Jon Keegan, “This is a major shot across the bow to the location data industry.”
Kochava was one of the 47 companies @alfredwkng and I identified as part of the multi-billion dollar location data industry. Read more about the industry and who the other big players are here: https://t.co/yv2L11Sogy pic.twitter.com/iVzImKyg7R
— Jon Keegan 🇺🇦 (@jonkeegan) August 29, 2022
Keegan also noted that the suit follows a public warning from July that the FTC “is committed to using the full scope of its legal authorities to protect consumers’ privacy” and “will vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data.”
