The ongoing public fight between the U.S. Federal Trade Commission and mobile data broker Kochava began a new round this week with the publication of the FTC's updated legal complaint. The updates paint a far more expansive picture of the alleged privacy invasions inherent in Kochava's data practices, while showcasing why the Kochava matter remains at the cutting edge of privacy enforcement.
The story of Kochava that emerges in the FTC's latest complaint is one of a data broker totally unbound by privacy norms, engaging in the wanton collection, combination and dissemination of personal profiles amounting to a "multiplying invasiveness" into consumer's private lives. Kochava, of course, fully disputes the account.
As FTC watchers and loyal readers will recall, the commission's initial complaint was dismissed by the U.S. District Court for the District of Idaho. Judge B. Lynn Winmill was not convinced the FTC's substantiated allegations were enough to articulate a plausible claim for legal relief, and so granted Kochava's motion to dismiss during the initial stage of the case.
But Winmill left the door open, offering the agency leave to amend and refile its complaint. Even knowing the odds of changing the judge's mind were stacked against it, the FTC wasted no time in re-crafting its argument. The agency's lawyers know that only by providing evidence of new facts will they be able to move to the real battle: debating the substantive merits of their allegations.
However, as the case has not proceeded to the discovery stage, they were faced with the task of crafting a new story of Kochava's alleged wrongdoing based only on their initial investigation and any public information they have learned since.
With a touch of dramatic irony, Kochava moved to keep the FTC's amended complaint from being revealed to public scrutiny, arguing that the allegations in the document were "knowingly false" and "misleading." But Judge Winmill was not convinced, ruling that Kochava had not demonstrated a compelling reason to keep the document private. At the same time, the court denied Kochava's request to sanction the FTC for filing its amended complaint, concluding that the agency's filing is not "legally unreasonable" or "factually baseless." Quoted in an article in The Record, EPIC's John Davisson colorfully described Kochava's motion as a "desperate attempt to conceal the details of its harmful business model and punish the FTC for daring to push back against data brokers."
There are a few strategic adjustments to unpack in the amended complaint. Rather than argue for two counts of unfairness under the FTC Act, the agency focuses on one — folding in its prior claims about the harms of third-party inferences among the harms that flow from the alleged "unfair use and sale of sensitive data." Judge Winmill had advised that such harms should be demonstrated to be more than "theoretically possible" privacy harms and should instead include facts that show a "significant risk" of such harms.
In the updated complaint, the FTC is careful to respond, at least indirectly, to this and other concerns expressed by the judge about the strength of the case. Judge Winmill previously agreed that mere disclosure of personal information can cause substantial injury to consumers, as required for an unfairness claim under the FTC Act, but was skeptical that Kochava's practices did this for two reasons.
First, the severity of possible harm is lessened because the data in question requires "additional inferences" to be made before it is identifiable. Accordingly, the FTC focuses its fact pattern on allegations about the actual sale and combination of data that its evidence shows, and examples of the ease at which individual consumers are in fact identifiable from unique mobile device IDs, patterns of location and other data types that Kochava allegedly sells in its data services.
The FTC relies not only on the data that it acquired from the broker in its investigation, but also on the company's marketing materials, which allegedly describe the identifiability of its datasets in explicit terms, such as that its service contains "other points to connect to and securely solve for identity" even when consumers reset their unique device IDs. The commission alleges that Kochava ensures a lack of anonymity by design, directly linking Mobile Advertising IDs to individual consumers' identifying information such that its customers can "learn sensitive information about individual consumers who are identifiable without inference or additional steps."
Second, the judge had concluded the severity of harm was lessened by the fact that this data is generally accessible through other, lawful, means. In response, the FTC throughout its complaint focuses on the alleged vastness, complexity and invasiveness of Kochava's datasets, which according to marketing materials include information about 300 million Americans, i.e., nearly the entire population of the U.S. "Kochava collects, stores, and shares information, which is often, on its face, sensitive or private, on hundreds of millions of consumers," The FTC concludes. "This information is not readily observable by the public. Kochava obtains it from a myriad of sources, including from mobile apps and other data brokers."
The renewed focus on the multivariate nature of Kochava's dataset is the most distinguishing feature of the FTC's new complaint. It is no longer just about sensitive locations, though this initial focus area gets renewed factual analysis in the complaint, including allegations that Kochava's audience segments offered to customers in fact include places they have visited, "including locations associated with 'Education,' 'Gvt. Building,' and 'Health.'"
In addition to sensitive location data, the FTC focuses on facts that highlight how the dataset allegedly reveals consumers':
- Movements throughout a "day, week, month, year, or even more, including their visits to sensitive locations."
- Familial characteristics, including by allegedly building household device graphs that include details about identifiable family members.
- Sensitive identities, including political affiliation and religious beliefs.
- Sensitive behaviors, including those inferred via the "App Graph" service, which allegedly relies on both Kochava's own SDKs and purchased datasets to include information about the usage of "over 275,000" mobile apps, which can reveal information about dating, sexuality, religious practice, and health conditions.
Importantly for privacy professionals, the FTC complaint also doubles down on its allegations about the lack of internal privacy safeguards or "any meaningful controls" at the company. The agency alleges that the company had little to no process for determining whether to approve a request for access to its data and few, if any, controls to limit the later use and sale of the data for purposes that could cause privacy harm.
All of these allegations are framed within the requirements of an unfairness claim under the FTC Act. By revealing sensitive information about consumers, the FTC argues, Kochava is causing direct privacy injuries, which are injury enough themselves, but are further compounded by other injuries such as "stigma, discrimination, physical violence, emotional distress, and other harms." Consumers allegedly cannot avoid these harms because they allegedly have no meaningful awareness that Kochava has their data and are not provided opportunities to avoid the injuries.
The court battle will rage on before a policy backdrop that is increasingly hostile to data broker practices. California's passage of the Delete Act, which will provide consumers with centralized opt-out controls from companies like Kochava, will reshape the landscape, even as DC policymakers dither.
Here's what else I'm thinking about:
- A new report is re-invigorating discussions about data broker oversight in Washington. Duke University's Sanford School of Public Policy released a report on the sale of data on U.S. military personnel, based on an investigative analysis of data brokers' processes for vetting requests to purchase personal data related to U.S. military personnel. The researchers examined over 500 websites, selected 12 data brokers to contact and eventually purchased datasets from 3 of these companies, while attempting throughout to minimize the information they revealed that would substantiate the legitimacy of their research project. The study concludes that many data brokers exhibit a "lack of robust controls" around the purchase of U.S. military data, even in some cases when the purchaser was located outside of the U.S.
- Meanwhile, the debate rages on about how to protect youth safety and privacy online. Longtime tech policy scholar and former Biden advisor Tim Wu wrote an article in The Atlantic supporting the Kids Online Safety Act. His argument immediately sparked a new round of hot takes within tech policy circles, including this detailed takedown from Mike Masnick in Tech Dirt. After passing out of committee this summer, KOSA could be considered at any time on the Senate floor, if legislators so choose, though it still does not have a counterpart bill in the House. It remains to be seen how policymakers will adjust their approach to online safety in light of potential conflicts with U.S. free speech protections.
- IAPP's annual privacy governance report is out. One of the flagship outputs from our Research and Insights team, produced thanks to support from EY, the survey-based report provides some surprising insights this year. Privacy professionals report that their teams have grown in over a third of companies in the past year, despite difficult economic conditions. They also confirm the collaborative nature of the privacy function, with 86% reporting regularly working with three or more teams within their organization.
Upcoming happenings:
- 15 Nov., 14:00 ET: New America's Open Technology Institute hosts a virtual discussion on "The Intersection of Federal Privacy Legislation & AI Governance."
Please send feedback, updates and multiplying invasions to cobun@iapp.org.