The NBA, MLB and La Liga place bets on NFTs

“You are going to [Kochava] if you don’t trust your partners and want to track raw data [mobile app installs and advertising]said a digital ad tech practitioner who has worked with Kochava on behalf of an advertiser client in the past, and asked not to be named in the story.

Now the FTC is cracking down on the unintended consequences of this dark chaos.

In its complaint against Kochava, the FTC alleged that location data sold by the company — which was readily available for purchase in places such as Amazon’s AWS Data Marketplace — was provided in a form that could identify people who visit sensitive places such as reproductive health or addiction. rehabilitation centers, places of religious worship or shelters for the homeless or victims of domestic violence.

Plausible deniability of data

Kochava says its advertising and app measurement services are separate from its data marketplace business, which is at the heart of the FTC’s complaint. The company says each company lives in a separate cloud instance managed under separate accounts.

Kochava won’t reveal where the data sold in this marketplace comes from, according to a source familiar with the company’s strategy. In fact, in some cases, even the company itself does not know.

As is de rigeur in the opaque mobile location data industry, partnerships are almost always obscured by non-disclosure agreements. Companies that sell location data or provide other types of data services often do not reveal the original sources of the information they collect, package and sell.

When Kochava launched its marketplace business in 2017, the company said the data that would be sold there would come from its free app analytics service, mobile ad networks and app publishers and other partners. . At the time, the company only named one data provider that aimed to monetize its data by partnering with Kochava: AreaMetrics, a consumer-facing mobile app that offered location-based restaurant reviews.

But Kochava said it only derives precise location data sold in its marketplace from data brokers and does not obtain precise location data sold in its marketplace from direct relationships with data providers. with application publishers or through its free analysis product.

Yet Kochava wants legal protection for taking these steps. It currently requires companies using this free analytics product to agree to a license and service agreement that requires them to include text language in their privacy policies stating that they collect and may sell personal information, including identifiers, geolocation data and inferences drawn from these categories. Kochava also requires companies using its free analytics service to obtain user consent to collect precise location data and share or sell it to third parties.

Media companies and app developers have strong incentives to give location data vendors access to data derived from their apps. On the one hand, allowing access to information helps determine where people are or have been, which makes the advertising inventory that app publishers sell more valuable to advertisers who pay more for ads targeted by location.

Allowing access to this data could also generate additional revenue streams with little additional work for the publisher. Typically, location data providers pay publishers based on the number of unique data signals they provide. For example, they can pay a flat fee for location data points associated with 1,000 app users.

FTC cracks down on unintended data use

Following the Supreme Court’s overturning of Roe v. Wade earlier this year, more and more people began to realize that location data is often packaged and sold and can be used to identify people. Now that states across the country are penalizing people for obtaining abortions, the digital fingerprints their phones create when they visit health clinics and other sensitive places have serious legal implications in the real world.

With location data coming under increased scrutiny, digital ad groups and data providers have begun to respond by limiting its use. Location data vendors SafeGraph and said they would stop selling data associated with reproductive health center locations. Google also now removes location data from sensitive places, including abortion clinics.

Last month, Kochava himself said he would begin removing precision geolocation data associated with health service locations from the end of the third quarter of this year. The company will also allow users to register to prevent the use, sharing or purchase of sensitive location data on its data marketplace.

Kochava’s system connects with big names in Big Tech, including Amazon, Facebook, Google, Snapchat and TikTok, to enable advertising and advertising-related services on their properties. For example, Google counts Kochava as an in-app attribution partner.

Meanwhile, companies that build apps with millions of daily users, including Disney, Instagram and Major League Baseball, are all publicly listed by Kochava as in-app partners. But rather than representing Kochava’s customers or contractual partners, the list of “partners” simply represents the ad technology vendors and media companies that Kochava’s measurement system can recognize and flag when it receives information about the advertising performance of its advertiser clients.

Nonetheless, the list of hundreds of companies, most of which pass data between multiple ad systems to enable targeted advertising, is a visible symbol of a labyrinthine mobile ad ecosystem – one of the pillars of the FTC as part of the digital data surveillance industry it targets. to chain. In its complaint, the agency included information from Kochava’s own data sales materials showing that it sold precise latitudinal and longitudinal map coordinates collected at a specific time and associated with device identifiers indicating when a device was present at a given location.

“What the FTC suggested about Kochava is technologically entirely plausible,” said another vice president of the ad tech company who asked not to be named in this story.

While advertisers have entirely different uses for this type of data – such as understanding how their ad campaigns have helped increase app downloads or product sales, or whether people in a certain area have passed through a billboard – the FTC aims to highlight unintended uses of precise location data that is accompanied by timestamps and may be attached to device identifiers, especially when readily available for sale to the public.

“The sale of such data constitutes an unwarranted intrusion into the most private areas of consumers’ lives and causes or is likely to cause substantial harm to consumers,” the FTC complaint said.

The complaint describes a process that can be used to decipher someone’s identity when location data includes times when devices appeared in a certain location, as Kochava’s data does.

First, the home address associated with a mobile device is detected by data patterns showing that a device has lingered at a specific location for several hours overnight, indicating that it is ‘a residence. This residential address can then be combined with a person’s name, contact information, and other demographic information. Through this series of data matches, visits to a specific location can then be linked to an identified person.

“What the FTC suggested about Kochava is technologically entirely plausible,” said another vice president of the ad tech company who asked not to be named in this story.

Kochava fights

The identification process described by the FTC involves some research. But before the FTC announced its complaint against the company last week, Kochava filed its own lawsuit against the agency arguing that the company is not liable if the data it sells is used to identify someone. Instead, he argues that the onus is on consumers to protect their data.

Kochava’s lawsuit states that “the consumer agreed to share their location data with an app developer. As such, the consumer should reasonably expect this data to contain the consumer’s locations, even those locations that they deem sensitive. Prior to data collection, a disclaimer or warning was also provided to a consumer regarding the collection of data from all locations, including the most sensitive ones. »

Essentially, Kochava thinks he shouldn’t be at fault if people combine the data he sells with other information.

“We don’t take lightly being thrown into a political fight that we have no reason to be in the ring for. We know the regulatory road ahead of us is likely to be long and winding. We are taking regulatory compliance very seriously at Kochava, and we will not sit idly by and allow the reputation of our company and our community to be damaged. We will not tolerate this and we are grateful to have all of our supporters in our corner as long as we are in this fight,” Kochava CEO Charles Manning wrote in a company blog post on September 1.

As Congress has failed to curb the use of digital data that fuels advertising-driven business models, facilitating what many call the “surveillance economy,” the FTC should continue its aggressive approach to regulating data usage.

The commission will hold a public forum on trade surveillance on Thursday.

“Mass surveillance has increased the risks and stakes of error, deception, manipulation and other abuses,” the agency said. “The Federal Trade Commission is asking the public to determine whether new rules are needed to protect the privacy and information of individuals in the commercial surveillance economy.”

Neal T. Doss