Data brokers sold sensitive location info of Americans' visits to health clinics, protests, and more


US data brokerage firms Mobilewalla and Gravy Analytics were handed down a slew of new restrictions on Tuesday after the FTC found that the Big Data companies collected and sold the precise location information of millions of Americans for years – including military members, female clinic patients, political protestors, religious worshippers, and more.

The US Federal Trade Commission announced both data brokers and their subsidiaries are now banned from handling and manipulating any data associated with military sites, healthcare facilities, churches, labor unions, and other sensitive locations.

“Persistent tracking by data brokers can put millions of Americans at risk, exposing the precise locations where service members are stationed or which medical treatments someone is seeking,” said FTC Chair Lina Khan.

ADVERTISEMENT

Data used for profiling and discriminatory marketing

The FTC complaint said the actions of both firms “not only compromised consumers’ personal privacy, but exposed them to potential discrimination, physical violence, emotional distress, and other harms” all without consumers' consent or knowledge.

The bans will restrict the companies from collecting, selling, licensing, transferring, sharing, disclosing, or using sensitive location data, except in limited circumstances, such as involving national security or law enforcement.

“The ease with which digital tools can be deployed to surveil Americans should raise serious alarm,” Khan said in a series of posts on X Tuesday.

The FTC chairwoman further noted that the actions against Mobilewalla and Gravy Analytics “mark the fourth and fifth cases the FTC has brought against the illegal sale of people's sensitive location data in the last 28 months.”

Mobilewalla paired unique identifiers with location data

ADVERTISEMENT

The Georgia-based Mobilewalla was found harvesting sensitive location data, including the identity of an individual’s private home, at a “stunning scale” by exploiting vulnerabilities found in digital ad markets, the FTC said.

From January 2018 to June 2020, Mobilewalla was said to have collected more than 500 million unique consumer advertising identifiers – identifiers that were then paired with consumers’ precise location data.

The raw non-anonymized location data could easily be used to identify a person’s mobile device and the locations they visited, according to the official complaint.

What’s more, Mobilewalla sold access to the raw data to third parties, including advertisers, other data brokers, and analytic firms, who would use the data for target marketing purposes.

The third parties would target consumers based on “sensitive characteristics – like medical conditions and religious beliefs.” This included targeting women who visited pregnancy centers or those who attended political rallies for Black Lives Matter.

In one instance, a report from June 2020 found the company racially profiled people attending rallies protesting the death of George Floyd by using the location data.

Gravy used geo-fencing to target mobile users locations

Meantime, the Virginia-based Gravy Analytic was also charged with selling characteristic profiles of consumers gleaned from their sensitive location data, including political activities, religious viewpoints, and even health or medical decisions.

Other sensitive locations mentioned included schools and childcare facilities, and services sheltering homeless, domestic abuse, refugee, or immigrant populations.

Gravy Analytics and its subsidiary Venntel – who claim to process and curate more than 17 billion signals from roughly a billion mobile devices each day – were said to use a method known as geo-fencing to gather its location data.

ADVERTISEMENT

According to the FTC complaint, the company would “create a virtual geographical boundary to identify and sell lists of consumers” based on certain characteristics, for example, people who attended certain events related to medical conditions and places of worship.

Both companies will be forced to delete all historical location data and create a functional data location program that identifies a comprehensive list of sensitive locations.

Charges in violation of the FTC Act, which prohibits unfair or deceptive commerce practices, include the unfair collection, retention, and selling of sensitive consumer information without consent and the unfair targeting of consumers based on sensitive characteristics.