Data broker’s “staggering” sale of sensitive info exposed in unsealed US FTC filing: Major value in users’ data


One of the world’s largest mobile data brokers, Kochava, has lost its battle to stop the Federal Trade Commission from revealing what the FTC has alleged is a disturbing, widespread pattern of unfair use and sale of sensitive data without consent from hundreds of millions of people.

The FTC has accused Kochava of violating the FTC Act by amassing and disclosing “a staggering amount of sensitive and identifying information about consumers,” alleging that Kochava’s database includes products seemingly capable of identifying nearly every person in the United States.

According to the FTC, Kochava’s customers, ostensibly advertisers, can access this data to trace individuals’ movements—including to sensitive locations like hospitals, temporary shelters, and places of worship, with a promised accuracy within “a few meters”—over a day, a week, a month, or a year. Kochava’s products can also provide a “360-degree perspective” on individuals, unveiling personally identifying information like their names, home addresses, phone numbers, as well as sensitive information like their race, gender, ethnicity, annual income, political affiliations, or religion, the FTC alleged.

These data brokers handle massive amounts of private data. That data costs time and money to obtain, and there is clearly a market of buyers willing to pay for it. If we look at the types of data involved, it is also easy to see that this is not just about advertising.

We know that even law enforcement agencies pay these types of third parties to collect data that the agencies themselves are prohibited from collecting (for example, recently the NYT 15 Nov 2013 report re CIA collecting global data on transfers of money).

Then there are also the criminals who can purchase this information for blackmail and extortion. Most hackers will admit that their attempts start out with getting to know more about an organisation and its employees, with a view to exploiting social engineering. Even phishing e-mails are way more likely to succeed if they are personalised towards a target.

Data brokers are a serious threat to everyone, and the way that data is collected means that one person who does not care can end up exposing family and friends’ private data. The data is not collected in isolation from everyone else… effort goes into tying up all the data points with locations, times, other people, behaviours, and related information. The real value comes once all the individual pixels form a larger, clear picture.

In years past this type of business was very labour-intensive, and later computer-intensive, and as a result its value was quite delayed. With the computing power and analysis available today, combined with rich and varied data sources, it’s been taken to a whole new level. And of course, there are now online markets that even trade this data on the Dark Web.

It is also getting more and more difficult for people to effectively stay offline, as social services, banking, booking a flight, etc. all involve being registered and interacting with online systems.

The clock also never travels backwards (unless you live in a daylight-saving region) as societal “innovations” keep moving forward.

See https://arstechnica.com/tech-policy/2023/11/data-brokers-staggering-sale-of-sensitive-info-exposed-in-unsealed-ftc-filing/