back to article FTC sues data broker for selling millions of people's 'precise' location info

The Federal Trade Commission has accused data broker Kochava of trampling over people's privacy by selling the "precise" whereabouts of hundreds of millions of mobile devices. The American watchdog alleged in a lawsuit that Kochava's data feeds, which are sold via publicly accessible marketplaces, reveal individuals' visits to …

  1. chuckufarley

    In the age of high tech tracking...

    ...People are better off leaving their devices at home. If you don't have a home to leave it at then turn it off and remove the battery. The "Always On" culture can only be defeated by "Tuning Out and Turning Off."

    1. Sherrie Ludwig

      Re: In the age of high tech tracking...

      Here's an idea: people who do not live at the same residence, but trust each other, could swap devices every couple of days and DELIBERATELY mess up the data.

      1. Anonymous Coward
        Anonymous Coward

        Re: In the age of high tech tracking...

        Single men ought to do this en masse. I would be quite prepared for a round of visits to abortion clinics if I lived there. Let them come then - the sheer costs of wrongful arrest lawsuits would soon end this idiocy.

      2. jmch Silver badge

        Re: In the age of high tech tracking...

        How would that work though? If someone wants to reach me, they are going to message or call my number, or my ID linked to the phone. If phone exchange also involves swapping SIMs and/or having to sign in to a messaging app or email client, these could potentially be tracked at that level.

        Far simpler to (a) use as far as possible phone apps that do not track you (eg telegram instead of whatsapp), clear out as much google stuff as possible if using Android (eg not use google search, mail, mapping etc) or even better use a de-googled phone like /e/.

        (b) simply don't take your phone if going somewhere you don't want to be tracked, or borrow someone's phone temporarily for a few hours

      3. Just Enough

        Re: In the age of high tech tracking...

        " but trust each other, could swap devices every couple of days"

        Except that would reveal to data harvesters more information about people's relationship to each other.

    2. jmch Silver badge

      Re: In the age of high tech tracking...

      "turn it off and remove the battery. "

      That latter feature is less and less available, unfortunately

      1. ThatOne Silver badge
        Devil

        Re: In the age of high tech tracking...

        Crowbar

      2. Anonymous Coward
        Anonymous Coward

        Re: In the age of high tech tracking...

        Or be a little bit paranoid and use one of these (other brands are available)

        https://www.amazon.co.uk/Mission-Darkness-Non-Window-Faraday-Phones-Black/dp/B01A7MACL2

        1. MrDamage Silver badge

          Re: In the age of high tech tracking...

          Nice t see that company has also finally added some style to the old tinfoil hat.

          https://www.amazon.co.uk/stores/page/D6C11205-88B5-4A27-AACA-DDAF0E600D8B?ingress=2&visitId=a1bb1f6c-9017-41de-8159-1dacb71c813d&ref_=ast_bln

    3. Chris the bean counter

      Re: In the age of high tech tracking...

      UK companies now offering to locate active phones anywhere in world for less than a pound.

      They are even running ads on google.

      A semi solution for the woman in the street who wants to avoid stalkers / jealous partners / wants to online date is to use a different number for whatsapp than their actual phone number and only use whatsapp for communicating with friends and rellies....many do already. Yes lots of issues with meta security etc definitely not perfect but good enough for most.

      1. Androgynous Cupboard Silver badge

        Re: In the age of high tech tracking...

        Link please!

        If as you say, that's horrendous and almost certainly illegal. But I'd be interested to know how accurate this is, how they do it, whether it works, which legal entity is behind it and whether they are UK based.

        1. Phones Sheridan Bronze badge

          Re: In the age of high tech tracking...

          A quick goog of "locate active phones anywhere in the world" gets me to this https://www.celltrack.co.uk/

  2. Anonymous Coward
    Anonymous Coward

    Android's missing firewall

    Users are told they are giving an app permission to use the data. The app is designed to do something useful with that data, so they give THE APP permission. But they are not giving the app permission, they are giving the company and its partners permission.

    You might give a messaging app, access to your contacts, thinking it will only request a contact when sending a message. Instead the app promptly slurps down all the contacts and sends them off to the company server to stich up a map of who is in contact with whom. Your contact may not have given permission to the company to have their name, but from *your* phone contact they will extract it from the phone number and the contact detail.

    There is nothing wrong with giving an app GPS location, there is everything wrong when that GPS location is remotely sent off and logged. It's the "app" that is granted permission but the "company" that is misusing it.

    Android is missing a firewall.

    Android is missing a firewall because the company that controls it, is king of the data slurpees.

    1. Anonymous Coward
      Anonymous Coward

      Re: Android's missing firewall

      I also ask you to take a good look at what Google is doing with Google Play and permissions.

      There's an upcoming one, I'll use as example: Apps that need to do something regularly call an API to set an alarm to wake them up. Google split that alarm into two, "exact" alarms for apps that need a specific wakeup and normal alarms that may be a little late or early to improve battery performance. So far so good. The new change is to break the "exact" timers if the app doesn't have an extra permission and force it to be inaccurate.

      So the app needs an exact time, it requested an exact time, it will be refused an exact time. Of course the user won't know the details of the change, it is fine detail, only that the app doesn't run properly. Notifications are late etc.

      That permission will likely be turned on by default for Google Play sourced apps that request it as other permissions have.

      I suspect that Google Play Services will turn it off for non Google Play apps, as it appears to be doing for other critical permissions (USB access and Accessibility Permssions). In effect, if the app doesn't come from Google Play, rather some other store or direct from the company, your app software is under attack from Google Play. Here I suspect you'll miss critical timing things that the app needed.

      This pattern, coupled to the other thing they're doing... forcing all transactions, even third party ones through Google Play Store. It gives them a cut of the fee, sure, but it also gives them the identity details of every Android user. Even ones that don't want to be customers of Google. Things like gift cards are being phased out, and you are being force to reluctantly get a Google Play account, simply to get software not to break, which in turn is forcing financial ID details linkable to the magic cookie (the tracking ID Android phones send as a unique device ID).

      Four other things: changing the magic cookie 'ad ID' on Android does not help. Google had your session data, you change the cookie, it now has the new cookie for that session data. It can link the two, and given Google's behavior it certainly will be doing that.

      Opting out of customized advertising is not the same as "DO NOT SEND THE UNIQUE ID". It's worded to make you think it is, but I think it still sends the ID, I believe Google still *tracks* the ID, it just doesn't serve the adverts with the same level of personalization.

      The ID is obsfucation. At any time, Google can link that ID to an account, but chooses to present you a fake view of the data it has slurped as if it cannot.

      Course position, is a lie, Google has your location to metres, the course position is sent back to you and your apps. It is not the phone that is sending a course location, it is sending the exact location to Google, Google is getting the exact position. What would you bet that the exact position is also logged against Google's magic cookie? 0.9999.... probability.

      1. chuckufarley

        Re: Android's missing firewall

        So yeah:

        Tune Out and Turn OFF.

    2. chuckufarley
      Holmes

      Re: Android's missing firewall

      Thank you, Captain Obvious. We never would have known had you not typed up such an ineloquent essay.

    3. jdiebdhidbsusbvwbsidnsoskebid Bronze badge

      Re: Android's missing firewall

      And this will all be in accordance with the EULA because of weasel words like "we may share data with trusted partners to improve our services", which translates as "we will sell your data to whoever wants to pay for it".

  3. Falmari Silver badge
    Devil

    Liar!

    From article "Kochava also said users opted into having their data collected when they installed or used apps containing tracking code."

    That's a lie, the user is giving the app permission to access data, not the developer to collect and share data. The popup on install does not ask to collect and share data* just that the app requires access to the data.

    The user has not opted into having their data collected and shared as they were never asked for permission.

    *I am not a google android user, so I am assuming that is so.

    1. ThatOne Silver badge

      Re: Liar!

      I'm willing to bet that somewhere on page 154 of the Terms & Conditions pop-up you have to agree to to use the app, there is a fleeting mention of "we might share information with our partners" (obviously to serve you better, somebody think of the children already, and other meaningless excuses).

      Since nobody reads it (and if he did, he would most likely not understand half of it), it's easy to slip in any clause you want, including the most abusive. The user accepted them, too bad for him...

      1. Frank Bitterlich

        Re: Liar!

        You forgot the mandatory "We take your privacy seriously."

        "Article 147. By reading these Terms of Service, you agree to have as much data collected about you and your activities as we technically can, including by circumventing OS-provided privacy mechanisms, and for us to sell this information to anyone who can spring enough money for it. To opt out, simply send a 8-inch floppy disk with a TIFF image of your birth certficate to our field office in Malaysia."

        Your own fault if you don't look into the bottom of the locked filing cabinet stuck in a disused lavatory with a sign on the door saying "Beware of the Leopard".

  4. Neil Barnes Silver badge

    opt-out provision

    And how long will it be before 'opt out' is the default, and not required for every well-hidden anti-patterned switch on the damn phone?

    Oh wait. That'll be never, then.

  5. hayzoos

    Install our app to get ....

    It has gotten to the point where certain businesses almost require you to have their app installed on your phone. I have taken to keeping a copy of the app installation package on my phone. I install when I need to use it, then uninstall it ASAP.

    I tried gasbuddy to see if the savings on gasoline was worth it. Nope. But, poor gasbuddy must think I live at my local gas station since that is the only place I had ever installed the app with location active.

    I treat others similarly.

    Otherwise I have very few non-intrusive apps installed. I have uninstalled bloatware or disabled if possible. I know I could go further and may if I have time.

    Not everybody has the gumption nor know how to keep these data leeches from sucking data from every move we make. Go FTC!

  6. ThatOne Silver badge
    Devil

    Privacy? What for?

    > Selling this type of personal information could cause "substantial injury to consumers" such as stalking, discrimination, job loss, and physical violence, the FTC argues.

    And I guess Kochava argues that if you have nothing to hide, you have nothing to fear...

    being sarcastic here!

  7. Anonymous Coward
    Anonymous Coward

    Forget Roe v. Wade

    Think about your wife finding out that you took yesterday off of work and spent it in a motel with someone other than her. Think about your girlfriend finding you don't spend 2 hours every day drinking in a bar, but at her sister's house. Think about a crime syndicate buying location data for people who uber their whole families to the airport. Think about your local tax authority tracking you from home to work for a month and then checking to see that your car is still locally registered and then sending a note to the tax office in your new state. Most U.S. states have laws that say if you move there, you have 30 days to get your vehicles' registration changed.

    1. jdiebdhidbsusbvwbsidnsoskebid Bronze badge

      Re: Forget Roe v. Wade

      Other than the "crime syndicate" one, those use cases are all pretty good. I'm in!

  8. Anonymous Coward
    Anonymous Coward

    Another "Post-Roe" clickbait

    At least the majority of the article was about the various privacy implications of the data being sold, instead of being solely focused on abortions. Please stop using "Post-Roe" as clickbait; the vast majority of the readers here are bright enough to realize that that's only one of the many issues with collecting and distributing private data.

    1. anonymous boring coward Silver badge

      Re: Another "Post-Roe" clickbait

      “ Please stop using "Post-Roe" as clickbait”

      Do you of many laws that encourage privacy invasion and vigilante behaviour?

      1. ThatOne Silver badge
        WTF?

        Re: Another "Post-Roe" clickbait

        > Do you of many laws that [...]

        Syntax Error

        (quite literally)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like