The Federal Trade Commission (FTC) announced a crackdown on major

The Federal Trade Commission (FTC) announced a crackdown on major
players in the location data industry on Tuesday, including one company
selling surveillance products to an array of law enforcement agencies
that use it to track individuals' precise locations, capturing visits
to sensitive destinations.

That company, Gravy Analytics, and its subsidiary Venntel, extract
location data from apps on smartphones or harvest it from advertising
markets. The data is then peddled to law enforcement and other
government agencies.

Gravy and Venntel [1]are barred from selling, sharing or using
sensitive location data moving forward, according to the FTC’s proposed
order, which makes an exception only for “limited circumstances” tied
to national security and law enforcement needs.

Separately, [2]the FTC said another company, Mobilewalla, allegedly
sold data pinpointing consumers traveling to sensitive locations. It is
barred from selling such data — including where consumers’ homes are
located — as part of a settlement alleging that it made such
transactions without “taking reasonable steps to verify consumers’
consent,” the FTC said.

The FTC defines sensitive locations as including medical facilities,
such as those relating to substance abuse, reproductive care and
psychiatry; religious organizations; correctional facilities; labor
union offices; homeless shelters; groups providing services based on
race and ethnicity; and military sites.

Data powering the surveillance state

Venntel’s data is reportedly [3]used by the [4]powerful and
controversial surveillance company Babel Street to power its product
Locate X, which sells data locations so precise that it makes it
possible for anyone to [5]track individuals' visits to highly sensitive
locations such as abortion clinics.

Gravy Analytics and Venntel say they gather more than 17 billion
signals from about a billion smartphones every day, in part by
obtaining the information from other data suppliers, the FTC said.

The location data the companies sell is not anonymized and can easily
be used to identify individuals, according to the FTC’s complaint.

Under the FTC order, the companies will be required to erase or
de-identify historic sensitive location data going back three years.

The agency’s action against Gravy and Venntel is especially striking
because of how its effects will cascade down to law enforcement, which
has admitted to using sensitive location data that it would only have
been able to obtain [6]with a warrant prior to the development of the
robust data broker marketplace.

The [7]complaint’s description of the exception under which the
companies can continue to sell or license sensitive location data
appears to significantly curtail law enforcement’s access to it by
outlining that it can only be sold for “national security purposes” or
to a federal law enforcement agency responding to an “imminent risk of
death or serious bodily harm to a person.”

Venntel’s data, either on its own or through how it powers Babel
Street, is widely used by law enforcement.

U.S. Customs and Border Protection (CBP) and Immigration and Customs
Enforcement (ICE) have each contracted with Babel Street to collect
location data which has been weaponized against migrants, advocates
say.

In July 2022 the ACLU released records showing that the Department of
Homeland Security (DHS) used Venntel and Babel Street data to buy
access to cell phone locations.

The documents the ACLU received from DHS showed that for one three-day
period in 2018, the agency obtained about 113,654 location points from
the data brokers. That data came from a small area in the southwest and
did not capture the total volume of location data available to DHS
nationwide, the ACLU [8]said at the time.

In 2022, the FBI [9]signed a contract worth as much as $27 million with
Babel Street in exchange for 5,000 licenses to use its software.

Venntel and its parent company did not respond to multiple requests for
comment.

Alleged unfair practices

The FTC says Gravy and Venntel violated the FTC Act by “unfairly
selling sensitive consumer location data, and by collecting and using
consumers’ location data without obtaining “verifiable user consent for
commercial and government uses.”

Gravy Analytics did not stop using consumers’ location data even after
it discovered that they did not give informed consent for the
collection, the FTC said.

It also sold what the FTC called “sensitive characteristics,” including
health or medical decisions, political activities and religious
viewpoints, which it inferred from its vast trove of consumer location
data.

“Surreptitious surveillance by data brokers undermines our civil
liberties and puts servicemembers, union workers, religious minorities,
and others at risk,” Samuel Levine, director of the FTC’s Bureau of
Consumer Protection, said in a statement.

Gravy allegedly also sold data products obtained through geofencing —
defined as establishing a virtual geographic boundary. From there the
company identified and sold lists of consumers who “attended certain
events related to medical conditions and places of worship and sold
additional lists that associate individual consumers to other sensitive
characteristics,” the FTC said.

In addition to setting up a location data program to define and
organize parameters for its data sales and no longer selling, licensing
or sharing sensitive location data other than under the national
security and law enforcement exceptions the order allows, Gravy and
Venntel also must create a “supplier assessment program” to guarantee
consumers have given consent for the collection and use of data that
could show their exact location.

Finally, the companies are barred from deceiving consumers about how
they review data suppliers’ compliance and consent mechanisms,
disclosure language and opt-in measures as well as from misrepresenting
how they gather, share or delete sensitive location data. They also
will be required to be honest with consumers about whether the data
they share is de-identified.

The FTC has previously taken action against three other data brokers
trading in consumer location data. Those orders were meted out against
[10]Kochava for peddling data allowing people to be tracked to
reproductive health clinics and other sensitive locations as well as
against [11]X-Mode, now known as Outlogic, for selling raw location
data and [12]InMarket Media for peddling precise location data.

Mobilewalla’s alleged data abuses

The proposed settlement order against Mobilewalla sets a precedent by
prohibiting the company from collecting consumer data from online
advertising auctions “for purposes other than participating in those
auctions.”

“Mobilewalla exploited vulnerabilities in digital ad markets to harvest
this data at a stunning scale,” FTC Chair Lina Khan said in a
statement. “The FTC is cracking down on firms that unlawfully exploit
people’s sensitive location data and ensuring that we protect Americans
from unchecked surveillance.”

The FTC alleges that the company collected data from real-time bidding
exchanges and third-party aggregators with consumers typically having
no idea that the Georgia-based data broker had seized their data.

The [13]complaint alleges that after Mobilewalla sought to place ads
for clients on real-time advertising exchanges it stored the
information gathered from the customer’s order.

As a result, from 2018 to 2020, Mobilewalla collected in excess of 500
million unique consumer advertising identifiers matched to their
precise location data, the FTC alleged.

“The raw location data Mobilewalla collected was not anonymized and the
company doesn’t have policies to remove sensitive locations from the
data set, meaning that such data could be used to identify individual
consumers’ mobile devices and the sensitive locations they visited,”
the FTC said in a press release.

The agency noted that Mobilewalla sold the raw data to a variety of
third parties.

The company also allegedly used sensitive location data to build
audience segments its customers used for targeted advertising.

One of those audience segments allegedly analyzed protestors reacting
to the death of George Floyd, a Black man killed by police, so that
clients could track the protesters’ racial backgrounds and where they
lived. Mobilewalla also allegedly tracked women to health clinics to
sell audience segments of pregnant women.

A spokesperson for Mobilewalla said in a statement that the company
“respects consumer privacy and has been evolving our privacy
protections throughout our history as a company.”

“While we disagree with many of the FTC’s allegations and implications
that Mobilewalla tracks and targets individuals based on sensitive
categories, we are satisfied that the resolution will allow us to
continue providing valuable insights to businesses in a manner that
respects and protects consumer privacy.”

Under the proposed order, Mobilewalla will be barred from
misrepresenting how it collects and handles consumer data and how much
it does to deidentify the data. The company also can no longer use or
sell sensitive location data obtained from health clinics, religious
organizations and other sensitive locations.

The company also is barred from keeping consumer data it captures from
online advertising auctions. It must build a program listing sensitive
locations in order to prevent future abuses and separately set up a
privacy program subject to annual audits and to train employees.

Finally, the company is required to develop an easy way for consumers
to request that their location data be deleted and to erase historic
location data.

Get more insights with the

Recorded Future

Intelligence Cloud.

[14]Learn more.

No previous article

No new articles

[15]Suzanne Smalley
[16]

Suzanne Smalley

is a reporter covering privacy, disinformation and cybersecurity policy
for The Record. She was previously a cybersecurity reporter at
CyberScoop and Reuters. Earlier in her career Suzanne covered the
Boston Police Department for the Boston Globe and two presidential
campaign cycles for Newsweek. She lives in Washington with her husband
and three children.

References

1. https://www.ftc.gov/news-events/news/press-releases/2024/12/ftc-takes-action-against-gravy-analytics-venntel-unlawfully-selling-location-data-tracking-consumers?utm_source=govdelivery
2. https://www.ftc.gov/news-events/news/press-releases/2024/12/ftc-takes-action-against-mobilewalla-collecting-selling-sensitive-location-data?utm_source=govdelivery
3. https://www.vice.com/en/article/location-data-apps-drone-strikes-iowa-national-guard/
4. https://epic.org/documents/epic-foia-cbp-babel-street-location-tracking-service/
5. https://www.404media.co/inside-the-u-s-government-bought-tool-that-can-track-phones-at-abortion-clinics/
6. https://therecord.media/data-brokers-legislation-government-purchases-cai
7. https://www.documentcloud.org/documents/25431000-2123035gravyanalyticsorder-1/
8. https://www.aclu.org/press-releases/new-records-detail-dhs-purchase-and-use-vast-quantities-cell-phone-location-data-0
9. https://www.washingtonpost.com/politics/2022/04/05/fbi-is-spending-millions-social-media-tracking-software/
10. https://therecord.media/ftc-complaint-against-kochava-unsealed
11. https://therecord.media/ftc-settles-case-geolocation-data-broker-xmode-outlogic
12. https://therecord.media/ftc-settles-data-broker-case-geolocation
13. https://www.documentcloud.org/documents/25431008-2023196mobilewallacomplaint/
14. https://www.recordedfuture.com/platform?mtm_campaign=ad-unit-record
15. https://therecord.media/author/suzanne-smalley
16. https://therecord.media/author/suzanne-smalley