Jan 22, 2024NewsroomPrivacy / Technology

The U.S. Federal Trade Commission (FTC) is continuing to clamp down on data brokers by prohibiting InMarket Media from selling or licensing precise location data.

The settlement is part of allegations that the Texas-based company did not inform or seek consent from consumers before using their location information for advertising and marketing purposes.

“InMarket will also be prohibited from selling, licensing, transferring, or sharing any product or service that categorizes or targets consumers based on sensitive location data,” the FTC said last week.

In addition, it has been ordered to destroy all the location data it previously collected subject to users’ assent, as well as provide a mechanism for consumers to withdraw their consent and request for deletion of the information previously collected.

The development makes InMarket the second data aggregator to face a ban in as many weeks after Outlogic (formerly X-Mode Social), which faced accusations that it had sold location information that could be used to track users’ visits to medical and reproductive health clinics, places of religious worship, and domestic abuse shelters.

Like Outlogic, InMarket is said to harvest location information from its own proprietary apps like CheckPoints and ListEase, and more than 300 other third-party applications that incorporate its software development kit (SDK). These apps have been downloaded onto over 420 million unique devices since 2017.

“If the user allows access, InMarket SDK receives the device’s precise latitude and longitude, along with a timestamp and a unique mobile device identifier, as often as the mobile device’s operating system provides it — ranging from almost no collection when the device is idle, to every few seconds when the device is actively moving — and transmits it directly to [InMarket’s] servers,” the FTC complaint read.

This historical data is then used to slot consumers into nearly 2,000 segments based on the locations visited and serve tailored ads on apps that include the SDK. It also offers a product that pushes ads to consumers based on their current whereabouts, serving ads related to medicines, for example, when a person is within 200 meters of a pharmacy.

The company, which was previously exposed by The Markup in September 2021, claims to provide its “customers with access to the most accurate and precise, permission-based, SDK-derived location data available today.”

The FTC further said InMarket did little to ensure that third-party apps that embed the company’s SDK have obtained users’ express consent, noting that it failed to notify third-party apps that the location data provided through its SDK will be combined with other data points to create profiles of consumers.

To make matters worse, the company’s five-year data retention policy was described as “unnecessary to carry out the purposes for which it was collected,” and that it put customers at risk by exposing the information to other kinds of misuse.

As mitigations, InMarket “will be required to create a sensitive location data program to prevent the company from using, selling, licensing, transferring, or otherwise sharing any products or services that categorize or target consumers based on sensitive location data.”

The disclosure comes as a joint study published by Consumer Reports and The Markup found that Meta-owned Facebook gets data on individual users from thousands of companies.

On average, the company received data from 2,230 different companies for each of the 709 volunteers, with some identified by more than 7,000 companies. In all, the participants had their data shared by a whopping 186,892 companies.

One of those participants had their information coming from nearly 48,000 different companies, suggesting “unusual app usage habits” or possibly an appealing candidate for microtargeted advertising.

“The company that shared data on the largest number of participants was LiveRamp, a data broker, which shared data on 679, or about 96%, of study participants,” the study said. “A large percentage of the approximately 186,000 companies that appeared in our data appeared to be either small retailers or non-national brands (or were unidentifiable by name).”

Jan 10, 2024NewsroomPrivacy / Regulatory Compliance

The U.S. Federal Trade Commission (FTC) on Tuesday prohibited data broker Outlogic, which was previously known as X-Mode Social, from sharing or selling any sensitive location data with third-parties.

The ban is part of a settlement over allegations that the company “sold precise location data that could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters.”

The proposed order also requires it to destroy all the location data it previously gathered unless it obtains consumer consent or ensures the data has been de-identified or rendered non-sensitive as well as maintain a comprehensive list of sensitive locations and develop a comprehensive privacy program with a data retention schedule to prevent abuse.

The FTC accused X-Mode Social and Outlogic of failing to establish adequate safeguards to prevent the misuse of such data by downstream customers. The development marks the first-ever ban on the use and sale of sensitive location data.

X-Mode, which first attracted attention in 2020 for selling location data to the U.S. military, works by offering precise location data that it collects from proprietary apps and third-party apps that incorporate its software development kit (SDK) into its apps. It’s also said to have procured location data from other data brokers and aggregators.

Following the revelations in 2020, both Apple and Google urged app developers to remove the SDK from their apps or face a ban from their respective app stores.

“The raw location data that X-Mode/Outlogic has sold is associated with mobile advertising IDs, which are unique identifiers associated with each mobile device,” the FTC said. “This raw location data is not anonymized, and is capable of matching an individual consumer’s mobile device with the locations they visited.”

The agency further said that the company, until May 2023, did not have any policies in place to remove sensitive locations from the location data it sold, not only putting users’ privacy at risk, but also exposing them to potential discrimination, physical violence, emotional distress, and other harms.

The FTC also called out X-Mode for not being transparent about which entities would receive the data when a customer used a third-party app with its SDK and that it failed to ensure that these apps sought informed consumer consent to grant it permission to access their location information in the first place.

Lastly, X-Mode was alleged to have been negligent in honoring requests made by some Android users to opt out of tracking and personalized ads.

In a statement provided to news agency Reuters, Outlogic said it disagreed with the “implications” of the FTC announcement, and there was no finding it misused location data.

“I commend the FTC for taking tough action to hold this shady location data broker responsible for its sale of Americans’ location data,” U.S. Senator Ron Wyden said in a statement shared with The Hacker News.

“In 2020, I discovered that the company had sold Americans’ location data to U.S. military customers through defense contractors. While the FTC’s action is encouraging, the agency should not have to play data broker whack-a-mole. Congress needs to pass tough privacy legislation to protect Americans’ personal information and prevent government agencies from going around the courts by buying our data from data brokers.”