The Federal Trade Commission (FTC) announced a crackdown on major players in the location data industry on Tuesday, including one company selling surveillance products to an array of law enforcement agencies that use it to track individuals' precise locations, capturing visits to sensitive destinations. 

That company, Gravy Analytics, and its subsidiary Venntel, extract location data from apps on smartphones or harvest it from advertising markets. The data is then peddled to law enforcement and other government agencies. 

Gravy and Venntel are barred from selling, sharing or using sensitive location data moving forward, according to the FTC’s proposed order, which makes an exception only for “limited circumstances” tied to national security and law enforcement needs.

Separately, the FTC said another company, Mobilewalla, allegedly sold data pinpointing consumers traveling to sensitive locations. It is barred from selling such data — including where consumers’ homes are located — as part of a settlement alleging that it made such transactions without “taking reasonable steps to verify consumers’ consent,” the FTC said.

The FTC defines sensitive locations as including medical facilities, such as those relating to substance abuse, reproductive care and psychiatry; religious organizations; correctional facilities; labor union offices; homeless shelters; groups providing services based on race and ethnicity; and military sites.

Data powering the surveillance state

Venntel’s data is reportedly used by the powerful and controversial surveillance company Babel Street to power its product Locate X, which sells data locations so precise that it makes it possible for anyone to track individuals' visits to highly sensitive locations such as abortion clinics.

Gravy Analytics and Venntel say they gather more than 17 billion signals from about a billion smartphones every day, in part by obtaining the information from other data suppliers, the FTC said.

The location data the companies sell is not anonymized and can easily be used to identify individuals, according to the FTC’s complaint.

Under the FTC order, the companies will be required to erase or de-identify historic sensitive location data going back three years.

The agency’s action against Gravy and Venntel is especially striking because of how its effects will cascade down to law enforcement, which has admitted to using sensitive location data that it would only have been able to obtain with a warrant prior to the development of the robust data broker marketplace.

The complaint’s description of the exception under which the companies can continue to sell or license sensitive location data appears to significantly curtail law enforcement’s access to it by outlining that it can only be sold for “national security purposes” or to a federal law enforcement agency responding to an “imminent risk of death or serious bodily harm to a person.”

Venntel’s data, either on its own or through how it powers Babel Street, is widely used by law enforcement. 

U.S. Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE) have each contracted with Babel Street to collect location data which has been weaponized against migrants, advocates say. 

In July 2022 the ACLU released records showing that the Department of Homeland Security (DHS) used Venntel and Babel Street data to buy access to cell phone locations.

The documents the ACLU received from DHS showed that for one three-day period in 2018, the agency obtained about 113,654 location points from the data brokers. That data came from a small area in the southwest and did not capture the total volume of location data available to DHS nationwide, the ACLU said at the time.

In 2022, the FBI signed a contract worth as much as $27 million with Babel Street in exchange for 5,000 licenses to use its software.

Alleged unfair practices

The FTC says Gravy and Venntel violated the FTC Act by “unfairly selling sensitive consumer location data, and by collecting and using consumers’ location data without obtaining “verifiable user consent for commercial and government uses.”

Gravy Analytics did not stop using consumers’ location data even after it discovered that they did not give informed consent for the collection, the FTC said.

It also sold what the FTC called “sensitive characteristics,” including health or medical decisions, political activities and religious viewpoints, which it inferred from its vast trove of consumer location data.

“Surreptitious surveillance by data brokers undermines our civil liberties and puts servicemembers, union workers, religious minorities, and others at risk,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement.

Gravy allegedly also sold data products obtained through geofencing — defined as establishing a virtual geographic boundary. From there the company identified and sold lists of consumers who “attended certain events related to medical conditions and places of worship and sold additional lists that associate individual consumers to other sensitive characteristics,” the FTC said.

In addition to setting up a location data program to define and organize parameters for its data sales and no longer selling, licensing or sharing sensitive location data other than under the national security and law enforcement exceptions the order allows, Gravy and Venntel also must create a “supplier assessment program” to guarantee consumers have given consent for the collection and use of data that could show their exact location.

Finally, the companies are barred from deceiving consumers about how they review data suppliers’ compliance and consent mechanisms, disclosure language and opt-in measures as well as from misrepresenting how they gather, share or delete sensitive location data. They also will be required to be honest with consumers about whether the data they share is de-identified.

The FTC has previously taken action against three other data brokers trading in consumer location data. Those orders were meted out against Kochava for peddling data allowing people to be tracked to reproductive health clinics and other sensitive locations as well as against X-Mode, now known as Outlogic, for selling raw location data and InMarket Media for peddling precise location data. 

Mobilewalla’s alleged data abuses

The proposed settlement order against Mobilewalla sets a precedent by prohibiting the company from collecting consumer data from online advertising auctions “for purposes other than participating in those auctions.” 

“Mobilewalla exploited vulnerabilities in digital ad markets to harvest this data at a stunning scale,” FTC Chair Lina Khan said in a statement. “The FTC is cracking down on firms that unlawfully exploit people’s sensitive location data and ensuring that we protect Americans from unchecked surveillance.”

The FTC alleges that the company collected data from real-time bidding exchanges and third-party aggregators with consumers typically having no idea that the Georgia-based data broker had seized their data.

The complaint alleges that after Mobilewalla sought to place ads for clients on real-time advertising exchanges it stored the information gathered from the customer’s order.

As a result, from 2018 to 2020, Mobilewalla collected in excess of 500 million unique consumer advertising identifiers matched to their precise location data, the FTC alleged. 

“The raw location data Mobilewalla collected was not anonymized and the company doesn’t have policies to remove sensitive locations from the data set, meaning that such data could be used to identify individual consumers’ mobile devices and the sensitive locations they visited,” the FTC said in a press release. 

The agency noted that Mobilewalla sold the raw data to a variety of third parties.

The company also allegedly used sensitive location data to build audience segments its customers used for targeted advertising.

One of those audience segments allegedly analyzed protestors reacting to the death of George Floyd, a Black man killed by police, so that clients could track the protesters’ racial backgrounds and where they lived. Mobilewalla also allegedly tracked women to health clinics to sell audience segments of pregnant women.

Under the proposed order, Mobilewalla will be barred from misrepresenting how it collects and handles consumer data and how much it does to deidentify the data. The company also can no longer use or sell sensitive location data obtained from health clinics, religious organizations and other sensitive locations.

The company also is barred from keeping consumer data it captures from online advertising auctions. It must build a program listing sensitive locations in order to prevent future abuses and separately set up a privacy program subject to annual audits and to train employees.

Finally, the company is required to develop an easy way for consumers to request that their location data be deleted and to erase historic location data.