The Federal Trade Commission (FTC) announced sweeping action against some of the most important companies in the location data industry on Tuesday, including those that power surveillance tools used by a wide spread of U.S. law enforcement agencies and demanding they delete data related to certain sensitive areas like health clinics and places of worship.
Venntel, through its parent company Gravy Analytics, takes location data from smartphones, either through ordinary apps installed on them or through the advertising ecosystem, and then provides that data feed to other companies who sell location tracking technology to the government or sells the data directly itself. Venntel is the company that provides the underlying data for a variety of other government contractors and surveillance tools, including Locate X. 404 Media and a group of other journalists recently revealed Locate X could be used to pinpoint phones that visited abortion clinics.
The FTC says in a proposed order that Gravy and Venntel will be banned from selling, disclosing, or using sensitive location data, except in “limited circumstances” involving national security or law enforcement. Sensitive locations include medical facilities, religious organizations, correctional facilities, labor union offices, schools and childcare facilities, domestic abuse and homeless support centers, shelters for refugee or immigrant populations, and military installations. The FTC also demands that the companies delete all historic location data.
The move is significant in that it targets a crucial player in the broader location data industry, but also in that it could have an impact on the surveillance of Americans by American agencies.
“Surreptitious surveillance by data brokers undermines our civil liberties and puts servicemembers, union workers, religious minorities, and others at risk,” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said in the announcement. “This is the FTC’s fourth action taken this year challenging the sale of sensitive location data, and it’s past time for the industry to get serious about protecting Americans’ privacy.” In October, independent researcher Jack Poulson reported that the FTC opened an investigation into Venntel.
In 2020, I and journalists from Norwegian media organization NRK, revealed how Venntel sourced its data at the time. It used ordinary apps installed on peoples’ smartphones, including innocuous looking weather or navigation apps. These apps collected their users location data, and then provided that to other, middlemen companies. Those firms then provide data to Gravy, which sells location data products for marketers. Gravy also owns Venntel, which then sells location data to U.S. law enforcement agencies.
The IRS, DEA, and FBI have all purchased Venntel data. So have Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE).
Venntel has also provided the data for other location data tracking products which the government buys, including Babel Street’s Locate X, according to an internal Department of Homeland Security document obtained by 404 Media. Venntel also appears to provide the data to Fog Data Science, a company that sells a similar monitoring product to local law enforcement, according to emails obtained by the Electronic Frontier Foundation.
In its announcement, the FTC said that Gravy and Venntel violated the FTC Act by “unfairly selling sensitive consumer location data, and by collecting and using consumers’ location data without obtaining verifiable user consent for commercial and government uses.” Gravy continued to use consumers’ location data even after learning that the consumers did not provide informed consent, the FTC says. “Gravy Analytics also unfairly sold sensitive characteristics, like health or medical decisions, political activities and religious viewpoints, derived from consumers’ location data,” the agency adds.
According to the FTC, Gravy and Venntel collect more than 17 billion signals from around a billion mobile devices daily.
The FTC also announced action against Mobilewalla, another location data company. In June 2020, Buzzfeed News reported that Mobilewalla monitored phones at Black Lives Matter protests. The following month, ten lawmakers urged the FTC to investigate Mobilewalla.
“I am glad that the FTC acted on my request to protect the data of U.S. military personnel stationed around the world. This was an absurd limitation in the FTC’s prior order, and the Chair and her staff should be commended for protecting the location data of our men and women in uniform,” Senator Ron Wyden told 404 Media in a statement.
Notably, the action against Mobilewalla bans it from collecting consumer data from “online advertising auctions for purposes other than participating in those auctions.” That refers to the real-time bidding (RTB) process, where instead of getting data from apps directly, companies source it by observing the advertising bidding process. This is “the first time the agency has alleged such a practice was an unfair act or practice,” the announcement reads.
An email to the press inquiries address for Unacast, which merged with Gravy last year, went undelivered.
