FTC Says Data Brokers Unlawfully Tracked Protesters and US Military Personnel

The United States Federal Trade Commission is taking action against two American data brokers accused of unlawfully trafficking in people’s sensitive location data. The data was used, the agency says, to track Americans in and around churches, military bases, and doctors’ offices, among other protected sites. It was sold not only for advertising purposes but also for political campaigns and government uses, including immigration enforcement.

Mobilewalla, a Georgia-based data broker that’s said to have digitally tracked the residents of domestic abuse shelters, is accused by the agency of purposefully tracking protesters in the wake of George Floyd’s murder in 2020. In a court filing, the FTC says Mobilewalla attempted to unmask the protesters’ racial identities by tracking their mobile devices to, for example, Hindu temples and Black churches.

The FTC also accused Gravy Analytics and its subsidiary Venntel of harvesting and exploiting consumers’ location data without consent, alleging that the company used that data to unfairly infer health decisions and religious beliefs.

According to the FTC, Gravy Analytics collected over 17 billion location signals from approximately a billion mobile devices daily. It has reportedly sold access to that data to federal law enforcement agencies such as the Department of Homeland Security, the Drug Enforcement Agency, and the Federal Bureau of Investigation.

Gravy Analytics could not be immediately reached for comment.

A spokesperson for Mobilewalla says the company’s privacy policies are constantly evolving, adding: “While we disagree with many of the FTC’s allegations and implications that Mobilewalla tracks and targets individuals based on sensitive categories, we are satisfied that the resolution will allow us to continue providing valuable insights to businesses in a manner that respects and protects consumer privacy.”

“This data can be used to identify and target consumers based on their religion,” the FTC says. The location data collected by the two companies makes it possible, the agency says, to “identify where individual consumers lived, worked, and worshipped, thus suggesting the mobile device user’s religion and routine and identifying the user’s friends and families.”

According to the two settlements, which must be finalized in court before they would go into effect, Gravy Analytics and Mobilewalla are barred from collecting sensitive location data from consumers and must delete the historical data they gathered on millions of Americans. Mobilewalla would be banned from acquiring location data and other sensitive information from online auctions known as real-time bidding exchanges, marketplaces where advertisers compete to instantaneously deliver ads to targeted consumers. This case marks the first time the FTC has moved to police the collection of data directly from an ad exchange.

In another first, the proposed Gravy Analytics settlement would introduce military installations to the list of “sensitive locations” where the FTC bans location tracking. Under the terms, the company would be prohibited from selling, disclosing, or using data drawn from these locations, which include mental health clinics, substance abuse centers, and child care service providers.

In November, a collaborative investigation by WIRED, Bayerischer Rundfunk, and Netzpolitik.org revealed that over 3 billion phone location data points, collected by a US-based data broker, exposed the movements of US military and intelligence personnel in Germany. These movements included visits to nuclear vaults and brothels. In that story, WIRED first reported on FTC chair Lina Khan’s efforts to shield US military and intelligence personnel from data brokers.

US senator Ron Wyden of Oregon, who first urged the FTC to take action against Mobilewalla in 2020, praised the announcements, calling the companies’ actions “outrageous violations of Americans’ privacy.”

“These companies enabled US government agencies to surveil Americans without a warrant and enabled foreign countries to spy on service members with just a credit card,” says Wyden, who also previously investigated Venntel with other members of Congress.

While the FTC’s orders don’t directly tackle the issue of government agencies purchasing Americans’ location data—information for which a warrant is normally required—Wyden says the cases nevertheless undermine the government’s case for allowing the purchases. The orders make clear, he says, that federal agencies are hiding behind a “flimsy claim that Americans consented to the sale of their data.”

In a statement, FTC commissioner Alvaro Bedoya notes that while surveillance conducted by private companies won’t raise the same constitutional issues as surveillance by government, the difference between the two is “porous if not irrelevant” to the people being watched. “Governments have long relied on private citizens for work that would be impractical or illegal for law enforcement,” he says.

Whether the orders against Gravy Analytics and Mobilewalla will be enforced remains to be seen. Major changes are coming to the agency under the future Trump administration—most expected to undermine years of work by Khan and her staff. Many of Donald Trump’s allies have been vocally critical of Khan’s aggressive pro-consumer approach, including Republican megadonor Elon Musk, who has taken command of an ad hoc office that will purportedly advise the White House on improving “government efficiency.”

FTC commissioner Andrew Ferguson, whose name was floated last month as a potential Khan replacement, partially concurred with the agency’s decision to bring cases against the two data brokers on Tuesday. He agreed the companies had taken insufficient steps to ensure consumer data was properly anonymized, adding that they’d failed to obtain the “meaningfully informed consent” of the consumers they targeted.

Unlike Khan, however, Ferguson argues that the companies did not run afoul of the law by “categorizing consumers based on sensitive characteristics,” such as whether they attend church or political meetings. “These are all public acts that people carry out in the sight of their fellow citizens every day,” he says.

Ferguson likewise chastised the agency for attempting to restrict the power of data brokers to target protesters specifically. “Treating attendance at a political protest as uniquely private and sensitive is an oxymoron,” he says.

In a separate action Tuesday morning, the Consumer Financial Protection Bureau announced it was taking steps to crack down on predatory data brokers that traffic in people’s financial information, calling the practice a gateway for “scamming, stalking, and spying.”

Musk, who donated more than $100 million toward Trump’s reelection, called publicly last week for the bureau to be “deleted.”