Two U.S. data brokers have agreed not to collect private location data on Americans as part of a pair of settlements with the U.S. Federal Trade Commission, which accused the companies of unlawfully tracking millions of people near sensitive locations like healthcare facilities and military bases.
The two settlements, announced Tuesday, will prohibit Virginia-based Gravy Analytics and Georgia-based Mobilewalla from collecting and retaining people’s sensitive granular location data. This agreement was reached after the FTC accused the two data brokers — companies that profit from collecting huge amounts of people’s personal information and selling it to others — of selling millions of identifiable location data points, including where people visited clinics and places of worship.
The FTC alleges that Gravy Analytics, along with its subsidiary Venntel, collected and used consumers’ location data for commercial and government uses without obtaining consent from the individuals. The organization allegedly continued to use this data even after learning that consumers hadn’t provided informed consent for their data to be sold.
Gravy Analytics also unfairly sold sensitive information about individuals, such as health or medical decisions, political activities and religious viewpoints, that had been derived and determined based on a person’s location data, according to the FTC’s complaint.
Mobilewalla is also accused of selling sensitive location data, including data that could reveal the identity of an individual’s private home, the U.S. federal regulator said.
The FTC alleges that Mobilewalla obtained much of this data from real-time bidding exchanges and third-party aggregators, which meant consumers did not know that the organization had obtained their personal information. This data was not anonymized, according to the complaint, and Mobilewalla is accused of having no policies in place to remove sensitive locations from the data before it sold the information to third parties.
The FTC says that Mobilewalla also used sensitive location data to develop audience segments to target consumers for advertising. For example, the company created a June 2020 report analyzing people who protested the death of George Floyd and determined the protesters’ racial backgrounds and whether they lived in the cities in which they protested, according to the FTC.
Under the two settlements announced on Monday, Gravy Analytics and Mobilewalla will no longer collect sensitive location data on consumers, and must delete the historic data they have collected on millions of Americans.
Both organizations will also have to maintain a sensitive location data program, whereby they must develop a list of sensitive locations and prevent the use, sale, license, transfer, sharing, or disclosure of consumers’ visits to those locations. These locations include medical facilities, religious organizations, schools, and correctional facilities.
Gravy Analytics and Mobilewalla did not immediately respond to TechCrunch’s questions.
This is the latest action taken by the U.S. government as the Biden administration draws to a close. On Monday, the Consumer Financial Protection Bureau proposed a new rule that would block data brokers from selling personal and financial information on Americans, including their Social Security numbers and phone numbers.
Keep reading the article on Tech Crunch
A new proposal by the Consumer Financial Protection Bureau would use a 54-year-old privacy law to impose new oversight of the data broker industry. But first, the agency must survive Elon Musk.
The Consumer Financial Protection Bureau has proposed a new rule that would block data brokers from selling personal and financial information on Americans, including their Social Security numbers and phone numbers, under the Fair Credit Reporting Act.
In proposing the new rules, months after President Biden signed an executive order to curb the sale of Americans’ private data, the U.S. consumer protection agency said it aims to “rein in” data brokers, who sidestep federal law by claiming that they are not subject to the FCRA’s legal provisions.
The CFPB’s director Rohit Chopra told reporters on a call Monday that the proposed rule would “curtail the widespread evasion” of the FCRA, which is the federal privacy law that protects personal data collected by consumer reporting agencies, like credit bureaus and tenant screening companies. The rule would also “make it clear that many of these data brokers, like credit bureaus and background check companies, are subject to federal protection under the FCRA.”
The move to close the regulatory loophole at the federal level comes at a time when data brokers face increasing scrutiny for profiteering from selling access to — and sometimes losing — vast amounts of Americans’ personal information. By acknowledging the “widespread evasion” of the federal privacy law, Chopra said the agency recognized that data brokers have long taken advantage of the law, and warned of the “staggering” problem caused by data brokers who are “making this data available to anyone willing to pay a price.”
According to the CFPB, the proposed rule would treat data brokers the same as credit bureaus and background check companies, or any other company that sells data about income or credit scores, histories, and debt payments, which are already subject to the FCRA. The proposed rule would also limit data brokers from selling information that can identify individuals, such as Social Security numbers and phone numbers, which would be covered under the FCRA going forward.
“Today’s proposed rule is a major step forward to ensure that companies trafficking in Americans’ most sensitive information face real consequences for violating long standing law and for putting people and our country at risk,” Chopra said.
The CFPB said it was proposing the new rule to “further Congress’ goal” of protecting Americans’ personal data, as intended when it voted to pass the FCRA in 1970. Since then, the United States has become the only Western democracy to not have passed nationwide data protections into law.
The proposed rule will remain public in the Federal Register until early March 2025.
It’s unclear whether the rule will last under the incoming Trump administration, which has promised widespread deregulation across the U.S. government. CFPB officials would not say, but told reporters that there was “broad bipartisan recognition that data brokers pose real dangers.”
ENGlobal Corporation, a provider of engineering and automation services to the U.S. energy sector and federal government, says it has restricted access to its IT systems following a cyberattack, limiting the company to essential business operations only.
In an 8-K filing with the SEC on Monday, Texas-based ENGlobal said it became aware of a “cybersecurity incident” on November 25. It said a threat actor accessed its systems and “encrypted some of its data files,” suggesting it was the target of a ransomware attack.
ENGlobal, whose customers include the U.S. Department of Defense and Department of Energy, said it is investigating the incident.
“The timing of restoration of full access to the Company’s IT system remains unclear,” the company said. It added that it has not yet determined whether the incident will have a material impact on its financial results.
An Apple ad-tech employee filed a lawsuit against his employer on Sunday over how the company monitors its employees, reports Semafor.
Apple wants its employees to use Apple devices for work but work-issued devices are so restricted that many employees use personal devices, or tie their work devices to their personal iCloud. To do so, the suit says, employees must allow Apple to install software that grants Apple access to search anything stored on the device or iCloud. The suit claims Apple’s policies allow it to monitor workers even when off duty. The employee claims Apple used its policies to harm his employment prospects.
The suit captures some of the challenges that many corporate workers face: How much visibility should an employer have on personal devices when used for work, or control over personal codes of conduct? Should Apple lose, it could curb the growing trend of bossware in the workplace. Apple did not comment to TechCrunch, but told Semafor that it strongly disagrees with the allegations in the suit.
For the last few years, the Polish government under Donald Tusk has been investigating the use — and alleged abuse — of Pegasus phone spyware by the previous government.
On Monday, the former head of Poland’s internal security agency Piotr Pogonowski was arrested and forcibly taken to testify before parliament, as part of the current government’s probe into the alleged spyware abuse carried out in recent years under the previous administration of the Law and Justice (PiS) party, per the Financial Times.
Pogonowski reportedly ignored three summons to testify to the Polish parliamentary committee.
In 2021, Citizen Lab and Amnesty International concluded that NSO Group’s Pegasus spyware was used against three critics of the previous Polish government, including a senator who was allegedly hacked dozens of times ahead of the 2019 parliamentary elections. In 2023, the Polish senate concluded that the use of Pegasus in the country was unlawful.