On January 25, 2024, Sen. Ron Wyden (D-Ore.) released a document confirming that U.S. intelligence agencies are purchasing location information and other sensitive personal information from data brokers without data subjects’ consent. The FTC has recently gone after data brokers who collect and sell consumers’ sensitive location information without their explicit consent, and intelligence agencies are purchasing from these data brokers information that would normally require a warrant to obtain. Businesses need to be careful about what happens to sensitive consumer data and protect themselves against the risk that, absent strong agreements, this data falls into the hands of data brokers.
In a letter to Director of National Intelligence Avril Haines, Sen. Wyden shows, for example, that the National Security Agency (NSA) is purchasing Americans’ browsing data from data brokers without obtaining a warrant, and he released a declassified letter from the Department of Defense. In his letter, Sen. Wyden calls on the U.S. intelligence community to “take steps to ensure that U.S. intelligence agencies only purchase data about Americans obtained through lawful means.” He says these data brokers operate in a “legal gray area,” and he argues that both data brokers and U.S. intelligence agencies seek to keep these practices from public knowledge.
In a letter to Sen. Wyden, the NSA said certain types of “commercially available information” provide valuable information that is important to U.S. intelligence agencies as part of critical national security missions, including protecting the U.S. defense industrial base. The NSA has acknowledged purchasing commercially available netflow (non-content) data related to domestic Internet communications. In a letter to Sen. Wyden, Under Secretary of Defense Ronald Moultrie said that various agencies, including the NSA, “purchase commercial data containing information related to cell phones in and outside the United States.”
Senator Wyden argued that “the U.S. government should not fund and legalize a shady industry whose flagrant invasions of Americans’ privacy are not only unethical, but illegal.” He points to the FTC’s recent enforcement actions against data brokers X-Mode Social and its successor, Outlogic, LLC (“X-Mode”). The FTC alleged that X-Mode sold raw location data without consumer consent and failed to provide reasonable safeguards against the use of this information by third parties. This data is highly sensitive because it may be used to track visits to locations such as health care facilities, places of worship, domestic violence centers, and reproductive health clinics. The FTC order under this enforcement action prohibits X-Mode from selling or sharing this sensitive location data. This is the first settlement with a data broker over the sale of sensitive location information.
According to the FTC, one of the ways X-Mode collected this precise location data was through a software development kit (SDK) that X-Mode sold to third-party mobile apps. An SDK is a collection of app development tools that mobile app developers can use to enable various features within their mobile apps. These tools may also enable the transmission of data, including personal data, from the mobile app in which they are embedded. To encourage mobile app developers to incorporate the X-Mode SDK into their apps, X-Mode promised passive revenue for each mobile device that allows the SDK to collect location data. The FTC alleges that X-Mode provided app publishers and other companies with incomplete or misleading notices about its data practices and did not check whether publishers had obtained consent to allow X-Mode access to sensitive location data.
This highlights how the use of third-party SDKs creates a risk for mobile app publishers: personal data could be disclosed to SDK providers and others and used by those recipients in ways the publisher did not expect. If these disclosures or uses are inconsistent with the mobile app provider’s privacy policy or applicable legal standards, this may result in liability and compliance risks.
There are several steps companies can take to protect themselves from these risks. First, companies publishing mobile applications need to ensure that they understand, at a technical level of detail, what data flows from the application through SDKs and other third-party tools. Second, businesses must enter into agreements with service providers that limit the use of consumers’ personal information to what is necessary to perform the service and that otherwise comply with the legal standards for service provider agreements. Third, companies should consider what level of transparency is necessary or, even where it is not necessary, what level is desirable from a consumer relationship and brand reputation perspective, and whether they need to obtain consumer consent.