There’s a “request for investigation” pending at the FTC that some of our readers might have missed.  The April 12 complaint, filed by Georgetown Law professor Laura Moy on behalf of the Council on American-Islamic Relations, urges the FTC to conduct a wide-ranging investigation of the location data industry.

The complaint focuses in particular on alleged abuses harming the Muslim community, including the government’s purchase of location data from popular Muslim prayer apps to conduct “warrantless surveillance” on Muslim individuals.  According to the complaint, these practices have led to a “sense of constant surveillance” that has chilled Muslims’ practice of religion, freedom of assembly, and use of technology to communicate. The allegations have broader implications, too, as they describe the “unfettered” and “surreptitious” data collection across many contexts by multiple industry actors, including the operating systems, app and SDK developers, data brokers, and participants in digital advertising’s real time bidding (RTB) process.

As I write this blogpost, the complaint does not appear to have been posted on the FTC’s website.  Although the FTC seeks public comment on petitions for rulemaking, this complaint may not fall within that process since it chiefly seeks investigations, citing rulemaking as a “longer term” goal.  (Of course, stakeholders may want to consider providing input to the FTC anyway to assist in its consideration of the issues.)       

Background on the Complainant

The Council on American-Islamic Relations (CAIR) describes itself as the nation’s largest Muslim civil liberties organization, dedicated to promoting a positive image of Muslims and defending their rights. In light of growing concerns about the link between data collection and discrimination, as well as the use of commercial data by law enforcement, its submission of this complaint is notable.

Laura Moy, who represents CAIR, is Director of Georgetown’s Communications and Technology Law Clinic and Associate Director of the Center on Privacy and Technology. (Notably President Biden’s pending nominee to the FTC, Alvaro Bedoya, a longtime critic of the “surveillance” alleged in the complaint, is Director of the latter organization).  Moy is also a faculty advisor for Georgetown’s Institute for Tech Law and Policy (where, full disclosure, I remain a Distinguished Fellow) and served on President Biden’s FTC transition team. She is a respected academic and consumer advocate whose arguments here will be taken seriously by the FTC.

Summary of the Allegations

In a nutshell, the complaint alleges that:

  • Multiple actors in the location data industry collect precise location data from individuals’ mobile devices constantly and invisibly.
  • Disclosures regarding this practice are hidden and misleading, making it impossible for reasonable individuals to understand and avoid this practice.
  • The data is readily linkable to individuals through device identifiers, and reveals highly personal details about people’s lives.
  • The data is shared freely with third parties such as the government, data collectors, and stalkers.
  • The uncontrolled collection and dissemination of this data leads to multiple forms of harm, including discriminatory advertising, “hyper-surveillance” by law enforcement, and the undermining of individuals’ choices and First Amendment rights.

The complaint contains detailed arguments as to how this conduct is deceptive and unfair, in violation of the FTC Act. While some of these arguments conflate legal requirements with the FTC’s policy recommendations, they nevertheless raise concerns that many readers will find compelling. The complaint includes many citations and concrete examples, some of which could lead to enforcement targets.

Request for FTC Action

As noted above, CAIR requests that the FTC investigate and take action against multiple entities, including:

  • App developers that include location tracking SDKs in their apps “without fully understanding and/or disclosing their data distribution capabilities, leading to users’ sensitive data being unknowingly shared with third parties…including law enforcement and potentially foreign actors.”
  • SDK developers that fail to inform apps about their location-tracking and/or ensure that the apps inform their users.
  • Mobile operating systems that fail to protect location data and/or mislead users about how it’s collected and used.
  • Participants in the RTB process that use data from the ad exchanges for non-advertising purposes.
  • Location aggregators (and other entities) that purchase and sell location data without regard to the disclosures and choices presented when the data was collected.
  • Any company that falsely claims that data is “anonymous” or that re-identifies supposedly anonymized data.

CAIR also recommends that the FTC “build on” such enforcement actions by simultaneously issuing guidance to industry on how to avoid deception. The complaint also mentions rulemaking (to require opt in for enabling ad identifiers) as a long term goal.  As alternatives, CAIR floats the idea of an FTC workshop or Section 6(b) study of the issues.

Finally, the complaint emphasizes that the FTC is the only federal agency with sufficient authority to “rein in” the numerous actors in the industry, while also suggesting the agency has been slow to act here. Of note, the complaint mentions as a “good start” efforts brought during Obama Administration, including the FTC’s 2014 data broker report and its flashlight app and In Mobi cases. (I can’t resist mentioning that I was the Bureau Director then, and that our other “good starts” included cases against Snapchat and Aaron’s, mobile health app guidance, and Congressional testimony all of which addressed concerns raised by location tracking.)

* * *

Overall, the complaint presents many issues for the FTC and stakeholders in the data ecosystem to consider, framed in a compelling way and authored by a respected source who is closely aligned with FTC nominee Bedoya. The FTC will likely pay attention.