The U.S. Federal Trade Commission has announced $950,000 in fines for Singpore-based InMobi. The digital advertising firm tracked the locations of hundreds of millions of consumers without permission.
The FTC alleged in a complaint filed yesterday (June 22) that the firm has undermined phone carrriers' freedom of choice in regards to the collection of their location data.
InMobi claimed to give users a way to opt out, but the software was able to scan local Wi-Fi signals to infer location, even when permission wasn't given, according to the FTC complaint. That data was then used to push targeted ads (that the consumer presumably didn't want to see).
InMobi managed to short circuit users attempts at blocking location information gathering by collecting basic service ID addresses, which are essentially unique serial numbers for wireless access nodes. Those BSSIDs were then fed into a geocoder database, which was able to infer the latitude and longitude of a phone by proximity to said wireless device. And that can be done whether or not the user has given permission for the app to gather location data from the phone or not and seems to have been done whenever said explicit permission was denied.
"Defendant represented in disclosures... that it tracked the consumer's location and served geo-targeted ads only if the application developer and the consumer provided access to the location APIs and the consumer provided opt-in consent," Wednesday's complaint, which was filed in San Francisco federal court, stated. "In fact, defendant collected and used BSSID and other Wi-Fi network information to track the consumer's location and serve geo-targeted ads, regardless of the application developer's intent to include geo-targeted ads and regardless of the consumer's location settings."
According to the FTC, InMobi's advertising network touches over 1 billion devices around the world via the apps that integrate its code. Even more troubling, a large proportion of the apps InMobi is embedded in are designed for young children, which is problematic since the Children's Online Privacy Protection Act bans such data gathering.
"Collectively, hundreds of millions of consumers have downloaded the thousands of child-directed applications from which defendant collected and used personal information," the complaint stated. "Defendant collected such personal information each time an application made an ad request to their network — typically every 30 seconds when an application is in use."
InMobi will pay a civil penalty of $950,000 and delete all information it collected from children and all information collected from adults who didn't provide their consent. The settlement will further require InMobi to submit two audits every two years for the next 20 to make sure its privacy program is up to snuff. Initially, InMobi was facing a $4 million civil penalty, though that figure was reduced "based on the company's financial condition," the FTC said in a statement issued on Wednesday, without elaborating.