| Hi, it’s Ryan. An important update about the sale of Americans’ location data. But first… Must Reads: The Federal Trade Commission this week banned two US location-tracking companies from selling sensitive data gathered from mobile phones. The FTC accused Gravy Analytics and its subsidiary Venntel of unlawfully monitoring people without their consent as they visited health facilities and places of worship. In an order finalized Monday, the FTC said the companies must within 90 days stop selling location data that tracks people in the US as they are visiting “sensitive” places. The agency’s definition of sensitive location data also includes military installations, labor union offices and correctional facilities, among others. The companies can still provide the data to aid law enforcement agencies’ investigations, such as in cases involving national security, according to the FTC’s order. The FTC’s move came just days after Gravy Analytics suffered a hack, which resulted in a user on a Russian-language cybercrime website publishing a trove of its internal files, according to media reports. Representatives from Gravy Analytics and Venntel didn’t immediately respond to requests for comment on the FTC order or the cyberattack. The data contained a sample of more than 30 million location records showing people’s movements in towns and cities in dozens of countries, according to information provided to me by a security researcher. They are potentially highly revealing, for instance, showing individuals who visit sensitive military and intelligence facilities in North America and Europe, according to my own review and security experts’ analysis. “This breach represents one of the most concerning data leaks imaginable,” said Alon Gal, co-founder of cybersecurity firm Hudson Rock. The records could be used to trace the movement history of individuals over several years, Gal added, potentially compromising the safety of undercover agents. Such information can be bought and sold on advertising marketplaces with little oversight or regulation, and later repurposed for a wide range of purposes, including espionage, as Bloomberg News has previously reported. Gravy Analytics and Venntel were acquired last year by Virginia-based location intelligence firm Unacast, founded in 2015 by two Norwegian entrepreneurs. According to the FTC, Gravy Analytics and Venntel obtained billions of location data records every day from a variety of sources – other data brokers, the mobile advertising marketplace, and applications that harvest people’s location information from their phones and resell it. Among the hacked documents is a list of more than 13,000 apps that appear to have been sources of location data for Gravy Analytics, including popular dating, weather and shopping apps. “It should now be inescapably clear,” said Johnny Ryan, a director at the Irish Council for Civil Liberties, “that this is a privacy crisis and a serious national security vulnerability.” | 
