If you have wondered how users' physical locations can be tracked when they use mobile devices, a new white paper explains the process.

It's actually an FTC complaint, and thus a white paper only indirectly. But everything about the case is indirect. The FTC targeted a company for figuring out geolocation data by an indirect method. The agency then charged the company with indirectly misrepresenting its practices. And the case indirectly lays out important new national standards for how geolocation information may be collected.

In a nutshell, the FTC charged inMobi, a business-to-business mobile advertising provider, with misleading consumers, because while InMobi accurately told its clients (mobile app providers) how it collected and used direct geolocation information, it never explained that when direct geolocation data wasn't available, it used other data to infer a mobile device's location. Since InMobi's app developer clients didn't know that it was inferring customer locations, those clients never told their customers (mobile app users). Subsequently, the customers were misled about how they were being tracked, the FTC claimed.

Taken step by step, the case is a fascinating look at mobile apps, geolocation tracking, and how the FTC sets Internet standards.

The rise of mobile app advertising

InMobi, a Singapore company, is a giant provider of ads seen on mobile apps. Its software allows InMobi to display ads (preferably targeted ads) on those apps, and share ad revenue with each app provider. Data collected from app users is used for the ad targeting.

Often the best user data is geolocation data, and InMobi offers three categories of ads keyed to customer locations: a "now" suite based on current location, a "conditional" suite based on past customer habits (like frequent airport visits), and a "psychographic" suite based on demographics and activities in the last two months (like affluent users who have visited luxury auto dealers).

Advertisers love targeted advertising for its presumed efficiency and effectiveness, and InMobi has been very successful in ad placement. InMobi described itself as the “world's largest independent mobile advertising company,” which by February 2015 had reached over one billion unique mobile devices, 19% of them devices in North America. It served 6 billion ad requests per day.

Can location tracking be ‘too effective’?

App users have several opportunities to consent to, or to withhold consent to, use of the specific location data that their mobile devices generate. The consent mechanisms and the application program interfaces (APIs) through which this location data is provided to third parties like InMobi, vary between iOS and Android systems.

InMobi abided by consumer consents as to this direct location data. However, InMobi realized that other available data, generated when devices connect to WiFi networks, could be used to determine locations. Using this data, and its own robust data from the many app users who permitted use of their direct location data, InMobi figured out locations even for users who opted out of location data sharing.

The ability to infer locations from WiFi data wasn't a secret; it had been spelled out in a 2014 research paper by several French researchers. Nor is it startling that locations can be inferred; the FTC implicitly admitted that even readily available IP addresses can at least narrow down users to a particular city.

But the FTC considered InMobi's practice an improper end-run around user control over geolocation tracking. Without explicitly saying so, the FTC seemed to classify InMobi's WiFi tracking as simply too effective and too sneaky to be allowed.

Indirect misleading disclosures

The FTC had a problem in going after InMobi, because InMobi never dealt with mobile device users, only app developers. How could InMobi have deceived app users with whom it never dealt?

Perhaps picking up the spirit of InMobi's focus on indirect means, the FTC alleged that users were indirectly misled. Because InMobi told app developers that it complied with consumer direction on direct location data--but never revealed its indirect location tracking methods--the developers in turn never gave their users the whole story. InMobi's coyness with its app developer customers essentially led to their concealment of key facts from app users, the FTC alleged.

New rules from an inconclusive case

There is one final indirection in the InMobi case. InMobi contested the FTC's allegation that its indirect location tracking was deceptive or unlawful. Nor did it accept the FTC's indirect deception theory.

But in its investigation, the FTC found that InMobi violated the Childrens Online Privacy Protection Act (COPPA). InMobi said it had attempted to exclude any publisher's site or app containing content targeted at children under 13 years of age from interest-based, behavioral advertising, but because of a technical error, that policy was not always correctly implemented. InMobi said it corrected the mistake upon learning of it.

Ultimately the consent decree focused on the COPPA violation, and assessed damages only on that violation. But it also enjoined InMobi from continuing its geolocation inference system, and required deletion of data developed from that system. InMobi said it "proactively" decided to take this course as a matter of following best practices.

All other targeted advertising providers and mobile app developers are now on notice, through the InMobi case, that the FTC considers inferential geolocation determinations, at least at the level of sophistication followed by InMobi, to be unlawful — even though that issue was not fully litigated.

Thus, this case of indirect geolocation determination, and indirect misleading of mobile app users, has, indirectly, set a new standard in the important area of mobile app geolocation tracking.

It is the latest, and one of the most important, in the FTC's recent history of Internet standard setting through complaints and consent judgments.