Among a flurry of privacy activity in D.C. this summer, the Federal Trade Commission (FTC) last week announced an enforcement suit against the data-broker Kochava. The FTC states that the company collected and sold information from billions of different devices, potentially revealing sensitive information—including movements to and from locations like reproductive health centers, domestic abuse shelters and places of worship.

As a result, the FTC argues that the conclusions drawn from these datasets “are likely to cause substantial injury to consumers.” Kochava counters that the FTC misunderstands Kochava’s data-handling practices, stating that it does not sell data linked to unique users, has opt-out options and that the company informs users of how their data is used (and as such, does not mislead them about their information). This situation is a stark reminder that places of worship—and their broader communities—continue to be vulnerable to both privacy and security practices that threaten their congregations’ safety. And while these communities may be exposed to third parties and external forces, they are also responsible for their own baseline defenses. As such, the case is a reminder that these communities need to bolster their data security baseline, so that even if sensitive information is exposed, they are less threatened by the consequences.

Accessibility to geolocation data could be dangerous for places of worship

The FTC’s complaint involving Kochava outlines how the geolocation information in question was—until recently—relatively easy to access, requiring only a free Amazon Web Services account and Kochava’s free data sample (in one day’s sample, that includes information from approximately 61 million mobile devices). As such, there were few systems in place to control who accessed this information (see pgs. 4, 5, 9). This indeed left information open to be purchased by just about anyone. In the case of religious communities—many of whom are no stranger to persecution—this can include perpetrators of hate crimes.

The near-surgical precision of the Kochava datasets could potentially allow for re-tracing activity to and from worship locations to residential addresses. This is aided by company-suggested use cases of information like “household mapping,” (see pg. 7) or the conclusion that grouping mobile devices by dwelling places and times suggest the existence of a household. This possibility underscores the risks with congregants’ information and how it’s linked, both in Kochava’s case and generally when it comes to information available online. While the company didn’t outright link individuals’ names and place of worship, the FTC points out that this information could easily be tied together. This possibility is especially concerning when the FBI’s 2020 hate crime statistics reported that 38 percent of anti-Jewish hate crimes, for example, occurred in a place of worship; 34 percent in cyberspace; and 9 percent in a residence or home—all locations a product like Kochava’s could help connect and map out.  

What’s at risk for faith-based communities?

As outlined in a previous article, faith-based communities face a significant challenge: they collect sensitive data from their congregation members but are often under-resourced to store and use this information securely. Consider the example of a family new to the area who registers at a local church. They might supply their nearby home address, names of each family member, each of their dates of birth and even their credit card information to set up automatic payments for weekly donations. But with churches struggling to retain volunteer forces and fill even paid staff positions, regular tasks like upkeeping parish registries can be harder to maintain. With inconsistent privacy and security over time, sensitive information can be exposed to the wild west of the internet.

Most of the FTC complaint focuses on risks to places of worship as a physical entity. But this does not consider that the nature of faith-based communities often extends far beyond the four walls of a church, mosque, temple, etc. Consider the case of a Muslim-prayer app which stoked fresh fears of Islamophobia and surveillance in its users after it was revealed that it was selling congregants’ information to a slew of third parties. On the bright side, it drove fellow worshippers to develop a privacy-minded alternative.

But faith leaders cannot rely on a headline-grabbing suit as a wake-up call to review and implement data security plans that enforce strong passwords, review user account permissions and keep up an informed relationship with third-party payments processors’ security practices. On the contrary, they need to implement such practices for their own sake.

Faith leaders need to keep progress on data security moving

This isn’t to say that communities of faith should be assumed to be defenseless or aloof to their security needs across the board. Indeed, communities of worship have increasingly placed emphasis on the issue. On the community-end, some parish-focused software companies are rolling out programs to streamline background checks processes. Additionally, the Cybersecurity and Infrastructure Security Agency issued tailored security guidance for faith-based organizations, including tabletop exercises and a self-assessment. But sustained awareness is key to continuous security, the idea that cybersecurity is not a task to cross off once and move on. Rather, it is an ongoing process that requires monitoring and risk assessment.

The suit against Kochava should remind faith leaders of the need for robust data security practices. Ensuring data is secure will help offset threats leaders have less control over. At the same time, leaders shouldn’t wait for a scare like this to assess their internal weaknesses and strengths. It’s always the right time to protect fellow worshippers to ensure their continued safety and security in their place—or app—of worship.

Image credit: Song_about_summer

Featured Publications