In an important milestone, the US Federal Trade Commission (FTC) has banned a data broker from selling sensitive location data without explicit user consent.

“By securing a first-ever ban on the use and sale of sensitive location data, the FTC is continuing its critical work to protect Americans from intrusive data brokers and unchecked corporate surveillance,” the FTC spokesperson said.

The broker that has earned the dubious distinction of being the first to be penalized by the US regulator in such a way is X-Mode Social and its successor Outlogic.

The Notorious One

For those who have been following privacy news for at least a couple of years, the broker’s name might ring a few bells. X-Mode Social first gained notoriety in November 2020, when it became an unlikely co-star, along with the US military, in VICE’s Motherboard report. The report revealed that a Muslim and Quran app with almost 100 million downloads was sending granular location data to X-Mode, which, in turn, was sharing that data with US government contractors, including the US military. The news caused a huge uproar at the time, following which the Muslim app removed X-Mode’s code that was built into it and that was responsible for sending the data to the broker. The backlash was so intense that, in a rare joint effort, both Apple and Google told app developers they had to remove X-Mode’s code from their apps or else.

When things go south, one of the strategies that has become popular with businesses seeing their reputation going up in flames is to rebrand themselves — enter Meta (former Facebook) as an example. So in August 2021, after X-Mode was bought by Digital Envoy, it was rebranded Outlogic.

The bad press and ostracism from the two major app platforms was apparently not enough of a motivation for Outlogic to put guardrails in place so that nothing like this might happen to it in the future. According to the FTC’s complaint, which covers the broker’s alleged transgressions through 2021, X-Mode/Outlogic “did not have any policies in place to remove sensitive locations from the raw location data it sold” until May 2023(!).

So, what did X-Mode/Outlogic exactly do to deserve the unprecedented punishment in the US government’s eyes?

Data-harvesting on steroids

In its complaint, the FTC accuses X-Mode Social and its successor of a wide range of privacy violations, some more egregious than others. Most of X-Mode Social’s alleged transgressions stem from the fact that it had been harvesting sensitive location data from more than 300 apps via its SDK, or software development kit.

The regulator says that X-Mode would incentivize the app makers to embed its SDK into their apps “by promising the app developers passive revenue for each consumer’s mobile device that allows the SDK to collect their location data.” SDKs are pieces of code that enable the app to perform important tasks, such as tracking location. The boon for developers who embed third-party SDKs in their apps is that they don’t have to develop features from scratch, which saves them money and time. Add to that the ability to earn some passive income, and you’ve got an offer that’s hard to refuse. So the developers of these 300 apps, fitness trackers, gaming and religious apps among them, did not.

In addition, the broker also collected data from its own apps, Drunk Mode and Walk Against Humanity. On top of that, it also bought data from other data brokers and aggregators. Put all of this together and X-Mode was reaping a pretty healthy harvest of location data. According to the FTC, the broker “has ingested over 10 billion location data points from all over the world,” all while boasting it to be “70% accurate within 20 meters or less.”

What was collected and to whom it was sold?

The X-Mode’s SDK, which is how most of the sensitive location data landed the the broker’s hands, had unimpeeded access to the location data generated by the users’ devices’ OSs. Namely, the SDK would receive “precise latitude and longitude, along with a timestamp.” It then would pass this information, along with a unique identifier for the mobile device called a Mobile Advertiser ID (or MAID), to X-Mode’s servers.

That set of data could potentially reveal sensitive information about the users, such as their visits to hospitals, places of worship, addiction treatment centers, and drugstores. According to the FTC, X-Mode could not care less about how damaging a potential leak or a misuse of that information could be, as it allegedly “did not have any policies or procedures in place to remove sensitive locations from the raw location data sets it sold.”

In addition to offering the raw location data to anyone willing to buy it, X-Mode parsed the data to create “audience segments” based on a number of characteristics, including very sensitive ones. In one case, it offered a private clinical research company custom audience segments based on people’s visits to different doctors in Columbus, Ohio. On the menu were cardiology, endocrinology, and gastroenterology patients.

If a private clinical research company being the recipient of the health information that you’d probably rather kept secret does not sound bad enough (and it should), then there are even more damning revelations in the FTC’s report. Some of the data ended up with “government contractors” who would use it “for national security purposes.” Nowhere, neither in the privacy notices of third-party apps with its SDK nor in those of its own apps, X-Mode had mentioned this curious fact.

The buyers of X-Mode’s location data also included at least two companies that then resold the data to other companies in breach of their contracts with X-Mode. In this case, it’s almost impossible to track the companies that ended up with the data, since that may not even be the final destination of it. Another problem is that all these tertiary companies are not bound by whatever few restrictions X-Mode may have placed on the use of the data.

How could this data help to identify you?

Since the X-Mode would provide the data to its buyers in raw, non-anonymized form, it would be a piece of cake to identify most individual users. Knowing each user’s device’s persistent identifier (MAID), coupled with multiple time-stamped signals, it wouldn’t take Sherlock Holmes to infer a user’s place of residence based on where their phone is at night.

And we haven’t even mentioned the ability to supplement this data with information from offline sources such as public records, telephone directories, and social media — a cross-matching service offered by many data brokers.

Utilization and risks: From national security to targeted advertising

As we’ve mentioned before, some of the potential uses of this granular location data could be related to national security. That could mean anything from surveillance with the goal of thwarting potential attacks to immigration enforcement.

But a far more popular use is for advertising purposes. Advertisers amass this data to build detailed profiles of consumers in order to target them with highly relevant ads. These tend to be the most effective at getting people to part with their money.

In any case, the sale of this data, as the FTC puts it, “poses an unwarranted intrusion into the most private areas of consumers’ lives and causes or is likely to cause substantial injury” to them. Hard to argue with that.

We can only welcome the FTC’s decision to crack down on the location data selling industry. We only regret that it took them so long to do so. In our view, this move was long overdue, and the unchecked sale of users’ most sensitive data should never have been allowed.

On the other hand, the FTC did not ban the sale of such data alltogether, but rather made it subject to user opt-in. And while this may seem logical at first glance — after all, if the user wants to supply a data broker or an app with their sensitive data, then they are within their rights to go for it — it may not be as simple as it seems.

We fully expect that companies similar to X-Mode or another notorious data broker SafeGraph will continue to play users, tricking them into providing their sensitive data with the help of dark patterns and misleading notices. And we have to keep an eye out for them.