Menu
EN

The tide has turned? In a historic first, US govt bans location data broker from selling sensitive data

In an important milestone, the US Federal Trade Commission (FTC) has banned a data broker from selling sensitive location data without explicit user consent.

“By securing a first-ever ban on the use and sale of sensitive location data, the FTC is continuing its critical work to protect Americans from intrusive data brokers and unchecked corporate surveillance,” the FTC spokesperson said.

The broker that has earned the dubious distinction of being the first to be penalized by the US regulator in such a way is X-Mode Social and its successor Outlogic.

The Notorious One

For those who have been following privacy news for at least a couple of years, the broker’s name might ring a few bells. X-Mode Social first gained notoriety in November 2020, when it became an unlikely co-star, along with the US military, in VICE’s Motherboard report. The report revealed that a Muslim and Quran app with almost 100 million downloads was sending granular location data to X-Mode, which, in turn, was sharing that data with US government contractors, including the US military. The news caused a huge uproar at the time, following which the Muslim app removed X-Mode’s code that was built into it and that was responsible for sending the data to the broker. The backlash was so intense that, in a rare joint effort, both Apple and Google told app developers they had to remove X-Mode’s code from their apps or else.

When things go south, one of the strategies that has become popular with businesses seeing their reputation going up in flames is to rebrand themselves — enter Meta (former Facebook) as an example. So in August 2021, after X-Mode was bought by Digital Envoy, it was rebranded Outlogic.

The bad press and ostracism from the two major app platforms was apparently not enough of a motivation for Outlogic to put guardrails in place so that nothing like this might happen to it in the future. According to the FTC’s complaint, which covers the broker’s alleged transgressions through 2021, X-Mode/Outlogic “did not have any policies in place to remove sensitive locations from the raw location data it sold” until May 2023(!).

So, what did X-Mode/Outlogic exactly do to deserve the unprecedented punishment in the US government’s eyes?

Data-harvesting on steroids

In its complaint, the FTC accuses X-Mode Social and its successor of a wide range of privacy violations, some more egregious than others. Most of X-Mode Social’s alleged transgressions stem from the fact that it had been harvesting sensitive location data from more than 300 apps via its SDK, or software development kit.

The regulator says that X-Mode would incentivize the app makers to embed its SDK into their apps “by promising the app developers passive revenue for each consumer’s mobile device that allows the SDK to collect their location data.” SDKs are pieces of code that enable the app to perform important tasks, such as tracking location. The boon for developers who embed third-party SDKs in their apps is that they don’t have to develop features from scratch, which saves them money and time. Add to that the ability to earn some passive income, and you’ve got an offer that’s hard to refuse. So the developers of these 300 apps, fitness trackers, gaming and religious apps among them, did not.

In addition, the broker also collected data from its own apps, Drunk Mode and Walk Against Humanity. On top of that, it also bought data from other data brokers and aggregators. Put all of this together and X-Mode was reaping a pretty healthy harvest of location data. According to the FTC, the broker “has ingested over 10 billion location data points from all over the world,” all while boasting it to be “70% accurate within 20 meters or less.”

What was collected and to whom it was sold?

The X-Mode’s SDK, which is how most of the sensitive location data landed the the broker’s hands, had unimpeeded access to the location data generated by the users’ devices’ OSs. Namely, the SDK would receive “precise latitude and longitude, along with a timestamp.” It then would pass this information, along with a unique identifier for the mobile device called a Mobile Advertiser ID (or MAID), to X-Mode’s servers.

That set of data could potentially reveal sensitive information about the users, such as their visits to hospitals, places of worship, addiction treatment centers, and drugstores. According to the FTC, X-Mode could not care less about how damaging a potential leak or a misuse of that information could be, as it allegedly “did not have any policies or procedures in place to remove sensitive locations from the raw location data sets it sold.”

In addition to offering the raw location data to anyone willing to buy it, X-Mode parsed the data to create “audience segments” based on a number of characteristics, including very sensitive ones. In one case, it offered a private clinical research company custom audience segments based on people’s visits to different doctors in Columbus, Ohio. On the menu were cardiology, endocrinology, and gastroenterology patients.

If a private clinical research company being the recipient of the health information that you’d probably rather kept secret does not sound bad enough (and it should), then there are even more damning revelations in the FTC’s report. Some of the data ended up with “government contractors” who would use it “for national security purposes.” Nowhere, neither in the privacy notices of third-party apps with its SDK nor in those of its own apps, X-Mode had mentioned this curious fact.

The buyers of X-Mode’s location data also included at least two companies that then resold the data to other companies in breach of their contracts with X-Mode. In this case, it’s almost impossible to track the companies that ended up with the data, since that may not even be the final destination of it. Another problem is that all these tertiary companies are not bound by whatever few restrictions X-Mode may have placed on the use of the data.

How could this data help to identify you?

Since the X-Mode would provide the data to its buyers in raw, non-anonymized form, it would be a piece of cake to identify most individual users. Knowing each user’s device’s persistent identifier (MAID), coupled with multiple time-stamped signals, it wouldn’t take Sherlock Holmes to infer a user’s place of residence based on where their phone is at night.

And we haven’t even mentioned the ability to supplement this data with information from offline sources such as public records, telephone directories, and social media — a cross-matching service offered by many data brokers.

Utilization and risks: From national security to targeted advertising

As we’ve mentioned before, some of the potential uses of this granular location data could be related to national security. That could mean anything from surveillance with the goal of thwarting potential attacks to immigration enforcement.

But a far more popular use is for advertising purposes. Advertisers amass this data to build detailed profiles of consumers in order to target them with highly relevant ads. These tend to be the most effective at getting people to part with their money.

In any case, the sale of this data, as the FTC puts it, “poses an unwarranted intrusion into the most private areas of consumers’ lives and causes or is likely to cause substantial injury” to them. Hard to argue with that.

We can only welcome the FTC’s decision to crack down on the location data selling industry. We only regret that it took them so long to do so. In our view, this move was long overdue, and the unchecked sale of users’ most sensitive data should never have been allowed.

On the other hand, the FTC did not ban the sale of such data alltogether, but rather made it subject to user opt-in. And while this may seem logical at first glance — after all, if the user wants to supply a data broker or an app with their sensitive data, then they are within their rights to go for it — it may not be as simple as it seems.

We fully expect that companies similar to X-Mode or another notorious data broker SafeGraph will continue to play users, tricking them into providing their sensitive data with the help of dark patterns and misleading notices. And we have to keep an eye out for them.

Liked this post?
By downloading the comments you agree the terms and policies

AdGuard for Windows

AdGuard for Windows is more than an ad blocker. It is a multipurpose tool that blocks ads, controls access to dangerous sites, speeds up page loading, and protects children from inappropriate content.
User Reviews: 12821
4.7 out of 5
By downloading the program you accept the terms of the License agreement
Read more

AdGuard for Mac

AdGuard for Mac is a unique ad blocker designed with macOS in mind. In addition to protecting you from annoying ads in browsers and apps, it shields you from tracking, phishing, and fraud.
User Reviews: 12821
4.7 out of 5
By downloading the program you accept the terms of the License agreement
Read more

AdGuard for Android

AdGuard for Android is a perfect solution for Android devices. Unlike most other ad blockers, AdGuard doesn't require root access and provides a wide range of app management options.
User Reviews: 12821
4.7 out of 5
By downloading the program you accept the terms of the License agreement

AdGuard for iOS

The most advanced ad blocker for Safari: it makes you forget about pop-up ads, speeds up page loading, and protects your personal data. A manual element-blocking tool and highly customizable settings help you tailor the filtering to your exact needs.
User Reviews: 12821
4.7 out of 5
By downloading the program you accept the terms of the License agreement

AdGuard Browser Extension

AdGuard is the fastest and most lightweight ad blocking extension that effectively blocks all types of ads on all web pages! Choose AdGuard for the browser you use and get ad-free, fast and safe browsing.
User Reviews: 12821
4.7 out of 5

AdGuard for Safari

Ad blocking extensions for Safari are having hard time since Apple started to force everyone to use the new SDK. AdGuard extension is supposed to bring back the high quality ad blocking back to Safari.
User Reviews: 12821
4.7 out of 5
App Store
Download
By downloading the program you accept the terms of the License agreement

AdGuard Home

AdGuard Home is a network-wide software for blocking ads & tracking. After you set it up, it’ll cover ALL your home devices, and you don’t need any client-side software for that. With the rise of Internet-Of-Things and connected devices, it becomes more and more important to be able to control your whole network.
User Reviews: 12821
4.7 out of 5

AdGuard Content Blocker

AdGuard Content Blocker will eliminate all kinds of ads in mobile browsers that support content blocker technology — namely, Samsung Internet and Yandex.Browser. While being more limited than AdGuard for Android, it is free, easy to install and still provides high ad blocking quality.
User Reviews: 12821
4.7 out of 5
By downloading the program you accept the terms of the License agreement
Read more

AdGuard Assistant

A companion browser extension for AdGuard [desktop apps](/en/products.html). It offers an in-browser access to such features as custom element blocking, allowlisting a website or sending a report.
User Reviews: 12821
4.7 out of 5
Assistant for Chrome Is it your current browser?
Install
By downloading the program you accept the terms of the License agreement
Assistant for Firefox Is it your current browser?
Install
By downloading the program you accept the terms of the License agreement
Assistant for Edge Is it your current browser?
Install
By downloading the program you accept the terms of the License agreement
Assistant for Opera Is it your current browser?
Install
By downloading the program you accept the terms of the License agreement
Assistant for Yandex Is it your current browser?
Install
By downloading the program you accept the terms of the License agreement
Assistant for Safari Is it your current browser?
If you can't find your browser, try the old legacy Assistant version, which you can find in AdGuard extension settings.

AdGuard Temp Mail β

A free temporary email address generator that keeps you anonymous and protects your privacy. No spam in your main inbox!
User Reviews: 12821
4.7 out of 5

AdGuard for Android TV

AdGuard for Android TV is the only app that blocks ads, guards your privacy, and acts as a firewall for your Smart TV. Get warnings about web threats, use secure DNS, and benefit from encrypted traffic. Relax and dive into your favorite shows with top-notch security and zero ads!
User Reviews: 12821
4.7 out of 5
Downloading AdGuard To install AdGuard, click the file indicated by the arrow Select "Open" and click "OK", then wait for the file to be downloaded. In the opened window, drag the AdGuard icon to the "Applications" folder. Thank you for choosing AdGuard! Select "Open" and click "OK", then wait for the file to be downloaded. In the opened window, click "Install". Thank you for choosing AdGuard!
Install AdGuard on your mobile device