Impact: FTC Stops Data Broker X-Mode Selling Sensitive Location Data

Years ago I revealed a data broker was harvesting location data from Muslim prayer and dating apps. The FTC has now banned X-Mode from selling location data related to places of worship and other sensitive locations including family planning facilities.

In a landmark settlement, the FTC will prohibit the data broker X-Mode, now known as Outlogic, from selling location data related to sensitive locations such as places of worship, reproductive health clinics, domestic abuse shelters, and more. The move comes years after I published an investigation which found X-Mode, some of whose clients were U.S. military contractors, harvested some of its data from a massive Muslim prayer app with 98 million downloads, as well as a Muslim dating app. Naturally, those apps could provide information on people who visit places of worship.

The settlement is the FTC’s first with a data broker concerning the collection and sale of sensitive location information, according to the FTC’s announcement. “Geolocation data can reveal not just where a person lives and whom they spend time with but also, for example, which medical treatments they seek and where they worship. The FTC’s action against X-Mode makes clear that businesses do not have free license to market and sell Americans’ sensitive location data,” FTC Chair Lina M. Khan said in the announcement. “By securing a first-ever ban on the use and sale of sensitive location data, the FTC is continuing its critical work to protect Americans from intrusive data brokers and unchecked corporate surveillance.”

My 2020 investigation used a wide variety of sources and techniques to investigate X-Mode’s supply chain of data. To identify which apps were sending X-Mode location data, I performed technical analysis on the apps themselves, digging through their code for clues, and then intercepted traffic emanating from the apps to see the data transfer in action. I also spoke to app developers who were selling their users’ location data to X-Mode, some of whom were not aware who that data ended up with. (X-Mode’s business model involved encouraging app developers to bundle X-Mode code into their apps; in return X-Mode paid developers a fee based on the size of their user base.) I also spoke to the office of Senator Ron Wyden, which had found in its own investigation of X-Mode that data harvested from U.S. phones was being sold to U.S. military customers via defense contractors.