FTC bans X-Mode from selling phone location data, and orders firm to delete collected data

by with No Comment Tech

A street map with location dots on top.

Image Credits: Getty Images

The U.S. Federal Trade Commission has banned the data broker X-Mode Social from sharing or selling users’ sensitive location data, the federal regulator said Tuesday.

The first of its kind settlement prohibits X-Mode, now known as Outlogic, from sharing and selling users’ sensitive information to others. The settlement will also require the data broker to delete or destroy all the location data it previously collected, along with any products produced from this data, unless the company obtains consumer consent or ensures the data has been de-identified.

X-Mode buys and sells access to the location data collected from ordinary phone apps. While just one of many organizations in the multibillion-dollar data broker industry, X-Mode faced scrutiny for selling access to the commercial location data of Americans’ past movements to the U.S. government and military contractors.

Soon after, Apple and Google told developers to remove X-Mode from their apps or face a ban from the app stores.

The FTC alleged that X-Mode sold precise location data that could be used to track people’s visits to sensitive locations, such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters.

The regulator also alleged that the data broker failed to remove the sensitive locations from the raw location data it sold to third-parties and did not implement “reasonable or appropriate safeguards” against downstream use of this precise location data. For at least one of its contracts, the FTC said that X-Mode provided an unnamed private clinical research company with information about consumers who had visited certain medical facilities, pharmacies or specialty infusion centers within a geographic area across Columbus, Ohio.

X-Mode also failed to ensure that users of its own apps — Drunk Mode and Walk Against Humanity — were fully informed about how their precise location data would be used, the FTC said.

“The information revealed through the location data that X-Mode/Outlogic sold not only violated consumers’ privacy but also exposed them to potential discrimination, physical violence, emotional distress, and other harms,” the FTC said in a statement.

“Geolocation data can reveal not just where a person lives and whom they spend time with but also, for example, which medical treatments they seek and where they worship,” said FTC chair Lina M. Khan. “The FTC’s action against X-Mode makes clear that businesses do not have free license to market and sell Americans’ sensitive location data.”

“By securing a first-ever ban on the use and sale of sensitive location data, the FTC is continuing its critical work to protect Americans from intrusive data brokers and unchecked corporate surveillance,” said Khan.

As per the FTC’s order, X-Mode must also implement procedures to ensure that recipients of its location data do not associate the data with locations that provide services to LGBTQIA+ people, provide a simple way for consumers to withdraw their consent for the collection and use of their location data and establish and implement a comprehensive privacy program that protects the privacy of consumers’ personal information.

A statement given to TechCrunch by public relations firm Broadsheet, which represents Outlogic, reads: “We disagree with the implications of the FTC press release. After a lengthy investigation, the FTC found no instance of misuse of any data and made no such allegation. Since its inception, X-Mode has imposed strict contractual terms on all data customers prohibiting them from associating its data with sensitive locations such as healthcare facilities. Adherence to the FTC’s newly introduced policy will be ensured by implementing additional technical processes and will not require any significant changes to business or products.”

Sen. Ron Wyden, whose office first revealed that X-Mode had sold location data to U.S. military contractors, said in response to the FTC’s findings: “I commend the FTC for taking tough action to hold this shady location data broker responsible for its sale of Americans’ location data.”

Updated with comment from Outlogic and Ron Wyden’s office.

Location broker X-Mode continues to track users despite app store bans

a geofence warrant that spans from Fortuna Avenue to Leavenworth Street in San Francisco

A geofence warrant typo cast a location dragnet spanning two miles over San Francisco

by with No Comment Tech

a geofence warrant that spans from Fortuna Avenue to Leavenworth Street in San Francisco

Image Credits: TechCrunch / via ACLU (opens in a new window)

Civil liberties advocates have long argued that “geofence” search warrants are unconstitutional for their ability to ensnare entirely innocent people who were nearby at the time a crime was committed. But errors in the geofence warrant applications that go before a judge can violate the privacy of vastly more people — in one case almost two miles away.

Attorneys at the ACLU of Northern California found what they called an “alarming error” in a geofence warrant application that “resulted in a warrant stretching nearly two miles across San Francisco.” The error, likely caused by a typo, allowed the requesting law enforcement agency to capture information on anyone who entered the stretch of San Francisco erroneously marked on the search warrant.

“Many private homes were also captured in the massive sweep,” wrote Jake Snow, ACLU staff attorney, in a blog post about the findings.

It’s not known which law enforcement agency requested the nearly two-mile-long geofence warrant, or for how long the warrant was in effect. The attorneys questioned how many other geofence warrant application mistakes had slipped through and resulted in the return of vastly more data in error.

Geofence warrants, also known as reverse location warrants, allow law enforcement agencies to seek a court order requesting data from tech companies that store vast amounts of location data on its users, like Google, to demand information on which devices were in a particular geographic area at a certain point in time, such as when and where a crime was carried out. Google revealed in 2021 that geofence warrants made up about one-quarter of all U.S. legal demands it received in the space of a few years.

The ACLU attorneys reviewed thousands of geofence warrants filed in San Francisco Criminal Court that were issued over three years between 2018 and mid-2021, which they say was likely only a fraction of geofence warrants used in San Francisco during that time. The attorneys warned that the reach of geofence warrants when surveilling in busy urban areas — San Francisco is one of the most densely populated U.S. cities — often include homes and apartment buildings, busy thoroughfares and places of worship.

The attorneys said they also found a geofence warrant that included four places of worship over a couple of streets in San Francisco’s Bret Harte neighborhood, allowing police to determine “where you were and who you were with” during the time that the warrant was in effect.

Another geofence warrant over a three-block area in downtown San Francisco captured anyone who was in the Le Méridien hotel or three nearby banks despite having no connection to the alleged criminal sought in the warrant. A review of the area by TechCrunch shows the geofence area also includes the headquarters of software giant Oracle and several busy pubs and restaurants.

“Whether you were in your hotel room or grabbing a salad at Mixt Greens on Commercial Street — with no connection at all to any criminal activity — your location information might well have been shared with the police,” ACLU’s Snow wrote.

The attorneys’ findings also showed the geofence warrants disproportionately targeted certain San Francisco neighborhoods more than others, particularly immigrant-heavy areas like Portola.

Google said in December it would begin storing users’ location data on their devices, effectively ending its ability to respond to geofence warrants going forward by forcing law enforcement agencies to seek the data directly from the device owners. Other tech companies that store troves of users’ location data — like Uber, Microsoft and Yahoo (which owns TechCrunch) — are known to receive geofence warrants.

Courts remain divided on whether geofence warrants comply with Fourth Amendment protections against unreasonable searches and seizures, with an eventual legal challenge likely to end up before the U.S. Supreme Court.

Google moves to end geofence warrants, a surveillance problem it largely created

FTC bans X-Mode from selling phone location data, and orders firm to delete collected data

by with No Comment Tech

A street map with location dots on top.

Image Credits: Getty Images

The U.S. Federal Trade Commission has banned the data broker X-Mode Social from sharing or selling users’ sensitive location data, the federal regulator said Tuesday.

The first of its kind settlement prohibits X-Mode, now known as Outlogic, from sharing and selling users’ sensitive information to others. The settlement will also require the data broker to delete or destroy all the location data it previously collected, along with any products produced from this data, unless the company obtains consumer consent or ensures the data has been de-identified.

X-Mode buys and sells access to the location data collected from ordinary phone apps. While just one of many organizations in the multibillion-dollar data broker industry, X-Mode faced scrutiny for selling access to the commercial location data of Americans’ past movements to the U.S. government and military contractors.

Soon after, Apple and Google told developers to remove X-Mode from their apps or face a ban from the app stores.

The FTC alleged that X-Mode sold precise location data that could be used to track people’s visits to sensitive locations, such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters.

The regulator also alleged that the data broker failed to remove the sensitive locations from the raw location data it sold to third-parties and did not implement “reasonable or appropriate safeguards” against downstream use of this precise location data. For at least one of its contracts, the FTC said that X-Mode provided an unnamed private clinical research company with information about consumers who had visited certain medical facilities, pharmacies or specialty infusion centers within a geographic area across Columbus, Ohio.

X-Mode also failed to ensure that users of its own apps — Drunk Mode and Walk Against Humanity — were fully informed about how their precise location data would be used, the FTC said.

“The information revealed through the location data that X-Mode/Outlogic sold not only violated consumers’ privacy but also exposed them to potential discrimination, physical violence, emotional distress, and other harms,” the FTC said in a statement.

“Geolocation data can reveal not just where a person lives and whom they spend time with but also, for example, which medical treatments they seek and where they worship,” said FTC chair Lina M. Khan. “The FTC’s action against X-Mode makes clear that businesses do not have free license to market and sell Americans’ sensitive location data.”

“By securing a first-ever ban on the use and sale of sensitive location data, the FTC is continuing its critical work to protect Americans from intrusive data brokers and unchecked corporate surveillance,” said Khan.

As per the FTC’s order, X-Mode must also implement procedures to ensure that recipients of its location data do not associate the data with locations that provide services to LGBTQIA+ people, provide a simple way for consumers to withdraw their consent for the collection and use of their location data and establish and implement a comprehensive privacy program that protects the privacy of consumers’ personal information.

A statement given to TechCrunch by public relations firm Broadsheet, which represents Outlogic, reads: “We disagree with the implications of the FTC press release. After a lengthy investigation, the FTC found no instance of misuse of any data and made no such allegation. Since its inception, X-Mode has imposed strict contractual terms on all data customers prohibiting them from associating its data with sensitive locations such as healthcare facilities. Adherence to the FTC’s newly introduced policy will be ensured by implementing additional technical processes and will not require any significant changes to business or products.”

Sen. Ron Wyden, whose office first revealed that X-Mode had sold location data to U.S. military contractors, said in response to the FTC’s findings: “I commend the FTC for taking tough action to hold this shady location data broker responsible for its sale of Americans’ location data.”

Updated with comment from Outlogic and Ron Wyden’s office.

Location broker X-Mode continues to track users despite app store bans

a geofence warrant that spans from Fortuna Avenue to Leavenworth Street in San Francisco

A geofence warrant typo cast a location dragnet spanning two miles over San Francisco

by with No Comment Tech

a geofence warrant that spans from Fortuna Avenue to Leavenworth Street in San Francisco

Image Credits: TechCrunch / via ACLU (opens in a new window)

Civil liberties advocates have long argued that “geofence” search warrants are unconstitutional for their ability to ensnare entirely innocent people who were nearby at the time a crime was committed. But errors in the geofence warrant applications that go before a judge can violate the privacy of vastly more people — in one case almost two miles away.

Attorneys at the ACLU of Northern California found what they called an “alarming error” in a geofence warrant application that “resulted in a warrant stretching nearly two miles across San Francisco.” The error, likely caused by a typo, allowed the requesting law enforcement agency to capture information on anyone who entered the stretch of San Francisco erroneously marked on the search warrant.

“Many private homes were also captured in the massive sweep,” wrote Jake Snow, ACLU staff attorney, in a blog post about the findings.

It’s not known which law enforcement agency requested the nearly two-mile-long geofence warrant, or for how long the warrant was in effect. The attorneys questioned how many other geofence warrant application mistakes had slipped through and resulted in the return of vastly more data in error.

Geofence warrants, also known as reverse location warrants, allow law enforcement agencies to seek a court order requesting data from tech companies that store vast amounts of location data on its users, like Google, to demand information on which devices were in a particular geographic area at a certain point in time, such as when and where a crime was carried out. Google revealed in 2021 that geofence warrants made up about one-quarter of all U.S. legal demands it received in the space of a few years.

The ACLU attorneys reviewed thousands of geofence warrants filed in San Francisco Criminal Court that were issued over three years between 2018 and mid-2021, which they say was likely only a fraction of geofence warrants used in San Francisco during that time. The attorneys warned that the reach of geofence warrants when surveilling in busy urban areas — San Francisco is one of the most densely populated U.S. cities — often include homes and apartment buildings, busy thoroughfares and places of worship.

The attorneys said they also found a geofence warrant that included four places of worship over a couple of streets in San Francisco’s Bret Harte neighborhood, allowing police to determine “where you were and who you were with” during the time that the warrant was in effect.

Another geofence warrant over a three-block area in downtown San Francisco captured anyone who was in the Le Méridien hotel or three nearby banks despite having no connection to the alleged criminal sought in the warrant. A review of the area by TechCrunch shows the geofence area also includes the headquarters of software giant Oracle and several busy pubs and restaurants.

“Whether you were in your hotel room or grabbing a salad at Mixt Greens on Commercial Street — with no connection at all to any criminal activity — your location information might well have been shared with the police,” ACLU’s Snow wrote.

The attorneys’ findings also showed the geofence warrants disproportionately targeted certain San Francisco neighborhoods more than others, particularly immigrant-heavy areas like Portola.

Google said in December it would begin storing users’ location data on their devices, effectively ending its ability to respond to geofence warrants going forward by forcing law enforcement agencies to seek the data directly from the device owners. Other tech companies that store troves of users’ location data — like Uber, Microsoft and Yahoo (which owns TechCrunch) — are known to receive geofence warrants.

Courts remain divided on whether geofence warrants comply with Fourth Amendment protections against unreasonable searches and seizures, with an eventual legal challenge likely to end up before the U.S. Supreme Court.

Google moves to end geofence warrants, a surveillance problem it largely created