In a recent and striking disclosure, U.S. Senator Ron Wyden revealed that the U.S. National Security Agency (NSA) has been purchasing internet browsing records from data brokers. This practice, bypassing the need for a court order, directly targets the websites and apps frequented by American citizens. This revelation, emerging from a statement made last week, brings to light serious concerns regarding the privacy rights of individuals in the digital era.
Senator Wyden, in a letter addressed to the Director of National Intelligence (DNI) Avril Haines, strongly criticized this practice. He argued that the U.S. government’s funding and legitimization of a “shady industry” is not only unethical but potentially illegal. The core of his concern lies in the violations of Americans’ privacy, as these data brokers operate in a domain where the privacy norms and legal boundaries are often blurred or overlooked.
The NSA’s acquisition of metadata concerning users’ browsing habits poses a severe privacy risk. Such information could reveal personal details about individuals based on their online activities. For example, websites offering mental health resources, assistance for survivors of sexual assault or domestic abuse, and telehealth providers focusing on sensitive issues like birth control or abortion medication could inadvertently expose the private concerns of their users.
In response to Senator Wyden’s queries, the NSA outlined its approach to handling this sensitive data. The agency claimed to have developed robust compliance regimes, emphasizing its efforts to minimize the collection of information pertaining to U.S. citizens. Furthermore, the NSA asserted that it strategically acquires data that is most relevant to its mission requirements, albeit with an assurance of adherence to privacy norms.
However, the agency also clarified its stance on location data. The NSA stated that it does not purchase or use location data collected from phones within the U.S. or from vehicle telematics systems without a court order. This distinction suggests a nuanced approach to different types of data under the agency’s purview.
Under Secretary of Defense for Intelligence and Security, Ronald S. Moultrie, further commented on the Department of Defense’s (DoD) stance. He indicated that DoD components acquire and use commercially available information (CAI) while strictly adhering to privacy and civil liberties protections, particularly in support of lawful intelligence or cybersecurity operations.
This controversy is not isolated. In early 2021, it came to light that the Defense Intelligence Agency (DIA) was also engaging in the purchase and use of domestic location data collected from smartphones, acquired through similar commercial data brokers. This practice indicates a broader trend within intelligence and law enforcement agencies of bypassing traditional legal channels to gather potentially sensitive data.
Adding to the complexity of this issue, the Federal Trade Commission (FTC) recently prohibited Outlogic (formerly X-Mode Social) and InMarket Media from selling precise location information without informed consent from users. Outlogic, in its settlement, has been barred from collecting data that could track visits to sensitive locations, including medical and reproductive health clinics, domestic abuse shelters, and places of worship.
The Shadowy World of Location Data: Unveiling the Players and Practices Behind the Trade
This chart illustrates the flow of location data from apps to agencies via two of the most prominent government-facing brokers: Venntel and Babel Street.
The revelation of companies selling location data has raised significant concerns about the privacy and security of individuals in the digital age. Dozens of companies are reaping substantial profits by trading in location data on the private market. The clientele for such data is diverse, ranging from marketing firms and hedge funds to real estate companies and other data brokers. The lack of robust regulation in this domain has made it exceptionally challenging to track the flow of personal data between private entities and the manner in which it is exploited.
These companies typically assert that the location data they acquire, which reveals where people live, sleep, congregate, worship, and engage in protests, is harnessed for ostensibly benign purposes. These purposes often include decisions related to business locations, like determining where to open a Starbucks, or delivering targeted advertisements. However, a disturbing facet of this trade involves a subset of companies catering to more action-oriented clients, including federal law enforcement agencies, the military, intelligence agencies, and defense contractors.
Among the vendors involved in this clandestine industry, Venntel, a subsidiary of Gravy Analytics, has come under considerable scrutiny. Venntel’s data has been contracted for use by several U.S. government agencies, including the Internal Revenue Service (IRS), the Department of Homeland Security (DHS), its subsidiaries Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP), the Drug Enforcement Administration (DEA), and the Federal Bureau of Investigation (FBI). Gravy Analytics does not embed Software Development Kits (SDKs) directly into apps but rather acquires its data indirectly through other data brokers.
The identity of data sources for Venntel and similar companies often remains concealed. However, investigative efforts and congressional testimony have unveiled some of these sources. For instance, in 2020, Martin Gundersen initiated inquiries under the General Data Protection Regulation’s (GDPR) Right to Know provision to trace how his location data ended up with Venntel. This data journey revealed that navigation apps like Sygic and Funny Weather played a role in funneling his data to location broker Predicio, which subsequently sold it to Gravy Analytics. Other apps from Sygic and Complementics also contributed to this data chain. Mobilewalla, another data broker, has also admitted to selling data to Venntel.
Gravy Analytics publicly claims access to data from “over 150 million” devices and asserts that it does not collect data from the bidstream. However, government officials have contradicted this claim, suggesting that Venntel’s data is sourced from both SDKs and the bidstream. This contention is supported by the fact that Venntel’s dataset reportedly encompasses data from “over 80,000 apps,” a scale of app coverage that aligns more closely with bidstream data acquisition.
Venntel’s data stands out due to its granularity and device-specific nature, making it possible to trace data back to individuals. This capability enables users to search for devices within specific areas, pinpoint devices’ locations, and even track their movements to workplaces, businesses, and homes. While this data may not include explicit personal identifiers like names or phone numbers, it far from qualifies as “anonymous.” Former employees have attested that specific individuals can potentially be identified through this data.
Venntel has monetized its data through various means, including selling annual licenses to its “Venntel Portal,” a web application granting access to its database. The price tag for 12,000 queries is approximately $20,000. For a more substantial fee of $650,000 per year, clients can access all of Venntel’s data for a specific region, updated daily and hosted on a government-controlled server.
Another player in this arena is Babel Street, a government contractor specializing in open-source intelligence (OSINT) services for law enforcement. Its flagship product, Babel X, amalgamates text scraped from social media and other websites with OSINT gathered through traditional intelligence methods. Babel Street’s “Locate X” service provides access to app-derived location data, allowing clients to draw digital boundaries around specific addresses or areas, track device movements, and gather historical data. Records from the Department of Homeland Security (DHS) indicate that Babel Street essentially re-hosts Venntel’s data at a higher cost and with stricter data access controls.
Anomaly 6 (A6) is another company involved in the sale of app-derived location data to government entities. Founded by former Babel Street employees, Brendan Huff and Jeffrey Heinz, A6 allegedly competes with Babel Street’s Locate X service. A6 operates discreetly, with minimal public information available on its website. It is not registered as a data broker in California or Vermont. A6 reportedly collects data via SDKs in “more than 500” mobile apps through its “partners.” Information about its data sources is limited, and A6 claims that its contracts with the government are confidential. Nevertheless, public procurement records reveal at least one known relationship: in September 2020, SOCOM division SOCAFRICA paid $589,000 for A6’s services.
In April 2022, The Intercept and Tech Inquiry reported on A6’s presentations to Zignal Labs, a social media monitoring firm with access to Twitter’s “firehose.” A6 proposed a partnership allowing clients to determine the origins of specific tweets, their senders’ locations, and more. A live demonstration showcased A6’s capability to track the movements of Russian soldiers and intelligence personnel around the world.
The trade in location data has unearthed a complex web of companies, clients, and data sources that span the spectrum from marketing to government surveillance. The lack of transparency surrounding data acquisition and usage poses serious privacy and ethical concerns, necessitating comprehensive regulatory frameworks and heightened scrutiny to safeguard individuals’ rights and privacy in an increasingly data-driven world. As revelations about these practices continue to emerge, the debate over the ethical boundaries of data collection, sharing, and utilization is bound to intensify.
X-Mode’s Data Practices Exposed: A Deep Dive into Consumer Privacy Concerns
In a world increasingly reliant on digital technology, the issue of personal data privacy has become a burning concern for individuals and regulatory bodies alike. Recent revelations surrounding X-Mode, a company specializing in location data, have ignited a debate on the extent to which personal data is being compiled and sold. The Federal Trade Commission (FTC) has shed light on a disconcerting reality, showing that the data X-Mode sold was far from anonymous and held the potential to link individuals to their exact locations.
The FTC’s investigation into X-Mode’s data practices has unearthed significant revelations that raise critical questions about personal privacy. Until May 2023, X-Mode did not have any policies in place to remove sensitive locations from the raw location data it sold. This glaring oversight posed a severe risk to consumers’ sensitive personal information, as it was readily available to third parties. Furthermore, the company failed to implement adequate safeguards to monitor how clients used this data, thereby compromising the security and privacy of users.
The scope of the data set collected by X-Mode is staggering, with the complaint stating that the company daily ingested over 10 billion location data points from around the world. This immense volume of data, acquired through its own apps, partner apps, and other data brokers, highlights the vastness of the information X-Mode had at its disposal.
What makes X-Mode’s practices even more concerning is the accuracy and targeting capabilities of the information it sold. X-Mode advertised that its location data was “70% accurate within 20 meters or less,” demonstrating an alarming level of precision. This level of accuracy allowed for the pinpointing of an individual consumer’s mobile device and the exact locations they visited, raising serious concerns about intrusive surveillance.
The FTC’s complaint paints a disturbing picture of the potential threats to consumers’ privacy resulting from X-Mode’s conduct. The ability to track individuals who visited sensitive locations such as women’s reproductive health clinics exposes the company’s data to be exploited in ways that could have far-reaching consequences. It could be used to target consumers visiting such healthcare facilities and trace their mobile devices to their residences, infringing upon their personal and medical privacy.
X-Mode’s practices did not stop at merely selling location data; they went further to create catalogs of people with shared characteristics and custom lists for clients. For example, the company had a contract with a private clinical research firm to provide data on consumers who had visited specific medical offices in Columbus, Ohio, for marketing purposes. This kind of data utilization raises ethical and privacy concerns regarding the profiling of individuals based on their movements and activities.
To address these serious privacy concerns, the FTC has filed a seven-count complaint against X-Mode/Outlogic, accusing them of multiple instances of unfair or deceptive conduct in violation of the FTC Act. In response, X-Mode/Outlogic has agreed to make substantial changes to its business practices. The proposed settlement imposes stringent limitations on sharing sensitive location data and mandates the development of a comprehensive sensitive location data program to prevent the sale and use of consumers’ sensitive location information.
Additionally, X-Mode/Outlogic must take measures to prevent clients from associating consumers with locations that serve LGBTQ+ individuals or public gatherings like marches or protests. The company must also ensure that location data does not reveal the identity or location of specific individuals’ homes and obtain informed consent from consumers before using less sensitive location data. Historical data collected by X-Mode/Outlogic must either be deleted or rendered non-sensitive, and customers must be informed of this requirement.
One notable aspect of the proposed settlement is the requirement for X-Mode/Outlogic to provide consumers with an easy way to withdraw their consent for data collection, request the deletion of previously collected location data, and inquire about the identity of individuals and businesses to whom their personal data has been sold or shared.
As this proposed settlement enters the public domain through the Federal Register, the FTC will accept public comments for 30 days. This case highlights three fundamental principles regarding the privacy of consumers’ location data:
- Transparency and Accountability: X-Mode’s practices underscore the need for greater transparency and accountability in the collection and sale of personal data. Consumers should have a clear understanding of how their data is used and who has access to it.
- Data Security: The case highlights the importance of robust data security measures to protect sensitive personal information. Companies must implement safeguards to prevent unauthorized access and misuse of data.
- Informed Consent: The requirement for informed consent before using less sensitive location data sets a precedent for respecting individuals’ rights and privacy. It reinforces the notion that consumers should have control over how their data is utilized.
In a digital age where personal data is a valuable commodity, cases like X-Mode serve as a stark reminder of the urgent need for comprehensive data privacy regulations and stringent enforcement to protect consumers from unwarranted invasions of their privacy. As technology continues to advance, society must strike a balance between innovation and the protection of personal privacy.
The status quo in the realm of consumer location information is facing a pivotal moment of reckoning. For far too long, numerous companies have engaged in the unbridled collection and sale of consumer location data, amassing vast repositories of highly sensitive information without obtaining the informed consent of those individuals. What some businesses, including certain data brokers lurking in the shadows, have failed to grasp is that consumers’ personal information should never be treated as just another commodity ripe for commercial exploitation. This sentiment is particularly true when it comes to location data – simply having access to it does not grant carte blanche to use it as one pleases.
While some companies may include contract clauses addressing data use in their agreements, these measures alone fall short of what is needed to safeguard consumers’ privacy. The FTC’s investigation into X-Mode’s practices reveals that, in some cases, their contracts with clients contained clauses that ostensibly imposed limits on third-party data usage. However, the mere presence of words on a piece of paper is insufficient when the stakes involve such high levels of personal privacy. Privacy-conscious companies must go beyond mere rhetoric and take concrete steps to ensure full compliance with privacy regulations and ethical standards.
The illegal and unauthorized trafficking of location data is a paramount concern for both consumers and regulatory authorities, such as the FTC. The question of responsibility for ensuring that consumers have provided their explicit consent for the collection and sharing of their location data looms large. Savvy businesses understand that this responsibility squarely falls on their shoulders. It is a legal obligation that works both ways – businesses must protect consumers, and consumers must be aware of their rights.
When it comes to particularly sensitive locations, such as places of worship or medical facilities, there is no room for compromise. This information should never be utilized for commercial purposes, underlining the importance of respecting the sanctity of these spaces. Moreover, the practice of selling or purchasing location data should be predicated on irrefutable proof of informed consumer consent. It is incumbent upon every participant in the location data marketplace to adhere to the law, and the FTC’s actions in this case serve as a pointed reminder for location data brokers to re-evaluate their practices for compliance with legal and ethical standards.
In conclusion, the era of indiscriminate collection and sale of consumer location data without consent is drawing to a close. Companies must recognize their ethical and legal obligations to protect the privacy of individuals and their sensitive information. Privacy-conscious businesses should take proactive measures to ensure compliance, and consumers should be empowered with the knowledge and control over their personal data. The FTC’s actions in this case send a clear message to all stakeholders in the location data ecosystem: the protection of consumers’ privacy is paramount, and those who fail to uphold these principles will face legal consequences and public scrutiny.
TABLE 1 – Outlogic (formerly X-Mode Social): A Deep Dive into the Location Data Provider
What is Outlogic?
Outlogic, previously known as X-Mode Social, is a data-driven company specializing in the collection, aggregation, and licensing of location data. They primarily focus on providing high-quality location insights to organizations in industries like retail, real estate, and finance.
How does Outlogic work?
Outlogic’s operation can be broken down into three key stages:
- Publisher Network: Outlogic utilizes a network of “publishers,” such as mobile apps, websites, and SDKs, integrated into various digital platforms. These publishers collect anonymous location data (usually precise latitude and longitude coordinates) from users who have opted-in to data sharing within the specific app or platform.
- Privacy Considerations: Outlogic emphasizes that privacy is a top priority. They claim to only collect data from users who have explicitly consented, and they anonymize the data further by removing personally identifiable information (PII) like names and phone numbers.
- Data Quality Control: Outlogic employs a proprietary “publisher toolkit” to ensure the quality and consistency of the collected data. This toolkit verifies the accuracy and validity of the location data and filters out outliers and inconsistencies.
Data Aggregation and Enrichment:
- Massive Dataset: The individual data points collected from various publishers are aggregated into a vast and constantly growing dataset. This dataset covers a wide range of geographic areas and user demographics, offering valuable insights into population movements and spatial trends.
- Data Enrichment: Outlogic goes beyond simple location data. They enrich their dataset with additional information like points of interest (POIs), demographic data, and even weather patterns. This allows for more nuanced and contextual analysis of user behavior.
Data Insights and Application:
- Market Research and Analytics: Outlogic provides its clients with access to their enriched location data through various analytics dashboards and APIs. This enables companies to gain insights into customer behavior, identify potential market opportunities, and optimize their business operations.
- Targeted Marketing and Advertising: The location data can be used for targeted marketing campaigns, allowing businesses to reach potential customers based on their geographic location, interests, and past behavior.
- Real Estate and Urban Planning: Outlogic’s data can be used by real estate developers, planners, and investors to identify promising locations for new developments, understand traffic patterns, and optimize infrastructure needs.
Challenges and Concerns:
- Privacy Issues: Despite Outlogic’s emphasis on privacy, their use of location data remains a sensitive topic. Critics raise concerns about potential misuse of the data for profiling individuals or even tracking their movements.
- Data Accuracy and Bias: The quality and accuracy of the data depend heavily on the reliability of the publisher network and the effectiveness of Outlogic’s data filtering methods. Biases within the data collection process can also skew the insights generated.
- Ethical Considerations: The ethical implications of using location data for commercial purposes and potentially influencing behavior require careful consideration and regulations.
Overall, Outlogic represents a powerful tool for businesses to leverage location data in various ways. However, it’s crucial to acknowledge and address the privacy concerns, data accuracy limitations, and ethical considerations surrounding this technology.
Senator Wyden pointed out the legal ambiguity surrounding the purchase of sensitive data from these data brokers. He emphasized that the consumers, often unaware, do not receive adequate information regarding the sharing and usage of their data. Additionally, third-party apps that incorporate software development kits (SDKs) from these brokers do not typically disclose the sale or sharing of location data, whether for advertising purposes or national security.
In conclusion, the practice of purchasing internet browsing records by the NSA and other agencies raises critical questions about privacy, consent, and legal boundaries in the digital age. It underscores the need for greater transparency, robust legal frameworks, and stringent privacy protections to safeguard the rights of individuals in an increasingly interconnected world. This situation calls for a reevaluation of policies and practices to ensure that the pursuit of national security does not come at the cost of fundamental privacy rights.
TABLE 2 – FTC Order Prohibits Data Broker X-Mode Social and Outlogic from Selling Sensitive Location Data
FTC charges X-Mode and Outlogic with selling raw location data, failing to obtain informed consumer consent
Data broker X-Mode Social and its successor Outlogic will be prohibited from sharing or selling any sensitive location data to settle Federal Trade Commission allegations that the company sold precise location data that could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters.
In its first settlement with a data broker concerning the collection and sale of sensitive location information, the FTC also charged that Virginia-based X-Mode Social and Outlogic, LLC, the successor firm to which X-Mode transferred most of its operations in 2021, failed to put in place reasonable and appropriate safeguards on the use of such information by third parties. Today’s action underscores the FTC’s strong commitment to restraining the collection, sale, or disclosure of consumer’ sensitive location data.
“Geolocation data can reveal not just where a person lives and whom they spend time with but also, for example, which medical treatments they seek and where they worship. The FTC’s action against X-Mode makes clear that businesses do not have free license to market and sell Americans’ sensitive location data,” said FTC Chair Lina M. Khan. “By securing a first-ever ban on the use and sale of sensitive location data, the FTC is continuing its critical work to protect Americans from intrusive data brokers and unchecked corporate surveillance.”
The raw location data that X-Mode/Outlogic has sold is associated with mobile advertising IDs, which are unique identifiers associated with each mobile device. This raw location data is not anonymized, and is capable of matching an individual consumer’s mobile device with the locations they visited. In fact, some companies offer services that help companies match such data to individual consumers.
X-Mode/Outlogic sells and licenses precise location data that it collects from third-party apps that incorporate its software development kit (SDK) into their apps, from its own mobile apps, and by purchasing location data from other data brokers and aggregators. The company sells consumer location data to hundreds of clients in industries ranging from real estate to finance, as well as private government contractors for their own purposes, such as advertising or brand analytics.
According to the FTC’s complaint, until May 2023, the company did not have any policies in place to remove sensitive locations from the raw location data it sold. The FTC says X-Mode/Outlogic did not implement reasonable or appropriate safeguards against downstream use of the precise location data it sells, putting consumers’ sensitive personal information at risk.
The information revealed through the location data that X-Mode/Outlogic sold not only violated consumers’ privacy but also exposed them to potential discrimination, physical violence, emotional distress, and other harms, according to the complaint.
The FTC also says the company failed to ensure that users of its own apps, Drunk Mode and Walk Against Humanity, as well as third party apps that used the X-Mode/Outlogic’s SDK were fully informed about how their location data would be used. For example, X-Mode/Outlogic provided third party apps that use the company’s SDK with sample privacy disclosures that did not fully inform consumers about which entities would receive the data and also failed to ensure these third-party apps obtained informed consumer consent to grant X-Mode/Outlogic access to their sensitive location data.
The company also failed to employ the necessary technical safeguards and oversight to ensure that it honored requests by some android users to opt out of tracking and personalized ads, according to the complaint.
The company’s business has also involved creating custom audience segments based on characteristics of consumers. For at least one contract, X-Mode provided a private clinical research company information for marketing and advertising purposes about consumers who had visited certain internal medical facilities and then pharmacies or specialty infusion centers within a certain radius in the Columbus, Ohio area.
The FTC says these practices violate the FTC Act’s prohibition against unfair and deceptive practices.
In addition to the limits on sharing certain sensitive locations, the proposed order requires X-Mode/Outlogic to create a program to ensure it develops and maintains a comprehensive list of sensitive locations, and ensure it is not sharing, selling or transferring location data about such locations. Other provisions of the proposed order require the company to:
- Delete or destroy all the location data it previously collected and any products produced from this data unless it obtains consumer consent or ensures the data has been deidentified or rendered non-sensitive;
- Develop a supplier assessment program to ensure that companies that provide location data to X-Mode/Outlogic are obtaining informed consent from consumers for the collection, use and sale of the data or stop using such information;
- Implement procedures to ensure that recipients of its location data do not associate the data with locations that provide services to LGBTQ+ people such as bars or service organizations, with locations of public gatherings of individuals at political or social demonstrations or protests, or use location data to determine the identity or location of a specific individual;
- Provide a simple and easy-to-find way for consumers to withdraw their consent for the collection and use of their location data and for the deletion of any location data that was previously collected;
- Provide a clear and conspicuous means for consumers to request the identity of any individuals and businesses to whom their personal data has been sold or shared or give consumers a way to delete their personal location data from the commercial databases of all recipients of the data; and
- Establish and implement a comprehensive privacy program that protects the privacy of consumers’ personal information and also create a data retention schedule.
The proposed order also limits the company from collecting or using location data when consumers have opted out of targeted advertising or tracking or if the company cannot verify records showing that consumers have provided consent to the collection of location data.
The Commission voted 3-0 to issue the proposed administrative complaint and to accept the consent agreement. Chair Khan, joined by Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya, issued a separate statement.
The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $50,120.
The lead staff attorneys on this matter are Bhavna Changrani and Brian Shull from the FTC’s Bureau of Consumer Protection.
The Federal Trade Commission works to promote competition and protect and educate consumers. Learn more about consumer topics at consumer.ftc.gov, or report fraud, scams, and bad business practices at ReportFraud.ftc.gov. Follow the FTC on social media, read consumer alerts and the business blog, and sign up to get the latest FTC news and alerts.
REFERENCE : https://www.ftc.gov/news-events/news/press-releases/2024/01/ftc-order-prohibits-data-broker-x-mode-social-outlogic-selling-sensitive-location-data