The case suggests this loosely regulated industry can’t deliver on its promises of privacy
By: Jon Keegan and Alfred Ng
The controversial location data broker X‑Mode boasts about collecting information on the whereabouts of more than 50 million people that it sells for hundreds of thousands of dollars. But it doesn’t know where some of that sold data has ended up, according to a lawsuit X-Mode filed against one of its customers in December.
The lawsuit offers a rare glimpse into the often opaque location data industry, which trades on knowing hundreds of millions of people’s whereabouts every day and has been accused of playing fast and loose with people’s sensitive information. Despite companies talking up their safeguards against data abuses, the lawsuit highlights how little control a data broker has over where data can end up.
X-Mode has come under fire in the past for selling location data to U.S. military contractors and gathering location data from sensitive sources like Muslim prayer apps, the family safety app Life360, and a gay dating app.
“It can be really scary,” Whitney Merrill, a privacy attorney, said. “In the wrong hands, somebody knows where you live, where you work, where you go every day, where you’re walking the dog.”
The case was filed in the U.S. District Court for the Northern District of California and is ongoing. X‑Mode’s complaint was amended in February to reflect NybSys’s New York operation.
The Allegations
In its lawsuit, X-Mode, which was rebranded as Outlogic after the company Digital Envoy purchased it last August, has alleged that one of its customers, NybSys, resold raw location data without permission, including to LocalBlox, a company that X-Mode previously banned from buying its data.
NybSys, a “business solutions” technology company operating in New York and California, started buying location data from X‑Mode in April 2020 to help “improve response times in emergency situations” for its web-based dispatch system, according to court documents. X‑Mode claims that NybSys breached the contract in early 2021, after which, X‑Mode claims, it terminated NybSys’s access and the contract. In a response to X‑Mode’s amended complaint, NybSys denies X‑Mode’s breach-of-contract claims and further “denies that it has committed any wrongdoing.” NybSys has filed a counterclaim against X‑Mode alleging among other claims that the location data broker “repeatedly attempted to force NybSys to make extra payments” beyond the original agreement. X‑Mode has not yet responded to NybSys’s counterclaim.
During the time that X-Mode was selling location data to NybSys, X‑Mode was getting location data from hundreds of apps, including apps that could have contained sensitive data, such as dating and Muslim prayer apps.
X-Mode and NybSys didn’t respond to requests for comment.
In X-Mode’s lawsuit, the location data broker said it agreed to provide NybSys with raw location data, including device identifiers, only for the purpose of creating “aggregated insights” based on that information. X‑Mode said its contract specifically prohibited reselling the raw location data and allowed sublicensing of the data only with its “prior written consent,” which it said in court documents that it didn’t grant to NybSys.
X-Mode alleged that in early 2021 it discovered “multiple instances” in which the data it sold to NybSys was provided to other companies. X‑Mode claims that it was able to detect this alleged breach of contract because it inserts unique, traceable information in each customer’s data feed to audit for resales.
One of the alleged customers of the resold data was LocalBlox, a data firm that builds profiles of people through publicly accessible information like social media profiles for various purposes, including targeted advertising. In 2018, security researchers found LocalBlox had left 48 million profiles exposed on an unprotected server online. X‑Mode revealed in its lawsuit that it used to sell location data to LocalBlox but banned the company as a customer in April 2020 for allegedly reselling its location data without permission. NybSys denies X‑Mode’s LocalBlox allegations.
LocalBlox didn’t respond to requests for comment.
X-Mode also claims in its lawsuit that NybSys’s customers resold X‑Mode’s location data to other firms. In addition to seeking unspecified monetary damages, X‑Mode is asking the court to force NybSys to disclose more about the alleged downstream deals.
In a court document in support of expedited document discovery, X‑Mode’s (now Outlogic’s) chief business officer, George “Donnie” Yancey, said that although X‑Mode “had determined that the misappropriated data was disclosed by Nybsys, it did not and does not know the extent of the misappropriation. For example, it does not know the identities of the third party or parties to whom Nybsys provided the data, whether those third parties further distributed the data to other recipients, or the revenues that Nybsys and downstream distributors earned from misappropriating the X‑Mode Data.”
The Consequences
While there’s immense risk for people whose location data has been sold by X‑Mode and reshared to unknown third parties, there are no legal repercussions for the companies involved beyond the lawsuit. The brokers who sell location data are often shielded by confidentiality clauses hiding their names. While it’s known that a Catholic priest was outed for visiting gay bars through location data from Grindr, for example, the data broker who sold this information is still unknown.
Under the California Privacy Rights Act, if a company receives a deletion request, it’s required to pass on that request to any third parties it sold the data to. But the CPRA also notes that this requirement can be exempt if the company can prove it is “impossible or involves disproportionate effort,” and the lawsuit indicates that X‑Mode needs an audit to identify all the parties that received its data.
Customers for that data could include other data resellers, hedge funds, real estate firms, government agencies, and advertisers.
NybSys lists several products on its website, including facial recognition and location data analytics, and it notes that it has “several governments as clients.” In its privacy policy, NybSys discloses that the company collects location data through its own software development kit and partners that provide it with data through server-to-server transfers.
In court documents, NybSys said that its main revenue source was not from selling location data, and it only intended to sell location data temporarily to offset the costs of buying location data. In NybSys’s counterclaim, the company said it paid X‑Mode “over half a million dollars” over the course of 11 months starting in April 2020.
NybSys’s counterclaim denies that the company resold raw data and alleges that it had multiple conversations with X‑Mode during negotiations in which the data broker confirmed that the contract allowed for reselling aggregated data derived from X‑Mode’s location data.
“This just shows the extent to which the data is not just sold but resold and circulates,” said Bennett Cyphers, a staff technologist at the Electronic Frontier Foundation. “It really seems safe to assume that as soon as location data leaves your phone and ends up in the hands of someone who’s trying to monetize it, that data is going to be spread around the entire ecosystem and end up in the hands of all these data brokers because they’re all buying and selling to and from each other.”
This article was originally published on The Markup and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.