Some app developers Motherboard spoke to were not aware who their users' location data ends up with, and even if a user examines an app's privacy policy, they may not ultimately realize how many different industries, companies, or government agencies are buying some of their most sensitive data. U.S. law enforcement purchase of such information has raised questions about authorities buying their way to location data that may ordinarily require a warrant to access. But the USSOCOM contract and additional reporting is the first evidence that U.S. location data purchases have extended from law enforcement to military agencies.USSOCOM bought access to Locate X, a location data product from a company called Babel Street, according to procurement records uncovered by Motherboard. A former Babel Street employee described to Motherboard how users of the product can draw a shape on a map, see all devices Babel Street has data on in that location, and then follow a specific device around to see where else it has been.Do you work at Babel Street, X-Mode, Venntel, or one of the apps mentioned in this piece? Did you used to, or know anything else about the location data industry? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.
Motherboard found another network of dating apps that look and operate nearly identically to Mingle, including sending location data to X-Mode. Motherboard installed another dating app, called Iran Social, on a test device and observed GPS coordinates being sent to the company. The network of apps also includes Turkey Social, Egypt Social, Colombia Social, and others focused on particular countries.X-Mode then sells access to this sort of data to a wide range of different clients. Motherboard has previously shown that one of those clients includes a private intelligence firm whose goal is to use location data to track people down to their "doorstep." X-Mode has also demonstrated how its data can be used to follow where people in COVID-19 hotspots travelled to after potentially exposing one another to the coronavirus."It is safe to say from this context that the reasonable consumer—who is not a tech person—would not have military uses of their data in mind, even if they read the disclosures."
On its website, X-Mode describes its "best practices" in how it obtains consent from app users to gather their location data. As well as the operating system level permission to access location data, and a privacy policy, X-Mode says it also "provide[s] our publisher partners with recommended language both to ease their privacy navigation and to have brand consistency with the way we present our data collection and sharing to users across our panel."The Bubble level terms of service pop-up that appears when a user first opens the app says the software may collect anonymous location data "to power tailored ads, location-based analytics, attribution and other civic, market and scientific research about traffic and crowds." The Global Storms app provided a similar dialogue in Motherboard's tests. The disclaimers themselves do not explicitly say the data will be sent to military contractors or a private intelligence firm. Some app privacy policies as well as X-Mode's own policy says the company may use location data "for disease prevention and research, security, anti-crime and law enforcement.""I cannot be aware X-Mode is working with military contractors if they do not clearly mention it somewhere."