Lawsuit highlights how little control brokers have over location data – The Markup

Controversial location data broker X-Mode boasts of collecting information on the whereabouts of more than 50 million people, which it sells for hundreds of thousands of dollars. But it doesn’t know where some of that sold data ended up, according to a lawsuit X-Mode filed against one of its clients in December.

The lawsuit offers rare insight into the often opaque location data industry, which draws on information about hundreds of millions of people every day and has been accused of playing fast and loose with people’s sensitive information. Despite companies’ talk about their safeguards against data abuse, the lawsuit highlights how little control a data broker has over where data can end up.

X-Mode has been criticized in the past for selling location data to US military contractors and for collecting location data from sensitive sources such as Muslim prayer apps, the Life360 family safety app and a gay dating app.

“It can be really scary,” said Whitney Merrill, a privacy attorney. “In the wrong hands, someone knows where you live, where you work, where you go every day, where you walk the dog.”

The case was filed in the U.S. District Court for the Northern District of California and is pending. X-Mode’s complaint was amended in February to reflect NybSys’ New York operation.

In its lawsuit, X-Mode, which was renamed Outlogic after Digital Envoy bought it last August, alleged that one of its customers, NybSys, had resold raw location data without permission, including to LocalBlox, a company that X-Mode had previously prohibited from purchasing its data.

NybSys, an “enterprise solutions” technology company operating in New York and California, began purchasing location data from X-Mode in April 2020 to help “improve response times in emergency situations for its web-based dispatch system,” according to court documents. X-Mode claims that NybSys terminated the contract in early 2021, after which, according to X-Mode, it terminated NybSys’ access and the contract. In its answer to X-Mode’s amended complaint, NybSys denies X-Mode’s breach of contract allegations and “further denies wrongdoing.” NybSys filed a counterclaim against X-Mode alleging, among other things, that the location data broker “repeatedly attempted to force NybSys to make additional payments” beyond the original agreement. X-Mode has not yet responded to NybSys’ counterclaim.

While X-Mode sold location data to NybSys, X-Mode obtained location data from hundreds of apps, including apps that may contain sensitive data, such as Muslim dating and prayer apps.

X-Mode and NybSys did not respond to requests for comment.

In X-Mode’s lawsuit, the location data broker said it agreed to provide NybSys with raw location data, including device identifiers, solely for the purpose of creating “aggregate information” based on this information. X-Mode said its contract specifically prohibits the resale of raw location data and only allows the data to be sublicensed with its “prior written consent,” which it stated in court documents that it did not grant to NybSys.

X-Mode alleged that in early 2021 it discovered “several instances” in which the data it sold to NybSys was provided to other companies. X-Mode says it was able to detect this alleged breach of contract because it inserts unique, traceable information into each customer’s data feed to verify resales.

One of the alleged customers for the resold data was LocalBlox, a data company that builds profiles of people through publicly available information like social media profiles, for various purposes, including targeted advertising. In 2018, security researchers discovered LocalBlox had left 48 million profiles exposed on an unprotected online server. X-Mode revealed in its lawsuit that it used to sell location data to LocalBlox, but banned the company as a customer in April 2020 for allegedly reselling its location data without permission. NybSys denies X-Mode’s LocalBlox allegations.

LocalBlox did not respond to requests for comment.

X-Mode also claims in its lawsuit that NybSys customers resold X-Mode’s location data to other companies. In addition to seeking unspecified damages, X-Mode is asking the court to force NybSys to disclose more about the alleged downstream transactions.

In a court document in support of accelerated document discovery, X-Mode (now Outlogic) business manager George “Donnie” Yancey said that although X-Mode “has determined that the misappropriated data was leaked by Nybsys, he did not know and does not know the extent of the misappropriation. For example, he does not know the identity of the third party or third parties to whom Nybsys provided the data, if these third parties then distributed the data to other recipients, or the revenue that Nybsys and downstream distributors have earned from misusing X‑Mode data.”

While there is immense risk for people whose location data has been sold by X-Mode and shared with unknown third parties, there are no legal repercussions for the companies involved beyond the lawsuit. Brokers who sell location data are often protected by confidentiality clauses obscuring their names. While we know that a Catholic priest was unmasked as visiting gay bars using location data from Grindr, for example, the data broker who sold this information is still unknown.

Under the California Privacy Rights Act, if a company receives a deletion request, it is required to forward this request to all third parties to which it has sold the data. But CPRA also notes that this requirement can be waived if the company can show that it is “impossible or involves a disproportionate effort,” and the lawsuit says X-Mode needs an audit to identify all parties who received its data.

Customers of this data could include other data resellers, hedge funds, real estate companies, government agencies and advertisers.

NybSys lists several products on its website, including facial recognition and location data analysis, and it notes that it has “multiple governments as clients.” In its privacy policy, NybSys reveals that the company collects location data through its own software development kit and partners who provide data to it through server-to-server transfers.

In court documents, NybSys said that its primary source of revenue is not from the sale of location data and that it only intends to temporarily sell location data to offset the costs of purchasing location data. In its counterclaim, NybSys said it paid X-Mode “over half a million dollars” over 11 months beginning in April 2020.

NybSys’ counterclaim denies that the company resold raw data and alleges that it had several conversations with X-Mode during negotiations in which the data broker confirmed that the contract permitted the resale of aggregate data derived from location data from X-Mode.

“It just shows how data is not just being sold, but resold and flowing,” said Bennett Cyphers, a technologist at the Electronic Frontier Foundation. “It seems really safe to assume that as soon as location data leaves your phone and ends up in the hands of someone trying to monetize it, that data is going to spread throughout the ecosystem and end up in the hands of all these data brokers because they all buy and sell to each other.”