Read on Twitter
New: the U.S. military is buying granular location data of people harvested from ordinary smartphone apps. Through documents, sources, technical analysis, we also identified specific apps. The biggest: a Muslim prayer app with 98+ million downloads https://www.vice.com/en/article/jgqm5x/us-military-location-data-xmode-locate-x
We uncovered two parallel streams of data sending location data from ordinary apps, through data brokers, and to the U.S. military. The first one is straight forward: Special Operations Command bought a product called LOCATE X for tracking phones https://www.vice.com/en/article/jgqm5x/us-military-location-data-xmode-locate-x
The second stream needs explaining. A company called X-Mode pays app developers to put its location data collecting code into apps. A recent report named the endpoint (URL, basically) used to send data to X-Mode. I used that to try and find specific apps https://www.vice.com/en/article/jgqm5x/us-military-location-data-xmode-locate-x
After scanning apps for that endpoint, I then chose specific apps to inspect the network traffic of. On both iOS and Android, the Muslim Pro prayer app sent location data to X-Mode. A researcher I asked to help verify also saw it on the iOS app https://www.vice.com/en/article/jgqm5x/us-military-location-data-xmode-locate-x
Other apps I saw sending data to X-Mode included a step counter app, an app for browsing Craigslist, and then a Muslim-focused dating app. The dating company also makes "Black Mingle" for Black people https://www.vice.com/en/article/jgqm5x/us-military-location-data-xmode-locate-x
As for why X-Mode is important, if you go through internet archives of their customers page, it includes U.S. defense contractors, including those working on data analysis and work for Army, Navy, Air Force https://www.vice.com/en/article/jgqm5x/us-military-location-data-xmode-locate-x
Senator Wyden then told me that X-Mode had said, yes, it has sold location data gathered from U.S. phones to the U.S. military, via contractors https://www.vice.com/en/article/jgqm5x/us-military-location-data-xmode-locate-x
X-Mode then confirmed it is selling information taken from ordinary smartphone apps to contractors for counter-terrorism purposes https://www.vice.com/en/article/jgqm5x/us-military-location-data-xmode-locate-x
But it's not just about the brokers. It's about the apps, developers, and users too. And app devs I spoke to had no idea X-Mode, who they sell data to, in turn worked with military contractors. The location industry is a black box even for ppl in it https://www.vice.com/en/article/jgqm5x/us-military-location-data-xmode-locate-x
Some app developers said they were okay with how X-Mode uses location data. This is the developer of Global Storms, a weather/storm tracking app on Android that has over a million downloads https://www.vice.com/en/article/jgqm5x/us-military-location-data-xmode-locate-x
This is the data transfer we discovered, from ordinary apps to the U.S. military. It seems likely other nations would have similar data access. https://www.vice.com/en/article/jgqm5x/us-military-location-data-xmode-locate-x
Some apps we observed sending location data to X-Mode do include it in their privacy policy, or have a pop-up saying it will use location data for some purposes. Others had no warning whatsoever, including Muslim Pro. An ordinary user would have no idea https://www.vice.com/en/article/jgqm5x/us-military-location-data-xmode-locate-x
When I found apps that hadn't explicitly sought consent to send location data to X-Mode (some only had the operating system level prompt which is not enough) X-Mode clarified the apps only have a 'contractual obligation' to get consent. Not tech mechanism https://www.vice.com/en/article/jgqm5x/us-military-location-data-xmode-locate-x
