The controversial data broker X-Mode bought location data from Bro, a dating app for “bi, gay, and open-minded men,” the virtual makeup app Perfect365, and the popular live streaming app Tango, along with dozens of other specific phone apps that The Markup has identified as participating in the multibillion-dollar location data trade. 

The Markup obtained a sample dataset consisting of location data X‑Mode purchased in 2018 and 2019. The data was sourced from 107 apps, with more than 50,000 points of location data from more than 20,000 unique advertising IDs collected from 140 countries during that time. About a quarter of the apps are no longer active, and none of the apps appear to contain X‑Mode’s code anymore. X‑Mode has since faced sanctions from the Google and Apple app stores as well as scrutiny from lawmakers and regulators for, among other things, selling location data to military contractors. The data was provided to The Markup by a former X‑Mode employee, and a second former employee of the company confirmed that it appeared authentic.

Generally, location data brokers are loath to disclose the sources of their data, which comes from smartphone applications that ask users to share their location with the apps. The Markup recently identified the family safety app Life360 as one of the biggest suppliers of precise location data, selling data to about a dozen companies, including X‑Mode. And last year, Motherboard reported that X‑Mode purchased location data from the Muslim prayer apps “Muslim Pro,” “Prayer Times: Qibla Compass, Quran MP3 & Azan,” “Qibla Finder: Prayer Times, Quran MP3 & Azan,” and “Qibla Compass—Prayer Times, Quran MP3 & Azan.” Motherboard also revealed that X‑Mode had supplied location data to U.S. military contractors, potentially putting Muslims who used these apps at risk of surveillance. It’s not clear which apps, specifically, benefited military contractors.

While the data The Markup obtained is not up-to-date and doesn’t contain a complete list of apps that supplied location data to X-Mode, it highlights the scale and variety of the location data broker’s sources right before the company faced major public scrutiny following Motherboard’s report. It also shows that X-Mode received location data from more sensitive sources than previously known.

The dataset points to dozens of apps, including four additional Muslim prayer apps that sold location data to X-Mode in 2019: “Qibla Locator: Prayer Times, Azan, Quran & Qibla,” “Full Quran MP3 – 50+ Languages & Translation Audio,” “Al Quran Mp3 – 50 Reciters & Translation Audio,” and “Prayer Times: Qibla & Quran.”

Tango, Perfect365, and the developers of the Muslim prayer apps did not respond to our requests for comment. The Bro App’s founder, Scott Kutler, told The Markup in an email that the company no longer provides X‑Mode with any user location data.

In August, the intellectual property intelligence firm Digital Envoy acquired the company and rebranded it as Outlogic. On X‑Mode’s old website—which is still up—the company boasted that more than 400 app publishers supplied the company with people’s exact whereabouts and said that X‑Mode’s data included “25%+ of the Adult U.S. population monthly.” But on Outlogic’s current website, it claims only to have up to “10%+ of the adult U.S. population monthly.”

The new owners said they cut off all U.S. location data going to military contractors, but the company is still involved in the location data industry, albeit on what appears to be a smaller scale.  

Two former X-Mode employees told The Markup that the company’s data collection capabilities were at their peak in 2018 and 2019 and significantly dropped after the public backlash. 

X-Mode, Outlogic, and Digital Envoy did not respond to multiple requests for comment. 

The most popular apps in the sample we reviewed were the live streaming service Tango and Perfect 365, a virtual makeup app. Both have a large install base—the Android version of Tango has been installed more than 100 million times, and Perfect365 has more than 50 million installs according to their current Google Play app pages. 

The Markup reached out to all of the app publishers in the dataset for comment. Eight responded: A-Life Software, LLC (“Stock Trainer: Virtual Trading [Stock Markets]”); Difer (“Simple weather & clock widget [no ads]”); Neon Roots (“CatWang”); JRustonApps B.V. (“Guide for Animal Crossing NL,” “My Currency Converter & Rates,” “My Lightning Tracker & Alerts”); New IT Solutions Ltd. (“4shared Mobile”); BroTech LLC (“BRO: Chat, Friends, and Fun”); MOBZAPP (“VoiceFX – Voice Changer with voice effects,” “RecMe Screen Recorder,” “Screen Stream Mirroring”); and YanFlex (“CPlus Classifieds”). 

Each confirmed that they did at one point sell data to X-Mode but have since stopped.

Experts say that some of the apps that sold location data to X‑Mode potentially compromised sensitive information by doing so. 

Selling data from the Muslim prayer apps could subject those who use them to surveillance, said Jamal Ahmed, the CEO of the privacy consultancy firm Kazient Privacy.

“As Muslim organizations, when you are collecting information or when you are developing technology, you have to uphold that trust … that individuals are handing over to you,” Ahmed said. “You have a moral and religious obligation to do that, especially if you think about how targeted Muslims are around the world right now.”  

Other sensitive apps also sold data to X‑Mode, including Bro, which accesses location data to find other users in the area to connect with.

Eric Silverberg, CEO of the gay dating app SCRUFF, said apps that serve the LGBTQ+ community shouldn’t share or sell such data. 

“Any use of that data beyond that service poses unique and disproportionate risks and threats to any minority community, period. Especially the LGBTQ+ community, because we face unique risks in places all over the world, and in the United States,” he said. 

Bro’s Kutler said that all location data that the dating app shared with X‑Mode was “100% anonymized” but stopped giving the broker its users’ data after learning that location data could be de-anonymized.

As Muslim organizations, when you are collecting information … you have to uphold that trust.

Jamal Ahmed, Kazient Privacy

Researchers have found that even with anonymized datasets, you can identify a person through location data with as few as four data points.

“Discovering that third-party brokers could even attempt to use information like a person’s home address to try to de-anonymize our data, we decided it wasn’t worth the risk to our users’ privacy (or trust) to continue working with X-Mode,” Kutler said.

X-Mode sent multiple emails to Silverberg, which he provided to The Markup, in 2017 and 2018, offering at least $100,000 annually for SCRUFF’s user data.

“Since your company is already collecting location data, you might be interested in adding X‑Mode’s revenue of at least $100,000 annually (Based on your apptopia numbers) on top of what you are already making,” X‑Mode’s pitch email in September 2018 said. 

Silverberg said he has consistently ignored the offers.

Last July, a high-ranking Catholic priest resigned after a media outlet used location data to link the priest to a gay dating app and tracked his visits to gay bars. There’s no indication that X‑Mode was involved in the incident. 

Sean O’Brien, the lead researcher at the Yale Privacy Lab, has uncovered several other LGBTQ dating apps that sold location data to X-Mode by looking for apps that used X‑Mode’s SDK. (An SDK, which stands for Software Development Kit, is a tool embedded into apps that can be used for data collection.) App developers would install X-Mode’s SDK so the location data broker could collect information directly in exchange for payouts.

In 2020, O’Brien scanned the Google app store and found that the apps “Wapo: Gay Dating,” “Wapa: Lesbian Dating, Find a Match & Chat to Women,” “MEET MARKET – Gay Dating App. Chat & Date New Guys” and “FEM – Free Lesbian Dating App. Chat & Meet Singles” also had X‑Mode’s tracking code embedded. None of them do anymore, he said. 

The publishers of these apps, Mingle and Wapo y Wapa Ltd., did not respond to a request for comment. 

There are other ways for apps to give data to location data brokers, even without the SDKs. Life360, for instance, provides data brokers with location data directly through its own servers, as The Markup previously reported. 

Two former X‑Mode employees told The Markup that the company received more data from direct server transfers than from SDKs. 

This method would be more difficult for researchers like O’Brien to detect. All of the data in the sample we reviewed appears to be collected directly from mobile devices via the SDK.

It can be difficult for app stores like Apple’s and Google’s to detect and monitor such sales, according to The Wall Street Journal. Apple and Google said certain types of user data sales are prohibited, regardless of how the data is collected and received.

“We do not allow apps to surreptitiously build user profiles based on collected user data. Apps found to be using the X-Mode SDK are required to remove it or risk removal from the App Store altogether,” Apple spokesperson Adam Dema said in an email.

“Google Play’s policy explicitly prohibits apps that collect sensitive and personal user data from selling it,” Google spokesperson Scott Westover said in an email.

Neither company answered questions on how it detects and enforces against server-to-server based transfers. 

A former employee at X-Mode told The Markup that sales team members were each responsible for bringing in new sources of location data.  Each team member’s annual goals were set at one million new combined users from apps, the ex-employee said. 

Often, that included reaching out to app developers with charts showing how much they could make based on their user count and a pitch deck showing how the data was used for targeted advertising. 

The Markup reviewed an X‑Mode pitch deck sent to Silverberg in 2017. It highlighted that X‑Mode sold location data for advertising purposes. 

Three of the developers who sold data to X-Mode said they ended their partnerships after learning about the military relationship. For them, working with X‑Mode mostly represented a simple way to monetize their apps. 

Anuj Saluja, the developer behind the app “Stock Trainer: Virtual Trading,” said he stopped sharing location data with X‑Mode in September 2019 and that he had received from $800 to $1,000 a month from the data broker. 

“Being an indie app, at the time X‑Mode was ~25% of my revenue. So financially it was a hard decision to exclude X‑Mode from my app, but I think I did the right thing by my app’s users. My app doesn’t need to know or care about users’ location,” the developer said in an email.

Daniel Fortuna, the developer of the app “Simple weather & clock widget (no ads),” also stopped supplying X‑Mode with location data once he learned about privacy concerns from Google. 

“We have stopped partnership with XMode more than a year ago after we learned XMode resold its data to certain partners,” Flex Yan, the developer of the app “CPlus Classifieds Marketplace” said in an email. 

The sales teams were also responsible for selling location data to potential buyers, with goals set at $500,000 to $800,000 in annual revenue, according to a former X‑Mode employee. 

The sales to the military could make up a good portion of those goals, as public records show. In 2019, X‑Mode sold location data to the Air Force for $283,125 and in 2020, for $140,000. 

While X-Mode didn’t explicitly tell publishers that their location data could end up with the military, Kazient Privacy’s Ahmed said publishers should have been more responsible with people’s data.

“If they are going to monetize and sell that, they should understand what is actually happening with this information, and is this being used against the people who I’m trying to offer a service to?” Ahmed said.