Where does your info go? US lawsuit gives peek into shadowy world of data brokers | Technology
There are a number of ways your personal data could end up in the hands of entities you’ve never directly given it to. One of them is through the data-broker industry: a complex network of companies that profits off the sale of data such as your location and your purchases, as well as biographical and demographic information.
Now, a new lawsuit is giving consumers an unprecedented peek into this opaque world, and illuminating just how easily a data broker can lose control of the user information it collects.
Data brokers collect personal data from a variety of sources, including social media, public records and other commercial sources or companies. These firms then sell that raw data, or inferences and analysis based on that data – such as a user’s purchase and demographic information – to other companies. Such analysis can be particularly useful for advertisers looking to more effectively attract buyers.
The new lawsuit, first reported by the Markup and filed in in February, involves two companies in this vast network: X-Mode, a data broker that renamed itself Outlogic, and NybSys, one of X-Mode’s customers.
X-Mode has said that its raw location data – which it gathers by embedding directly into various apps – is a trade secret that it licenses out to other companies under strict conditions not to resell the data in its unaggregated form. In other words, companies licensing that data could share inferences and analysis of that information, but not the precise location data.
“XMode strictly prohibits the resale of these latitude and longitude coordinates in ‘raw’ form: it only permits resale (by certain customers) of aggregated insights, eg, that a particular group of devices are likely ‘sports fans’ or ‘theater fans’ (thus enabling more relevant ads, or market research, for instance),” the lawsuit states.
X-Mode alleges that NybSys violated those conditions and resold the raw location data to another firm called LocalBlox, which was already banned from X-Mode’s platform in April 2020 for doing the same thing.
In short, the lawsuit claims people’s exact location data was sold through a chain of industry players, rather than the summary or analysis of that information, without knowledge or permission from the company that collected it in the first place.
While NybSys denies any wrongdoing, the lawsuit shows just how easily the security of people’s data can be breached when it is passed from company to company. X-Mode alleges this would be at least the second time that a contractor resold raw, unaggregated user data without permission.
X-Mode and NybSys did not respond to a request for comment.
That precise location data can be much more revealing than an aggregated summary, though experts argue there’s no truly secure means of selling location data. And the lawsuit shows every time that user information changes hands, the data becomes newly vulnerable.
“Location data is some of the most sensitive data humans create. We’ve seen time again that even when this type of data is supposedly anonymized or aggregated, it can be abused in ways that put people in danger,” Evan Greer, the director of Fight for the Future, said.
“There is no safe way to buy and sell people’s location data for profit. Period. We desperately need a real data privacy law in the US that outlaws this type of surveillance profiteering.”
X-Mode has faced its own controversy in the past over data handling practices, after Motherboard revealed in 2020 that the company sold location data it collected to military contractors. Some of the companies X-Mode collected location data from included apps such as the Muslim prayer app MuslimPro which are geared toward groups disproportionately targeted by surveillance and law enforcement. While companies may argue that data is anonymized or aggregated before being shared, data from apps like MuslimPro that service a single demographic can be easily used to target these groups, particularly in the hands of law enforcement. (MuslimPro said it stopped sharing data with X-Mode after the story was published.)
Motherboard also found that the company sold location data to a private intelligence firm that tracked people to their “doorstep”, although it is not ultimately known what this data, or the data sold to the military, was used for.
Chris Gilliard, a fellow and professor at Macomb Community College in Michigan, says this kind of uncertainty is common in an industry that operates with little transparency. Much remains unknown about how data brokers like X-Mode collect and handle personal data, and consumers are often left to piece together information about where their data could end up.
According to the lawsuit, X-Mode says its customers use the data for both commercial and research purposes including tracking the spread of Covid-19 across state lines.
“Concerning user privacy, in many of the ways that matter, precise v aggregated is a distinction without a difference,” said Gilliard.
“In addition, the fact that a company can claim trade secrets while individuals are left out in the cold in terms of protections speaks to how wildly unregulated this space is when it comes to individual rights.”
