A new report from VICE reveals how apps on iOS and Android are quietly siphoning off GPS location data on millions of users to data brokers who then sell it to military contractors and "by extension, the military." App developers install data collection SDKs in their apps in exchange for a lucrative fee — the maker of one such service, X-Mode, has suggested an app with 50,000 daily active users can net $1,500 in monthly fees.
Many of the apps that have been found to include X-Mode are geared towards Muslim audiences, such as Muslim Pro, an app that reminds users when to pray. The app has been downloaded more than 50 million times on Android, and almost 100 million times in total across other platforms. Another app using X-Mode is the dating app Muslim Mingle.
One of the clients of X-Mode is a private intelligence firm whose goal is to use location data to track people down to their "doorstep." Another similar service called Locate X allows users to draw a circle around an area and see any devices in that area that the service has information on, and then follow any particular device. Locate X has a contract with USSOCOM, a branch of the military tasked with counterterrorism.
Shooting in the dark — The U.S. military has waged a long war against Muslim terror groups in the Middle East, and targeted drone strikes have left hundreds of thousands of civilians dead as collateral damage. Drone strikes are controversial because they're often anything but precise — from up in the sky it's difficult to know what's happening on the ground or if your target is even down there. The U.S. has attempted to avoid harming civilians with varying degrees of success, and its reporting on civilian casualties is believed to be inconsistent.
The problem with using this type of smartphone data to select targets for strikes is that it can be incredibly unreliable. You might think you're following a target, only to realize later it was the target's mother.
Another concern raised by these new revelations is that there's nothing stopping data aggregators from selling to other countries, and plenty of nations already purchase surveillance technology for the purpose of targeting dissidents and other adversaries. Saudi Arabia, for instance, has used smartphone spyware technology from NSO Group to identify dissidents who spoke with murdered journalist Jamal Khashoggi.
Most of the apps using X-Mode and Locate X don't mention any relationship to X-Mode or Locate X, and are incredibly vague as to how any data is used. Not that they would likely want to disclose such information — it's clearly been in their financial interest to keep mum about it.
We need oversight — The irony of the U.S. government quietly enlisting apps to spy on users should not be lost in light of the Trump administration's aggressive attack on TikTok over national security concerns, claiming that Chinese officials could use the app to surveil American citizens.
Meaningful privacy legislation could target all apps for this type of quiet data harvesting and require them to clearly note when data is being sold to third parties or being used for anything but the express functions of the app. That would better protect Americans than targeting one specific app. Attacking TikTok likely had more to do with Trump's tough stance on Chinese trade practices.
California recently passed a law that requires apps to disclose when they sell data, and for what purposes. Users can also request that an app not sell their data. But results on whether the law is working have been mixed, and enforcement is limited to California.