Amazon Web Services (AWS) has been advertising granular location data from X-Mode, a controversial firm that collected at least some of its data without informed consent. X-Mode, whose customers include U.S. military contractors, obtained data from Muslim Pro, a hugely popular Muslim prayer app that secretly collected and sold the location of its users, as well as other apps.
The news highlights an often overlooked section of the location data industry: reselling by tech giants such who may not directly collect the data themselves but do provide large scale platforms for others to purchase and sell it. In this case, AWS was selling this data via its Marketplace platform, where developers can sell their own data.
"Several large data brokers and adtech companies are still reselling data on millions from shady sources. They must urgently clean up their data supply chain, and they must be held responsible," Wolfie Christl from digital rights activism and research group Cracked Labs told Motherboard in an online chat.
Do you work at Babel Street, X-Mode, Venntel, or one of the apps mentioned in this piece? Did you used to, or know anything else about the location data industry? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
AWS' marketplace included listings such as "X-Mode US Location Data Panel" for $600,000; "Big Box Shoppers (US Only)" for $240,000; and "Health and Wellness (US Only)" for $240,000. The listings also advertised data more specifically geared for combatting COVID-19, with either free data for researchers or paid versions for commercial use. AWS listed the data since at least last May.
X-Mode gathered location data by paying app developers to include X-Mode code into their apps. Motherboard found that beyond Muslim Pro these apps also included a popular Craigslist app, an app for following storms on a map, and a "level" app for, say, installing shelves in a bedroom. None of the apps made it clear to ordinary users that X-Mode's clients included military contractors. Multiple users of Muslim Pro subsequently told Motherboard they were not aware of the data selling, indicating that the data was not collected with their informed consent.
Motherboard first contacted AWS about the data listings at the start of January and did not receive a response. Some time later, the listings were removed from AWS' marketplace. It is not clear whether AWS itself removed them or whether X-Mode did. In the wake of Motherboard's Muslim Pro report, Google and Apple banned X-Mode from their app stores, telling developers to remove X-Mode's code from their products. Neither company responded to multiple requests for comment.
Google's Play Store policies prohibit app developers from selling personal or sensitive data collected through apps. Although Google enforced this policy against X-Mode, Motherboard found another location data called Predicio paying other developers for location data, including the creator of another Muslim prayer app. It is unclear whether Google will also enforce its policies against Predicio.
Subscribe to our cybersecurity podcast CYBER, here.