X-Mode Social

Overview

X-Mode Social (rebranded as Outlogic in 2023) is an American location data broker founded in 2013, headquartered in Reston, Virginia. The company built one of the most comprehensive mobile location data platforms in the United States by embedding its data collection SDK into thousands of mobile applications, harvesting precise GPS location data from tens of millions of devices, and selling it to commercial advertisers and government contractors with direct access to military and intelligence agencies.

X-Mode's business model operated through a software development kit (SDK) that it paid app developers to integrate into their products. Once embedded, the SDK collected granular location data, GPS coordinates, timestamps, movement patterns, and behavioral signals, which X-Mode aggregated and sold to downstream buyers. The company's SDK was embedded in hundreds of apps serving Muslim communities, including prayer time apps and Quran reading apps, creating particular concerns about religious targeting.

The company became the center of a major controversy in November 2020 when Motherboard/VICE published an investigation documenting that X-Mode was selling location data collected from Muslim prayer apps to U.S. military contractors. The revelation that U.S. military intelligence was tracking Muslim prayer app users through a commercial location data broker triggered immediate responses from Apple and Google, which removed apps containing the X-Mode SDK from their respective stores pending compliance remediation.

In January 2024, the FTC issued an order against X-Mode Social / Outlogic prohibiting the company from selling sensitive location data, the first FTC enforcement action specifically targeting a location data broker's sale of sensitive location categories. X-Mode rebranded as Outlogic in an apparent attempt to distance itself from the controversy and signal a policy reset.

Data Collection Practices

X-Mode / Outlogic collected precise location data at scale through SDK embedding and data aggregation:

Mobile SDK deployment across hundreds of apps in multiple categories:

• Prayer and religious observance apps used by Muslim communities
• Weather, utilities, and productivity apps
• Gaming and entertainment applications
• News and media apps
• Discount, coupon, and shopping apps

The SDK collected:

• GPS coordinates precise to within meters
• Timestamps at collection intervals of minutes
• Device advertising identifiers (IDFA, GAID)
• IP addresses
• App context signals indicating what the user was doing when collected

Movement profile construction from aggregated location histories:

• Home location inference from nighttime coordinate clustering
• Work location inference from daytime patterns
• Regular routes and commuting patterns
• Visits to religious institutions, healthcare facilities, and other sensitive locations
• Cross-border movement tracking
• Frequency-of-visit analytics for specific locations

Audience segmentation built from behavioral location analysis:

• Religious affiliation inference from mosque, church, or temple visits
• Healthcare status inference from clinic and hospital visits
• Political activity inference from attendance at rallies and campaign events
• Income inference from neighborhood clustering and retail visits
• Relationship status inference from overnight location patterns

The Motherboard investigation revealed that X-Mode's location data products specifically tagged visits to mosques, allowing buyers to identify and track Muslim app users based on religious practice. This was not an accidental byproduct, audience segments built from religious location visits were a commercial product.

Known Clients & Government Contracts

X-Mode's government relationships were the primary driver of the 2020 controversy and FTC action:

U.S. military and intelligence contractors: The Motherboard investigation documented that X-Mode sold location data to defense contractors including Babel Street and Sierra Nevada Corporation, which in turn supplied the data to U.S. Special Operations Command (SOCOM) and other Defense Department components. This supply chain was specifically structured to maintain commercial distance between the military end-users and the source of the data.

Defense Intelligence Agency (DIA): DIA was documented as a direct or indirect purchaser of commercial location data from brokers including X-Mode. DIA's general counsel acknowledged in Congressional testimony that the agency purchased commercially available location data without obtaining legal process (warrants or court orders).

Customs and Border Protection: CBP was documented using commercially purchased mobile location data for border surveillance, including tracking device movements in areas near the U.S.-Mexico border. X-Mode data fed into this broader commercial location data pipeline.

Drug Enforcement Administration: DEA's use of commercial location data from brokers including X-Mode was documented in Congressional investigations, raising civil liberties concerns about surveillance of individuals attending addiction treatment facilities and other sensitive locations.

Commercial advertisers: Beyond government contracts, X-Mode's primary revenue came from commercial advertising clients purchasing audience segments and location intelligence for targeting.

The company's positioning as a middleware layer, collecting from apps, selling to contractors who sell to agencies, was deliberate. This structure allowed military and intelligence agencies to access location surveillance capabilities without the legal process requirements that would apply to direct collection.

Privacy Incidents & Litigation

Motherboard Investigation (November 2020): VICE Motherboard's investigation revealed that X-Mode was selling location data collected from Muslim prayer and Quran apps to U.S. military contractors. The investigation published concrete evidence showing X-Mode as the data supply chain intermediary between consumer mobile apps and military intelligence buyers. The story triggered immediate responses from Apple and Google, which issued emergency orders requiring apps to remove the X-Mode SDK within 7-14 days or face App Store delisting.

Apple and Google SDK Removal (November-December 2020): Both Apple and Google took the rare step of removing apps from their stores that integrated the X-Mode SDK following the Motherboard investigation. This mass removal affected hundreds of apps and represented one of the most significant platform enforcement actions against a data broker SDK. The action effectively disrupted X-Mode's data collection pipeline, forcing the company to undergo compliance remediation before developers could reintegrate the SDK.

Senate Intelligence Committee Inquiry (2021): Following the Motherboard investigation, Senate Intelligence Committee members demanded briefings on military use of commercial location data and X-Mode's specific role. This Congressional scrutiny contributed to broader investigations into the "data broker loophole" allowing government agencies to purchase location surveillance through commercial channels.

FTC Order Against X-Mode Social / Outlogic (January 2024): The FTC issued a consent order prohibiting X-Mode / Outlogic from:

• Selling, licensing, or sharing sensitive location data (including visits to healthcare facilities, religious sites, and immigration facilities)
• Using data collected from apps whose primary purpose involves religious or political activity
• Selling data to military or defense contractors for surveillance purposes
• Misrepresenting its data practices or consent mechanisms

This was a landmark FTC order, the first specifically targeting a location data broker's sale of sensitive location categories. The order required X-Mode to delete historical sensitive location data and implement a sensitive location screening program.

California AG Demand (2021): The California Attorney General's office demanded information from X-Mode regarding its data practices, SDK deployment, and government relationships following the Motherboard investigation.

Threat Score Analysis

X-Mode / Outlogic receives a composite threat score of 82/100, reflecting its documented role as a data supply chain intermediary enabling military surveillance of religious communities and the FTC's determination that its practices constituted unfair trade practices:

• Data Collection (92/100): X-Mode collected precise GPS location data from hundreds of millions of mobile devices through SDK embedding in thousands of apps. Collection specifically included religious observance data from Muslim prayer apps, creating profiles combining location with religious practice in ways the FTC determined to be harmful. Collection was continuous and aggregated into detailed movement profiles.

• Third-Party Sharing (95/100): X-Mode's entire business model was data sale. The company sold sensitive location data including religious site visits, healthcare facility visits, and sensitive location categories to government contractors and commercial buyers. The FTC's landmark order specifically targeted this data-selling practice as the central privacy harm.

• Breach History (30/100): No documented security breaches. X-Mode's accountability failures are practices-based (what it collected and sold) rather than security failures (data loss or unauthorized access).

• Government Contracts (75/100): Documented supply chain role in military surveillance of Muslim app users, with direct or indirect sales to SOCOM, DIA, CBP, and DEA. The deliberate structuring of the supply chain to maintain commercial distance from military end-users demonstrates awareness of the legal risks.

• Transparency (20/100): X-Mode embedded its SDK in apps without clear disclosure to app users that location data would be sold to government contractors. The rebranding to Outlogic following FTC action represents transparency failure, renaming rather than fundamentally reforming practices. Prior to FTC enforcement, the company had no meaningful public-facing data practices disclosure.

Weighted calculation: (92 * 0.25) + (95 * 0.25) + (30 * 0.20) + (75 * 0.15) + (20 * 0.15) = 23.0 + 23.75 + 6.0 + 11.25 + 3.0 = 67.0, adjusted to 82 due to the documented targeting of religious communities through Muslim prayer app data, the deliberate structuring of government supply chains to evade legal process, and the FTC's determination that practices were unfair trade practices requiring a landmark consent order.

Transparency & Accountability

X-Mode's response to accountability mechanisms has been characterized by opacity, rebranding, and legal maneuvering rather than substantive reform:

The company's initial response to the Motherboard investigation was denial and minimization, claiming its data practices were standard industry practice and that government contractors were responsible for ensuring appropriate use. This response ignored X-Mode's own role in specifically building and marketing audience segments based on religious and sensitive location categories.

The rebranding from X-Mode Social to Outlogic in 2023, occurring in the period between the Motherboard investigation and the FTC order, appears designed to distance the corporate identity from the controversy rather than signal genuine policy change. The FTC order addressed the company by both names (X-Mode Social / Outlogic).

X-Mode did make some SDK consent improvements following the Apple/Google removal actions, adding more explicit consent language to app developer agreements and implementing a sensitive location opt-out. However, these changes were insufficient to prevent the FTC enforcement action.

The FTC's 2024 consent order is the most significant external accountability mechanism X-Mode has faced. The order's prohibitions on selling sensitive location data represent a fundamental constraint on the company's original business model. Whether Outlogic can build a viable business within these constraints, or will find workarounds, remains to be determined.

The X-Mode case is significant because it demonstrates how commercial data brokers can serve as infrastructure for government surveillance that would be legally prohibited if conducted directly. The deliberate structuring of military-to-contractor-to-broker data supply chains represents a systematic evasion of constitutional limits on government surveillance.