In January, The Markup revealed a list of apps that have sold location data to X-Mode, a controversial data broker that claims to cover “25%+ of the Adult U.S. population monthly.” The data broker, which has faced intense criticism from privacy advocates, tracks the location and movement of users by planting special lines of code in over 100 apps, including data, music, weather, and Muslim prayer apps.
Federal contracting records show that both the Internal Revenue Service and the Department of Homeland Security are among the federal agencies that have recently contracted with X-Mode’s parent company, Digital Envoy. Previous reporting showed X-Mode, which recently rebranded as Outlogic, has also been used by various branches of the military.
While information on users from data brokers is primarily used for targeted ads, government and law enforcement agencies also purchase and use it for identification and tracking. The IRS, in particular, has come under increased scrutiny for its adoption of surveillance and high-tech solutions. Last year, members of Congress called for an inquiry into the IRS’s use of mass location data for its criminal investigation division, and the IRS recently abandoned a plan to use facial recognition to verify new accounts.
Sen. Ron Wyden, D-Ore., who has investigated warrantless location tracking and surveillance technology used by the government, expressed concern about the use of the company.
“I’m looking into Digital Envoy’s contracts with the government and have asked for a briefing to understand how these contracts impact Americans’ privacy,” said Wyden, in a statement to The Intercept. “I strongly believe the government should not be able to use its credit card to get around the Constitution and purchase sensitive information without a warrant. That’s why I introduced the Fourth Amendment is Not for Sale Act to close this loophole for good.”
The Department of Homeland Security, the IRS, and Digital Envoy did not provide comment after multiple requests from The Intercept.
In 2020, the IRS signed a contract with Digital Envoy for an archive database subscription to NetAcuity, a product used to “pinpoint users’ geographic location.” Last October, following its acquisition of X-Mode, Digital Envoy was contracted by the IRS enforcement division for another contract for services that extends through September of this year.
The current contract with the IRS is part of the IRS’s Identity Theft Tax Refund Fraud Information Sharing and Analysis Center, a special project that utilizes private sector data to identify tax fraud.
Homeland Security currently contracts with Digital Envoy, via the department’s science and technology wing, for $129,960, according to federal records.
Digital Envoy also contracts with the Pentagon’s logistics arm. In a statement, the Defense Logistics Agency, which coordinates the movement of troops, fuel, and other services for the military, confirmed that “DLA contracted with Digital Elements, a division of Digital Envoy, for commercial subscription services.”
X-Mode has previously contracted with the Air Force, according to public records. The company entered into an Air Force contract for $283,125 in 2019 and entered into another contract for $140,000 in 2020.
X-Mode is now an integrated part of Digital Envoy’s tools sold to clients. The company advertises a department called “Digital Element” that uses “precise, real-time geolocation data” which “compliments data from our sister company, Outlogic,” the rebranded name for X-Mode.
Last August, Digital Envoy purchased X-Mode for an undisclosed amount. The deal followed a string of controversies in the media about X-Mode’s practices. Many of the apps cataloged by The Markup may have included sensitive information about users, including the LGBTQ-friendly Bro App and buzzArab dating platform. Following the story, some of the apps, including the Bro App, discontinued sale of location data to the firm.
In a press release, Digital Envoy claimed that they instituted a code of ethics, created a data ethics review panel, and implemented a sensitive app policy. The firm announced that it has “taken additional care by shutting off all U.S. location data going to defense contractors.”
But the deal also stressed that the X-Mode, now known as Outlogic, would continue to serve government clients, claiming that collecting and selling location data “has been integral in confronting the COVID-19 pandemic, the fight against human trafficking, and the optimization of emergency vehicle and evacuation routes during natural disasters, among powering many other essential social services.”
The IRS has previously tapped location data brokers. In an attempt to identify and track potential criminals, the agency purchased access to mass location data in 2017 and 2018 from Venntel, another data broker, according to a report in the Wall Street Journal. Other federal agencies, including the FBI, have contracted with Venntel.
Venntel, as a data broker, operates similarly to X-Mode. The company sourced precise location data from a variety of unassuming apps, including apps used for gaming and weather. That data was stored and sold to a number of clients, including government agencies.
In response, Wyden and Sen. Elizabeth Warren, D-Mass., called for an internal audit of the agency’s use of the location tracking technology. “The IRS is not above the law and the agency’s lawyers should never provide IRS-CI investigators with permission to bypass the courts and engage in warrantless surveillance of Americans,” Wyden and Warren wrote to the Treasury Inspector General for Tax Administration.
The inspector general responded with a report that found Venntel location data was not useful for IRS investigations but asserted that the IRS’s use of location data rested on sound legal ground. The IRS lawyers claimed that “data obtained from marketers of information like Venntel is not subject to a warrant because the data is collected by apps loaded on cellphones to which the phone users voluntarily granted access.” This claim has not been tested in court.
Jack Poulson, an activist and co-founder of the watchdog group Tech Inquiry, said he is concerned that government agencies are increasingly deploying surveillance technology with little oversight.
Poulson called the government’s use of cellphone location tracking data “an abusive violation of privacy for vulnerable populations.” In previous reports, he has identified how X-Mode has transferred location data to a number of government and media clients. The change in brand and acquisition by Digital Envoy, he added, is a “corporate shell game” to “obscure these egregious practices.”