The Lawfare Podcast – Justin Sherman on the FTC Settlement with Location Data Broker X-Mode (Archive Episode)

Release Date: October 12, 2025
Original Air Date: January 19, 2024
Guests: Justin Sherman, founder/CEO of Global Cyber Strategies & Senior Fellow, Duke University
Host: Eugenia Lostry (Lawfare Fellow in Technology Policy and Law)
Summary by: Lawfare Institute

Episode Overview

This episode revisits Lawfare’s January 2024 conversation (archived for October 2025) between Eugenia Lostry and Justin Sherman regarding the Federal Trade Commission's (FTC) landmark settlement with X-Mode Social, a major location data broker. The discussion delves into how X-Mode’s practices triggered FTC action, the groundbreaking restrictions imposed on selling data from certain “sensitive locations,” and the persistent gaps in US privacy law. The episode also reflects on broader ramifications for the data broker industry, regulatory enforcement, consumer harms, and the dire need for comprehensive privacy legislation.

Key Discussion Points & Insights

1. X-Mode’s Business Model and Data Collection Practices ([06:01]–[09:28])

• Scope and Methods:

  • X-Mode is “one of the most notorious location data brokers” in the US, heavily covered in news for selling anonymous-but-trackable geolocation data aggregated from mobile apps.
  • They collect over 10 billion location data points daily, working with around 300 apps and operating two of their own (“Drunk Mode” and “Walk Against Humanity”), unbeknownst to many users.
  • Core method: Pay app developers to embed their software (SDK) into apps; users believe they share location with only the app, which then shares/sells it to X-Mode.
  • Sells both raw data and “segments” (e.g., lists of people who visit a certain location, like a military base or school).

• User Vulnerability:

  • Consumers are often unaware their location data is shared, especially via misleading or skipped privacy policies.
  • Certain app concepts exploit vulnerable users—e.g., an app to help retrace steps while drunk.

Quote ([09:28]):
“...this app that’s purporting to help you retrace your steps or has some GPS tracking associated with your fitness, your running is then taking that and packaging it and selling it to retailers and selling it to military contractors and figuring out which kind of building did you go to. And now we’re going to put you in this particular type of consumer category. So, you know, definitely, definitely creepy.”
—Justin Sherman

2. FTC’s Legal Complaint and Unfairness Grounds ([11:08]–[13:54])

• Section 5A Focus:
  • FTC’s action was based not just on deceptive practices but on “unfairness”—specifically, inflicting substantial, unavoidable harm with no offsetting consumer benefit.
  • Key unfair practices cited included:
    • Selling location data tied to medical facilities, reproductive health centers, places of worship, shelters, etc.
    • Ignoring user privacy controls (e.g., collecting location even when “limit tracking” was enabled).
    • Creating and selling categories based on sensitive characteristics without express, affirmative consent.

Quote ([13:54]):
“There are a couple core pieces of unfairness, such as it causes substantial injury to consumers, and it’s not something you can reasonably avoid.”
—Justin Sherman

3. Consumer Harms from Location Data Sales ([13:54]–[17:28])

• Types of Harm:
  • Near-complete profiling of individuals’ movements, habits, and affiliations (religion, health, sexual orientation, even immigration status).
  • Easy re-identification and risks of stalking, discrimination, and other civil liberties abuses.
  • Law enforcement purchases of data without warrants.
  • Marginal consumer “benefits”—better ad targeting don’t outweigh risks.

Quote ([13:54]):
“One is that location data from your phone is the equivalent of someone following you around 24/7 with a notepad, writing down everywhere you go ... there’s all these reasons. Location data is really sensitive and so companies and others can do very harmful stuff with that.”
—Justin Sherman

4. FTC’s Approach to Anonymization and Re-Identification Risks ([18:20]–[21:29])

• Data Not Truly Anonymous:
  • Even without names, “persistent identifiers” (Mobile Advertising IDs) tie data to people.
  • FTC requires technical and contractual safeguards to prevent re-identification or misuse.
  • Buyers must not be able to re-link “de-identified” data back to individuals.

Quote ([18:20]):
“Yes, you can take a name out of a data set. Well, guess what? That doesn’t mean it’s de-identified. That doesn’t mean you can’t ... link that information to a lot of sensitive characteristics about someone’s life ... And so that’s a really important part of the order.”
—Justin Sherman

5. Supplier Assessment & Affirmative Consent ([21:29]–[24:42])

• Enforced Consent Standards:
  • X-Mode must ensure all app partners actually get users’ affirmative, express consent to sell location data.
  • Responds to the reality that most people never read terms but their data is sold anyway.
  • FTC can’t fix systemic consent issues legislatively, but steps up enforcement within existing powers.

Quote ([22:03]):
“The FTC can’t fix these massive legislative problems. What the FTC can do is use its existing authorities to protect privacy against these particular abuses. And so I think what they’re doing here is fantastic.”
—Justin Sherman

6. Defining and Banning Sale from Sensitive Locations ([28:49]–[33:19])

• Groundbreaking Restriction:
  • FTC creates a precise list of “sensitive locations”:
    1. Medical facilities (including mental/reproductive health, substance abuse centers)
    2. Religious organizations
    3. Correctional facilities
    4. Labor union offices
    5. Child-focused education/childcare locations
    6. Entities providing racial/ethnic origin-based services
    7. Temporary shelters (homeless shelters, domestic violence refuges, refugee/immigrant centers)
  • X-Mode is strictly banned from selling location data about these.
  • Clarity and enforceability praised.

Quote ([29:18]):
“This is huge. This is unprecedented. ... there’s no ambiguity for X-Mode in terms of what do we need to do internally... From that standpoint, I think, you know, it’s a really important piece of the order. And again, it’s unprecedented. So ... the FTC is forging a new path here...”
—Justin Sherman

7. Compliance & Enforcement Challenges ([33:19]–[37:07])

• Effectiveness Tied to Compliance:
  • FTC’s order includes privacy training for X-Mode staff, deleting certain existing data, and rigorous reporting requirements.
  • FTC can request documentation and demand rapid, sworn compliance responses.
  • Consequences for non-compliance include further investigations, lawsuits, and financial penalties.

Quote ([36:01]):
“There are lots of points in here where the FTC could sink its teeth in if X-Mode is not complying ... If you violate that, as has happened with some social media companies ... then the FTC can bring additional action against you.”
—Justin Sherman

8. Industry Signal & Limitations ([37:07]–[40:22])

• Ripple Effects:
  • The order is a clear warning to location data brokers (“sends a strong signal”), but won’t reshape the entire industry—other data types and practices remain unaffected for now.
  • Could encourage some brokers to proactively stop selling data from sensitive locations to preempt scrutiny.

Quote ([37:24]):
“I do think it sends a clear message to location data brokers ... but I just think it also takes a lot more to deter data brokers. And as we’ll get to some of that probably is more legislative than regulatory at this point.”
—Justin Sherman

9. Future FTC Action and Comprehensive Privacy Legislation ([40:22]–[46:12])

• FTC Priorities:

  • Crackdown on health and location data misuses, with more investigations into similar brokers likely.

• Legislative Gaps & Grim Prospects:

  • US remains without comprehensive privacy law; prospects dim, especially in an election year (2024 reference).
  • Frustration voiced over lack of even piecemeal protections; “such a bipartisan issue.”
  • Journalistic expose (like the 1988 Video Privacy Protection Act’s origins) might be necessary to galvanize action.

Quote ([42:40]):
“There was a lot of momentum last year in conversation about this and then it kind of went nowhere. And so I don’t, I don’t think we’re going to get any new comprehensive bill introduced this year, especially because it’s an election year and Congress just has other priorities.”
—Justin Sherman

Quote ([44:23]):
"I just don't understand ... it's just frustrating looking at it and seeing these and some other privacy abuses ... and not having something done in the meantime, especially because this is such a bipartisan issue."
—Justin Sherman

10. Final Reflections: Enforcement Realities and the Economics of Data Brokering ([46:28]–[48:54])

• FTC’s Resource Constraints:
  • Only ~40 people at FTC focus on privacy, an “absurdly” small number given the population and the issue’s magnitude.
• Economic Incentives:
  • It can be highly lucrative for app developers to sell user data to brokers like X-Mode.
  • Comprehensive legislation and greater FTC resources are called for—current measures, while historic, remain stopgaps.

Quote ([46:28]):
“It is a big deal ... The privacy team at the FTC is about 40 people. And I think that is just a massive legislative failure ... But it really is an important settlement and I think something that anyone looking at location data privacy and the privacy and national security risks should dig into.”
—Justin Sherman

Memorable Quotes and Timestamps

• “[Location data is] the equivalent of someone following you around 24/7 with a notepad, writing down everywhere you go ...” ([13:54], Justin Sherman)
• “You can take a name out of a data set. Well, guess what? That doesn’t mean it’s de-identified.” ([18:20], Justin Sherman)
• “This is huge. This is unprecedented. ... the FTC is forging a new path here...” ([29:18], Justin Sherman)
• “...the privacy team at the FTC is about 40 people. And I think that is just a massive legislative failure...” ([46:28], Justin Sherman)
• “There are these really big problems with lots of apps giving away location data, selling location data without people’s consent.” ([22:03], Justin Sherman)
• “...sometimes the best solution to this problem is journalists and others ... pointing out to members of Congress how their privacy can be invaded...” ([45:16], Justin Sherman)

Takeaway

The FTC’s settlement with X-Mode marks a pivotal regulatory milestone in restricting the sale of sensitive geolocation data. However, it underscores the urgent need for robust, comprehensive privacy legislation—and for greater institutional resources to enforce it. As location data’s risks rapidly escalate while regulatory infrastructure limps behind, this case is both a warning to data brokers and a rallying cry for meaningful federal privacy protections.