Advocates for transparency on social media cheered this weekend when X, the app owned by tech billionaire Elon Musk, rolled out a new feature that disclosed what the company said were the country locations of accounts.
The feature appeared to unmask a number of accounts that were portraying themselves as belonging to Americans but in reality were based in countries such as India, Thailand and Bangladesh.
But by Monday, the effectiveness and accuracy of the feature were already in question, as security experts, social media researchers and two former X employees said the location information could be inaccurate or spoofed using widely available technology, such as virtual private networks (VPNs), to hide their locations.
The former employees said the idea had been pitched since at least 2018, but had been repeatedly shot down.
“Now that this feature exists, I think it’s absolutely going to be exploited, and people will learn to dodge it very quickly,” said Darren Linvill, a professor and a co-director of Clemson University’s Media Forensics Hub.
The geolocation information began appearing over the weekend on X users’ accounts, where an “about” page displays the month and year users joined, where their accounts are purportedly based, whether they used country-specific app stores and potentially other details.
Previously, the only location information on accounts was what users had entered themselves, which the platform didn’t fact-check. On some accounts, that might be nothing at all or joke locations. X also doesn’t require accounts to use real names, so the new feature kicked off a wave of sleuthing.
It wasn’t immediately clear what data X was using to label accounts’ locations, but like many tech companies, X may have access to signals such as internet protocol (IP) addresses, phone numbers or devices’ GPS data — any of which could be imperfect as a reflection of someone’s true location. Two former employees said that in recent years, X had used geolocation information from internet service providers; data brokers, including MaxMind, which is widely used in the trust and safety industry; and users who provided it themselves.
One of the former employees said that when they were at the company, it had estimated a user’s location by analyzing their most common login location within a rolling 30-day window.
The new feature at X is the latest chapter in a long-standing struggle within tech companies over how to handle so-called inauthentic behavior, in which people assume fake identities to run scams, push political causes, boost traffic to websites or otherwise chase clout.
The battle took on a sense of urgency after Russia-based operatives used social media to try to sway the 2016 presidential election. Alarmed by the threat of spies running massive troll farms, apps such as Facebook began to put labels on certain pages to disclose where they were managed from.
Twitter also took steps to fight troll farms, including hiring specialists to fight misinformation. But when Musk took over the platform in 2022, he cut many of those jobs and de-emphasized “trust and safety” teams. He also renamed it X.
While features such as country-of-origin labels may be a boost for transparency, experts said there’s a constant game of cat-and-mouse between tech companies and adversaries who are trying to avoid detection. At worst, the labels can backfire, they said.
When the labels were released last week, there were immediate accuracy issues. Three accounts belonging to NBC News journalists showed locations that did not correlate to where they are based but to where they had traveled to within the last several months instead. The issue persisted as of Tuesday.
The two former employees of X who both worked under Musk said in interviews Monday that geolocation data received by the company wasn’t always accurate and could be manipulated by bad actors, in part because of how common VPN software has become. They said the company had kicked around the idea of country-of-origin labels since at least 2018, four years before Musk took over, but that the idea had repeatedly been shelved. One of those former employees, who spoke on the condition of anonymity because they signed a non-disclosure agreement when they left X, remembers the proposal’s being made after Cyabra, a tech company that tracks bots and misinformation, issued a report in the run-up to the 2024 election saying a network of thousands of pro-Trump bots were attacking Trump’s competitors, including Ron DeSantis.
Another former employee, speaking on condition of anonymity because they are not authorized to speak about their work at X by their current employer, said the company had decided against deploying the idea in the past for two reasons: concern about creating a visible target for bad actors to manipulate and fear that the label could backfire. If a bad actor successfully spoofed a U.S. location, the platform would effectively be incorrectly verifying it as a trusted American voice.
“At worst, these kinds of features can lull users into a false sense of security when things don’t appear obviously wrong,” the former employee said.
Olga Belogolova, who formerly led counterinfluence operations at Meta, said country-of-origin labels are ultimately a Band-Aid for deeper issues on a social media app.
“In my experience, transparency features like location labeling only work if the data source is reliable and consistent,” she said. “If this relies on simple IP addresses or self-reporting, it is trivial for bad actors to circumvent it.”
An IP address indicates where someone’s device is connected to the internet. But VPN software, which is ubiquitous, can disguise an IP address and, depending on the VPN app, allow someone to pick which country they appear to be from — or “spoof” their location.
The new labeling system on X acknowledges the possibility of people using VPNs, and, from a technical standpoint, it’s not clear that X has a countermeasure. On some X profiles, the country label has a disclaimer saying: “One of our partners has indicated that this account may have used a proxy — such as a VPN, which may change the country or region that is displayed on their profile. This data may not be accurate. Some internet providers may use proxies automatically without action by the user.”
Musk’s Starlink satellite internet service, for example, warns users that location data may be “several states, provinces, or sub-regions” away from their actual location.
X didn’t respond on Monday to a request for comment.
Nikita Bier, X’s head of product, asked for patience in a post over the weekend.
“There are a few rough edges that will be resolved by Tuesday,” he posted Saturday. “If any data is incorrect, it will be updated periodically based on best available information. This happens on a delayed and randomized schedule to preserve privacy.”
He called the feature “an important first step to securing the integrity of the global town square.” He also shared a post from Nikki Haley, a former U.S. ambassador to the United Nations, who called the feature “a huge win for transparency and American security.” Haley said that “foreign actors are using social media to poison our politics and divide Americans.”
On X and other social media apps, there has been rapid reaction to the feature as users have explored it and questioned the national loyalties of other users. Several unmasking targets have been pro-MAGA accounts with large followings. Other targets included users raising money and alleged charities with suspicious locations.
In one example, an account using a photo of President Donald Trump and calling itself a “Trump Lover” was labeled as being based in Morocco, even though it asserted in its bio that it was based in New York and run by an “immigrant to the USA.” The account has more than 395,000 followers and links to a website for female bodybuilders. The user didn’t respond to a request for comment.
Belogolova, who now teaches about digital disinformation and influence operations at Johns Hopkins University’s Alperovitch Institute for Cybersecurity Studies, said she believed X “botched” the rollout of its feature by using unreliable data sources and not fully considering the effect of the feature on persecuted dissidents.
“In the chaos after the 2016 Russian election interference, I witnessed a lot of enterprising engineers trying to build new features they thought would ‘solve’ the troll farm problem overnight,” she said. “This botched rollout reminds me a bit of those early engineering experiments.”
In other ways, Musk has made X less transparent since he bought it. Most notably for academic researchers, Musk curtailed access to X’s application programming interface, or API, the software that allowed researchers to study the platform on a massive scale by examining the full firehose of posts. Reuters reported in 2023 that researchers had canceled, suspended or changed more than 100 studies about X as a result.
Linvill, of Clemson University, said the financial incentives are still in place to encourage some people to lie about their locations.
“It’s very likely that they are just influencers trying to make a buck and they’ve decided that the best way to engage in capitalism is to pretend to be an American. And there’s every reason to believe that that is a pretty successful path to making money on X,” he said.
X users have several paths to making money within the app, including collecting subscription fees from followers and sharing in advertising revenue with the company itself.
Luca Luceri, a research assistant professor of computer science at the University of Southern California, said researchers are always looking for new signals and data about possible coordinated operations to manipulate public opinion. He pointed to evidence that, in the run-up to last year’s U.S. election, networks from countries such as Russia, China and Iran tried to shape American politics.
“I will say I’m curious now how this will change with this new feature from X,” he said. “At least for me, it’s very difficult to say if the location provided through this new feature will be accurate or not.”
Experts also said tech companies have to worry about peaceful dissidents or others who might have good reason to mask their locations — although in the case of the new X feature, the labels don’t provide exact locations.
Calli Schroeder, the Global Privacy Project lead at the Electronic Privacy Information Center, said she wasn’t sure X fully understood the risks before it released the feature.
“If they’re willing to change something like this with no public consultation or discussion, that’s their right as a private company. But it does raise the question of how many other things are they going to decide are critical to share for transparency that they’re just going to unilaterally make changes to without talking to experts about how this could expose people to risk,” she said.