X just doxxed your location!

Last week’s editorial started with one of my catch-phrases. This one will too!

“I’m often early, but not often wrong!”

So, what came true this week? “Data is money!”

X’s new “About This Account” feature proves it. After a chaotic roll‑out, the platform began displaying a profile’s country or region alongside the number of times its username has changed, when it was created, and whether it was registered via the web or an app. You can access this information by tapping the “Joined” button under your bio and choosing to show either the exact country or a broader region; privacy toggles exist, and a disclaimer warns that the country or region may not be accurate if you connect through a proxy or VPN: another concept I have some opinions about. X’s head of product called the feature an essential step toward securing “the integrity of the global town square” according to Yahoo.com.

Reality intervened. Within hours, users posted screenshots of MAGA accounts whose location tags placed them in places like Pakistan. Ouch!

The discrepancy revealed how many influential profiles hide behind foreign IP addresses, but also exposed honest users to ridicule and suspicion. In Iran, for example, the update ignited a backlash when profiles of officials and pro‑government activists displayed Iran as their connection country despite their claims of using circumvention tools.

Some critics argued that the labels exposed privileged “white SIM cards” reserved for elites, while digital‑rights groups pointed out that VPN protocols can leak signals, and X itself acknowledged that the country indicator can be imprecise and is influenced by proxies or default network settings. X’s head of product admitted that the data was “not 100 percent” accurate for older accounts and promised an upgrade to improve the accuracy. TechCrunch also noted that many users found their listed location wildly off, with confusion likely arising from travel, global teams, VPNs, and old IP addresses.

This may sound like a minor transparency initiative, but it is a live demonstration of why location metadata matters.

In 2025, we inhabit an ecosystem of maliciousness, open‑source intelligence, political targeting, and automated harassment. Even a coarse region tag can be cross‑referenced with posting times, language, and follower lists to narrow down where someone lives. A “Western Europe” label, combined with a pattern of nighttime posts and local slang, can be enough to guess a whistleblower’s city; pair it with a leaked job title, and you have a target. In authoritarian contexts, a misattributed region can result in a person being imprisoned. During the Iranian uproar, users accused officials of having privileged, unfiltered connections, while others noted that widely used VPNs still leak underlying IP addresses.

Location metadata is not a cute transparency feature; it is a risk surface that can be exploited by stalkers, political opponents, and disgruntled bosses.

This fiasco highlights a deeper structural problem: centralized platforms cannot safely intermediate identity for billions of people, regardless of their benevolent intentions. Identity and time are the anchors of value. They tell us who did what and when. In the analog world, ledgers did that job while staying relegated to file cabinets, except under subpoena or perhaps during a tax audit.

In the digital world, social media companies have become ledgers that sell access to behavioral data. When the same entity controls your login token, your private messages, and your monetized feed, every feature becomes an incentive to harvest or leak more information. Even when X frames a new feature as transparency, the economic logic of centralization pushes it toward deeper surveillance. Because all data flows through a handful of servers, any bug, misconfiguration, or hack can become a global issue. Data is money for the platform, but in this case, it is pure risk for the user.

Back to the top ↑

So what do we do?

The fix is not to abandon identity, but to firewall it.

Users should hold their own sign‑in keys on their devices, with selective disclosure and minimal leakage. Instead of handing a platform a token that grants perpetual access to everything, we need cryptographic credentials that prove only what is necessary. Are you over 18? Live in a particular region? Hold a valid membership? Great! Prove these things using Bitcoin keys without revealing any additional information.

Those credentials should be portable across apps and anchored to private keys that the user controls, rather than being tied to a centralized database. Logging a location should be a deliberate choice with a clear benefit, not a byproduct of a platform’s policy shift.

There are already tools moving in that direction, and I covered them last week; however, I’ll summarize again here: Privy and Clerk, two popular authentication-as-a-service providers, illustrate the spectrum.

Privy starts from the wallet, offering progressive onboarding and embedded self-custodial wallets across EVM, Solana, BTC, and other chains. It hides cross-chain complexity, allowing developers to spin up programmatically controlled wallets for treasuries or high-volume apps.

Clerk begins as a full-stack user management platform; it excels at polished sign-up flows, session handling, organization management, and billing across web and mobile frameworks, and it adds Web3 capabilities where they make sense. Both support familiar auth flows like email, SMS, and passkeys and store keys in secure enclaves so they never see your private key. They are leaps ahead of the old username/password sprawl, yet both rely on blockchains such as Ethereum and Solana, which impose significant fees and limited throughput.

Sigma Auth on BSV points toward a more robust answer. Deriving identities from Bitcoin‑style keys and writing attestations to the BSV ledger, it eliminates password databases entirely. A user creates a key in their browser, signs a challenge, and receives a token; the app never sees the private key. Because the BSV network processes multi‑gigabyte blocks and has demonstrated throughput in the millions of transactions per second, on‑chain attestations cost fractions of a cent, making it economical to anchor every login event or proof of membership. Sigma Auth supports cross-chain identity because the underlying cryptographic curve is shared; a user can derive a BSV address from an Ethereum wallet, allowing their existing wallet to serve as their sign-in key. Developers can self-host Sigma on mainstream runtimes and integrate it with any OAuth client, thereby avoiding vendor lock-in. The result is an identity layer that remains anchored to time and cryptographic proof, yet is economically sustainable at a global scale.

This is where the real lesson lies. X’s location labels aren’t just a misstep; they are a gift to those of us advocating for device‑level control. They show how easily a transparency update can become a doxxing tool, how inaccurate data can cause reputational harm, and how quickly trust evaporates from a platform that I would really like to love!

They remind us that whoever controls sign‑in controls the most valuable data layer. As I mentioned last week, if you let a platform intermediate your login, you earn money for them and expose yourself to threats.

To builders, my plea is simple. Treat login as the foundational contract of your application. Adopt device-first keys, selective disclosure, and self-custody. Support cross-chain interoperability, allowing users to leverage existing wallets without compromising control. If your application requires high-frequency attestations or micropayments, avoid networks with high fees and limited throughput; instead, choose those designed for data at scale. Participate in open standards so that no single vendor monopolizes identity. Above all, remember that identity and time anchor value. Design systems that return that value to the people who generate it. Anything less is a step backward, and X has just handed us the clearest illustration yet.

Back to the top ↑

Watch: How do you build a successful ecosystem? Bring blockchain to the builders!