Catholic priest exposed via Grindr app highlights widespread data tracking – Chicago Tribune

When a religious publication used data from a smartphone app to infer the sexual orientation of a senior Roman Catholic official, it exposed a problem that goes far beyond a debate over the doctrine of Church and priestly celibacy.

With few US restrictions on what companies can do with the vast amount of data they collect from webpage visits, apps and location tracking built into phones, there’s not much to prevent similar spying on politicians, celebrities, and just about anyone else being targeted by another. the person’s curiosity – or malevolence.

Citing allegations of “possible inappropriate behavior,” the United States Conference of Catholic Bishops on Tuesday announced the resignation of its top administrative official, Monsignor Jeffrey Burrill, ahead of a report by Catholic media outlet The Pillar that probed his private romantic life.

The Pillar said it obtained “commercially available” location data from a provider it did not name and which it “correlated” to Burrill’s phone to determine that he had visited gay bars and private residences while using Grindr, a popular gay dating app.

“Cases like this are only going to increase,” said Alvaro Bedoya, director of the Center for Privacy and Technology at Georgetown Law School.

Privacy activists have long campaigned for laws that would prevent such abuse, though in the United States they only exist in a few states and then in varying forms. Bedoya said Burrill’s firing should drive home the danger of this situation and should finally spur Congress and the Federal Trade Commission to act.

Privacy concerns are often interpreted in abstract terms, he said, “when it’s really, ‘Can you explore your sexuality without your employer firing you?’ Can you live in peace after an abusive relationship without fear? Many victims of abuse take great care to ensure that their abuser cannot find them.

As a congressional staffer in 2012, Bedoya worked on legislation that would have banned apps that allowed attackers to secretly track the location of their victims through smartphone data. But it was never adopted.

“No one can claim it’s a surprise,” Bedoya said. “Nobody can claim that he was not warned.”

Privacy advocates have warned for years that location and personal data collected by advertisers and collated and sold by brokers can be used to identify individuals, is not as secure as it should be and are not regulated by laws that require the clear consent of the person being tracked. Legal and technical protections are needed for smartphone users to push back, they say.

The Pillar alleged “serial sexual misconduct” by Burrill – homosexual activity is considered a sin under Catholic doctrine, and priests must remain celibate. The online publication’s website describes it as focusing on investigative journalism that “can help the Church better serve its sacred mission, the salvation of souls.”

Its editors did not respond to requests for comment Thursday on how they obtained the data. The report only states that the data comes from one of the data brokers that aggregates and sells application signal data, and that the publication has also hired an independent data consulting firm to authenticate it.

There are brokers who charge thousands of dollars a month for huge volumes of location data, some of which is marketed not only to advertisers, but also to landlords, bail guarantors and bounty hunters, said John Davisson, senior counsel at the Electronic Privacy Information Center. He said someone looking to “reverse engineer” a particular person’s data from that bulk packet could potentially get it from one of the many data chain clients.

“It’s surprisingly and surprisingly cheap to get location data derived from mobile phones,” Davisson said. “It’s easy enough for a determined party to do it.”

US Senator Ron Wyden, a Democrat from Oregon, said the incident further confirms the dishonesty of an industry that falsely claims to protect the privacy of phone users.

“Experts have been warning for years that data collected by advertising companies from Americans’ phones could be used to track them and reveal the most personal details of their lives. Unfortunately, they were right,” he said in a statement. “Data brokers and advertising companies lied to the public, assuring them that the information they collected was anonymous. As this horrific episode shows, these claims were false – individuals can be tracked and identified. »

Wyden and other lawmakers last year asked the FTC to investigate the industry. It must “step up and protect Americans from these outrageous privacy violations, and Congress must pass comprehensive federal privacy legislation,” he added.

Norway’s data privacy watchdog concluded earlier this year that Grindr was sharing users’ personal data with a number of third parties without a legal basis and said it would impose a fine of 11.7 million dollars (100 million Norwegian crowns), or 10% of the worldwide turnover of the Californian company. .

Data disclosed to ad tech companies for targeted ads included GPS location, user profile information, and the mere fact that particular individuals were using Grindr, which could indicate their sexual orientation.

Sharing such information could put someone at risk of being targeted, the Norwegian Data Protection Authority has said. He argued that the way Grindr asked users for permission to use their information violated European Union requirements for “valid consent”. Users were not given the option to opt out of sharing data with third parties and were forced to accept Grindr’s privacy policy in full, he said, adding that users were not properly informed about data sharing.

Advertising partners Grindr shared data with included Twitter, AT&T’s Xandr service and other ad tech companies OpenX, AdColony and Smaato, the Norwegian watchdog said. Its investigation follows a complaint from a Norwegian consumer group that found similar data leakage issues in other popular dating apps such as OkCupid and Tinder.

In a statement, Grindr called The Pillar’s report an “unethical and homophobic witch hunt” and said it does not “believe” it was the source of the data used. The company said it had policies and systems in place to protect personal data, although it did not say when these were implemented. The Pillar said the app data it obtained on Burrill covered parts of 2018, 2019 and 2020.

Comments are closed.