(AP) – When a religious publication used data from a smartphone app to infer the sexual orientation of a senior Roman Catholic official, it revealed an issue that goes far beyond a debate over the doctrine of the church and priestly celibacy.
With few US restrictions on what businesses can do with the large amount of data they collect from web page visits, apps, and in-phone location tracking, there’s not much. to stop similar spying on politicians, celebrities and just about anyone who is another person’s target. curiosity – or nastiness.
Citing allegations of “possible inappropriate behavior”, the United States Conference of Catholic Bishops on Tuesday, July 20 announced the resignation of its highest administrative official, Monsignor Jeffrey Burrill, ahead of a report from Catholic media outlet The Pillar which probed his relationship private lover. life.
The Pillar said it obtained ‘off the shelf’ location data from a vendor it did not name and that it was ‘correlated’ to Burrill’s phone to determine he had visited bars gays and private residences while using Grindr, a dating app popular with gay people.
“Cases like this will only increase,” said Alvaro Bedoya, director of the Center for Privacy and Technology at Georgetown Law School.
Privacy activists have long advocated for laws that would prevent such abuses, although in the United States they exist in only a few states and then in various forms. Bedoya said Burrill’s sacking should make the danger of this situation clear and should finally spur Congress and the Federal Trade Commission to act.
Privacy issues are often interpreted in abstract terms, he said, “when it’s really about ‘Can you explore your sexuality without your employer firing you? Can you live in peace after an abusive relationship without fear? ‘ Many victims of abuse make sure that their attacker can no longer find them.
As a congressman in 2012, Bedoya worked on legislation that would have banned apps that allow attackers to covertly track the location of their victims using data from their smartphones. But he was never adopted.
“No one can claim it’s a surprise,” Bedoya said. “No one can claim that he was not warned.
Privacy advocates have warned for years that location and personal data collected by advertisers and gathered and sold by brokers can be used to identify individuals, is not as secure as it should be and are not governed by laws that require the clear consent of the person being tracked. Legal and technical protections are needed for smartphone users to push back, they say.
The pillar alleged “serial sexual misconduct” by Burrill – homosexual activity is considered a sin under Catholic doctrine, and priests are expected to remain celibate. The online publication’s website describes it as focused on investigative journalism that “can help the Church better serve its sacred mission, the salvation of souls.”
Its editors did not respond to requests for comment Thursday on how they got the data. The report only stated that the data came from one of the data brokers who aggregate and sell the app signal data, and that the publication also hired an independent data consultancy to authenticate it.
There are brokers who charge thousands of dollars per month for huge volumes of location data, some of which is marketed not only to advertisers but also to owners, serfs and bounty hunters, said John Davisson. , Senior Counsel at the Electronic Privacy Information Center. He said someone looking to reverse engineer a particular person’s data from this bulk package could potentially get it from one of the many clients in the data chain.
“It’s surprisingly and surprisingly inexpensive to get location data derived from mobile phones,” Davisson said. “It’s easy enough for a particular party to do it. “
US Senator Ron Wyden, a Democrat from Oregon, said the incident once again confirms the dishonesty of an industry that falsely claims to protect the privacy of phone users.
“Experts have warned for years that data collected by advertising companies from Americans’ phones could be used to track them and reveal the most personal details of their lives. Unfortunately, they were right, ”he said in a statement. “Data brokers and advertising companies lied to the public, assuring them that the information they collected was anonymous. As this horrific episode shows, these claims were false – individuals can be tracked and identified. “
Wyden and other lawmakers asked the FTC to investigate the industry last year. It must “step up and protect Americans from these outrageous privacy breaches, and Congress must pass comprehensive federal privacy legislation,” he added.
The Norwegian data privacy watchdog concluded earlier this year that Grindr was sharing users’ personal data with a number of third parties without a legal basis and said it would impose a fine of $ 11.7 million (100 million Norwegian crowns), or 10% of the Californian company’s worldwide revenues. .
Data disclosed to ad technology companies for targeted advertisements included GPS location, user profile information as well as the simple fact that particular individuals were using Grindr, which could indicate their sexual orientation.
Advertising partners Grindr shared data with included Twitter, AT&T’s Xandr service and other ad technology companies OpenX, AdColony and Smaato, the Norwegian watchdog said. Its investigation follows a complaint from a Norwegian consumer group that discovered similar data leak issues in other popular dating apps such as OkCupid and Tinder.
In a statement, Grindr called The Pillar’s report a “homophobic and unethical witch hunt” and said he did not “believe” that this was the source of the data used. The company said it had policies and systems in place to protect personal data, although it did not say when these were implemented. The Pillar said the app’s data it obtained from Burrill covered parts of 2018, 2019 and 2020.