A religious publication used data from a smartphone to determine the sexual orientation of a Roman Catholic official. This revealed a problem beyond the debate about church doctrine and priestly celibacy.
There are few restrictions in the U.S. on what companies can do about the huge amount of data they collect through web page visits, apps, and location tracking. This makes it difficult to stop similar spying on celebrities, politicians, and anyone else who is a target for another person’s curiosity or malice.
The U.S. Conference of Catholic Bishops announced Tuesday that Monsignor Jeffrey Burrill, its top administrator, had resigned. This was in response to a report from The Pillar, a Catholic news outlet, which probed Burrill’s private and romantic life.
The Pillar claimed it acquired “commercially available” data location data from an unknown vendor that “correlated” with Burrill’s phone in order to determine that Burrill had visited gay bars, private residences and while using Grindr (a popular gay dating app).
Alvaro Bedoya is the director of Georgetown Law School’s Center for Privacy and Technology.
Privacy activists have been calling for laws to prevent these abuses since the beginning, even though they are only available in a handful of states and in different forms in the United States. Bedoya stated that Burrill’s firing should highlight the danger and prompt Congress and the Federal Trade Commission into action.
He said privacy concerns are often understood in abstract terms. “When it really comes down to, ‘Can your employer fire you if you openly discuss your sexuality? “Can you live peacefully in an abusive relationship without fear?” Many victims of abuse take great care to make sure their abuser doesn’t find them.
Bedoya was a congressional staffer in 2012. He worked on legislation to ban apps that allowed abusers to secretly track victims’ locations using smartphone data. It was not passed.
Bedoya stated, “No one can claim that this is a surprise.” “No one can claim they were not warned.”
Privacy advocates warn that personal and location data, which is collected by advertisers and sold to brokers for the purpose of identifying individuals, are not as secure as they should be. The laws that regulate tracking require explicit consent from the individual being followed. They say that both technical and legal protections are needed to allow smartphone users to push back.
Burrill was accused of “serial sexual misconduct” according to The Pillar — homosexual activity is considered sinful in Catholic doctrine and priests must remain celibate. According to the website, it is focused on investigative journalism that can help the Church better fulfill its sacred mission of salvation of souls.
The editors of the publication didn’t respond Thursday to inquiries about how they got the data. According to the report, the data was obtained from one of the app signal data brokers. The publication also hired an independent data consulting firm for authentication.
According to John Davisson, Senior Counsel at the Electronic Privacy Information Center, there are many brokers who charge thousands of dollars per month for large volumes of location data. Some of this is sold not only to advertisers, but also to landlords and bail bondsmen as well as bounty hunters. He stated that anyone looking to “reverse engineer” a specific person’s data could possibly get it from any one of the customers in the bulk package.
Davisson stated that it is quite easy to get location data from mobile phones. It’s simple enough for a determined party to do it.
U.S. Senator Ron Wyden of Oregon said that the incident confirms the dishonesty in an industry that claims to protect the privacy of users of phones.
“Experts warn for years that the data collected from American phones by advertising companies could be used to track people and reveal their most intimate details. He said that they were wrong. “Data brokers and advertising agencies have lied to people, assuring them that the data they collected was anonyme. This horrible episode shows that these claims are false. Individuals can be tracked and identified, as this terrible episode demonstrates.
Wyden and other legislators asked the FTC to investigate the industry last year. He said that the FTC must “step up and protect Americans against these outrageous privacy violations” and that Congress should pass comprehensive federal privacy legislation.
Norway’s data privacy watchdog found that Grindr had shared user data with several third parties without legal basis earlier this year. It announced it would impose a $11.7 million fine (100 million Norwegian Krone) equal to 10% of California’s global revenues.
Data leaked to targeted advertising technology companies included GPS location and user profile information. It also revealed that Grindr was being used by specific individuals, which could indicate their sexual orientation.
According to the Norwegian Data Protection Authority, sharing such information could expose someone to being targeted. The Norwegian Data Protection Authority argued that Grindr’s request for consent to share users’ data violated European Union requirements for “valid permission.” Users were not given an opportunity to refuse sharing their data with third parties, and they were made to agree to Grindr’s entire privacy policy.
Grindr shared data information with Twitter, AT&T’s Xandr and other ad-tech companies OpenX and AdColony, according to the Norwegian watchdog. The investigation was initiated by a Norwegian consumer group who had reported similar data leakage issues at other dating apps like Tinder and OkCupid.
Grindr said that The Pillar’s report was an “unethical and homophobic witch hunting” and claimed it doesn’t believe it was responsible for the data. Although the company stated that it had policies and systems in place for protecting personal data, it did not specify when these were implemented. Pillar claimed that the app data it received about Burrill was for parts of 2018 and 2019, as well as 2020.