https://arstechnica.com/tech-policy/2021/07/catholic-priest-quits-after-anonymized-data-revealed-alleged-use-of-grindr/ Skip to main content * Biz & IT * Tech * Science * Policy * Cars * Gaming & Culture * Store * Forums Subscribe [ ] Close Navigate * Store * Subscribe * Videos * Features * Reviews * RSS Feeds * Mobile Site * About Ars * Staff Directory * Contact Us * Advertise with Ars * Reprints Filter by topic * Biz & IT * Tech * Science * Policy * Cars * Gaming & Culture * Store * Forums Settings Front page layout Grid List Site theme Black on white White on black Sign in Comment activity Sign up or login to join the discussions! [ ] [ ] [Submit] [ ] Stay logged in | Having trouble? Sign up to comment and more Sign up Holy Grindr -- Catholic priest quits after "anonymized" data revealed alleged use of Grindr Location data is almost never anonymous. Tim De Chant - Jul 21, 2021 4:57 pm UTC Catholic priest quits after "anonymized" data revealed alleged use of Grindr Enlarge Pascal Deloche/Getty Images reader comments 230 with 114 posters participating Share this story * Share on Facebook * Share on Twitter * Share on Reddit In what appears to be a first, a public figure has been ousted after de-anonymized mobile phone location data was publicly reported, revealing sensitive and previously private details about his life. Monsignor Jeffrey Burrill was general secretary of the US Conference of Catholic Bishops (USCCB), effectively the highest-ranking priest in the US who is not a bishop, before records of Grindr usage obtained from data brokers was correlated with his apartment, place of work, vacation home, family members' addresses, and more. Grindr is a gay hookup app, and while apparently none of Burrill's actions were illegal, any sort of sexual relationship is forbidden for clergy in the Catholic Church. The USCCB goes so far as to discourage Catholics from even attending gay weddings. Burrill's case is "hugely significant," Alan Butler, executive director of the Electronic Information Privacy Center, told Ars. "It's a clear and prominent example of the exact problem that folks in my world, privacy advocates and experts, have been screaming from the rooftops for years, which is that uniquely identifiable data is not anonymous." Legally obtained The data that resulted in Burrill's ouster was reportedly obtained through legal means. Mobile carriers sold--and still sell--location data to brokers who aggregate it and sell it to a range of buyers, including advertisers, law enforcement, roadside services, and even bounty hunters. Carriers were caught in 2018 selling real-time location data to brokers, drawing the ire of Congress. But after carriers issued public mea culpas and promises to reform the practice, investigations have revealed that phone location data is still popping up in places it shouldn't. This year, T-Mobile even broadened its offerings, selling customers' web and app usage data to third parties unless people opt out. Advertisement Further Reading Verizon and AT&T will stop selling your phone's location to data brokers The publication that revealed Burrill's private app usage, The Pillar, a newsletter covering the Catholic Church, did not say exactly where or how it obtained Burrill's data. But it did say how it de-anonymized aggregated data to correlate Grindr app usage with a device that appears to be Burrill's phone. The Pillar says it obtained 24 months' worth of "commercially available records of app signal data" covering portions of 2018, 2019, and 2020, which included records of Grindr usage and locations where the app was used. The publication zeroed in on addresses where Burrill was known to frequent and singled out a device identifier that appeared at those locations. Key locations included Burrill's office at the USCCB, his USCCB-owned residence, and USCCB meetings and events in other cities where he was in attendance. The analysis also looked at other locations farther afield, including his family lake house, his family members' residences, and an apartment in his Wisconsin hometown where he reportedly has lived. The de-anonymized data revealed that a mobile device that appeared at those locations--likely Burrill's phone, The Pillar says--used Grindr almost daily. It also says that data "correlated" with the priest's phone suggests that he visited gay bars, including while traveling for work. The Pillar presented this information to the USCCB in advance of publication, and yesterday, the conference announced Burrill's resignation. Not anonymous While this might be the first case of a public figure's online activities being revealed through aggregate data, "it unfortunately happens very often" to the general public, Andres Arrieta, director of consumer privacy engineering at the Electronic Frontier Foundation, told Ars. "There are companies who capitalize on finding the real person behind the advertising identifiers." Furthermore, de-anonymizing data in the way The Pillar did is trivially easy. All you need to do to buy the data, Arrieta said, is pretend to be a company. There are no special technical skills required to sift through the data, he added. Advertisement Data from apps like Grindr have the potential not just to violate people's privacy, Arrieta said, but their safety, too. "When you are serving to a marginalized population whose lives are literally in danger in many areas of the world, or whose jobs are in danger even in the US, you need to have really high standards of privacy and security. The Pillar was able to de-anonymize the data because it wasn't truly anonymous in the first place. Data that is not connected to a person's name but still retains a unique identifier is what's known as "pseudonymous data," Butler said. To truly anonymize data, there are several approaches. One common tactic is known as "differential privacy," where noise is injected into the data, which makes it useful for statistical purposes but frustrates efforts to connect discrete data points to individuals. Pseudonymous data, on the other hand, makes associating individual records with an individual relatively easy, depending on what is in the set. Further Reading "Bad mergers" and noncompete clauses targeted in Biden executive order "When you're talking about location data, it's fundamentally not possible to have workable pseudonymity, because location data fingerprints are so revealing," Butler said. "Once location data is linked to a record, then it's going to be easy to link that back to a person," he said. "Most people have essentially a location fingerprint in their lives. They live at home, they go to work, they go to certain limited places. There have been studies that show that we're uniquely identifiable based just on a few key location points we go to in a given week." President Biden's recent executive order, which called attention to the surveillance of user data and his nomination of Lena Khan to the Federal Trade Commission suggests that there may be action coming soon. "There need to be practical, technical, and legal protections for this type of data, and protections for individuals, to prevent this type of abuse," Butler said. reader comments 230 with 114 posters participating Share this story * Share on Facebook * Share on Twitter * Share on Reddit Tim De Chant Tim De Chant covers technology, policy, and energy at Ars. He has written for Wired, The Wire China, and NOVA Next, and he teaches science writing at MIT. De Chant received his PhD in environmental science from the UC-Berkeley. Email tim.dechant@arstechnica.com // Twitter @tdechant Advertisement You must login or create an account to comment. Channel Ars Technica - Previous story Next story - Related Stories Today on Ars * Store * Subscribe * About Us * RSS Feeds * View Mobile Site * Contact Us * Staff * Advertise with us * Reprints Newsletter Signup Join the Ars Orbital Transmission mailing list to get weekly updates delivered to your inbox. Sign me up - CNMN Collection WIRED Media Group (c) 2021 Conde Nast. All rights reserved. Use of and/or registration on any portion of this site constitutes acceptance of our User Agreement (updated 1/1/20) and Privacy Policy and Cookie Statement (updated 1/1 /20) and Ars Technica Addendum (effective 8/21/2018). Ars may earn compensation on sales from links on this site. Read our affiliate link policy. Your California Privacy Rights | Do Not Sell My Personal Information The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of Conde Nast. Ad Choices