One of the worst-case scenarios for the barely regulated and secret location data industry has come true: Allegedly anonymous gay dating data was apparently sold and linked to a Catholic priest who then resigned his job.
It shows how this data can and does fall into the wrong hands, despite frequent assurances by app developers and data users that the data they collect is “anonymised”. This can then have serious consequences for users who may have had no idea that their data was collected and sold in the first place. It also shows the need for real rules for the data brokerage industry, which knows so much about so many, but which is seen for so few laws.
Here’s what happened: A Catholic news provider called the Pillar somehow got “app data signals from the location-based connectivity app Grindr.” It used this to trace a telephone belonging to or used by Monsignor Jeffrey Burrill, who was a Executive Director of the United States Conference of Catholic Bishops. Burrill resigned his position shortly before the column published its study.
There’s still a lot we do not know here, including the source of the column’s data. The report, which presents Burrill’s apparent use of a gay dating app as “serial sexual misconduct” and inaccurately collects homosexuality and dating app use with pedophilia, simply states that it was “commercially available app signal data” obtained from “data providers.” We do not know who these suppliers are, nor the circumstances surrounding the purchase of this data. Either way, it was judgmental enough that Burrill left his position over it, and the pillar says it is possible that Burrill will also face “canonical discipline”.
What we do know is this: Dating apps are a rich source of personal and sensitive information about their users, and these users rarely know how this data is used, who can access it, and how these third parties use this data, or who they otherwise sell it to or share it with. This data is usually assumed to be “anonymized” or “de-identified” – as apps and data brokers claim to respect privacy – but it can be quite easy to re-identify this data, as several studies have shown, and as confidentiality experts and lawyers have warned about for years. Considering that data can be used to ruin or even end your life – being gay can be punishable by death in some countries – the consequences of mishandling it are as serious as it gets.
“The damage caused by location tracking is real and could have a lasting impact well into the future,” Sean O’Brien, lead researcher at ExpressVPN’s Digital Security Lab, told Recode. “There is no meaningful monitoring of smartphone surveillance, and the privacy abuse we saw in this case is made possible by a profitable and thriving industry.”
For its part, the Grindr Washington Post reported that “there is absolutely no evidence to support the allegations of inappropriate data collection or use related to the Grindr app as alleged” and that it was “impossible from a technical point of view and incredibly unlikely.”
Still, Grindr has been in trouble for privacy lately. Internet law firm Mozilla branded it “privacy not included” in its review of dating apps. Earlier this year, Grindr was fined nearly $ 12 million by the Norwegian Data Protection Authority for providing information about its users to several advertising companies, including their exact location and user tracking codes. This came after a nonprofit called the Norwegian Consumer Council in 2020 found that Grindr sent user data to more than a dozen other companies, and after a BuzzFeed News survey in 2018 showed that Grindr shared users’ HIV status, locations, e-mail mail addresses and telephone identifiers. with two other companies.
Although it is not known how Burrill’s data was obtained from Grindr (assuming again that the column’s report is true), app developers usually send location data to third parties through software development kits or SDKs, which are tools that add features to their apps or display ads. SDKs then send user data from the app to the companies that manufacture it. As an example, data broker X-Mode was able to get location data from millions of users across hundreds of apps, which it then gave to a defense contractor, who then gave them to the U.S. military – which is far from the only government agencies sourcing location data in this way.
Companies sell this data with ease because the data supply chain is opaque and practices are hardly regulated, especially in the United States. The $ 12 million fine from Norway was due to Grindr violating the European Union’s General Data Protection Regulation or GDPR. The U.S. still does not have a similar federal privacy law, so Grindr may not have done anything legally wrong here unless it lied to consumers about its privacy practices (at which point it may be subject to Federal Trade Commission sanctions, as they are).
“Experts have been warning for years that data collected by advertising companies from American phones could be used to track them and reveal the most personal details of their lives,” said Sen. Ron Wyden (D-OR), who has pushed for privacy rules on location data industry, said in the statement to Recode. “Unfortunately, they were right. Data brokers and advertising companies have lied to the public and assured them that the information they collected was anonymous. As this horrific episode demonstrates, these claims were false – individuals can be traced and identified. ”
In the absence of laws, companies could regulate themselves to better protect users’ privacy. But without anything forcing them to do so – and in an environment where violations are difficult to identify and track – the user is simply left to hope for the best. App stores like Apple and Google Play do not prohibit selling location data in their terms of service, but we know some companies do anyway. If Apple or Google finds out that apps are breaking these rules, they can ban them from their stores. But it does not help those people whose data was already collected, shared or sold.
You can also advocate for privacy laws that prohibit this practice at all by contacting your local and federal representatives. In 2021, two state privacy laws have been passed (Virginia and Colorado), but we are still waiting for a federal law. Although Democrats have the presidency, the House and the Senate (hardly and still not enough without a filibuster reform), they have not yet promoted any of the proposed privacy bills – and the year is more than half over.
The simple fact is that the data you give apps strengthens a massive economy to hundreds of billions of dollars, which is hundreds of billions of reasons why it does not change – until and unless it is forced to.
“The FTC needs to empower and protect Americans from these outrageous violations of privacy, and Congress must pass comprehensive federal privacy legislation,” Wyden said.