One of the worst-case scenarios for the barely regulated and secretive location data industry has become a reality: Allegedly anonymous gay dating app data has apparently been sold and associated with a Catholic priest who then quit his job.
It shows how, despite the frequent assurances from app developers and data brokers that the data they collect is "anonymized" to protect privacy, this data can and indeed does get into the wrong hands. This can then have dire consequences for users who may not have had a clue that their data was being collected and sold in the first place. It also shows the need for real regulation for the data broker industry, which knows so much about so many but is bound by so few laws.
Here's what happened: A Catholic news outlet called Pillar somehow obtained "app data signals from the location-based hookup app Grindr." It used this to trace a phone owned or used by Monsignor Jeffrey Burrill, a senior official of the United States Conference of Catholic Bishops. Burrill resigned shortly before the outlet published its investigation.
There is still much we do not know here, including the source of the outlet's data. The report, which portrays Burrill's apparent use of a gay dating app as "serial sexual misconduct" and wrongly conflates homosexuality and dating app use with pedophilia, simply says the data was "commercially available app signaling data" that came from "data providers." We do not know who those providers are or the circumstances under which the data was purchased. Regardless, it was devastating enough that Burrill gave up his position over it, and Pillar says it is possible that Burrill will face "canonical discipline" as well.
What we do know is this: Dating apps are an abundant source of personal and sensitive information about their users, and those users rarely know how that data is being used, who can access it, what those third parties do with it, or who else they sell it to or share it with. This data is usually supposed to be "anonymized" – that's what apps and data brokers claim in the name of respecting privacy – but it can be fairly easy to re-identify such data, as multiple studies have shown and as privacy experts and advocates have warned for years. Given that data can be used to ruin your life or even end it – being gay is punishable by death in some countries – the consequences of mishandling it are as serious as it gets.
"The damage caused by location tracking is real and can have effects far into the future," Sean O'Brien, senior researcher at ExpressVPN's Digital Security Lab, told Recode. "There is no meaningful monitoring of smartphone surveillance, and the privacy abuse we've seen in this case is made possible by a profitable and booming industry."
For its part, Grindr told the Washington Post that "there is absolutely no evidence to support the allegations of improper data collection or use related to the Grindr app" and that such a scenario was, "from a technical point of view, incredibly unlikely."
However, Grindr has run into trouble over privacy issues in the recent past. The internet advocacy group Mozilla gave it a "privacy not included" label in its review of dating apps. Grindr was fined nearly $12 million earlier this year by the Norwegian Data Protection Authority for providing information about its users, including their exact locations and user tracking codes, to several advertising companies. That came after the nonprofit Norwegian Consumer Council found in 2020 that Grindr had sent user data to more than a dozen other companies, and after a 2018 BuzzFeed News investigation found that Grindr had shared users' HIV status, locations, email addresses, and phone IDs with two other companies.
While it is unknown how Burrill's data was obtained from Grindr (assuming Pillar's report is true), app developers typically send location data to third parties via software development kits, or SDKs, which are tools that add functionality to their apps or serve advertisements. SDKs then send user data from within the app to the companies that make them. For example, the data broker X-Mode was able to collect location data from millions of users via hundreds of apps, which it then passed on to a defense contractor, which in turn passed it on to the US military – by no means the only government agency that obtains location data this way.
Companies sell this data easily because the data supply chain is opaque and the practice is barely regulated, especially in the US. The $12 million fine from Norway was for Grindr violating the European Union's General Data Protection Regulation (GDPR). The United States still doesn't have an equivalent federal privacy law, so Grindr may not have done anything legally wrong here unless it lied to consumers about its privacy practices, at which point it could be subject to Federal Trade Commission penalties.
"Experts have warned for years that data collected by advertisers from Americans' phones could be used to track them and reveal the most personal details of their lives," said Senator Ron Wyden (D-OR), who has pushed for privacy regulation of the location data industry, in a statement to Recode. "Unfortunately they were right. Data brokers and advertising companies have lied to the public, assuring them that the information they are collecting is anonymous. As this terrible episode shows, these claims were false – individuals can be tracked and identified."
You can also campaign for privacy laws that prohibit these practices altogether by reaching out to your local and state representatives. Two state-level privacy laws were passed (in Virginia and Colorado) in 2021, but we're still waiting for a federal law. Even though the Democrats hold the presidency, the House of Representatives, and the Senate (barely, and still not enough without filibuster reform), they have yet to bring even one of the proposed privacy bills to a vote – and the year is more than half over.
The simple fact is that the data you give to apps is fueling a massive economy worth hundreds of billions of dollars, which gives that industry hundreds of billions of reasons not to change until and unless it's forced to.
"The FTC needs to step up and protect Americans from these outrageous data breaches, and Congress needs to pass extensive federal data protection laws," said Wyden.