When a religious publication used smartphone app data to deduce the sexual orientation of a high-ranking Roman Catholic official, it exposed a problem that goes far beyond a debate over church doctrine and priestly celibacy.
With few U.S. restrictions on what companies can do with the vast amount of data they collect from web page visits, apps, and location tracking built into phones, there’s not much to stop similar spying on politicians, celebrities, and just about anyone that’s a target of another person’s curiosity — or malice.
Citing allegations of “possible improper behavior,” the U.S. Conference of Catholic Bishops on Tuesday announced the resignation of its top administrative official, Monsignor Jeffrey Burrill, ahead of a report by the Catholic news outlet The Pillar probed his private romantic life.
The Pillar said it obtained “commercially available” location data from a vendor it didn’t name that it “correlated” to Burrill’s phone to determine that he had visited gay bars and private residences while using Grindr, a dating app popular with gay people.
“Cases like this are only going to multiply,” said Alvaro Bedoya, director of the Center for Privacy and Technology at Georgetown Law School.
Privacy activists have long agitated for laws to prevent such abuses, although they only exist in a few states and then in varying forms. Bedoya said the firing of Burrill should drive home the danger of this situation and should finally spur Congress and the Federal Trade Commission to act.
Privacy concerns are often construed in abstract terms, he said, “when it’s really, ‘Can you explore your sexuality without your employer firing you? Can you live in peace after an abusive relationship without fear?‘” Many abuse victims take great care to ensure that their abuser can’t find them again. As a congressional staffer in 2012, Bedoya worked on legislation that would have banned apps that let abusers secretly track their victims’ locations through smartphone data. But it was never passed. No one can claim this is a surprise,” Bedoya said. “No one can claim that they weren’t warned.”
Privacy advocates have been warning for years that location and personal data collected by advertisers and amassed and sold by brokers can be used to identify individuals, isn’t secured as well as it should be, and is not regulated by-laws that require the apparent consent of the person being tracked. Both legal and technical protections are necessary so that smartphone users can push back, they say.
The Pillar alleged “serial sexual misconduct” by Burrill — homosexual activity is considered sinful under Catholic doctrine, and priests are expected to remain celibate. The online publication’s website describes it as focused on investigative journalism that “can help the Church better serve its sacred mission, the salvation of souls.”
Its editors didn’t immediately respond to requests for comment Thursday about how they obtained the data. The report said only that the data came from one of the data brokers that aggregate and sell app signal data. The publication also contracted an independent data consulting firm to authenticate it.
U.S. Sen. Ron Wyden, an Oregon Democrat, said the incident confirms yet again the dishonesty of an industry that falsely claims to safeguard the privacy of phone users.
“Experts have warned for years that data collected by advertising companies from Americans’ phones could be used to track them and reveal the most personal details of their lives. Unfortunately, they were right,” he said in a statement. “Data brokers and advertising companies have lied to the public, assuring them that the information they collected was anonymous. As this awful episode demonstrates, those claims were bogus — individuals can be tracked and identified.”
Wyden and other lawmakers asked the FTC last year to investigate the industry. It needs “to step up and protect Americans from these outrageous privacy violations, and Congress needs to pass comprehensive federal privacy legislation,” he added.