One of the worst-case scenarios for the barely regulated and secretive location data industry has come true: Data from supposedly anonymous gay dating apps was apparently sold and linked to a Catholic priest, who later resigned from his job.
It shows how, despite frequent assurances from app developers and data brokers that the data they collect is “anonymized” to protect people’s privacy, that data can and does fall into the wrong hands. This can then have dire consequences for users who may have had no idea that their data was being collected and sold in the first place. It also shows the need for real regulations on the data broker industry, which knows so much about so much but is beholden to so few laws.
Here’s what happened: A Catholic outlet called Pillar somehow obtained “app data signals from the Grindr location-based login app.” It used this data to track a phone owned or used by Bishop Jeffrey Burrill, who was an executive officer of the United States Conference of Catholic Bishops. Burrill resigned from his post shortly before Pillar published its investigation.
There’s still a lot we don’t know here, including the source of the Pillar data. The report, which presents Burrill’s apparent use of a gay dating app as “serial sexual misconduct” and mistakenly associates homosexuality and the use of dating apps with pedophilia, simply states that this was “commercially available application signal data” obtained from “data providers”. We do not know who these providers are, or the circumstances surrounding the purchase of this data. Either way, it was damning enough that Burrill quit his post over it, and Pillar says it’s possible Burrill will face “canon discipline” as well.
What we do know is that dating apps are a rich source of personal and sensitive information about their users, and these users rarely know how that data is being used, who can access it, and how these third parties use that data or who else they sell or share it with. This data is generally meant to be “anonymized” or “anonymous” – this is how apps and data brokers claim to respect privacy – but it can be rather easy to re-identify this data, as many surveys have shown, and as privacy experts and advocates have warned for years. Considering that this data can be used to ruin or even end your life (being gay is punishable by death in some countries), the consequences of mishandling it are as severe as they get.
“The damage caused by location tracking is real and can have a lasting impact into the future,” Sean O’Brien, senior researcher at ExpressVPN’s Digital Security Lab, told Recode. “There is no meaningful surveillance of smartphone surveillance, and the abuse of privacy that we have seen in this case is made possible by a profitable and booming industry.”
For its part, Grindr told the Washington Post that “there is absolutely no evidence to support the allegations of collection or inappropriate use of data related to the Grindr application as it is claimed” and that it was “infeasible in a point technically and incredibly improbable”.
Still, Grindr has gotten into trouble over privacy issues in the recent past. Internet advocacy group Mozilla called it “privacy not included” in its dating apps review. Grindr was fined nearly $12 million earlier this year by the Norwegian Data Protection Authority for providing information about its users to several advertising companies, including their precise locations and user tracking codes. This came after a nonprofit called the Norwegian Consumer Council found in 2020 that Grindr sent user data to over a dozen other companies, and after a 2018 BuzzFeed News survey found that Grindr shared users’ HIV statuses, locations, email addresses, and phone IDs with two other companies.
While it is not known how Burrill’s data was obtained from Grindr (assuming, again, that Pillar’s report is true), app developers typically send location data to third parties via software development kits, or SDKs, which are tools that add functions to their applications or serve advertisements. The SDKs then send the application’s user data to the companies that make them. For example, that is how data broker X-Mode was able to get location data from millions of users across hundreds of apps, which it then passed on to a defense contractor, who then passed it on to the U.S. military – which is far from the only government agency sourcing location data this way.
Companies sell this data with ease because the data supply chain is opaque and the practice is barely regulated, especially in the United States. Norway’s $12 million fine was due to Grindr violating the European Union’s General Data Protection Regulation, or GDPR. The United States still does not have an equivalent federal privacy law, so Grindr may not have done anything legally wrong here, unless it lied to consumers about its privacy practices (at which point it may be subject to Federal Trade Commission sanctions, such as they are).
“Experts have warned for years that data collected by advertising agencies from Americans’ phones could be used to track them and reveal the most personal details of their lives,” Senator Ron Wyden (D-OR), who has pushed for privacy regulations on the location data industry, said in a statement to Recode. “Unfortunately, they were right. Data brokers and advertising companies lied to the public, assuring them that the information they gathered was anonymous. As this horrific episode shows, these claims were wrong – individuals can be tracked and identified.”
In the absence of laws, companies could self-regulate to better protect user privacy. But without anything forcing them to do so – and in an environment where any transgression is difficult to identify and track – the user simply has to hope for the best. App stores like Apple and Google Play prohibit the sale of location data in their terms of service, but we know some companies do it anyway. If Apple or Google finds out that apps are breaking these rules, they can ban them from their stores. But that doesn’t help people whose data has already been collected, shared, or sold.
You can also advocate for privacy laws that prohibit these practices by contacting your local and federal officials. 2021 saw the passage of two state-level privacy laws (Virginia and Colorado), but we are still waiting for a federal law. Although Democrats have the Presidency, House, and Senate (barely, and it’s still not enough without filibuster reform), they have yet to move forward on any of the proposed privacy bills – and the year is more than half over.
The simple fact is that the data you provide to apps fuels a massive economy worth hundreds of billions of dollars, which is hundreds of billions of reasons for it not to change – until it is forced to.
“The FTC must step up and protect Americans from these outrageous privacy breaches, and Congress must pass comprehensive federal privacy legislation,” Wyden said.