One of the worst-case scenarios for the barely regulated and secretive location data industry has become reality: Supposedly anonymous gay dating app data was apparently sold off and linked to a Catholic priest, who then resigned from his job.
It shows how, despite app developers’ and data brokers’ frequent assurances that the data they collect is “anonymized” to protect people’s privacy, this data can and does fall into the wrong hands. It can then have dire consequences for users who may have had no idea their data was being collected and sold in the first place. It also shows the need for real regulations on the data broker industry that knows so much about so many but is beholden to so few laws.
Here’s what happened: A Catholic news outlet called the Pillar somehow obtained “app data signals from the location-based hookup app Grindr.” It used this to track a phone belonging to or used by Monsignor Jeffrey Burrill, who was an executive officer of the United States Conference of Catholic Bishops. Burrill resigned his position shortly before the Pillar published its investigation.
There’s still a lot we don’t know here, including the source of the Pillar’s data. The report, which presents Burrill’s apparent use of a gay dating app as “serial sexual misconduct” and inaccurately conflates homosexuality and dating app usage with pedophilia, simply says it was “commercially available app signal data” obtained from “data vendors.” We don’t know who those vendors are, nor the circumstances around that data’s purchase. Regardless, it was damning enough that Burrill left his position over it, and the Pillar says it’s possible that Burrill will face “canonical discipline” as well.
What we do know is this: Dating apps are a rich source of personal and sensitive info about their users, and those users rarely know how that data is used, who can access it, and how those third parties use that data or who else they sell it to or share it with. That data is usually supposed to be “anonymized” or “de-identified” — this is how apps and data brokers claim to respect privacy — but it can be pretty easy to re-identify that data, as multiple investigations have shown, and as privacy experts and advocates have warned about for years. Considering that data can be used to ruin or even end your life — being gay is punishable by death in some countries — the consequences of mishandling it are as severe as it gets.
“The harms caused by location tracking are real and can have a lasting impact far into the future,” Sean O’Brien, principal researcher at ExpressVPN’s Digital Security Lab, told Recode. “There is no meaningful oversight of smartphone surveillance, and the privacy abuse we saw in this case is enabled by a profitable and booming industry.”
For its part, Grindr told the Washington Post that “there is absolutely no evidence supporting the allegations of improper data collection or usage related to the Grindr app as purported” and that it was “infeasible from a technical standpoint and incredibly unlikely.”
Yet Grindr has gotten in trouble for privacy issues in the recent past. Internet advocacy group Mozilla labeled it as “privacy not included” in its review of dating apps. Grindr was fined nearly $12 million earlier this year by Norway’s Data Protection Authority for giving information about its users to several advertising companies, including their precise locations and user tracking codes. This came after a nonprofit called the Norwegian Consumer Council found in 2020 that Grindr sent user data to more than a dozen other companies, and after a 2018 BuzzFeed News investigation found that Grindr shared users’ HIV statuses, locations, email addresses, and phone identifiers with two other companies.
While it’s not known how Burrill’s data was obtained from Grindr (assuming, again, that the Pillar’s report is truthful), app developers usually send location data to third parties through software development kits, or SDKs, which are tools that add functions to their apps or serve ads. SDKs then send user data from the app to the companies that make them. As an example, that’s how data broker X-Mode was able to get location data from millions of users across hundreds of apps, which it then gave to a defense contractor, which then gave it to the US military — which is far from the only government agency sourcing location data this way.
Companies sell this data with ease because the data supply chain is opaque and the practice is barely regulated, especially in the United States. The $12 million fine from Norway was because Grindr violated the European Union’s General Data Protection Regulation, or GDPR. The United States still doesn’t have an equivalent federal privacy law, so Grindr may not have done anything legally wrong here unless it lied to consumers about its privacy practices (at which point it may be subject to Federal Trade Commission penalties, such as they are).
“Experts have warned for years that data collected by advertising companies from Americans’ phones could be used to track them and reveal the most personal details of their lives,” Sen. Ron Wyden (D-OR), who has pushed for privacy regulations on the location data industry, said in the statement to Recode. “Unfortunately, they were right. Data brokers and advertising companies have lied to the public, assuring them that the information they collected was anonymous. As this awful episode demonstrates, those claims were bogus — individuals can be tracked and identified.”
In the absence of laws, companies could regulate themselves to better protect users’ privacy. But without anything compelling them to do so — and in an environment where any transgressions are difficult to identify and track — the user is simply left to hope for the best. App stores like Apple’s and Google Play do forbid selling location data in their terms of service, but we know some companies do it anyway. If Apple or Google finds out that apps are breaking those rules, they may ban them from their stores. But that doesn’t help the people whose data was already collected, shared, or sold.
You can also advocate for privacy laws that forbid these practices from happening at all, by contacting your local and federal representatives. 2021 has seen the passage of two state-level privacy laws (Virginia and Colorado), but we’re still waiting for a federal law. Though Democrats have the presidency, House, and Senate (barely, and still not enough without filibuster reform), they have yet to advance any of the privacy bills proposed — and the year is more than half over.
The simple fact is, the data you give to apps powers a massive economy worth hundreds of billions of dollars, which is hundreds of billions of reasons for it not to change — until and unless it’s forced to.
“The FTC needs to step up and protect Americans from these outrageous privacy violations, and Congress needs to pass comprehensive federal privacy legislation,” Wyden said.