Catholic priest quits after “anonymized” data revealed alleged use of Grindr

In what appears to be a first, a public figure has been ousted after de-anonymized mobile phone location data was publicly reported, revealing sensitive and previously private details about his life.

Monsignor Jeffrey Burrill was general secretary of the US Conference of Catholic Bishops (USCCB), effectively the highest-ranking priest in the US who is not a bishop, before records of Grindr usage obtained from data brokers was correlated with his apartment, place of work, vacation home, family members' addresses, and more. Grindr is a gay hookup app, and while apparently none of Burrill’s actions were illegal, any sort of sexual relationship is forbidden for clergy in the Catholic Church. The USCCB goes so far as to discourage Catholics from even attending gay weddings.

Burrill’s case is “hugely significant,” Alan Butler, executive director of the Electronic Information Privacy Center, told Ars. “It’s a clear and prominent example of the exact problem that folks in my world, privacy advocates and experts, have been screaming from the rooftops for years, which is that uniquely identifiable data is not anonymous.”

Legally obtained

The data that resulted in Burrill’s ouster was reportedly obtained through legal means. Mobile carriers sold—and still sell—location data to brokers who aggregate it and sell it to a range of buyers, including advertisers, law enforcement, roadside services, and even bounty hunters. Carriers were caught in 2018 selling real-time location data to brokers, drawing the ire of Congress. But after carriers issued public mea culpas and promises to reform the practice, investigations have revealed that phone location data is still popping up in places it shouldn’t. This year, T-Mobile even broadened its offerings, selling customers' web and app usage data to third parties unless people opt out.

The publication that revealed Burrill’s private app usage, The Pillar, a newsletter covering the Catholic Church, did not say exactly where or how it obtained Burrill’s data. But it did say how it de-anonymized aggregated data to correlate Grindr app usage with a device that appears to be Burrill’s phone.

The Pillar says it obtained 24 months' worth of “commercially available records of app signal data” covering portions of 2018, 2019, and 2020, which included records of Grindr usage and locations where the app was used. The publication zeroed in on addresses where Burrill was known to frequent and singled out a device identifier that appeared at those locations. Key locations included Burrill's office at the USCCB, his USCCB-owned residence, and USCCB meetings and events in other cities where he was in attendance. The analysis also looked at other locations farther afield, including his family lake house, his family members’ residences, and an apartment in his Wisconsin hometown where he reportedly has lived.

The de-anonymized data revealed that a mobile device that appeared at those locations—likely Burrill’s phone, The Pillar says—used Grindr almost daily. It also says that data “correlated” with the priest’s phone suggests that he visited gay bars, including while traveling for work. The Pillar presented this information to the USCCB in advance of publication, and yesterday, the conference announced Burrill’s resignation.

Not anonymous

While this might be the first case of a public figure’s online activities being revealed through aggregate data, “it unfortunately happens very often” to the general public, Andrés Arrieta, director of consumer privacy engineering at the Electronic Frontier Foundation, told Ars. “There are companies who capitalize on finding the real person behind the advertising identifiers.” Furthermore, de-anonymizing data in the way The Pillar did is trivially easy. All you need to do to buy the data, Arrieta said, is pretend to be a company. There are no special technical skills required to sift through the data, he added.

Data from apps like Grindr have the potential not just to violate people's privacy, Arrieta said, but their safety, too. "When you are serving to a marginalized population whose lives are literally in danger in many areas of the world, or whose jobs are in danger even in the US, you need to have really high standards of privacy and security.

The Pillar was able to de-anonymize the data because it wasn’t truly anonymous in the first place. Data that is not connected to a person’s name but still retains a unique identifier is what’s known as "pseudonymous data," Butler said. To truly anonymize data, there are several approaches. One common tactic is known as "differential privacy," where noise is injected into the data, which makes it useful for statistical purposes but frustrates efforts to connect discrete data points to individuals. Pseudonymous data, on the other hand, makes associating individual records with an individual relatively easy, depending on what is in the set.

“When you’re talking about location data, it’s fundamentally not possible to have workable pseudonymity, because location data fingerprints are so revealing,” Butler said. “Once location data is linked to a record, then it’s going to be easy to link that back to a person,” he said. “Most people have essentially a location fingerprint in their lives. They live at home, they go to work, they go to certain limited places. There have been studies that show that we’re uniquely identifiable based just on a few key location points we go to in a given week.”

President Biden’s recent executive order, which called attention to the surveillance of user data and his nomination of Lena Khan to the Federal Trade Commission suggests that there may be action coming soon. “There need to be practical, technical, and legal protections for this type of data, and protections for individuals, to prevent this type of abuse,” Butler said.