
WHEN a religious publication used smartphone app data to deduce the sexual orientation of a high-ranking Roman Catholic official, it exposed a problem that goes far beyond a debate over church doctrine and priestly celibacy.
With few US restrictions on what companies can do with the vast amount of data they collect from web page visits, apps and location tracking built into phones, thereâs not much to stop similar spying on politicians, celebrities and just about anyone thatâs a target of another personâs curiosityâor malice.
Citing allegations of âpossible improper behavior,â the US Conference of Catholic Bishops on Tuesday announced the resignation of its top administrative official, Monsignor Jeffrey Burrill, ahead of a report by the Catholic news outlet The Pillar that probed his private romantic life.
The Pillar said it obtained âcommercially availableâ location data from a vendor it didnât name that it âcorrelatedâ to Burrillâs phone to determine that he had visited gay bars and private residences while using Grindr, a dating app popular with gay people.
âCases like this are only going to multiply,â said Alvaro Bedoya, director of the Center for Privacy and Technology at Georgetown Law School.
Privacy activists have long agitated for laws that would prevent such abuses, although in the US they only exist in a few states, and then in varying forms. Bedoya said the firing of Burrill should drive home the danger of this situation, and should finally spur Congress and the Federal Trade Commission to act.
Privacy concerns are often construed in abstract terms, he said, âwhen itâs really, âCan you explore your sexuality without your employer firing you? Can you live in peace after an abusive relationship without fear?ââ Many abuse victims take great care to ensure that their abuser canât find them again.
As a congressional staffer in 2012, Bedoya worked on legislation that would have banned apps that let abusers secretly track their victimsâ locations through smartphone data. But it was never passed.
âNo one can claim this is a surprise,â Bedoya said. âNo one can claim that they werenât warned.â
Privacy advocates have been warning for years that location and personal data collected by advertisers and amassed and sold by brokers can be used to identify individuals, isnât secured as well as it should be, and is not regulated by laws that require the clear consent of the person being tracked. Both legal and technical protections are necessary so that smartphone users can push back, they say.
The Pillar alleged âserial sexual misconductâ by Burrillâhomosexual activity is considered sinful under Catholic doctrine, and priests are expected to remain celibate. The online publicationâs web site describes it as focused on investigative journalism that âcan help the Church to better serve its sacred mission, the salvation of souls.â
Its editors didnât respond to requests for comment on Thursday about how they obtained the data. The report said only that the data came from one of the data brokers that aggregate and sell app signal data, and that the publication also contracted an independent data consulting firm to authenticate it.
Norwayâs data privacy watchdog concluded earlier this year that Grindr shared personal user data with a number of third parties without legal basis and said it would impose a fine of $11.7 million (100 million Norwegian krone), equal to 10 percent of the California companyâs global revenue.
The data leaked to advertising technology companies for targeted ads included GPS location, user profile information as well as the simple fact that particular individuals were using Grindr, which could indicate their sexual orientation.