It finally happened. After years of warning from researchers, journalists, and even governments, someone used highly sensitive location data from a smartphone app to track and publicly harass a specific person. In this case, Catholic Substack publication The Pillar said it used location data ultimately tied to Grindr to trace the movements of a priest, and then outed him publicly as potentially gay without his consent. The Washington Post reported on Tuesday that the outing led to his resignation.
The news starkly demonstrates not only the inherent power of location data, but how the chance to wield that power has trickled down from corporations and intelligence agencies to essentially any sort of disgruntled, unscrupulous, or dangerous individual. A growing market of data brokers that collect and sell data from countless apps has made it so that anyone with a bit of cash and effort can figure out which phone in a so-called anonymized dataset belongs to a target, and abuse that information.
"Experts have warned for years that data collected by advertising companies from Americans’ phones could be used to track them and reveal the most personal details of their lives. Unfortunately, they were right," Senator Ron Wyden told Motherboard in a statement, responding to the incident. "Data brokers and advertising companies have lied to the public, assuring them that the information they collected was anonymous. As this awful episode demonstrates, those claims were bogus—individuals can be tracked and identified."
In short, The Pillar says that Msgr. Jeffrey Burrill, who was the general secretary of the U.S. bishops' conference (USCCB) before his resignation, visited gay bars and other locations while using gay dating app Grindr.
"An analysis of app data signals correlated to Burrill’s mobile device shows the priest also visited gay bars and private residences while using a location-based hookup app in numerous cities from 2018 to 2020, even while traveling on assignment for the U.S. bishops’ conference," the outlet wrote. The Pillar says the location data is "commercially available records of app signal data," and that it obtained the records from "a data vendor" and then authenticated them with a data consulting firm.
Do you know about any other abuses of location data? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email email@example.com.
The data itself didn't contain each mobile phone user's real name, but The Pillar and its partner were able to pinpoint which device belonged to Burill by observing one that appeared at the USCCB staff residence and headquarters, locations of meetings that he was in, as well as his family lake house and an apartment that has him listed as a resident. In other words, they managed to, as experts have long said is easy to do, unmask this specific person and their movements across time from an supposedly anonymous dataset.
A Grindr spokesperson told Motherboard in an emailed statement that "Grindr's response is aligned with the editorial story published by the Washington Post which describes the original blog post from The Pillar as homophobic and full of unsubstantiated inuendo. The alleged activities listed in that unattributed blog post are infeasible from a technical standpoint and incredibly unlikely to occur. There is absolutely no evidence supporting the allegations of improper data collection or usage related to the Grindr app as purported."
It is not clear what Grindr sees as "infeasible from a technical standpoint." In January the Norwegian Data Protection Authority fined Grindr $11.7 million for providing its users' data to third parties, including their precise location data. Almost prophetically, Norwegian authorities said at the time that Grindr users could be targeted with this sort of information in countries where homosexuality is illegal.
Researchers have repeatedly shown that it is possible to figure out who a phone in an allegedly anonymized set of location data belongs to sometimes with a few points of reference, such as their home or place of work. The spokesperson did not respond to a request to elaborate on what Grindr believes is technically infeasible.
"The research from The Pillar aligns to the reality that Grindr has historically treated user data with almost no care or concern, and dozens of potential ad tech vendors could have ingested the data that led to the doxxing," Zach Edwards, a researcher who has closely followed the supply chain of various sources of data, told Motherboard in an online chat. "No one should be doxxed and outed for adult consenting relationships, but Grindr never treated their own users with the respect they deserve, and the Grindr app has shared user data to dozens of ad tech and analytics vendors for years."
Journalists have also used location data in similar ways before in their reporting. In February, The New York Times' opinion section married location and advertising data to reveal the movements and identities of specific people who attended the January 6 Capitol riots.
"While there were no names or phone numbers in the data, we were once again able to connect dozens of devices to their owners, tying anonymous locations back to names, home addresses, social networks and phone numbers of people in attendance. In one instance, three members of a single family were tracked in the data," the piece read.
Last week, Motherboard reported on the so-called "identity resolution" industry, in part by posing as a customer looking to buy sensitive data. These companies promise to match mobile advertising IDs—unique codes assigned to mobile phones by their operating systems, and which tech companies have repeatedly assured consumers are anonymous, or at least pseudonymous—to real-world identities. This makes unmasking people in datasets even easier; why bother trying to figure out which phone belongs to who when you can just buy that information instead.
"Anyone and everyone who has a phone and has installed an app that has ads, currently is at risk of being de-anonymized via unscrupulous companies," Edwards told Motherboard at the time when presented with our findings.
Senator Wyden called for the Federal Trade Commission to act on the data broker industry.
"Last year, I led a bipartisan letter to the FTC calling for a broad probe of the industry. The FTC needs to step up and protect Americans from these outrageous privacy violations, and Congress needs to pass comprehensive federal privacy legislation," he added.
Motherboard has also shown how wide spanning the customer base for this sort of location data is, with the U.S. military and various law enforcement agencies also purchasing it, skirting the need to obtain a warrant. And although the data was based on that generated by telecom networks and not apps, we also previously spoke to Ruth Johnson, a woman who was stalked and harassed by someone who gained access to her phone's location. Johnson said T-Mobile put her "life in danger." Motherboard also tied black market location data to the spot of a triple murder.
Subscribe to our cybersecurity podcast, CYBER.