Foreign media Arstechnica published an article saying that a public figure was ousted after the location data of an anonymous mobile phone was publicly reported, which seemed to be the first time. The data revealed sensitive information about his life and details of previous privacy. Jeffrey Burrill, secretary general of the American Catholic Bishops' Association (USCCB), is actually the highest-ranking non-episcopal priest in the United States.
A few days ago, the anonymized data exposed Burrill's use of the gay social networking app Grindr. While Burrill's actions were not illegal, clergy in the Catholic Church forbade this form of sexual relationship. The USCCB doesn't even encourage Catholics to attend gay weddings.
Alan Butler, executive director of the Electronic Information Privacy Center, told Ars that Burrill's case is "significant" and that "it's a clear and prominent example of what people, privacy advocates and experts in our world have been clamoring for years on the roof that the only identifiable data isn't anonymous." ”
Obtained in accordance with law
The data that led to Burrill's ouster was reportedly obtained through legal means. Mobile operators sell location data and continue to sell it to brokers, who aggregate it and sell it to a wide variety of buyers — including advertisers, law enforcement officers, roadside agents and even bounty hunters. In 2018, operators were found selling real-time location data to brokers, which sparked outrage from the U.S. Congress. But after carriers publicly apologized and promised to reform the practice, the survey showed that mobile phone location data still appeared where it shouldn't. This year, T-Mobile even expanded its services by selling customers' web and app usage data to third parties unless users opt out.
The Pillar, a publication that discloses the use of Pillar's private app, is a current affairs news agency covering the Catholic Church, but the publication does not specify where or how To obtain Polar's data. But the outlet described how it anonymized the aggregated data to link the use of the Grindr app to devices that appear to be Burrill's phones.
The Pillar said it obtained commercially available application signal data records for parts of 2018, 2019 and 2020, including Grindr's usage records and where the app was used. The article focuses on the addresses that Burrill frequently enters and exits, and also singles out a device identifier that appears at those addresses. Key locations include Burrill's USCCB office, his residence at the USCCB and USCCB meetings and event points in other cities he attends. The analysis also looked further afield, including his family's lakeside villa, his family's home and an apartment in his Wisconsin hometown where he allegedly lived.
The Pillar said the de-anonymized data showed that mobile devices showing up at those locations — possibly Burill's phone — were using Grindr almost every day. It also noted that data "related" to the priest's cell phone suggested he had been to gay bars, including on business trips. The Pillar submitted the information to the USCCB before it was announced, and yesterday, the agency announced The Pillar's resignation.
De-anonymization
Andrés Arrieta, head of consumer privacy engineering at the Electronic Frontier Foundation (EFF), told Ars that while it may be the first time a public figure's online activity has been disclosed through aggregated data, unfortunately this often happens to the general public. "Some companies have taken advantage of the opportunity to find the real people behind the advertising logo." In addition, de-anonymizing data in the way Of The Pillar is very simple. Arrieta points out that all you need to do to buy data is to pretend to be a company. He also added that screening this data does not require special technical skills.
Arrieta said data from apps like Grindr has the potential to invade people's privacy but also their security.
Pillar was able to de-anonymize data because it wasn't truly anonymous in the first place. Butler points out that data that is not related to an individual's name but retains a unique identifier is called "pseudonymous data." There are several ways to truly anonymize data. A common tactic known as "differential privacy" injects noise into the data, which makes it useful for statistical purposes but hinders efforts to connect discrete data points to individuals. On the other hand, based on what is in the collection, kana data makes it relatively easy to associate individual records with individuals.
"When you talk about location data, it's basically impossible to have a viable pseudonym because location data fingerprints are so exposed. Once location data is associated with a record, it's easy to associate it with a person. Most people basically have a location fingerprint in their lives. They live at home, they go to work, they go to certain limited places. Studies have shown that in a given week, we can be uniquely identified based on just a few key locations we go to," Butler said.