The Informer in Your Pocket

Commonweal [New York NY]

August 5, 2021

By Patrick Juola

No one’s data is ‘private.’

There is a narc in your pocket. It ratted out Msgr. Jeffrey Burrill, the general secretary of the U.S. bishops’ conference, and he had to step down. According to The Pillar, Burrill “visited gay bars and private residences while using a location-based hookup app in numerous cities from 2018 to 2020.” While pundits and activists might see an opportunity to opine about Catholic hypocrisy, what we should all be asking ourselves is what kind of a dirty turncoat would be in possession of, and then share, that kind of information about a person.

Per The Pillar: “According to commercially available records of app signal data obtained by The Pillar, a mobile device correlated to Burrill emitted app data signals from the location-based hookup app Grindr on a near-daily basis.” So the rat was Burrill’s cell phone (or maybe a tablet)—and for two years it was keeping daily tabs on him, compiling a dossier on his actions, a dossier that could be sold to anyone with the money. 

It’s not Grindr’s fault, or if it is, it’s endemic to the mobile economy. The terms of service of nearly every program allow the company to gather any data it likes and use it as it sees fit. Your actions, behaviors, interests, hopes, aspirations, and dreams are all fair game to be gathered and resold. This data is of tremendous value to advertisers and others. As cybersecurity expert Bruce Schneier said all the way back in 2010, “don’t make the mistake of thinking you’re Facebook’s customer, you’re not—you’re the product.”

And a decade before that, Microsoft had published “10 Immutable Laws of Computer Security.” The first law stated simply that “If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore.” By that logic, “your” cell phone is owned by a collective of hundreds or thousands of different entities, some of which—or whom—you don’t even know about. You may have given your phone away to Facebook and Twitter (and Grindr?), but other people may have stolen your phone. In 2014, it was revealed that the National Security Agency was secretly reading and storing data gathered legitimately by the Angry Birds game app. The Guardian recently reported that NSO Group, an Israeli surveillance company, has sold hacking spyware called Pegasus to groups all over the world. Pegasus allows operators to read messages and email, look at photos, record calls, and even surreptitiously listen to microphones. Designed to fight criminals and terrorists, it has been used against human-rights activists, journalists, and lawyers. You wouldn’t even know if someone had pirated a copy and deployed it against you.

Your phone is not your tool. At best, it’s a partner with mixed loyalties; while you use it, it is using you to serve its other masters. This partnership may still be valuable, but that’s a personal decision for each person. In the long run, the bargain may prove Faustian.

What can be done? The obvious solution is to prohibit the collection of unnecessary data. While a cell phone needs to know where I am right now so that I can make and receive calls, there’s no reason that it should remember where I was two hours ago, let alone two years. Weather apps might need to know which city I’m in, but not which bars I frequent or in whose apartment I spend the night. Words With Friends doesn’t need my age, my birthday, my location, my contact list. But while those programs don’t need that information to work, the companies behind them need that information to make money. Remember: once I’ve installed the app, it’s no longer my phone anymore.

Maybe a technical solution would work? Upgrade the phone somehow to prevent apps from collecting data I don’t want them to? Unfortunately, technical solutions are only as good as the programmers, and the bad guys can hire skilled programmers as well. Apple is generally considered a gold standard for security among commercial cell phone providers, but NSO Group (among others) have found ways to easily bypass Apple’s security and extract or install whatever they want. In a privacy arms race, the advantage is always to the attackers, because they only need to be successful once. 

If Big Tech can’t solve our problem for us, maybe Big Government can? Many companies have been fined for violating European Union privacy and data access laws. In December 2020, Irish regulators fined Twitter for doing so, but the fine was less than $600,000, barely a slap on the wrist for a major multinational company that made more than a billion dollars in the first quarter of 2021. Furthermore, fines can be assessed only after a violation has occurred and after a lengthy assessment and adjudication process, which allows companies ample opportunity for political lobbying. Fining Grindr five years from now will not restore Burrill’s reputation or give him back his job. Indeed, many of the most egregious privacy violations are completely legal in the United States. Grindr not only collects personal data, but sells it, and it is upfront about the possibility of such sales in its terms of service.

There are no easy solutions, and the hard solution unfortunately falls upon us, the users. We have all been told the platitudes: don’t install software you don’t need. Read the terms of service before you click “agree.” Turn off any information-sharing that isn’t related to your needs. Turn off “location sharing” at the hardware level. And remember Schneier’s dictum: you are the product.  

But the harder issue is not just for us as users, but for us as members of society. Burrill was presumably good at his job, or he wouldn’t have held it. Whether he visited gay bars or not is—or should be—irrelevant to whether he can serve the needs of the conference of bishops. Learning that he did visit such bars should not affect our judgment of him as a person or his worth as an employee. If anyone is to be condemned for this act, the obvious candidate is The Pillar, the organization that obtained the data from Grindr, knowing that the people whose data was bought would almost certainly prefer to keep their activities private. Would the staff of The Pillar be happy to share all the intimate details of their personal lives with the world?

This article was made possible through a partnership between Commonweal and the Carl G. Grefenstette Center for Ethics in Science, Technology, and the Law at Duquesne University.

Patrick Juola holds the Joseph A. Lauritis, C.S.Sp. Endowed Chair in Teaching and Technology in the Department of Computer Science and Mathematics at Duquesne University. He has authored two books and more than 100 scientific publications and serves as the director of the Evaluating Variations in Language (EVL) lab.