Pages

Tuesday, July 27, 2021

"Anonymized" data that is NOT anonymous caught a Catholic prelate, sworn to abstinence, using Grindr, a gay dating app. He stepped down. But what about YOUR privacy expectations and assumptions when you carry that phone device around wherever you go?

 Where the prelate was placed in the Roman Church U.S. hierarchy, and the prior possible Catholics Bishops collectively voting for a denial of sacraments to Biden over reproductive choice, the short time gap, are existing facts. Causally related? You'd have to ask those who took the time and effort to snag the priest. There'd have to have been a motivational drive, else why do the sleuth work? It is a compelling question; online print media seem not to be asking. Aside from that, moving on to details -

Websearch likely would find multiple online postings, but the focus here is ArsTech, July 21, 2021, reporting, a published report beginning -

In what appears to be a first, a public figure has been ousted after de-anonymized mobile phone location data was publicly reported, revealing sensitive and previously private details about his life.

Monsignor Jeffrey Burrill was general secretary of the US Conference of Catholic Bishops (USCCB), effectively the highest-ranking priest in the US who is not a bishop, before records of Grindr usage obtained from data brokers was correlated with his apartment, place of work, vacation home, family members' addresses, and more. Grindr is a gay hookup app, and while apparently none of Burrill’s actions were illegal, any sort of sexual relationship is forbidden for clergy in the Catholic Church. The USCCB goes so far as to discourage Catholics from even attending gay weddings.

Burrill’s case is “hugely significant,” Alan Butler, executive director of the Electronic Information Privacy Center, told Ars. “It’s a clear and prominent example of the exact problem that folks in my world, privacy advocates and experts, have been screaming from the rooftops for years, which is that uniquely identifiable data is not anonymous.”

Well, gee. Imagine that. What more is there to the story about how your phone talks even when you're not talking through it. Much more - 

 The data that resulted in Burrill’s ouster was reportedly obtained through legal means. Mobile carriers sold—and still sell—location data to brokers who aggregate it and sell it to a range of buyers, including advertisers, law enforcement, roadside services, and even bounty hunters. Carriers were caught in 2018 selling real-time location data to brokers, drawing the ire of Congress. But after carriers issued public mea culpas and promises to reform the practice, investigations have revealed that phone location data is still popping up in places it shouldn’t. This year, T-Mobile even broadened its offerings, selling customers' web and app usage data to third parties unless people opt out.

The publication that revealed Burrill’s private app usage, The Pillar, a newsletter covering the Catholic Church, did not say exactly where or how it obtained Burrill’s data. But it did say how it de-anonymized aggregated data to correlate Grindr app usage with a device that appears to be Burrill’s phone.

The Pillar says it obtained 24 months' worth of “commercially available records of app signal data” covering portions of 2018, 2019, and 2020, which included records of Grindr usage and locations where the app was used. The publication zeroed in on addresses where Burrill was known to frequent and singled out a device identifier that appeared at those locations. Key locations included Burrill's office at the USCCB, his USCCB-owned residence, and USCCB meetings and events in other cities where he was in attendance. The analysis also looked at other locations farther afield, including his family lake house, his family members’ residences, and an apartment in his Wisconsin hometown where he reportedly has lived.

The de-anonymized data revealed that a mobile device that appeared at those locations—likely Burrill’s phone, The Pillar says—used Grindr almost daily. [...]

Not anonymous

While this might be the first case of a public figure’s online activities being revealed through aggregate data, “it unfortunately happens very often” to the general public, Andrés Arrieta, director of consumer privacy engineering at the Electronic Frontier Foundation, told Ars. “There are companies who capitalize on finding the real person behind the advertising identifiers.” Furthermore, de-anonymizing data in the way The Pillar did is trivially easy. All you need to do to buy the data, Arrieta said, is pretend to be a company. There are no special technical skills required to sift through the data, he added.

[...] The Pillar was able to de-anonymize the data because it wasn’t truly anonymous in the first place. Data that is not connected to a person’s name but still retains a unique identifier is what’s known as "pseudonymous data," Butler said. To truly anonymize data, there are several approaches. One common tactic is known as "differential privacy," where noise is injected into the data, which makes it useful for statistical purposes but frustrates efforts to connect discrete data points to individuals. Pseudonymous data, on the other hand, makes associating individual records with an individual relatively easy, depending on what is in the set.

“When you’re talking about location data, it’s fundamentally not possible to have workable pseudonymity, because location data fingerprints are so revealing,” Butler said. “Once location data is linked to a record, then it’s going to be easy to link that back to a person,” he said. “Most people have essentially a location fingerprint in their lives. [...]

 “There need to be practical, technical, and legal protections for this type of data, and protections for individuals, to prevent this type of abuse,” Butler said.

Bounty hunters? Yup, according to the linked item -

Carriers made “empty promises to consumers”

Of course, mobile carriers themselves could prevent such privacy problems by not selling their customers' location data in the first place.

Carriers were pressured into changing their policies last year after it was revealed that prison phone company Securus offers a service enabling law enforcement officers to locate most American cell phones within seconds. Securus' service relies on data from LocationSmart. It was also reported that a LocationSmart bug could have allowed anyone to surreptitiously track the real-time whereabouts of cell phone users.

At the time, US Sen. Ron Wyden (D-Ore.) urged all four major carriers to stop selling their customers' location data. They all said that they would, with limited exceptions: for example, AT&T said it would "be ending our work with aggregators" but continue to allow "important, potential lifesaving services like emergency roadside assistance."

Today, Wyden said he's disappointed that carriers are apparently still selling location data to data brokers.

Disappointment over such stuff is a mild characterization of how we should feel. Violated is a better word.