Top U.S. Catholic Church official resigns after cellphone data used to track him on Grindr and to gay bars

The top administrator of the U.S. Conference of Catholic Bishops resigned after a Catholic media site told the conference it had access to cellphone data that appeared to show he was a regular user of Grindr, the queer dating app, and frequented gay bars.

Some privacy experts said that they couldn’t recall other instances of phone data being de-anonymized and reported publicly, but that it’s not illegal and will likely happen more as people come to understand what data is available about others.

…

The resignation stemmed from reporting in the Pillar, an online newsletter that reports on the Catholic Church. Tuesday afternoon, after Burrill’s resignation became public, the Pillar reported that it had obtained information based on the data Grindr collects from its users, and hired an independent firm to authenticate it.

“A mobile device correlated to Burrill emitted app data signals from the location-based hookup app Grindr on a near-daily basis during parts of 2018, 2019, and 2020 — at both his USCCB office and his USCCB-owned residence, as well as during USCCB meetings and events in other cities,” the Pillar reported.

“The data obtained and analyzed by The Pillar conveys mobile app date signals during two 26-week periods, the first in 2018 and the second in 2019 and 2020. The data was obtained from a data vendor and authenticated by an independent data consulting firm contracted by The Pillar,” the site reported. It did not identify who the vendor was or if the site bought the information or got it from a third party.

The Pillar story says app data “correlated” to Burrill’s phone shows the priest visited gay bars, including while traveling for the USCCB.

Grindr did not respond immediately Tuesday to questions.

Privacy experts have long raised concerns about “anonymized” data collected by apps and sold to or shared with aggregators and marketing companies. While the information is typically stripped of obviously identifying fields, like a user’s name or phone number, it can contain everything from age and gender to a device ID. It’s possible for experts to de-anonymize some of this data and connect it to real people.