“This country is planted thick with laws, from coast to coast, Man's laws, not God's! And if you cut them down, and you're just the man to do it, do you really think you could stand upright in the winds that would blow then? Yes, I'd give the Devil benefit of law, for my own safety's sake!".
― Robert Bolt, A Man for All Seasons.
You might recall that entertaining story where an intrepid journalist, ex-cop, or even a highly curious group of teenagers has strong suspicions someone is up to no good? Our heroes, of course, happily accept that due process should rule the day and, after reporting to the proper authorities, forego any attempts at freelance surveillance or accountability. Right? Fat chance.
Whether it’s a stern Charles Bronson or those wacky kids and their talking Great Dane, or a costumed and genetically enhanced savior, popular entertainment often supposes extrajudicial surveillance is vastly preferable, not only for dramatic effect but for practical effect, and that freelance justice is essential to ensure accountability. Institutions, after all, are well known for sclerosis, incompetence or worse, cover ups. Absent a self-authorized prosecution in public, injustice will prevail, the thinking goes.
And so it goes for Monsignor Jeffrey Burrill, who resigned from his post at the U.S. Conference of Catholic Bishops after The Pillar, a Catholic news source, published allegations[1] that Burrill had been using “hookup apps,” along with evidence that tracked his movements to, among other places, a Las Vegas’ “gay bathhouse.” Even those concerned that Father Burrill failed to honor his promise to observe Catholic rules on celibacy for certain vocations, should be concerned about the surveillance used to uncover these claims, and their publication.[2]
This post makes several observations, starting with privacy considerations for de-identified location data, and concluding with observations on the ethical framework for the journalistic publication of such data. I think the right focus is less on the fact that such data is commercially available, as it can be used for a variety of purposes, but on principles that should guide its use and protect privacy.
As this blog has noted frequently, networked information tools can be particularly useful for promoting an agenda, whether for violence or for justice. To best promote principles of justice – particularly when, as here, the parties engaged in the surveillance believe they are promoting justice – effective responses start with upholding the principles one wishes to promote.[3]
Mobile phone applications generate location data and often record that location in the servers that support them. The location data will be generated by the phone’s operating system (consulting its own databases, or nearby satellites). The mobile carrier typically has no involvement in this process, or at most will provide the application with assistance in locating the nearest GPS signal.
This data developed by mobile applications is typically linked only to a pseudonymous device identifier. As the Pillar article explained, “Commercially available app signal data does not identify the names of app users, but instead correlates a unique numerical identifier to each mobile device using particular apps. Signal data… can be analyzed to provide timestamped location data and usage information for each numbered device.”[4]
Privacy analysts have long understood that pseudonymous location data requires additional protections for privacy so long as it is linked to any unique identifier, such as a device ID. For example, a person’s home address is easily found online. If a device ID was found at the coordinates for that address at regular intervals concurrent with hours one spends at home, one has linked that device ID to the person. Then, one need only look to see where else that device ID appears. That is what the Pillar did here: link a device ID to Father Burrill’s residence, office, and residences of known family members, and then see where else that device ID appeared.
The implications for privacy are clear: location data linked to a unique identifier can often be linked to a person. This means privacy protections need to be integrated so datasets can still be useful while minimizing individual privacy harms.[5] Such additional steps can include, for example, rotating the identifiers with sufficient frequency that patterns of movement cannot be detected.
Another privacy protection is sufficiently aggregating the unique data elements so that individual data cannot be distinguished. One such process is assuring a data set has an acceptable level of “k-anonymity” – the property that, for a given set of unique data elements, the data for a particular person cannot be distinguished from k-1 individuals.[6]
K-anonymity is not foolproof. For example, if the attributes involved are all very similar then it is a simpler inference that a particular person in that database has that attribute. And if the attribute is itself something sensitive, e.g., a database of patients with a given disease, then it’s sufficient to know someone is in the data set to impact privacy. The technique then needs to be consciously applied along with other approaches in order to protect privacy.
Which is to say these safeguards are particularly ineffective if not applied, and thus the ethical framework under which a data analysis is conducted makes a huge difference. And when looking for incriminating evidence of wrongdoing, one doing the looking can be so motivated by justice one may overlook if they have crossed an ethical line as well.
That self-awareness needs to be applied to use of location data, which is particuarly useful if one is looking for incriminating evidence. If a given device can be linked to a person, and that device later appears at the address of an unmarried woman, the work is more or less done. The old-fashioned and work of private investigators like Jake Gittes from the film Chinatown, personally stalking suspected spouses until they can be photographed in compromising positions, is unnecessary.
Importantly, though, Jake Gittes intended his compromising evidence to be presented solely to his clients. And he is distressed when, to his surprise, photos he provided to a client are published in the news media. In contrast, the Pillar presented its findings not only in private - to church officials - but to the public. It's important to examine the ethical framework guiding the Pillar’s use of the dataset, and what impacts that framework might work on human beings.
In a statement on Twitter,[7] JD Flynn of the Pillar explained their reasoning thusly: church leaders have pointed out inconsistency between actual behavior and doctrinal expectations of celibacy can contribute to a ‘culture of secrecy’ – i.e., a culture conducive to covering up child abuse. Therefore ‘outing’ this church leader’s behavior serves to warn church figures that secrets may not hold. The Pillar states it is not insinuating Father Burrill was in anyway involved in inappropriate contact with minors, though it alludes to connections between use of “hookup apps” and the abuse of minors.
Other commentators supported the Pillar’s actions on the basis that persons in a sensitive vocation deserve less privacy, given the interests of the people they serve in knowing if their priest is indeed struggling or in violation of his commitments. Janet Smith, writing in Crisis magazine, argues the disclosure of information was akin to the right of a spouse to know if their partner is being unfaithful.[8]
I think each of these arguments fail, for at least three reasons. First, to the extent one justifies the surveillance and disclosure of a person’s movements with reference to the benefit to an institution, more is needed to justify disclosure to the institution, not the public. The Crisis article elaborates why a supervising Bishop would want to know - and act on - such information, but her article makes little or no case defending the disclosure to the public.[9] And the Pillar explains the data was brought to the attention of Father Burrill’s employer, after which Father Burrill resigned.
Christian teaching cautions against public shaming of those in error as a first step. In the Gospel of Matthew, Chapter 18, Jesus counsels: “And if your brother sins, go and reprove him in private.”[10] Ongoing wrongdoing with no sign of change can be dealt with via escalations, including publication to the community, but the first ethical principle is to approach the matter humbly (recognizing no accuser is themselves without sin),[11] and with the goal of reconciliation. Which is to say, also, even those who have done wrong still have rights.
The analogy to surveillance and disclosure of marital infidelity is telling. A cold truth, but you have no “right” to know if your spouse is cheating. Or at least certainly no right that supersedes rights to electronic privacy. Indeed, such secret surveillance is a fairly clear example of the point I noted earlier: engaging in the excess secrecy you seek to prevent is likely to be ineffective at preventing it.[12] Moreover, it’s illegal to wiretap a spouse suspected of cheating and publish the findings, just as it’s illegal to wiretap with criminal intent.[13]
In this case, by all accounts the data was likely lawfully obtained through purchase from a data broker, but there is still the matter of the public disclosure. The Pillar may, in some sense, rationalize this disclosure with a belief that the fate of mortal souls hangs in the balance unless the church reforms, especially given experiences with child abuse in the institution. But it’s this rationalization for abrogating privacy that poses the most problems, in part because it elides distinctions between different uses of the tools.
Vigilante surveillance of an embezzler or an adulterer at least has some claim to moral authority in that it aims at stopping a clear wrong. “Hook up” relationships are wrong in that they are inconsistent with vocational promises of celibacy. And yes, even among private parties, such relationships can’t really lay claim to being paragons of virtue, but when pursued among consenting adults neither are they morally wrong at the same level as theft and infidelity. They are certainly no worse if pursued between adult persons of the same sex.
But the Pillar suggests a different argument: that because the tools used in pursuit of adult "hookups" have also been used for child abuse,[14] any use of the tools warrants a response proportionate to the goal of preventing such abuse. This strikes me as a straw man argument, at best.
Yes, “hookup apps” may have been used for the “grooming” involved in child abuse. But online safety research shows the process of “grooming” can occur through a variety of tools.[15] Did the Pillar needed to publicize Burrill’s identity and his failures in order to point out the risks of such apps? Indeed, the Pillar notes there is no evidence Burrill was in contact with minors. So why does the public need to know this particular person had a moral and professional failure?
It’s no secret the Catholic church is embroiled in a struggle between supporters of its traditional teachings on same-sex attraction and, on the other hand, both secular civic acceptance of same-sex relationships, and the positions of many Catholics (and other Christians) who find those traditional teachings absurd, even unsupported by Scripture. It’s not an implausible inference that someone interested in maintaining a bright line against validating same-sex relationships would seek to link secrecy accompanying child abuse in the Church to secrecy concerning same-sex attraction. I have no evidence myself this is the intent, but others have suspicions this is its true agenda.[16]
It’s not the place of this blog (nor the intent of this author) to parse the doctrinal discussions within Catholic Church (of which I am not a member). I bring this up solely to note that ethical use of networked information tools rests on a strong preference to respect individual privacy, including privacy of those engaged in some form of wrongdoing. When doctrinal and policy battles are waged using weapons of personal public attack, both privacy and policy deliberation suffers.[17]
It is indeed true, as The Pillar observed, that use of location-based hookup apps is inconsistent with clerical obligations to continence and chastity. And it is equally true, that such use was pursued in secrecy, just as child abuse was pursued in secrecy. But to end as I began, with reference to popular cinematic entertainment, the Pillar’s publication, even if well-intended, is no “Spotlight.”[18]
For one, private disclosure of the material may well have been more effective at protecting all the interests involved.[19] For another, seeking same-sex liaisons between adults, even if suffering under secrecy, is not per se criminal abuse. And thirdly, ethical journalism involves (as “Spotlight” showed), attention to the motives of those who provide information, and a commitment to submit oneself to constraints that serve the public interest.
A principle that “the public should know of private wrongdoing” needs to be carefully balanced against whether that publication is needed for a public purpose, such as safety, or shedding light on institutional statements, or where an individual persists in resisting accountability. Promoting a particular policy agenda is not such an offsetting interest, particularly where the person impacted is generally not a public figure who has chosen to make their behavior a subject of public interest.
In the 1983 film “The Star Chamber,” Michael Douglas is invited into a secret group of judges who hire an assassin to take out criminals who slip through the justice system, only to rue his extra-judicial abandonment of that system. Yes, the justice system has failures. And yet the system, at least in principle, maintains rules to balance accountability with privacy in ways that self-appointed arbiters may not elect to observe. The importance of that balance applies equally so to journalism.
[1]https://www.pillarcatholic.com/p/pillar-investigates-usccb-gen-sec
[2]See, e.g., https://www.washingtonpost.com/religion/2021/07/21/catholic-official-grindr-reaction/ (quoting Mike Lewis, Catholic commentator, noting that while Burrill did need to step down for violating his commitments, this practice “ruined a man’s life,” rather than bringing truth to light).
[3]See “Tool Without A Handle: Tools for Terror, Tools for Peace,” March 6, 2016, online at: https://cyberlaw.stanford.edu/blog/2016/03/tool-without-handle-tools-terror-tools-peace#
[4]See supra, n.1
[5]See, e.g., Yves-Alexandre de Montjoye, César A. Hidalgo, Michel Verleysen & Vincent D. Blondel, “Unique in the Crowd: The Privacy Bounds of Human Mobility,” Scientific Reports, (2013). online at: https://doi.org/10.1038/srep01376; Alex Berke, Dan Calacci, Kent Larson, Alex (Sandy) Pentland, "The Tradeoff Between the Utility and Risk of Location Data and Implications for Public Good," arXiv.org, 2019, online at: https://www.media.mit.edu/publications/the-tradeoff-between-the-utility-and-risk-of-location-data-and-implications-for-public-good/
[6]See Pierangela Samarati and Latanya Sweeney, "Protecting privacy when disclosing information: k-anonymity and its enforcement through generalization and suppression" (1998), /content/files/dataprivacy/projects/kanonymity/paper3.pdf; see also Latanya Sweeney, “K-anonymity: A Model for Protecting Privacy,” International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, (2002); online at: /content/files/dataprivacy/projects/kanonymity/kanonymity.pdf
[7]See https://twitter.com/jdflynn/status/1417872232420974592?s=20
[8]See https://www.crisismagazine.com/2021/the-limits-of-a-priests-right-to-privacy
[9]Again, this is on its face not a matter involving child abuse, where public identification of the abuser would have ethical benefits, including encouraging other witnesses to come forward, protection of those associating with the abuser, and additional pressure to ensure accountability (including criminal investigations).
[10]Matthew 18:15 ("If your brother or sister[a] sins ,go and point out their fault, just between the two of you. If they listen to you, you have won them over").
[11]John 8:7 (“When they kept on questioning him, he straightened up and said to them, “Let any one of you who is without sin be the first to throw a stone at her”).
[12]An article on this matter quotes Daniella Zsupan-Jerome, the director of ministerial formation at St. John’s University School of Theology and Seminary in Collegeville, Minn., “[M]ore and more surveillance and tracking technology will not produce righteous men fit for ministry. Instead, she said, it will contribute to a culture of suspicion and perpetuate the lack of trust in the Catholic Church.” See Michael O’Laughlin, “What we do and don’t know about the methods used to track the Grindr habits of a top USCCB priest,” July 23, 2021, online at: https://www.americamagazine.org/politics-society/2021/07/23/grindr-data-privacy-catholic-burrill-241111 (“O’Laughlin”).
[13]The Electronic Communications Privacy Act (“ECPA”) prohibits intentional, unauthorized interception, disclosure, or use of electronic communications in which there is an expectation of privacy. And a spouse has an expectation of privacy in their emails, text messages, and other correspondence (and subjectively, cheating spouses have higher expectations of privacy). See 18 U.S. Code § 2701
[14]See, e.g., “Ohio priest’s plea raises tech accountability concerns,” online at: https://www.pillarcatholic.com/p/ohio-priests-plea-raises-technology
[15]See, e.g., Sonia Livingstone, Julia Davidson, Joanne Bryce, Saqba Batool, “Children's online activities, risks and safety,” London School of Economics (2017), online at: /content/files/business-and-consultancy/consulting/assets/documents/childrens-online-activities-risks-and-safety.pdf.; “What is Grooming?,” National Society for the Prevention of Cruelty to Children, online at: https://www.nspcc.org.uk/what-is-child-abuse/types-of-abuse/grooming/; “Unwanted Contact and Grooming,” Australia’s E-Safety Commission, online at: https://www.esafety.gov.au/parents/big-issues/unwanted-contact
[16]See, e.g., O’Laughlin, supra n.11.
[17]That’s not to say, of course, that such practices are unusual. See, e.g., Elaine Kamarck, “A Short History of Campaign Dirty Tricks Before Twitter and Facebook,” Brookings, July 2019, online at: https://www.brookings.edu/blog/fixgov/2019/07/11/a-short-history-of-campaign-dirty-tricks-before-twitter-and-facebook/
[18]The 2015 film depicting the work of investigative reporters at The Boston Globe to uncover evidence of extensive sexual abuse of children in the Catholic Church, and the associated cover up by church authorities. https://www.imdb.com/title/tt1895587/
[19]I’d written earlier about use of information tools for confessions, noting that privacy is often an enabler of transparency where it protects disclosed information from broader disclosure, beyond the sphere of those in a position to make constructive use of it. See “Tool Without a Handle: Online Confessions,” online at: https://cyberlaw.stanford.edu/blog/2018/03/tool-without-handle-online-confessions. So as to whether a private disclosure of this to church authorities would have been more effective at protecting all the interests involved, the Catholic tradition of a confidential confession (as distinct from a public shaming) is instructive.