De-anonymization Story

This is important:

Monsignor Jeffrey Burrill was general secretary of the US Conference of Catholic Bishops (USCCB), effectively the highest-ranking priest in the US who is not a bishop, before records of Grindr usage obtained from data brokers was correlated with his apartment, place of work, vacation home, family members’ addresses, and more.

[…]

The data that resulted in Burrill’s ouster was reportedly obtained through legal means. Mobile carriers sold­ — and still sell — ­location data to brokers who aggregate it and sell it to a range of buyers, including advertisers, law enforcement, roadside services, and even bounty hunters. Carriers were caught in 2018 selling real-time location data to brokers, drawing the ire of Congress. But after carriers issued public mea culpas and promises to reform the practice, investigations have revealed that phone location data is still popping up in places it shouldn’t. This year, T-Mobile even broadened its offerings, selling customers’ web and app usage data to third parties unless people opt out.

The publication that revealed Burrill’s private app usage, The Pillar, a newsletter covering the Catholic Church, did not say exactly where or how it obtained Burrill’s data. But it did say how it de-anonymized aggregated data to correlate Grindr app usage with a device that appears to be Burrill’s phone.

The Pillar says it obtained 24 months’ worth of “commercially available records of app signal data” covering portions of 2018, 2019, and 2020, which included records of Grindr usage and locations where the app was used. The publication zeroed in on addresses where Burrill was known to frequent and singled out a device identifier that appeared at those locations. Key locations included Burrill’s office at the USCCB, his USCCB-owned residence, and USCCB meetings and events in other cities where he was in attendance. The analysis also looked at other locations farther afield, including his family lake house, his family members’ residences, and an apartment in his Wisconsin hometown where he reportedly has lived.

Location data is not anonymous. It cannot be made anonymous. I hope stories like these will teach people that.

Posted on July 28, 2021 at 6:03 AM23 Comments

Comments

Etienne July 28, 2021 7:16 AM

The higher you get in life, the narrower the limits are, and the more privacy you need. Alas, the money and the status are addictive.

In the old days a private investigator would be hired, and they would create tails for the subject. Movies exploit these ancient techniques with black and white glossy photo’s of Priests in bed with infidels.

Fast forward to the 21st Century, and these gumshoe’s don’t even wear socks anymore, and buy their data in souks.

The only aristocrats left using smart phone are imbeciles.

I’m a pretty low-class citizen, retired even, and the only time I put my battery in, is if I need to make a call. Otherwise everything is forwarded to voicemail or my VOIP.

Course, I guess if you need multiple sex partners on a daily basis, the odds are going to go against you, even if you never leave your throne. As we used to say in the military: “there’s always a stink’n rat to spoil the party.”

WhyNot July 28, 2021 8:05 AM

The Pillar writes “The data was obtained from a data vendor and authenticated by an independent data consulting firm contracted by The Pillar.”

Why did they need the third party firm to “authenticate” the data? I’m not convinced that Grindr data contains enough information to simply look up a person’s physical address and find the unique phone identifier number. Grindr’s public statement said they did “not believe” they were the source of the data. That suggests that the data does not allow looking up locations to obtain unique identifiers and so the third party was needed to get into Burrill’s phone and obtain the unique identifier.

Let’s say you hire a private investigator. You tell them, “Don’t break the law while investigating this case” wink, wink. But they commit some “minor” violations anyway. They get paid. The customer doesn’t care as long as their hands are clean. This is not unusual. What did the third party do to authenticate the data and was it entirely legal?

Then there’s this from America Magazine: “Catholic News Agency published a story stating that the organization had been approached by a person in 2018 who “claimed to have access to technology capable of identifying clergy and others who download popular ‘hook-up’ apps, such as Grindr and Tinder, and to pinpoint their locations using the internet addresses of their computers or mobile devices.” The story said that C.N.A. declined to accept information from this person.”

I don’t believe the data was obtained and analyzed by the Pillar, a Catholic publication not known for investigative work. Someone handed them this story. And Burrill was targeted specifically. The Grindr data probably is a treasure trove of info on priests who stray, but only the highest ranking priest in the U.S. and the priest who does the most work on the issue of clergy who abuse kids was outed. There is more here than the Pillar is stating.

Clive Robinson July 28, 2021 8:05 AM

@ Bruce, ALL,

Location data is not anonymous. It cannot be made anonymous. I hope stories like these will teach people that.

It’s not just “location data” that “cannot be made anonymous”.

Hopefully Ross J. Anderson from the UK Cambridge Computer labs will pop up with some real world examples.

But the take away is this,

“1, For any data to be of use it has to be distinguishable in some way.”

“2, The process of distinguishing data effectively makes a collection of data points unique.”

Nothing particularly contentious or unsurprising about those two points.

However,

“3, Adding noise or in other ways trying to make unique data non unique is either going to make it useless thus of no value or can be removed to make it unique and of high value again.”

“4, Unique data is always idetifiable within it’s own data set or by the addition of one or more other data sets that are frequently public and not just effectively unique but tied to a specific entity ”

So,

Anyone who sells what thay claim is “anonynous data” is without doubt a lier and knows it without any doubt.

Who? July 28, 2021 9:54 AM

It is all about metadata. Data has some value, but metadata is even better as it clearly establishes sets of dyadic ties between actors. Data mining and analytics completes the missing details fully illuminating what looks like dark, mostly random, noise to the illiterated.

Why would the National Security Agency spend so many resources in gathering metadata if they are useless?

Winter July 28, 2021 10:16 AM

My first question is: Why is it still legal for mobile carriers to sell location data? If there is one thing the GDPR does well, it is to make it very clear, with heavy fines, that trading location data is a criminal offense.

This is telling us, again, that solutions to protect privacy need to involve the law. No technical solution will help here as the only option for the victim would have been to forego the use of a mobile phone.

Also, the Grindr data could also be a red herring. The data does not have to come from the victim, but could also have come from the partner he met. And this partner could have been much less concerned with hiding his use of Grindr.

JonKnowsNothing July 28, 2021 11:08 AM

@Winter

re: Why is it still legal for mobile carriers to sell location data?

Geolocation data is held not just by mobile carriers.

Unless the setting is disabled, geolocation data is carried in photos and images taken or stored on devices. Lots of folks upload the photos and videos to the cloud in RealTime, periodically or whenever they send an image to their MessagingGroup.

Even if you turn off the setting on your own phone, which may or may not work, anyone sharing their photos with you can have geolocation markers included.

  • Ever get a message photo and all of a sudden, a photo map location marker shows up? The name, location, and address of the sender shows up on the photo collection screen? (iPhone)

If perchance you do manage to turn off the geolocation marker, Google and the NSA have a joint project (with others), to build a giant geolocation image cross reference database from Every Single Picture They Can Scrape from social media sites and from those “storing” their images on “photo albums”. Once you upload the image, it belongs to FB, Google etc and they have all rights to it because that’s what the TOS/EULA says.

This project assigns a geolocation to every photo. Using ML/AI they cross reference images with the same background items (tree, building, stairs, skyline). Once they find a matching image Bob’s Your Uncle. Then they map every object in the image so the next round, they can find that perfect sunset spot where you took that vacation picture.

At Disneyland they have signs: “This is a Good Picture Spot”, so you can get the best commercial image of your trip to fairyland. It’s a perfectly well known geolocation spot. All things follow.

Telcos have moment by moment logs. Weather Reports App have the same logs. Weather apps also know the places you are interested in: locations for family and friends, towns and countries.

Hows the weather in YourTown?

Impossibly Stupid July 28, 2021 11:27 AM

@Etienne

The higher you get in life, the narrower the limits are, and the more privacy you need.

What? That’s not at all why this is a story. It’s a story because he’s chosen to be a bishop (and become a high-ranking one at that), and he’s supposed to be abstaining from all sex, with gay sex being especially sinful to the church. Who really cares if some openly gay hedonistic celebrity is using Grindr everywhere he goes? The issue here is the hypocrisy.

@WhyNot

Why did they need the third party firm to “authenticate” the data?

Because they’re journalists rather than cybersecurity experts. What a strange world you must live in when independent verification of claims makes them more suspicious. Coming out of the gate with that viewpoint already makes me wonder if you’re just trolling here.

I’m not convinced that Grindr data contains enough information to simply look up a person’s physical address and find the unique phone identifier number.

If you assume that’s how it works, you need to improve your investigation skills. The techniques were likely the same as are used by law enforcement: given a few known locations and times of a suspect, find all the phones that were there, correlate that data to narrow down the common IDs, then gather the rest of the location data on those IDs to see if you can further correlate it with the suspects movements.

Grindr’s public statement said they did “not believe” they were the source of the data.

Weasel words. The point is that the usage data was made available somehow. Maybe Grindr uses a third party library or service that gets your location (e.g., ads). Maybe the phone carrier records it when you hit Grindr’s servers. Maybe Grindr or it’s employees is directly selling out their customers, regardless of what their spokesperson was lead to “believe”.

And Burrill was targeted specifically . . . There is more here than the Pillar is stating.

Of course! Would you be equally surprised to find that, for every arrested drug kingpin that makes headlines, there are hundreds or thousands of other lesser criminals that you never hear about? The onus here is on the Catholic church to do more. Call them out for not stopping their sex scandals, not Pillar.

priests who stray

To my understanding, Grindr is not an app for those who simply “stray”.

JonKnowsNothing July 28, 2021 11:34 AM

@All

re: Forensic Data Analysis and Certified Collection Points

Over on Emptywheel, Marcy has a post about the collection of phone data from persons-of-interest, those currently being Jan 6 persons. Lots of interesting legal-wrangling and detailed explanations of what’s happening (or not).

The primary topic focus is the effect of Moxie Marlinspike post exposing vulnerabilities in the interface of Cellebrite, the cell phone extraction program used by FBI. (1)

The interesting part is where the FBI REQUIRES a “stipulation” (preagreement) that “that the exploitation of happened via reliable methods”. This is anything the FBI can get off the phone: digital data, phone information, location, etc.

note: some portions redacted

The stipulation provides, … that: “[t]he [digital] Images [… phone…] are accurate duplicates of the Digital Media and were created using reliable methods” and “[t]he Images of the Digital Media and/or any other copies are ‘admissible [into evidence] to the same extent as the original,’ within the meaning of Federal Rule of Evidence 1003.”

If you want a seized device returned, you have to agree to this:

To be clear: the government is generally making defendants stipulate to the accuracy of forensic reports before returning any devices…

It would appear that if you sign/agree to this you will not be able to challenge any data whatsoever that the government claims came from your device.

Extra Wings for Pegasus?

===

1, It would be odd if the FBI only had one program they used.

ht tps://www.emptywheel.net/2021/07/28/the-cellebrite-wars-moxies-stunt-and-freddies-phone/

note: Be mindful that there may be some “frothing” on certain topics a bit like shaving cream.

(url fractured to prevent autorun)

Scriptor July 28, 2021 3:14 PM

Clive Robinson: with respect, that is an undergraduate level fallacy. Data sets normally have a key precisely because the other fields may not be unique by themselves or in combination. The unique key is what allows data referring to a single identity to be grouped together with certainty. Identifying people from data is a nuanced process, where the more data you have about an entity, the easier it is to link it to other data. Often you can identify someone in practice long before you can prove without a doubt (or before you can identify every person in the data set).

Knowing that someone in the year 300 is called Marcus Aurelius just narrows them down to a sixth of the Roman empire, but if you also know they are a miller in a particular nome you can narrow it down. Marcus Aurelius’ brewer might keep a record of Marcus’ tab under his name because they know which M. Aurelius they mean. The name is not unique in the set of all Romans, but it is unique in the list of customers which the brewer keeps in their head.

R-Squared July 28, 2021 4:58 PM

@ Scriptor

Data sets normally have a key precisely because the other fields may not be unique by themselves or in combination.

I care not for unique keys or UUIDs for data not otherwise distinguishable.

Duplicate observations of the same data points should not be double counted, because this will skew the results with a pernicious observer bias.

SpaceLifeForm July 28, 2021 6:04 PM

@ JonKnowsNothing, Clive

I harped about Metadata on Emptywheel so much, starting years ago, that @bmaz called me Mr. Metadata

I still do not think he gets it.

I would take anything he says with some NaCl.

It may be an Upton Sinclair thing.

SpaceLifeForm July 28, 2021 7:05 PM

@ WhyNot

I’m not convinced that Grindr data contains enough information to simply look up a person’s physical address and find the unique phone identifier number.

Research EXIF.

It is all about cross-correlating Metadata from multiple sources.

JonKnowsNothing July 28, 2021 8:56 PM

@SpaceLifeForm, CMYK, tux, R-Squared, All

re: Exif Meta data

Most of the fields used maybe removed by right clicking the image and selecting properties/advanced…. there is an option to remove personal data.

That mostly affects the camera, lens, focal length and similar data in the file. The geolocation will be wiped if you are lucky.

However, be mindful that just like similar fields on music files, the stuff you see on the playlist, there are editors that will remove or add fields.

If your editor does not recognize ALL the possible fields, you may be lulled into thinking you cleared the info when it’s still just sitting there in plain view by a different editor. You might have to think in non-alphanumeric systems if you really want to cleanse the file.

Also be mindful of the Google/NSA project (already mentioned) to put back all that Exif data you so cleverly removed because they have about a bazillion images of the same place, same location, same time of day, already ID and ready to match whatever you plan on sharing.

Also, you need to wipe any editing you might have done, particularly on the device. Lots of them have build in image editors, which can crop, change color, and have a whole host of image manipulation options. Some editions of the iPhone keep it as a separate file which can just be unwound. Same for other OS provided editors. ReDo and UnDo and Revert to Original.

Then there is the problem for a good number of the Jan6 tag team, they group shared images and comments and videos. They went in all sorts of directions. You might have erased it on your side but their buddies did not and they got the full featured version, which now the FBI also has.

iirc(badly) tl;dr

Long time passing, I got this new smart device. It had some way cool features or they were way cool until a light bulb went off.

One of them was built in face recognition for “friends” and an auto-image-send feature if the device recognized or spotted your friend’s face in any group photo.

All you had to do was ID the mug shot of your friend’s faces once and as everyone shares their group photos with other members of the group…

Shazam!

===

ht tps://en.wikipedia.org/wiki/Gomer_Pyle

(url fractured to prevent autorun)

CMYK July 28, 2021 9:14 PM

I googled exif tools last month, like 9+ instances of what i would’ve classified in the 2000s as … what’s the word?

suspicious?

itemized, enumerated? are the words missing from current threads.

see, they’ve changed the product placement strategies. instead of the products being placed at the store and you having to goto them they have inverted the concept, you are the product and thus by mining quantifying extracting deducing enumerating and itemizing both you and your affections they can accessorize your person.

everything else is just an added bonus, or forgive the term – unexploited idle data.

it’s daft.

btw thanks tux.

lurker July 28, 2021 10:16 PM

@CMYK: Got a recommended EXIF stripping script/tool?

You want everybody’s favorite?

sudo apt-get install exiv2

or you can read the manual first at www[dot]exiv2[dot]org

Clive Robinson July 29, 2021 12:50 AM

@ Scriptor,

with respect, that is an undergraduate level fallacy. Data sets normally have a key precisely because the other fields may not be unique by themselves or in combination.

No data sets “get given keys” by humans for human conveniance.

I realy do not want to trudge through the reaaons behind “in-band” and “out-of-band” data used as “identifiers” not just of sets of data points but individual vectors within such sets.

But if you need a primer on such things have a look at the advantages and disadvantages of “Pascal-v-C Strings” and how it leads to all sorts of serialization issues that consequentky effect data set usage. It should be obvious but as certain professors of physics recently demonstrated not as many people who should know about it do show signs they know about it…

As for “Marcus Aurelius”…

“What’s in a name? That which we call a rose, by any other name would smell as sweet”.

Kelly Kapowski July 29, 2021 1:18 AM

Description:
“Metadata consist of information that characterizes data. Metadata are
used to provide documentation for data products. In essence, metadata
answer who, what, when, where, why, and how about every facet of the
data that are being documented.
.
Metadata within a file can tell a lot about you. Cameras record data
about when a picture was taken and what camera was used. Office
documents like PDF or Office automatically adds author and company
information to documents and spreadsheets.
.
Maybe you don’t want to disclose those information.
.
mat2 only removes metadata from your files, it does not anonymise their
content, nor can it handle watermarking, steganography, or any too
custom metadata field/system.
.
If you really want to be anonymous, use file formats that do not contain
any metadata, or better: use plain-text.
.
Formats supported to some extent are:
– Audio Video Interleave (.avi)
– Electronic Publication (.epub)
– Free Lossless Audio Codec (.flac)
– Graphics Interchange Format (.gif)
– Hypertext Markup Language (.html, .xhtml)
– Portable Network Graphics (PNG)
– JPEG (.jpeg, .jpg, …)
– MPEG Audio (.mp3, .mp2, .mp1, .mpa)
– MPEG-4 (.mp4)
– Office Openxml (.docx, .pptx, .xlsx, …)
– Ogg Vorbis (.ogg)
– Open Document (.odt, .odx, .ods, …)
– Portable Document Fileformat (.pdf)
– Portable Pixmap Format (.ppm)
– Scalable Vector Graphics (.svg)
– Tape ARchive (.tar, .tar.bz2, .tar.gz, .tar.zx)
– Torrent (.torrent)
– Waveform Audio (.wav)
– Windows Media Video (.wmv)
– ZIP (.zip)
.
mat2 provides a command line tool, and graphical user interfaces
via a service menu for Dolphin, the default file manager of KDE, and
an extension for Nautilus, the default file manager of GNOME.”

SQL July 30, 2021 11:32 AM

@Impossibly Stupid

The onus here is on the Catholic church to do more. Call them out for not stopping their sex scandals, not Pillar.

priests who stray

To my understanding, Grindr is not an app for those who simply “stray”.

Well, right, folks like Burrill had been using it for a longer time and probably intended to keep using it. It’s not about some temporary mishap. He may have gotten singled out because of US politics but likely there are many others like that.

Actually, considering what an embarrassment it is (or should be, I would think) for Catholic Church, it surprises me that we do not have people doing this and asking for ransom to keep the revelation out of public knowledge. Unless that already happens and the church has been silently paying them.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.