Melissa Harris-Perry: I'm Melissa Harris-Perry, and you're listening to The Takeaway. Last month, a Catholic news organization outed a priest as gay. He was forced to resign. Now the publication reportedly used location data collected and sold by an app to reverse identify the priest. What does that mean? Reverse identify. Basically by cross-referencing location data used from this location-based hookup app that the priest was using on his phone, the news organization was able to map the places he visited, which included gay bars and private residences.

Now, this story got attention because of the high-profile nature of the individual involved, but the truth is we're all vulnerable to this kind of reverse identification and the potential consequences are troubling at best and devastating at worst. For more on this, we spoke with Alan Butler, Executive Director and President of the Electronic Privacy Information Center. Alan walked me through the broader significance of the case where the priest was outed.

Alan Butler: What this specific case reveals is the underlying surveillance architecture of the internet, of the mobile apps, and a lot of the really revealing data that's generated and collected and transferred around between different entities about internet users all the time. Fundamentally, what is revealed by this is the fact that there really is not anonymity in any situation where an app or a data broker is collecting precise location information and is disclosing that to a third party.

In many situations, you may use a smartphone app to explicitly signal your location if you're on a map app or if you're trying to check the weather or something else, but it turns out that there's a lot of apps that don't necessarily have anything to do with your location, but that nevertheless track your location data. It's a significant problem in the United States because these business practices have gone essentially unregulated in the US for the last few decades.

Melissa Harris-Perry: Just how much information about us at a very tiny individual identifiable level is available?

Alan Butler: Sure. A lot of the times this analytics data and other big data is discussed in terms of its volume. I think the companies that traffic in this type of information tend to try to mask how individualized and how precise it really is with the fact that they're collecting so much of it. It's almost like, "Well, these are just large datasets. We're just looking at trends. We're just looking at aggregate information."

Well, any data set that contains unique identifiers can be used to correlate different types of data and to ultimately identify individuals as it happened in this particular case. What I mean by that is every device, particular take the example of a mobile smartphone, has a number of unique identifiers associated with it. Some are baked in naturally. Your wireless internet device has an ID baked into it, or your Bluetooth device, if you connect to headphones or other devices has an ID associated with it.

Then your phone itself, many phones have another ID that's associated with the phone called an ad ID that's collected specifically by apps and other entities that are involved in serving, measuring, and analyzing ads on the device. Any data that's collected in connection with that device, let's say the fact that you opened a particular app. In this example, we're talking about the Grindr app. The fact that you opened the use the Grindr app at a particular time, and potentially even a specific place could be collected in connection with that specific ID. Yes, there's a mountain of data, but if all those data points can be connected to specific devices, then that data can be used to build a very detailed profile of the individual that's using that device.

Melissa Harris-Perry: Presumably, the purpose or the main purpose that this information would then be used to build a profile is to sell us things, but so much of what we hear about the privacy question is, "Okay, we're using these algorithms, we're finding this information in order to target to you either the politics or the consumption items that you want most." How does it turn it into not simply this data being sold to people who want to sell us things, which is a bad enough problem, but to those who might be surveilling us in this way.

Alan Butler: I think what's important to understand is that fundamentally surveillance advertising is surveillance-based. Sometimes it's referred to as targeted advertising, it's surveillance advertising. It is surveillance for the purpose of advertising. Anytime you build a surveillance system like that, especially as I said in the United States where we don't have comprehensive privacy and data protection rules that apply to all these services, you create opportunities for further surveillance and abuse. What that means in practical terms is that a company that is collecting all these data about mobile phones is not under current law prohibited except in certain circumstances from selling that data to someone else.

What happened in this specific case we're talking about a priest is that the folks working on the story literally went out and bought all this data and were able to analyze it and reverse trace it and identify the specific individual and what app he had been using and where he had been going. Yes, it can be used by advertisers and it is, but it can be used by anyone else that collects it, including, let's say foreign entities. Or law enforcement or other bounty hunters. There've been plenty of examples over the last years where these data abuses have been uncovered and shown that again when you build a surveillance system, you're facilitating surveillance,

Melissa Harris-Perry: What legislative landscape as you've been talking about it would help to regulate and address these concerns?

Alan Butler: Sure. Well, what's needed in the United States is a comprehensive data protection regime like the one that exists in Europe. There have been attempts in some states over the last few years to erect some rules and some guardrails at the state level. California passed the California Privacy Rights Act last year as a ballot initiative. Previously they passed a piece of legislation, the CCPA that protects individual privacy. California has been upgrading the state-level privacy protections.

In the last year, we've seen Virginia and Colorado both pass laws. We've seen a number of states, including Florida and Maine and Oklahoma and other states consider legislation. What's needed is a comprehensive set of laws that define the rights of individuals, data subjects, and impose obligations and responsibilities on entities that collect and process personal information.

It really needs to be across the board. Historically in the United States, especially at the federal level, what we've had over the last 40 years are these kinds of very narrow sectoral laws that let's say protect privacy in certain contexts in related to health data, that's HIPAA, or related to electronic communications, that's sometimes called ACPA, or the Stored Communications Act, or other very narrow examples like the Video Privacy Protection Act, which protects the video rental records. We have a very stove pipe system in the United States. What's needed is a comprehensive set of rules that applies to all entities.

Melissa Harris-Perry: What can ordinary folks who are using apps right now do to begin to help to protect themselves before this legislation is actually part of our landscape?

Alan Butler: With respect to some of these business practices, there's really not much the individual users can do. Apps do increasingly have their own built-in privacy settings that do actually provide some controls for what data is collected or how that data is used. Some of the app platforms like Apple's operating system do provide built-in controls as well that can help. For example, that ad ID that I mentioned, which has a unique identifier that is used for advertising, Apple's mobile operating system actually allows you in the privacy settings to turn that off to essentially zero it out. That piece of data cannot actually be collected about you. There's also newer features that allow you to similarly scramble essentially the IDs associated with your Bluetooth signals or Wi-Fi signals.

Melissa Harris-Perry: Alan Butler is the Executive Director of the Electronic Privacy Information Center. Alan, thank you so much for joining us.

Alan Butler: Thanks for having me.

Copyright © 2021 New York Public Radio. All rights reserved. Visit our website terms of use at www.wnyc.org for further information.

New York Public Radio transcripts are created on a rush deadline, often by contractors. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of New York Public Radio’s programming is the audio record.