And a decade before that, Microsoft had published “10 Immutable Laws of Computer Security.” The first law stated simply that “If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore.” By that logic, “your” cell phone is owned by a collective of hundreds or thousands of different entities, some of which—or whom—you don’t even know about. You may have given your phone away to Facebook and Twitter (and Grindr?), but other people may have stolen your phone. In 2014, it was revealed that the National Security Agency was secretly reading and storing data gathered legitimately by the Angry Birds game app. The Guardian recently reported that NSO Group, an Israeli surveillance company, has sold hacking spyware called Pegasus to groups all over the world. Pegasus allows operators to read messages and email, look at photos, record calls, and even surreptitiously listen to microphones. Designed to fight criminals and terrorists, it has been used against human-rights activists, journalists, and lawyers. You wouldn’t even know if someone had pirated a copy and deployed it against you.
Your phone is not your tool. At best, it’s a partner with mixed loyalties; while you use it, it is using you to serve its other masters. This partnership may still be valuable, but that’s a personal decision for each person. In the long run, the bargain may prove Faustian.
What can be done? The obvious solution is to prohibit the collection of unnecessary data. While a cell phone needs to know where I am right now so that I can make and receive calls, there’s no reason that it should remember where I was two hours ago, let alone two years. Weather apps might need to know which city I’m in, but not which bars I frequent or in whose apartment I spend the night. Words With Friends doesn’t need my age, my birthday, my location, my contact list. But while those programs don’t need that information to work, the companies behind them need that information to make money. Remember: once I’ve installed the app, it’s no longer my phone anymore.
Maybe a technical solution would work? Upgrade the phone somehow to prevent apps from collecting data I don’t want them to? Unfortunately, technical solutions are only as good as the programmers, and the bad guys can hire skilled programmers as well. Apple is generally considered a gold standard for security among commercial cell phone providers, but NSO Group (among others) have found ways to easily bypass Apple’s security and extract or install whatever they want. In a privacy arms race, the advantage is always to the attackers, because they only need to be successful once.
If Big Tech can’t solve our problem for us, maybe Big Government can? Many companies have been fined for violating European Union privacy and data access laws. In December 2020, Irish regulators fined Twitter for doing so, but the fine was less than $600,000, barely a slap on the wrist for a major multinational company that made more than a billion dollars in the first quarter of 2021. Furthermore, fines can be assessed only after a violation has occurred and after a lengthy assessment and adjudication process, which allows companies ample opportunity for political lobbying. Fining Grindr five years from now will not restore Burrill’s reputation or give him back his job. Indeed, many of the most egregious privacy violations are completely legal in the United States. Grindr not only collects personal data, but sells it, and it is upfront about the possibility of such sales in its terms of service.
There are no easy solutions, and the hard solution unfortunately falls upon us, the users. We have all been told the platitudes: don’t install software you don’t need. Read the terms of service before you click “agree.” Turn off any information-sharing that isn’t related to your needs. Turn off “location sharing” at the hardware level. And remember Schneier’s dictum: you are the product.
But the harder issue is not just for us as users, but for us as members of society. Burrill was presumably good at his job, or he wouldn’t have held it. Whether he visited gay bars or not is—or should be—irrelevant to whether he can serve the needs of the conference of bishops. Learning that he did visit such bars should not affect our judgment of him as a person or his worth as an employee. If anyone is to be condemned for this act, the obvious candidate is The Pillar, the organization that obtained the data from Grindr, knowing that the people whose data was bought would almost certainly prefer to keep their activities private. Would the staff of The Pillar be happy to share all the intimate details of their personal lives with the world?