In Response To A Small Blog’s Homophobic Witch Hunt To Out A Gay Priest

Note: There are 22 linked sources in this response. For convenience, we have also listed them separately at the end of our response.

A small, conservative Catholic-focused blog released a story last week that revealed an unethical witch hunt to out a US priest for being gay, in part because he appears to have used Grindr.

The whole situation is ugly. We agree with how the incident is characterized in an editorial from Washington Post, describing the blog’s work as “unethical homophobic innuendo.” The number of ethical, moral, and legal lines the bloggers brazenly crossed in their work is astounding. All this to out a member of the clergy as gay. As UpWorthy writes on the matter, “It's a shame that Catholics such as [the target] are forced by doctrine to live their lives in the shadows.”

America: A Jesuits Review spoke with a data analytics firm that calls the data used in the blog’s investigation “alarming” and “unusually comprehensive,” going well beyond what is “available to advertising firms.” The data analytics firm estimates that the “database and deanonymization efforts” used would have “run into the hundreds of thousands if not millions of dollars.”

Our Investigation

When we learned of the blog post last week, we started an investigation into the incident. We assembled a group of industry experts to assist our investigation. The first step is to try to determine what actually occurred, which is difficult as the bloggers themselves have provided vague and incomplete descriptions of their work.

What is clear is that this work involved much more than just a small blog. We get confirmation of this in two places. First, the Catholic News Agency (CNA) reported that a group motivated by “Church reform” approached them back in 2018 to peddle a surveillance method that promised to uncover church members who used “hook-up apps such as Grindr and Tinder.” We also learn that the authors of the blog worked for CNA at this time. In rejecting the offer to these “reformers,” CNA says “it is hard to make the case that [the information] was acquired in a completely legal and moral manner.”

Next, the bloggers confirm their data set comes from another group in a subsequent podcast. They say an outside party, as with the CNA, approached them with a broad data set that would let them link dating app use to priests’ phones.

We do not believe Grindr to be the source of the data, nor do we think the evidence we have seen suggests this is the case. Grindr does not sell data about its users to anyone. The contracts with our ad partners carry strong restrictions on the information we provide them such as prohibitions on attempts to reverse engineer user identity and selling or transferring our data to another entity, and they detail for which purposes our data is permitted to be used within their systems. We regularly audit these partners to ensure they are in compliance with our data protection agreements.

We get a few other clues to help guide our investigation in the CNA article. Both CNA and the bloggers say the group that approached them promised their system would expose priests on “hookup apps like Grindr or Tinder,” so whatever their method, it seems to work on more than just Grindr. Next, consider this strange sentence from the blog: “The mobile device correlated to [the target] emitted hookup app signals.” To us, this suggests the data set is at a network level (ie, mobile carrier, ISP, or WiFi network). The bloggers have resisted repeated requests to be more forthcoming about the source of their data, so we cannot yet exclude other potential sources.

Currently, we are focusing on three potential sources:

Network providers: Data that may have come from network providers (mobile carriers, ISPs, or WiFi owners). It is known that carriers had sold information like this during the period of time covered by the bloggers' work. More on that here, here, and here.
Location data brokers: This is a tricky space, in particular, one company called X-Mode was identified to be selling user location data gathered from developers who accepted money to provide X-Mode user location while on their apps. Grindr has never partnered with X-Mode or any of its competitors. There is potential these brokers might link to data from source 1.
Ad networks: It is possible that one of our former or current partners, or one of their downstream ad partners, knowingly or unknowingly is the source of the data involved. We will investigate this possibility (potentially related to source 2) and pursue those who have violated our agreements.

In scenario 1, Grindr encrypts our app’s network communications. As a result, network providers cannot see what a user is doing on our app. They would not have access to our location data or other user activity on the app at this level. The network providers have their own access to location data from the user’s device and can see that our app is running and when it is using their network. There are ways we try to make this harder, but neither Grindr nor other developers can stop this. We are not aware of any terms of service to which a consumer has agreed that would allow this data to be sold by any of these network providers, and today all US carriers say they have stopped this practice.

Scenario 2 includes an interesting twist, as one of X-Mode’s biggest customers is the US government, via the military and other organizations. When X-Mode’s practices were exposed in 2020, both Apple and Google banned apps from providing them data in December 2020, though to this day some apps in the Google Play Store are still shown to be sending data to X-Mode. X-Mode (or any competitor) does not have access to Grindr data directly. But X-Mode says they employ other, less reliable methods to collect location information for their system. One method in particular called “bid-stream data” could be involved, but even X-Mode’s CEO admits this method yields low-quality geo data, particularly bad for uses such as tracking a specific device over a period of time.

Scenario 3 would involve a current or former ad partner, or one of their downstream ad partners, as the source of data. An outside party may have used methods prohibited by Grindr and our partners to collect data, similar to the “bid-stream” method described in scenario 2. In 2020, we reviewed all our ad partnerships and terminated those in which we were not comfortable a partner was taking enough precautions to meet our standards for privacy and data protection. But there is another issue with this source. The group behind the system said it worked for “hookup apps like Tinder or Grindr”. The chances of a common ad platform between Tinder and Grindr is low.

Aggressive Steps

Back in April 2020, Grindr took the aggressive step to stop sharing age, gender, or location information with any of our ad partners. We did this out of an abundance of caution rather than in response to a specific incident. We also do not share any information users put in their profiles with ad partners. None. This leaves almost no data for 3rd parties to use in ad targeting on Grindr, and, as a result, our third party ads are very untargeted. The other result of this change from 2020, is that going forward the risks in scenarios 2 and 3 are massively mitigated, as none of the ad bidding process includes location data from Grindr.

To put our decision to reduce ad targeting data in the proper context, we want to give you a comparison to a big player in the industry. Facebook announced this week that it will begin to limit advertising targeting for underage users on its properties to only: age, gender and location. The NY Times recognizes this change from Facebook as an effort to “protect teenagers,” suggesting it is in response to criticism the company had not done enough to “prevent underage users from sexual predators and bullying.” Those three data points about underage users, you will notice, are the exact ones Grindr stopped sharing more than a year ago, and our app is exclusively 18+.

One reason we can be aggressive in limiting ad targeting at Grindr is that our primary source of revenue isn’t ads. Our dominant source of revenue and growth is premium subscriptions. This makes it easier for us to cut back almost to nothing on data for ad targeting, to reduce the number of partners, and to reduce the total number of ads significantly over the past year. We will continue to reduce the ads we show to our users throughout 2021, letting us focus more on the quality of the user experience. You may have read many allegations about Grindr and ad data. Much of it is false. To learn more about our work on ads and privacy, check out this article from our Chief Privacy Officer: Ads on Grindr: Setting the Record Str8.

Propagating Hateful Stereotypes

Back to the bloggers. If their post stopped at outing their target, it would be terrible, but they aren’t done and things move from ugly to really warped, revealing their deeper agenda. Moving from their “unethical, homophobic” work to out a priest, they next begin an attempt to directly connect dating apps to pedophilia. LGBTQ Nation noted this bizarre jump and says, “The [blog] even quotes a Catholic seminary professor who said that using Grindr is ‘only a step away from sexual predation.’ The bloggers propagate hateful stereotypes of gay and bi men as rapists and child molesters.” After making this ridiculous connection, they pause for an inconvenient admission: despite the extent of their multi-year investigation, the bloggers uncovered “no evidence to suggest that [the target] was in contact with minors.” None.

Grindr For Equality

At Grindr, keeping our users safe is not just a technical or legal issue. LGBTQ+ people continue to face violence and discrimination simply for being who they are and loving who they love. To forward the cause of LGBTQ justice, in 2012 we established Grindr For Equality (G4E). G4E is led by Jack Harrison-Quintana, an unequaled expert in these issues who has spent over a decade fighting for the safety, health, and human rights of the community all over the world.

Grindr for Equality leverages the company’s resources and global reach to support LGBTQ activists doing work in their local communities. By bridging the gap between Grindr users and advocacy organizations, G4E has fought community outbreaks from HIV to meningitis to COVID-19; it has mobilized users in the fight for global equality; and it has supported groundbreaking initiatives to find new ways to push the community forward. Working with our team, G4E provides online safety resources in more than twenty languages and sexual health information in more than fifty languages.

The world has learned that when a small group of motivated ideologues are involved, it is difficult to protect anyone against all threats. Even so, we at Grindr are fully committed to protecting our users both in our platform and through our advocacy work. We will continue with our investigation to uncover what actually occurred in this case, and we are eager to determine if we can improve how we protect our users. We will report back with an update soon.

We would love your help. If you have more information about systems or methods used by these bloggers, please contact us here. If you have information on any potential security vulnerability in our service or app, please let us know here on our HackerOne bug-bounty page. Lastly, I want to thank the millions of people who use Grindr every day to find connections, friendships, and love. All of us at Grindr are dedicated to supporting and promoting the LGBTQ+ community.