The pastoral questions raised (but not answered) in The Pillar’s exposé of a USCCB official
On the morning of July 20, Msgr. Jeffrey Burrill resigned as the general secretary of the U.S. Conference of Catholic Bishops only hours before an article was published that afternoon by The Pillar revealing a pattern of usage of a “location-based hookup app” in violation of his commitment to clerical celibacy. The Pillar, an online newsletter and associated website covering the Catholic church, discovered this pattern, it said, through analysis of “commercially available” datasets of mobile phone location and app activity. The revelations in The Pillar’s article clearly require a response from those with pastoral authority in the church. Unfortunately, the methods they have used and the opacity around them work against a healthy pastoral response even as they demand one.
The immediate responses to The Pillar’s story on Tuesday quickly bifurcated into reactions to the reported moral failures themselves and concerns about the methods used to report on them.
Monsignor Burrill’s apparent moral failures are clear enough: first, a failure to maintain celibate chastity; second, a pattern of deception necessary to conceal that failure over years; and third, the hypocrisy of being in a position with responsibility, at the U.S.C.C.B., for addressing the sexual abuse scandal in the church (including the scandal of former Cardinal McCarrick’s decades-long pattern of deception), while he himself was not living with integrity. While Monsignor Burrill has not spoken himself, the conference’s statement said he resigned “to avoid becoming a distraction to the operations and ongoing work” of the conference. Neither he nor the conference has thus far cast doubt on the accuracy of The Pillar’s analysis nor attempted to excuse the behavior they documented.
Is it appropriate for a Catholic media outlet to take steps to de-anonymize data in order to publicly reveal the sins of another?
There are several levels of concern about the methods used in The Pillar’s reporting. The first is about both journalistic ethics and Catholic morals: Is it appropriate for a Catholic media outlet to take steps to de-anonymize data in order to publicly reveal the sins of another? The Pillar’s account does not allege any official misconduct in office by Monsignor Burrill, beyond his betrayal of his promise of celibacy as a priest. One commentator has argued that the report amounts less to an investigation than to innuendo, particularly because immediately after a single sentence acknowledging that there is no evidence to suggest that Monsignor Burrill had any contact with minors, fully one third of the article is devoted to explaining how hookup apps can be connected to abuse of minors. (J.D. Flynn of The Pillar, in a tweet the day after the article was published, reiterated both that they did not wish to insinuate that Monsignor Burrill had contacted minors on the app and also that “location-based hookup apps pose risks of both intentional and unintentional exploitation and abuse of minors.”)
Others have pointed out that The Pillar, by using data mining to expose a public figure’s sexual misbehavior, has crossed a line that secular journalists have thus far not crossed. And because The Pillar continued with plans to publish even after Monsignor Burrill had resigned his office and with no more than speculation about whether or not his sins had been connected to any further misconduct or corruption, some have argued that The Pillar has itself committed the sin of detraction by unnecessarily publicly disclosing the failings of another.
How did The Pillar identify Burrill?
But beyond the ethical question of whether or not such a piece should have been published, there are also a number of methodological questions about how the data analysis itself was conducted, and how that analysis led to Monsignor Burrill specifically. (The Pillar declined a request for an interview to discuss the methods used in their reporting of this story.)
In their published article, The Pillar said that they obtained “commercially available records of app signal data” and that their analysis correlated that data with Monsignor Burrill’s mobile device. That correlation was established by connecting a supposedly anonymous device identifier in the dataset with times and locations that presumably uniquely identify Monsignor Burrill. The Pillar’s report says they used locations like the U.S.C.C.B. offices and staff residence, a lake house and residences belonging to Monsignor Burrill’s family, and a Wisconsin apartment in his hometown at which he has been listed as a resident.
In a tweet posted the day after the article appeared, J. D. Flynn, one of The Pillar’s co-founders, explained that they analyzed the dataset they obtained “to identify patterns and trends in the context of the Catholic Church” and discovered, during that analysis, “an obvious correlation between hookup app usage and a high-ranking public figure.” But that simply leads to the questions: What made the correlation “obvious”? In what specific ways was it being looked for?
There are, indeed, commercially available datasets of cellphone location data. One such dataset is marketed as containing 59.4 billion monthly pings covering 275 million monthly active users. But how do you go about extracting a single needle, correlated to one priest’s smartphone, out of such a potentially enormous haystack?
But how do you go about extracting a single needle, correlated to one priest’s smartphone, out of such a potentially enormous haystack?
Some caveats are in order for the following discussion. I have no way of knowing what specific dataset The Pillar obtained; since they have not disclosed it, neither do I know the specific methodology they used. I am also not specifically an expert on location datasets. But before I became a Jesuit, I was a software engineer, and I now manage America’s technology, which includes doing some analysis on large datasets of website analytics. So as a reasonably competent technologist, I can tell you the two ways that I would think of to go looking for a needle, if I were handed such a dataset and tasked with finding it—and if I were not stopped by the ethical concerns about doing so.
To understand the shape of the problem, start by thinking of those old Family Circus comics where a dotted line tracks one of the kids roaming the neighborhood throughout the day. These datasets are like millions of those dotted lines, tracking us not only for days but years, all overlaid on each other—and with the power of cloud computing to instantly filter through them and extract one or more lines to focus on in detail.
Here’s how that actually works. The dataset is like a giant spreadsheet—billions of rows consisting of “location pings.” Each row is a bundle of data, minimally including: an “anonymized” device identifier uniquely identifying a particular phone, some reference to indicate which app sent the location ping, a timestamp for the ping, and the location from which it was sent. If you filter that dataset to focus on a single device identifier, then what you have is a series of points, a single dotted line, showing where that phone has been over time. If that line is a close match to the known whereabouts of a person at those times, you can make a pretty solid inference that this device identifier belongs to that person’s phone. A New York Times report on this kind of dataset from 2019 said that even though no directly personally identifiable information is included in the dataset, “it’s child’s play to connect real names to the dots that appear on the maps.”
But you still have to pick one line out of the pile to start identifying it. There are two basic ways to start. You can either start with some names—proposed targets for investigation—and try to find the devices belonging to them by using their known addresses and travel patterns, then follow their dotted lines to look at where else they’ve been. Or you can start with some significant locations and look at all the dotted lines going through those dots. Then, when you find a line that’s doing something or going somewhere it shouldn’t, you look at its consistent patterns of travel to connect that device to some specific person.
Questions raised by The Pillar’s data mining
The challenge for the church—and the problem with The Pillar’s approach to reporting this story—is that either starting point for analysis, whether from names to locations or from locations to names, raises many more questions, none of which have been answered in the initial coverage. I hope that the off-the-record communications The Pillar has had with the bishops’ conference have addressed these questions more than their published work has, but even if they have, the rest of the church, having been exposed to this public scandal, deserves the answers as well. In their absence, what the church is left with is the specter of effectively unlimited retroactive surveillance, deployed under private direction at The Pillar’s discretion for the purpose of policing failures in celibacy through the threat of public disclosure.
What the church is left with is the specter of effectively unlimited retroactive surveillance, deployed under private direction for the purpose of policing failures in celibacy through the threat of public disclosure.
If the data analysis started with Monsignor Burrill’s name and went looking for his phone in the dataset, then the next questions are: Why was Monsignor Burrill targeted? Did The Pillar receive a tip about him? And if so, did the tip allege some kind of misconduct related to his office (which The Pillar’s reporting did not find), or was it solely a tip about his failures in regard to celibacy? If someone is concerned about misconduct by a high-ranking U.S.C.C.B. staffer and they have no other recourse than an anonymous tip to journalists, that is a problem the church needs to address.
Or did The Pillar (or whatever source supplied the dataset) have a list of names of important church leaders that they worked through, identifying them by location patterns and then checking to see if they used any problematic apps? If so, how long is that list and how far down it did they have to go before finding a problem worth reporting on? Is Monsignor Burrill’s pattern of failure at celibacy broadly common among high-ranking churchmen, or did the data analysis effort have to correlate locations to phones for hundreds of priests and bishops before finding one whose indiscretions were obvious? Those two possibilities would suggest very different kinds of problems for the church to respond to.
The other approach, rather than starting with names, would be to start the analysis with a set of locations. Such an approach might use the locations of rectories, seminaries, chanceries and other church offices, and then filter the dataset to look for location pings from hookup apps in those locations. Once phones using those apps are correlated to a church-related location, then someone could go look at those phones’ movements over time to try to correlate a phone with a hookup app to a name based on matching to known addresses and travel patterns.
It seems slightly more likely that The Pillar started with locations and then worked backward to names, for two reasons. First, the language in Mr. Flynn’s tweet about “discover[ing] an obvious correlation between hookup app usage and a high-ranking public figure” implies that they were looking at pings related to specific apps before they started connecting pings to names.
Second, on July 19, one day before The Pillar’s piece was published, Catholic News Agency published a story revealing that they had been approached in 2018 by a party who claimed to have technology “capable of identifying clergy and others who download popular ‘hook-up’ apps.” The Pillar’s founders, J. D. Flynn and Ed Condon, previously worked for C.N.A.; Mr. Flynn served as editor in chief from 2017 to 2020. If there is a connection between the method used by The Pillar and the proposal made to C.N.A. back in 2018, then the broader focus of that proposal on “identifying clergy and others who download popular ‘hook-up’ apps” also suggests that the method starts at apps rather than with names. (The Pillar declined to comment on whether their present method was connected to the proposal C.N.A. referenced.)
In this locations-to-names approach, some of the further questions are similar to those regarding possible lists of names. How large were the lists of locations, and how were they developed? How prevalent were problematic patterns at those locations? Is Monsignor Burrill’s phone one among many devices for which such a pattern was detected, or was he one of a vanishingly small number of cases? Additionally, given that a location-based approach would probably start by filtering for pings from hookup apps, what list of apps was used, and what app data was included in the dataset? Monsignor Burrill’s identity was correlated with pings from Grindr, an app primarily used by gay men, and his presumed failures at celibacy were substantiated by tracking his phone’s location to gay bars and a gay bathouse in Las Vegas. Did The Pillar’s analysis also look for location pings from straight dating and hookup apps? Were pings from such apps even included in the dataset they used, or was their analysis, either by limitations of design or of available data, destined from the start to focus on failures of celibacy in relation to same-sex activity? Since the question of whether homosexuality is connected to sexual abuse is a matter for routine—and often quite poorly informed—debate in the church, this answer matters deeply for how the church should understand and respond to The Pillar’s reporting.
Finally, even if the specific methods used to de-anonymize the location data to point to Monsignor Burrill were sufficiently explained to allow the church to understand this scandal and pattern of sin more fully, there are still questions about how and by whom the data was obtained and analyzed. The C.N.A. article about the 2018 proposal of a similar method describes the person who approached them as “concerned with reforming the Catholic clergy.” Alejandro Bermudez of C.N.A. said in response to an emailed question that he was unable to remember the name of the person who made the proposal to them, and that he had immediately rejected the offering as contrary to their journalistic principles. The article from The Pillar neither attributes their method and data to an outside source nor clearly establishes it as originating solely from them. (The Pillar declined to comment on the source of or funding for their dataset.) They say “the data was obtained from a data vendor and authenticated by an independent data consulting firm contracted by The Pillar.”
The 2019 New York Times article on phone location databases reported that the companies selling such data “say the data is shared only with vetted partners.” Most commercially available datasets are made available for purposes such as advertising and consumer profiling. Given that it is far outside normal journalistic practice to obtain and de-anonymize data in order to reveal individual moral failings, greater transparency about such questionable methods is necessary. What data vendor sold the dataset? Did they know they were selling it to The Pillar and for use in publicly identifying individuals? And given that obtaining and analyzing such datasets can be quite expensive, who funded the acquisition and analysis of this data? If someone, as C.N.A. reported, has developed and is offering to some journalists a technological method for identifying, out of interest in church reform, some members of the clergy who are failing to live celibately, why are they opting to remain anonymous? There may be good reasons for anonymity, but it is best practice for journalists to describe in such cases why anonymity is being protected.
Challenges to rebuilding trust within the church
It seems clear that Monsignor Burrill was failing to live his commitment to celibacy with full integrity. Because of his position of trust and authority, that failure is not just personal but injures the church. But his sin has been revealed not because it came to light through injury done to another but rather because journalists used a dataset to retroactively track his movements and chose to publish their exposé even after he had resigned his office. That neither excuses his sexual sin nor his breach of the trust the church placed in him as a leader. Both require repentance and reconciliation.
But it is also a breach of trust in the life of the church to know that unnamed parties are approaching Catholic journalists offering to assist them in the technological surveillance of the clergy. It also weakens trust in the life of the church to learn that any and all users of smartphones have effectively already been tailed for years by the world’s most thorough private investigator, at least if someone has the funds and expertise to find an individual through data mining. It also injures trust in the life of the church to have leaders cast down—and widely vilified on social media—without knowing why or how their secret sin was targeted for revelation, how broad a net was cast or how widespread their pattern of sin was. All of these are injuries to ecclesial trust that are in The Pillar’s power to remedy by a full and frank disclosure of their methods and sources and a clear statement about whether and how they intend to continue to use such methods, both looking back and going forward.
The reason to apply that remedy is not so that members of the clergy can go back to feeling false security in hidden violations of their commitment to celibate chastity, nor so that such discussions can be swept back under the rug. Rather, that remedy is necessary because in order to support one another within the communion of the church, we need to trust that vigilance about sin is pastoral and medicinal, not only a means to apply public pressure. At present, the journalistic method The Pillar is employing can spark outrage and disgust at the hidden sins of those with authority in the church, but it cannot heal those wounds. Presumably the hope is that being forced to see these sins more clearly will push the church to reform—but if so, then fuller transparency about how they are going about uncovering these sins would help such reform even more.
Read more from America: