Location-based apps pose security risk for Holy See

News: Vatican

The use of location-based hookup apps by officials or employees of Church institutions could present serious security problems for the Church, even at the level of the Holy See’s diplomatic and international relations.

The use of such apps within the Vatican City State could be a point of vulnerability in the Holy See’s efforts to defend itself from cyberattacks and other intelligence-gathering exercises in recent years.

Share The Pillar

Analysis of commercially available signal data obtained by The Pillar, which was legally obtained and whose authenticity The Pillar has confirmed, shows that during a period of 26 weeks in 2018, at least 32 mobile devices emitted serially occurring hookup or dating app data signals from secured areas and buildings of the Vatican ordinarily inaccessible to tourists and pilgrims. 

At least 16 mobile devices emitted signals from the hookup app Grindr on at least four days between March to October 2018 within the non-public areas of the Vatican City State, while 16 other devices showed use of other location-based hookup or dating apps, both heterosexual and homosexual, on four or more days in the same time period.

The data set assessed by The Pillar is commercially available and contains location and usage information which users consent to be collected and commercialized as a condition of using the app.

Extensive location-based hookup or dating app usage is evident within the walls of Vatican City, in restricted areas of St. Peter’s Basilica, inside Vatican City government and Holy See’s administration buildings including those used by the Vatican’s diplomatic staff, in residential buildings, and in the Vatican Gardens, both during daytime hours and overnight.  

Signals emitted from most of the Vatican’s extraterritorial buildings, which house the offices of several key Curial departments were excluded from analysis because of the proximity of tourists, pilgrims, and the general public to those buildings on a daily basis.

Share

The use of any hookup app within the Vatican City State’s secured areas could pose a security risk for the Holy See. And use of the Grindr app among Vatican residents and officials and within the non-public areas of Vatican City State could present a particular diplomatic security risk for the Holy See in its dealings with China.  

The company was launched in California, but acquired by the Chinese gaming firm Beijing Kunlun Tech in 2016 for $93 million. 

While it was under Chinese ownership, the U.S. Committee on Foreign Investment in the United States (CFIUS) deemed the app’s ownership a national security risk, over concerns that data from the app’s some 27 million users could be accessed by the Chinese government and used for blackmail.

The app was sold in 2020 to a company based in the United States for a reported $608 million, at the demand of the U.S. government.

While it was still under Chinese ownership, Grindr allowed third-party engineers access to the personal data of millions of U.S.-based users, including their personal details and HIV status, according to media reports last year.

Because Chinese law requires tech companies to provide access to national intelligence-gathering agencies, app data could be available to the Chinese government. Under intelligence and cybersecurity laws, Kunlun Tech could have been compelled to turn over the data from company servers to the Chinese government for any reason pertaining to “national security,” experts have warned.

That data could include user details, private messages exchanged between users, and evidence of sexual liaisons arranged between users.

Grindr has said that the company has “never disclosed any user data (regardless of citizenship) to the Chinese government nor do we intend to.” But one former Grindr employee told Los Angeles magazine in 2019 that “there’s no world in which the People’s Republic of China is like, ‘Oh, yes, a Chinese billionaire is going to make all this money in the American market with all of this valuable data and not give it to us.’”

China-watchers warn that the country’s government is proactive and formidable in its online-surveillance and intelligence gathering.

“There is a rampant, habitual collection of and interception of internet communication and social media communications. Members of Congress were hacked,” Nina Shea, a former commissioner on the United States Commission on International Religious Freedom, told The Pillar last week.

Shea, who also served as a U.S. delegate to the United Nations' Commission on Human Rights, told The Pillar that “since the Vatican doesn't have a military component, the Chinese are tracking their religious ideas, spying on local Church figures in order to keep them in line. Blackmail is certainly one of the cards they have that they would have no compunction in using.”

“In terms of their engagement with the Vatican, I can understand well how they've targeted the Holy See through cyber attacks and everything else, and also the local church in Hong Kong and everything in the run up to the new Vatican-China deal,” Shea added.

Share The Pillar

In 2018, the Holy See agreed to a two-year provisional deal with the Chinese government, granting Beijing a role in the selection and vetting of candidates for episcopal appointment in Chinese dioceses. That deal, which was renewed in 2020, has been criticized for appearing to lend Vatican approval to efforts that force Catholic clergy in the country to acknowledge the Chinese Communist Party as the legitimate authority over Church affairs in China.

Since the deal was signed, China has come under growing international criticism for the mass imprisonment of more than one million Uighurs in Xinjiang Autonomous Region, where reports of systematic torture, sterilization, forced abortions, and ethnic cleansing have become frequent.

China has also moved to crack down on the exercise of civil liberties in Hong Kong, arresting several prominent Catholic pro-democracy activists and forcing the local diocese to issue warnings to Catholic priests and teachers to ensure sufficiently patriotic content in homilies and classrooms.

In recent years, the Holy See has been the target of several cyber-espionage attacks appearing to originate in China and apparently linked to China’s diplomatic negotiations with the Vatican.

In the months before the renewal of the Vatican-China deal in 2020, the cybersecurity media outlet Recorded Future reported that both the Vatican and the Diocese of Hong Kong had been targeted for hacks by RedDelta, a Chinese-state sponsored hacking organization. Other suspected network intrusions were identified at the Hong Kong Study Mission to China and the Pontifical Institute for Foreign Missions in Italy.

Internal data from Grindr users’ accounts could include personal details, including mobile device identifiers, as well as access to private messages sent across the app. Because the app’s primary function is to facilitate hookups (casual sexual encounters), the Grindr app plots users’ locations and flags other users nearby, creating a map of nearby users.

But the use of Grindr is not the only potential security threat for the Holy See.

The data analyzed by The Pillar also showed more than a dozen devices with patterns of use for other location-based apps within the secure sections of the Vatican, with Badoo and Skout the most common apps identified. Both apps use the device’s location to connect them with other individuals nearby to meet.

Skout allows children under 17 to set up accounts on the app, although with limited functionality, and has been flagged in some reports for the ease with which minors can circumvent restrictions.

Badoo is registered in Cyprus and the U.K. and was created by a Russian developer in 2006. It boasts more than 40 million users worldwide and has been repeatedly flagged as a data security risk for users. While the company claims it has tightened its security, a 2019 report found that downloading the app granted access to more than 90% of a user’s phone or device data.

In 2015, Ashley Madison, an online hookup service explicitly catering to those looking to commit adultery, was hacked and its user data stolen. Much of the data was put online, and several account holders reported receiving blackmail threats demanding payment in Bitcoin.

While actual personal data could be used to blackmail, coerce, or extort app users within the Vatican, selective use of such data could also be misrepresented to extort senior officials who are actually unconnected with location-based apps, if they live in a residence at which a guest or fellow resident has used frequently a hookup or dating app.

Selective presentation or framing of app signal data could present a blackmail or extortion risk even to cardinals in the run-up to a future conclave.

The Pillar met for more than 90 minutes with both Cardinal Pietro Parolin, Vatican Secretary of State, along with Dr. Paolo Ruffini, prefect of the Vatican’s dicastery for communications, to present its findings July 17. The meeting’s discussion was agreed by all parties to be mutually confidential, but the fact of the meeting was not itself off-the-record. 

After the meeting’s conclusion, Ruffini requested questions from The Pillar, which he said he would submit to Parolin for a response, and asked for a week for the formulation of a response, to which The Pillar agreed. 

On July 18, the day after its meeting with Parolin and Ruffini, The Pillar was informed that a meeting with senior USCCB officials scheduled for Monday, July 19, had been cancelled. The Pillar was asked to submit written questions instead. Overnight between Sunday and Monday, one Catholic media outlet reported the possibility of forthcoming media reports on the issue of app signal data. 

Late Sunday night, The Pillar submitted written questions to the USCCB at the conference’s request, and was then asked to extend an initial Monday deadline for response until the following day, which it did. On Tuesday, USCCB officials offered to schedule a meeting with The Pillar in the afternoon, to which The Pillar agreed. En route to that meeting, The Pillar learned from media reports that USCCB General Secretary Msgr. Jeffrey Burrill had resigned in response to “impending media reports alleging possible improper behavior.”

On July 23, Ruffini told The Pillar that “we have examined the questions you have posed to His Eminence the Secretary of State following on your meeting of 17 July. At this point, also in the light of what happened in recent days, I can say that no statement will be provided.”

Vatican City State policy does not presently prohibit employees or residents from the use of location-based hookup apps, even within secured locations connected to diplomatic responsibilities, Vatican officials have told The Pillar.

Editor’s note: Beijing Kunlun agreed to sell Grindr in 2020. This report initially identified incorrectly the year of that sale as 2018. The report has been corrected.