Grindr faces probe over ‘data protection law breaches’ after leaking users’ private info
Grindr could face a probe under European data laws – after it emerged that data on users’ HIV statuses is being disclosed to third parties.
It was revealed this weekend that a massive amount of user data from the gay hook-up app, including the stated HIV status of users, was shared with two private companies that help “optimise” apps, Localytics and Apptimize.
Cybersecurity experts also alleged that the dating app was sending advertisers its users’ precise GPS position, sexuality, relationship status, ethnicity, phone ID, and even their ‘tribe’ – an identifier of sexual identity such as ‘twink’ or ‘daddy’ or ‘leather’ -in a plaintext format that could be easily hacked and stolen.
The Norwegian Consumer Council Forbrukerrådet has since said it filing a complaint against the app “for breaching data protection law” off the back of the investigation by Norwegian research group SINTEF.
The NCC sent a letter to the Norwegian Data Protection Authority calling for a probe.
It said: “Information about sexual orientation and health status are sensitive personal data according to European legislation.
“Grindr processes sensitive personal data, such as HIV-status, sexual orientation, and sexual preferences. The Consumer Council find it disconcerting that users of the Grindr service are at risk of losing control over personal data regarding their sexual preferences and HIV-status.”
It also queried Grindr’s claims that data relating to European users was in fact subject to US law, which includes much weaker protections.
It said: “European users of the app have the right to have their personal data protected according to European law.
“The Consumer Council cannot see that Grindr is registered under the trans-Atlantic data transfer agreement Privacy Shield, which is meant to ensure that personal data that is transferred to the United States is protected in line with European data protection law.
“The Consumer Council see this as a cause for concern regarding whether the privacy rights of European Grindr users are sufficiently respected.”
Noting allegations that data about users’ sexual identity is shared in plaintext, it added: “If the user enters information about sexual orientation, sexual preferences, and tribe (for example trans, leather, and bear), this is shared in unencrypted form.”
It continued: “In the view of the Consumer Council, this does not fulfill the conditions of sufficient information security.
“When Grindr transmits sensitive personal data to third parties, who could use this information for advertising purposes, this is outside of the scope of the original purpose of the data collection, which is to offer a social networking service.
“This is in breach of the principle of purpose limitation, and to our knowledge Grindr does not sufficiently ask for consent to this further purpose.
“In the view of the Consumer Council, this is in breach of Norwegian and European data protection law.”
LGBT campaigners have voiced fury after the news came to light but the app – recently acquired by a Chinese conglomerate – has refused to apologise.
The app’s chief security officer Bryce Case told BuzzFeed that while he would “not admit fault”, the company would stop sharing the data “based on the reaction — a misunderstanding of technology — to allay people’s fears”.
In a statement to PinkNews, Grindr CTO Scott Chen said: “As a company that serves the LGBTQ community, we understand the sensitivities around HIV status disclosure. Our goal is and always has been to support the health and safety of our users worldwide.
“Recently, Grindr’s industry standard use of third party partners including Apptimize and Localytics, two highly-regarded software vendors, to test and validate the way we roll out our platform has drawn concern over the way we share user data.
“In an effort to clear any misinformation we feel it necessary to state:
“1. Grindr has never, nor will we ever sell personally identifiable user information – especially information regarding HIV status or last test date – to third parties or advertisers.
“2. As an industry standard practice, Grindr does work with highly-regarded vendors to test and optimize how we roll out our platform. These vendors are under strict contractual terms that provide for the highest level of confidentiality, data security, and user privacy.
“3. When working with these platforms, we restrict information shared except as necessary or appropriate. Sometimes this data may include location data or data from HIV status fields as these are features within Grindr, however, this information is always transmitted securely with encryption, and there are data retention policies in place to further protect our users’ privacy from disclosure.
He added: “As an industry leader and champion for the LGBTQ community, Grindr, recognizes that a person’s HIV status can be highly stigmatized but after consulting several international health organizations and our Grindr For Equality team, Grindr determined with community feedback it would be beneficial for the health and well-being of our community to give users the option to publish, at their discretion, the user’s HIV Status and their Last Tested Date. It is up to each user to determine what, if anything, to share about themselves in their profile.
“The inclusion of HIV status information within our platform is always regarded carefully with our users’ privacy in mind, but like any other mobile app company, we too must operate with industry standard practices to help make sure Grindr continues to improve for our community.
“We assure everyone that we are always examining our processes around privacy, security and data sharing with third parties, and always looking for additional measures that go above and beyond industry best practices to help maintain our users’ right to privacy.”
Bryan Dunn, VP of Product at Localytics added: “Localytics is an app marketing platform that provides messaging and analytics tools to large enterprise companies. The information customers choose to send is stored and processed in our production systems, which meet industry security standards, including ISO27001, SSAE16-SOC1/2/3, FISMA and others.
“Localytics strictly controls all access to production systems, and leverages appropriate security controls to protect all customer data.
“Under no circumstances does Localytics automatically collect a user’s personal information, nor do we require personal information in order for our customers to get the benefits from using our platform. It is up to each customer to determine what information they send to Localytics, and Localytics processes that data solely for the customer’s use. We do not share, or disclose, our customer’s data.”
But the app has come under fire from LGBT campaigners.
Veteran LGBT rights campaigner Peter Tatchell told PinkNews: “Allowing private companies access to the HIV status of Grindr customers is as shocking as it gets and can only add to the anxieties experienced by gay and bisexual men with HIV.
“This is the second data scandal involving Grindr in a week and its users will not be reassured by this latest development.
“There are still 72 countries in the world that criminalise homosexuality and even more have governments that actively persecute LGBT+ people. Security breaches could be exploited to make arrests and by homophobic vigilantes to make violent attacks.
“Grindr and similar app providers must urgently audit their data security measures, come clean about any issues and fix them immediately.
“Data protection is the new frontier in the battle for human rights. Software companies that cater for LGBT+ people arguably have a special responsibility, given the potentially risky countries that many of their users live in.”
A spokesperson from HIV charity Terrence Higgins Trust said: “Sharing HIV-related data with third parties without permission is an absolutely unacceptable breach of its users’ privacy.
“We’re relieved to see that this decision has been reversed, but the fact it was ever made in the first place does raise questions about the privacy and safeguarding processes which Apps including Grindr have in place.
“We applaud Grindr for introducing App capability that enables users to list their HIV status or date of last sexual health screening. This helps to combat stigma and can help avoid awkward conversations that people living with HIV don’t want to (and shouldn’t have to) have. However, that information should absolutely never be shared by the App without clear permission to do so.
“There’s still so much work left to do to end the stigma that people living with HIV unfairly face, and Grindr must now step up its responsibility to protect the safety of its users. It must now reassure people living with HIV that this will never happen again.”
It is only the latest Grindr security flaw to be exposed in the past month after an exploit emerged that enabled Grindr users to find out who had blocked them.
Those security flaws were discovered by Trevor Faden, who created C*ckblocked, a website which allowed users to simply see the list that was buried with little protection in the app’s coding.
He later revealed that the C*ckblocked experiment had exposed another flaw.
After users had signed into the service with their Grindr account details, Faden was able to access a large amount of private data from their accounts – including unread messages, deleted photos and user location data.
The breaches have led to fears that the app could be open to exploitation by security services around the world.
Security experts have already warned that the app is ripe for cultivation by the Chinese government after the app’s founder Joel Simkhai was bought out by a Chinese tech giant last year.