Grindr was sharing users' location and HIV status with third parties
Last week there was an outcry after it was revealed that it was relatively simple to determine the location of Grindr users because of a security flaw. The company has now also admitted that it shared information from users' profiles with third parties -- specifically the analytics companies Apptimize and Localytics -- including their HIV status.
Grindr was quick to point out that, firstly, the information was sent via HTTPS, secondly, that the data was not sold to the analytics companies (it was provided free of charge) and, thirdly, that the data was public anyway. All three of these points will come as little comfort to Grindr users, but the company has said that it will now stop the practice of sharing HIV-related information.
See also:
- Security issues in gay dating app Grindr exposed users' locations
- Facebook makes its privacy settings easier to find -- including the option to delete your Facebook data
- Privacy: Facebook has been collecting call and text data from Android users
Antoine Pultier, a researcher at the Norwegian nonprofit SINTEF, was the one who made the discovery and shared his findings on GitHub. He pointed out that data including location, HIV test dates and status, email address and more were also being sent without security to Apptimize and Localytics. Speaking about his findings to Buzzfeed, he said:
The HIV status is linked to all the other information. That's the main issue. I think this is the incompetence of some developers that just send everything, including HIV status.
Grindr security chief Bryce Case has leapt on the defensive, saying to Axios: "I understand the news cycle right now is very focused on these issues", adding "I think what's happened to Grindr is, unfairly, we've been singled out."
He also pointed out that the information shared had already been made public by the users who added it to their profiles. It's fair to say, however, that the users would not have been expecting such sensitive facts to be shared with other companies. The good news is that Grindr has now said that it will stop sharing this information, although Case tried to further turn down the heat by saying that data had only been shared for "debugging and optimization purposes" anyway.
Grindr CTO Scott Chen issued a statement saying:
Grindr has never, nor will we ever sell personally identifiable user information -- especially information regarding HIV status or last test date -- to third parties or advertisers. As an industry standard practice, Grindr does work with highly-regarded vendors to test and optimize how we roll out our platform... When working with these platforms, we restrict information shared except as necessary or appropriate. Sometimes this data may include location data or data from HIV status fields as these are features within Grindr, however, this information is always transmitted securely with encryption, and there are data retention policies in place to further protect our users' privacy from disclosure. It's important to remember that Grindr is a public forum. We give users the option to post information about themselves including HIV status and last test date, and we make it clear in our privacy policy that if you choose to include this information in your profile, the information will also become public.
The company was keen to stress that it believes the outcry surrounding the matter was down to a "misunderstanding" about what was being shared, but confirmed to Axios that HIV status would no longer be shared.
Image credit: Tero Vesalainen / Shutterstock