Users who include their HIV status in their Grindr profile may not have control of who sees their diagnosis outside the platform.
BuzzFeed News reports that Grindr has been sharing data on its users’ HIV status and testing date with two companies, Apptimize and Localytics. The former helps improve users’ experiences while using apps, while the latter is primarily engaged in app optimization and analytics overviews.
Antoine Pultier, a researcher with Norwegian independent research company SINTEF, warns data on users’ HIV testing date and status are sent together alongside other identifying information, such as a user’s GPS location and email. That means HIV-positive users on Grindr could be identified and outed in a potential data breach.
“The HIV status is linked to all the other information. That’s the main issue,” Pultier said to BuzzFeed News. “I think this is the incompetence of some developers that just send everything, including HIV status.”
as several privacy advocates pointed out, this is all troubling for an app that is used by 3.6 million active daily users who, in many places, could be in physical danger for using the app in the first place/ being gay/ being HIV positive https://t.co/0DvdwLc7At— Azeen Ghorayshi (@azeen) April 2, 2018
A report from SINTEF published on GitHub, which was later verified by BuzzFeed News, further identifies privacy concerns found throughout the service. While the study claims that a user’s HIV status and testing date are securely sent via HTTPS to Apptimize and Localytics, SINTEF reportedly found users’ gender, GPS location, age, Phone ID, Advertising ID, and various other identifying details are sent off to third-parties under “unsafe HTTP and HTTPS.” This means some data is sent to third-party companies under plain text, BuzzFeed News reports, which is much easier to obtain and read due to its unencrypted nature.
“It allows anybody who is running the network or who can monitor the network—such as a hacker or a criminal with a little bit of tech knowledge, or your ISP or your government—to see what your location is,” Electronic Frontier Foundation’s Cooper Quintin told BuzzFeed News.
LGBTQ activists, meanwhile, are outraged by Grindr’s handle on users’ profile information. A potential data breach means users could be individually identified based on any information they gave to Grindr, and with multiple companies owning details on users’ profiles, that means there’s a higher risk for Grindr users to end up being identified without their consent.
“Grindr is a relatively unique place for openness about HIV status,” James Krellenstein of AIDS advocacy group ACT UP told BuzzFeed News. “To then have that data shared with third parties that you weren’t explicitly notified about, and having that possibly threaten your health or safety—that is an extremely, extremely egregious breach of basic standards that we wouldn’t expect from a company that likes to brand itself as a supporter of the queer community.”
Oh you have got to be fucking kidding me. There is no fucking excuse for this. https://t.co/Tg4sUgOLfn— Sarah Jamie Lewis (@SarahJamieLewis) April 2, 2018
Despite all the positive work that Grindr has done recently with Article19, this sends a very strong message that their user's safety is not a priority :( https://t.co/lmruRcJaKq— Norman (@NormanShamas) April 2, 2018
Grindr fucking sucks. Its toxic influence on gay interaction can hardly be overstated. The eternal search, the commodification and cookie cutter-ization of desire.— Johnny Ray Huston (@jrayhuston) April 2, 2018
Like Krellenstein, some are particularly upset because Grindr was designed by and for the queer community. It’s not like Elon Musk was running a gay dating app; gay users trusted their own to manage data properly.
Grindr's making it clear they're not here to protect our privacy or our safety.— Kian Vesteinsson (@kianvest) April 2, 2018
– They sell your HIV status data linked to your email & location (https://t.co/nHYNAh6zZZ)
– They transmit your location data without securing it, making it easy to access (https://t.co/9HAUfUHbmU) pic.twitter.com/sG4N8y0hzS
Like it should be fucking obvious, but if it isn't I compiled an entire book full of essays from queer people about how technology utterly fails to protect them and their threat models.https://t.co/U5ixKScGjV— Sarah Jamie Lewis (@SarahJamieLewis) April 2, 2018
The news follows Grindr rolling out an HIV testing reminder designed to hook up its users with nearby facilities to check their status. But with the dating app reportedly sharing users’ data with other companies, privacy concerns may lead users to pass on the opportunity.
Update 8:22pm CT, April 2: Grindr has said it’s no longer sharing users’ HIV status with third-party vendors, Axios reported Monday. Security chief Bryce Case emphasized that users’ most sensitive information was encrypted and not shared with advertisers, but that when users share information on their profile, it becomes publicly available.