Popular gay dating app Grindr has been sharing users’ HIV statuses with third parties without informing users, BuzzFeed reported Monday.
Researchers at Norwegian nonprofit SINTEF found that the popular hookup app had shared sensitive personal information, including users’ HIV status, GPS data, and the last time they were tested for the virus, with multiple third-party companies. The researchers worry the data could be used to identify individual users and their statuses.
Users’ HIV status and last tested date are shared with Apptimize and Localytics, third parties that promise to optimize mobile apps through A/B testing and measuring engagement. Nearly everything users put in their profiles—gender, email, age, height, weight, body type, sexual position preference, ethnicity and more—is shared with third-party firms. (Not all data is shared with every third party, and users’ photos and messages are not shared with third parties, according to SINTEF’s findings.)
For example, Grindr requires sharing GPS data. Users are geolocated and the app shows how near they are to other users. This GPS data is shared with multiple third-party advertising companies, sometimes over unencrypted HTTP connections. Similarly, users can report their “tribe” (generally, the social group they’re a part of, including Jocks, Bears, Geeks) and whether they’re looking for a relationship, a hook up, casual dating, etc. This all might make it easier to find someone who wants what you want, but it’s also valuable data when choosing which ads to serve users. This is all sent to some third parties as well.
Reached for comment, Grindr’s CTO, Scott Chen, confirmed the data collection to BuzzFeed, and defended the company sharing user data with Apptimize and Localytics. “Thousands of companies use these highly regarded platforms. These are standard practices in the mobile app ecosystem,” Chen said. “No Grindr user information is sold to third parties. We pay these software vendors to utilize their services.”
SINTEF worries that, because HIV status is bundled with GPS data, phone ID, and email, it could be possible to individually identify users. Though Grindr has never reported a breach of its servers, sensitive data is, generally speaking, more secure when it’s not duplicated in multiple locations. It is not currently clear what data management practices are being employed with regard to the information Grindr shares with Apptimize and Localytics.
Grindr has encouraged users to report their HIV status as a way of combating the stigma against the disease and those affected by it. Users can report their HIV status, with five options: Negative, Positive, Undetectable (positive, and undergoing treatment that makes it virtually impossible for them to transmit the virus), Negative on PrEP (negative, and taking medicine that makes them unlikely to contract HIV), and Don’t Know. In March, Grindr began sending tailored push notifications to remind users to get tested for HIV. The notifications use GPS data to direct users to local testing centers.
UPDATE 5:30PM: In a statement, Scott Chen, CTO of Grindr, confirmed BuzzFeed’s reporting, while noting that information shared with third parties is “always transmitted securely with encryption, and there are data retention policies in place to further protect our users’ privacy from disclosure.” Chen also included the following statement:
As an industry leader and champion for the LGBTQ community, Grindr recognizes that a person’s HIV status can be highly stigmatized, but after consulting several international health organizations and our Grindr For Equality team, Grindr determined with community feedback it would be beneficial for the health and well-being of our community to give users the option to publish, at their discretion, the user’s HIV Status and their Last Tested Date. It is up to each user to determine what, if anything, to share about themselves in their profile.
The inclusion of HIV status information within our platform is always regarded carefully with our users’ privacy in mind, but like any other mobile app company, we too must operate with industry standard practices to help make sure Grindr continues to improve for our community. We assure everyone that we are always examining our processes around privacy, security and data sharing with third parties, and always looking for additional measures that go above and beyond industry best practices to help maintain our users’ right to privacy.
UPDATE 4/2/18 8AM: Axios spoke with Grindr security chief, Bryce Case. Case confirmed Monday night that Grindr will stop the practice of sending HIV status to third parties.