Dating app Grindr exposed user HIV statuses to at least two third-parties [Update]

Dating app Grindr exposed user HIV statuses to at least two third-parties [Update]

A popular gay hookup app has come under fire for sharing highly-sensitive user details with third-party companies. Used by more than 3.6 million men daily, Grindr has been handing over its users’ HIV status to at least two other companies, according to a report by BuzzFeed News.

The app, which aims to facilitate safe hookups in the gay community, gives users the option to display their HIV status — including their “last tested date” — on a public profile as a means of active disclosure.

This information is then shared with two companies: Apptimize and Localytics. Both, as best we can tell, are testing firms meant to optimize the user experience inside mobile apps. TNW has reached out to Apptimize and Localytics for clarification. Neither were able to comment as of this writing.

Here’s the rub. Because users’ HIV status is just one data point of a much larger package — including GPS position, email, age, height, weight, ethnicity, phone number, etc. (see the full list here) — it’s possible for motivated individuals to piece together a fairly comprehensive look at individual Grindr users.

“The HIV status is linked to all the other information. That’s the main issue,” Antoine Pultier, the Norwegian researcher who uncovered the issue told BuzzFeed. “I think this is the incompetence of some developers that just send everything, including HIV status.”

Worse, the data — including HIV status — is sometimes shared in non-encrypted plain text, leaving it highly susceptible to online hacks and data breaches.

In a statement to Axios, Localytics essentially shifted the blame back to Grindr, saying it wasn’t necessary to provide this level of personal information to make use of its platform.

Under no circumstances does Localytics automatically collect a user’s personal information, nor do we require personal information in order for our customers to get the benefits from using our platform. It is up to each customer to determine what information they send to Localytics, and Localytics processes that data solely for the customer’s use.

Grindr is unique in that it’s one of the few dating apps to encourage disclosing sexually transmitted infections on a public profile. To then share that data with multiple third-parties without explicitly notifying its users is an egregious breach of trust and privacy.

TNW was unable to reach Grindr for comment.


Update 4/3/2018 10:49am PST

Grindr CTO Scott Chen had this to say in a statement:

As a company that serves the LGBTQ community, we understand the sensitivities around HIV status disclosure. Our goal is and always has been to support the health and safety of our users worldwide.

Recently, Grindr’s industry standard use of third party partners including Apptimize and Localytics, two highly-regarded software vendors, to test and validate the way we roll out our platform has drawn concern over the way we share user data.

In an effort to clear any misinformation we feel it necessary to state:

  1. Grindr has never, nor will we ever sell personally identifiable user information – especially information regarding HIV status or last test date – to third parties or advertisers.  

  2. As an industry standard practice, Grindr does work with highly-regarded vendors to test and optimize how we roll out our platform. These vendors are under strict contractual terms that provide for the highest level of confidentiality, data security, and user privacy.

  3. When working with these platforms, we restrict information shared except as necessary or appropriate. Sometimes this data may include location data or data from HIV status fields as these are features within Grindr, however, this information is always transmitted securely with encryption, and there are data retention policies in place to further protect our users’ privacy from disclosure.

  4. It’s important to remember that Grindr is a public forum. We give users the option to post information about themselves including HIV status and last test date, and we make it clear in our privacy policy that if you chose to include this information in your profile, the information will also become public. As a result, you should carefully consider what information to include in your profile.

As an industry leader and champion for the LGBTQ community, Grindr, recognizes that a person’s HIV status can be highly stigmatized but after consulting several international health organizations and our Grindr For Equality team, Grindr determined with community feedback it would be beneficial for the health and well-being of our community to give users the option to publish, at their discretion, the user’s HIV Status and their Last Tested Date. It is up to each user to determine what, if anything, to share about themselves in their profile.

The inclusion of HIV status information within our platform is always regarded carefully with our users’ privacy in mind, but like any other mobile app company, we too must operate with industry standard practices to help make sure Grindr continues to improve for our community.  We assure everyone that we are always examining our processes around privacy, security and data sharing with third parties, and always looking for additional measures that go above and beyond industry best practices to help maintain our users’ right to privacy.

Read next: Rant: In-app browsers are annoying and mostly useless