Grindr refuses to apologise for sending users’ HIV statuses to third parties

Gay dating app Grindr has confirmed it has shared the HIV status of its users with outside firms – but declined to issue an apology.

It was revealed this weekend that a massive amount of user data from the gay hook-up app, including the stated HIV status of users, was shared with two private companies that help “optimise” apps, Localytics and Apptimize.

Cybersecurity experts also alleged that the dating app was sending advertisers its users’ precise GPS position, sexuality, relationship status, ethnicity, phone ID, and even their ‘tribe’ – such as ‘twink’ or ‘daddy’ – in a plaintext format that could be easily hacked and stolen.

LGBT campaigners have voiced fury after the news came to light in a BuzzFeed report, but the app – recently acquired by a Chinese conglomerate – has refused to apologise.

The app’s chief security officer Bryce Case told BuzzFeed that while he would “not admit fault”, the company would stop sharing the data “based on the reaction — a misunderstanding of technology — to allay people’s fears”.

In a statement to PinkNews, Grindr CTO Scott Chen said: “As a company that serves the LGBTQ community, we understand the sensitivities around HIV status disclosure. Our goal is and always has been to support the health and safety of our users worldwide.

“Recently, Grindr’s industry standard use of third party partners including Apptimize and Localytics, two highly-regarded software vendors, to test and validate the way we roll out our platform has drawn concern over the way we share user data.

“In an effort to clear any misinformation we feel it necessary to state:

“1. Grindr has never, nor will we ever sell personally identifiable user information – especially information regarding HIV status or last test date – to third parties or advertisers.

“2. As an industry standard practice, Grindr does work with highly-regarded vendors to test and optimize how we roll out our platform. These vendors are under strict contractual terms that provide for the highest level of confidentiality, data security, and user privacy.


“3. When working with these platforms, we restrict information shared except as necessary or appropriate. Sometimes this data may include location data or data from HIV status fields as these are features within Grindr, however, this information is always transmitted securely with encryption, and there are data retention policies in place to further protect our users’ privacy from disclosure.

“4. It’s important to remember that Grindr is a public forum. We give users the option to post information about themselves including HIV status and last test date, and we make it clear in our privacy policy that if you choose to include this information in your profile, the information will also become public. As a result, you should carefully consider what information to include in your profile.”

He added: “As an industry leader and champion for the LGBTQ community, Grindr recognizes that a person’s HIV status can be highly stigmatized but after consulting several international health organizations and our Grindr For Equality team, Grindr determined with community feedback it would be beneficial for the health and well-being of our community to give users the option to publish, at their discretion, the user’s HIV Status and their Last Tested Date. It is up to each user to determine what, if anything, to share about themselves in their profile.

“The inclusion of HIV status information within our platform is always regarded carefully with our users’ privacy in mind, but like any other mobile app company, we too must operate with industry standard practices to help make sure Grindr continues to improve for our community.

“We assure everyone that we are always examining our processes around privacy, security and data sharing with third parties, and always looking for additional measures that go above and beyond industry best practices to help maintain our users’ right to privacy.”

Bryan Dunn, VP of Product at Localytics, added: “Localytics is an app marketing platform that provides messaging and analytics tools to large enterprise companies. The information customers choose to send is stored and processed in our production systems, which meet industry security standards, including ISO27001, SSAE16-SOC1/2/3, FISMA and others.

“Localytics strictly controls all access to production systems, and leverages appropriate security controls to protect all customer data.

“Under no circumstances does Localytics automatically collect a user’s personal information, nor do we require personal information in order for our customers to get the benefits from using our platform. It is up to each customer to determine what information they send to Localytics, and Localytics processes that data solely for the customer’s use. We do not share, or disclose, our customer’s data.”

 

But the app has come under fire from LGBT campaigners.

Veteran LGBT rights campaigner Peter Tatchell told PinkNews: “Allowing private companies access to the HIV status of Grindr customers is as shocking as it gets and can only add to the anxieties experienced by gay and bisexual men with HIV.

“This is the second data scandal involving Grindr in a week and its users will not be reassured by this latest development.

“There are still 72 countries in the world that criminalise homosexuality and even more have governments that actively persecute LGBT+ people. Security breaches could be exploited to make arrests and by homophobic vigilantes to make violent attacks.

“Grindr and similar app providers must urgently audit their data security measures, come clean about any issues and fix them immediately.

“Data protection is the new frontier in the battle for human rights. Software companies that cater for LGBT+ people arguably have a special responsibility, given the potentially risky countries that many of their users live in.”

A recent push to encourage people to share their HIV status and when they were last tested made no clear mention that the data would be shared with outside companies.

Grindr’s privacy policy warns users that information shared on the platform can be disclosed.

James Krellenstein, a member of ACT UP New York, told BuzzFeed: “To then have that data shared with third parties that you weren’t explicitly notified about, and having that possibly threaten your health or safety — that is an extremely, extremely egregious breach of basic standards that we wouldn’t expect from a company that likes to brand itself as a supporter of the queer community.”

The company also shares users’ sexual orientation, relationship status, “tribe,” and ethnicity with the companies if the information is listed in their profile.

It is only the latest Grindr security flaw to be exposed in the past month after an exploit emerged that enabled Grindr users to find out who had blocked them.

The security flaws were discovered by Trevor Faden, who created C*ckblocked, a website which allowed users to simply see the list that was buried with little protection in the app’s code.

He later revealed that the C*ckblocked experiment had exposed another flaw.

After users had signed into the service with their Grindr account details, Faden was able to access a large amount of private data from their accounts – including unread messages, deleted photos and user location data.

The breaches have led to fears that the app could be open to exploitation by security services around the world.

Security experts have already warned that the app is ripe for cultivation by the Chinese government after the app’s founder Joel Simkhai was bought out by a Chinese tech giant last year.