This just in: Grindr has been secretly sharing its 3.6 million daily active users’ HIV statuses and other sensitive information with at least two other companies.
That’s right, folks. The hookup app has been sending your most personal information, including your HIV status and “last tested” dates, to Apptimize and Localytics, two companies which both help optimize apps.
According to BuzzFeed News:
Because the HIV information is sent together with users’ GPS data, phone ID, and email, it could identify specific users and their HIV status, according to Antoine Pultier, a researcher at the Norwegian nonprofit SINTEF, which first identified the issue.
“The HIV status is linked to all the other information. That’s the main issue,” Pultier told BuzzFeed News. “I think this is the incompetence of some developers that just send everything, including HIV status.”
James Krellenstein, a member of ACT UP New York, calls the whole thing “an extremely, extremely egregious breach of basic standards.”
“Grindr is a relatively unique place for openness about HIV status,” he says. “To then have that data shared with third parties that you weren’t explicitly notified about, and having that possibly threaten your health or safety–that is an extremely, extremely egregious breach of basic standards that we wouldn’t expect from a company that likes to brand itself as a supporter of the queer community.”
But it’s not just your HIV status Grindr has been sharing.
BuzzFeed News says the app has also been sharing users’ precise GPS positions, “tribes”, sexualities, relationship statuses, ethnicities, and phone IDs with other third-party advertising companies.
Not just that, but the info has often been shared via “plain text,” which can be very easily hacked.
“When you combine this with an app like Grindr that is primarily aimed at people who may be at risk–especially depending on the country they live in or depending on how homophobic the local populace is–this is an especially bad practice that can put their user safety at risk,” Cooper Quintin, a senior staff technologist and security researcher at the Electronic Frontier Foundation, says.
Grindr insists it has been sharing people’s highly sensitive health information in an effort to “make the app better.”
“No Grindr user information is sold to third parties,” the company says. “We pay these software vendors to utilize their services.”
But Quintin tells BuzzFeed News the fact that Grindr isn’t selling the information is not the issue. It’s the fact that it’s making it available to third parties that’s a problem.
Brian
Did anyone really think that this information wasn’t being shared or sold?
When Facebook ads started popping up for things I had just done a Google search for, I realized that nothing I did online was private. I just hope for the best that my credit card and banking information is safe, and assume everything else is up for grabs.
And I love that we’re supposed to be worried about our “highly sensitive health information” being located on some random server of some data mining company, but totally cool with any of Grindr’s fine, fine quality members, who are all in your neighborhood, seeing it and sharing it with anyone they want to. If it’s that sensitive, maybe Grindr ain’t the place for it in the first place?
DCguy
Isn’t sharing medical stats a violation of HIPAA laws? Or does it matter that they’ve supplied that information to the app so it’s not considered protected info? I was under the impression that anything medical had some pretty strict regulations against sharing data.
Brian
I can’t imagine that any medical information that you voluntarily put onto a completely public platform is covered by any sort of HIPAA protection.
Coreydnyc
Yes, it’s a public site, but it’s still an option to be anonymous. Releasing phone IDs and email addresses along with the info that you intend to be anonymous is the issue here.
Brian
Your HIV status is part of your profile on Grindr, it’s not anonymous.
LABrad
I think he’s wondering if a non-hospital or a non-doctor can be guilty of violating HIPAA. I think the answer is no.
PinkoOfTheGange
This is the way it was explained to me:
Unless a hand written signature to release the data is on file, no one can share the data, and it can only go that one step if a release is signed.
Theoretically you could have an “HIV+” tattoo on your forehead, but no one could tell someone else unless you specifically gave them hand signed permission to do so.
mhoffman953
If you write something publicly, it can be shared. Just as if someone writes something on Facebook or posts a photo. If you publicly disclose it, the public can see it and you can’t sue over invasion of privacy.
@PinkoOfTheGange
That’s not true. When you download an app or join a website, you click that you Accept the Terms and Conditions. That counts as your signature. You don’t need a physical signature on a piece of paper. Web companies and apps even have Privacy Policies which are in the Terms of Service which you click Agree to when signing up.
I’m not advocating for businesses to share users’ data. I’m just pointing out that what you’re saying is false.
Bob LaBlah
The HIPAA law meant well but it is next to impossible to sue someone because they leaked your status or any information about you. Do a Google search and see how few attorneys come up regarding the HIPAA law.
mhoffman953
@BobLaBlah
HIPAA laws only apply to healthcare professionals and others in the healthcare industry. Someone couldn’t get a HIPAA lawyer to sue Grindr over information someone publicly wrote in their profile.
JerseyMike
Everything we do online is tracked… sucks, but what can we do
Sam6969
Privacy, as we have known for a long time, does not exist anymore. Whatever we put on the net, even with so-called “privacy settings”, does not belong to us anymore. It is scandalous, agreed, but until we do something collectively against that state of fact, we must be very careful about what we put out there. If you do not want sensitive personal data being used, sold and shared without your consent, then do not put them on ANY website, PC and, worse, smartphones and tablets included. Let’s stop being delusional and naive.
phallictomato
I’m not surprised. When I downloaded Grindr to see what all the fuss was about, after noticing how easily other people could find my EXACT location, even with the location setting set to ‘off’, I was like ‘nope’ and immediately uninstalled it.
Who knows what kind of psychos / murderers / stalkers there are out there, and there’s no way in hell I’m telling everyone in the world my exact location. That’s just messed up. Haven’t downloaded it since.
Your privacy means nothing to them.
Kangol
Even though many of us may have suspected that Grindr was sharing everything, as all apps and most commercial (and many non-commercial) online sites do, this is still very disturbing, especially given the precision with which a Grindr subscriber can be geotagged and located. We really no longer have any real privacy unless we figure out how to deplug ourselves from the online world, which is why things like Alexa and Siri, and the Internet of Things that puts the Net in your toaster and refrigerator and car, are so worrisome. Even more terrifying is that this lack of privacy and invisibility could easily be abused, and probably is being abused, across the globe.
NateOcean
Many/most of these apps require an email address to activate the account. And many also require a phone number for account recovery.
But they also claim they will *NEVER* sell email addresses or phone numbers to third parties. If, in fact, they are selling that info *and* HIV status info, that’s a pretty egregious breach of trust.
Typically the sneaky, disingenuous way they do this is by endlessly amending the original “terms of service” to the point that you’ve signed away everything.
He BGB
I guess the stigma will never go away.
drmiller
I saw this same story pop up in other publications and everyone needs to CALM down. Queerty, do some research on the companies Grindr is sharing with—Localytics and Apptimize. These platforms aren’t anything like the Facebook debacle. They’re third party tools you integrate with your app so you can get metrics on app usage (how many people tapped X, how many people went to Y section, how many people bought Z product). It’s a tool to help you improve DAU and get real-time product usage data. It also allows you to send pop ups and push notifications to a subset of users based on criteria you set. FOR EXAMPLE: in Grindr, you can (obviously) indicate your HIV status, and you can also indicate when you were last tested. Grindr wants to start this whole campaign reminding users to get tested (a brilliant idea). Using a platform like Localytics you can target (this is arbitrary) say, all users who are status= negative, and last test date > 3 months. You can send them a push to get an STI/HIV test. This isn’t a huge scandal. It’s smart product integration. Chilllllll out. Literally anyone who works in tech knows this.
Sam6969
Well, “Literally anyone who works in tech knows” it is not because third-party tools are widely used that they are safe, drmiller… and sharing personal data with two other companies (here, Apptimize and Localytics) increases the risk these data get hacked, but also used and aggregated by our ISP and the government, or any criminal with a bit of knowledge in computing. Plus, privacy contracts or not, I am not convinced those third party companies do not (discreetly) do what they want with those data.
I remind you that all the details and arguments are in the original article, quoting research security experts, including the SINTEF, an independent body, who first alerted the public: https://www.buzzfeed.com/azeenghorayshi/grindr-hiv-status-privacy?utm_term=.dvDpZq79G#.loXoLq29w
[…]
“The two companies — Apptimize and Localytics, which help optimize apps — receive some of the information that Grindr users choose to include in their profiles, including their HIV status and “last tested date.”
Because the HIV information is sent together with users’ GPS data, phone ID, and email, it could identify specific users and their HIV status, according to Antoine Pultier, a researcher at the Norwegian nonprofit SINTEF, which first identified the issue.
“The HIV status is linked to all the other information. That’s the main issue,” Pultier told BuzzFeed News.”
“SINTEF’s analysis also showed that Grindr was sharing its users’ precise GPS position, “tribe” (meaning what gay subculture they identify with), sexuality, relationship status, ethnicity, and phone ID to other third-party advertising companies. And this information, unlike the HIV data, was sometimes shared via “plain text,” which can be easily hacked.”
“It allows anybody who is running the network or who can monitor the network — such as a hacker or a criminal with a little bit of tech knowledge, or your ISP or your government — to see what your location is,” Cooper Quintin, senior staff technologist and security researcher at the Electronic Frontier Foundation, told BuzzFeed News.
“When you combine this with an app like Grindr that is primarily aimed at people who may be at risk — especially depending on the country they live in or depending on how homophobic the local populace is — this is an especially bad practice that can put their user safety at risk,” Quintin added.
[…]
“Even so, security experts say, any arrangement with third parties makes sensitive information more vulnerable.
“Even if Grindr has a good contract with the third parties saying they can’t do anything with that info, that’s still another place that that highly sensitive health information is located,” Quintin said. “If somebody with malicious intent wanted to get that information, now instead of there being one place for that — which is Grindr — there are three places for that information to potentially become public.””
[…]
drmiller
Sam6969
Yes, I read the article, and I reread the points you listed. With respect, we just have different view points on this. I have first-hand experience with working with these companies (as do a number of friends, colleagues, and professional acquaintances in the industry). The argument is essentially… It could be hacked. Or perhaps more specifically, because Grindr shares data with third parties the likelihood of it getting hacked increases. Okay, that’s fair, and (being someone who works in technology) I would never suggest that is untrue.
My issue with this article, and how other news sources are framing this, is three points (and this is just my opinion, anyone can disagree):
1) Perhaps the most obvious point here is that users share this data willingly. I understand that we need to hold companies accountable and they cannot be flippant with this data, but the fact of the matter is no law is being broken and Grindr is perfectly within their own Terms and Conditions (to which all their users agree) to do this. The buck really stops there, in my opinion. If you, as a user, have misgivings about sharing your HIV status with a mobile application, then you shouldn’t share it. Period. We ALL know companies get hacked and swindled all the dang time. If this information would be precarious for you, then you need to make better choices about where and to whom you share it (in my opinion).
2) The tone of all these articles is very Facebook-Cambridge related. These articles seem to think they caught Grindr with their pants down (you’ll pardon the metaphor haha) but that isn’t the case. Companies use third party integrations with SaaS businesses like Localytics and Apptimize all-the-time. This is as pervasive as it gets. And ultimately, the usage of these services really is to make the platform serve the user better.
3) All the points these “security experts” are making in the Buzzfeed article (and others, HuffPost comes to mind, but obviously Queerty as well) are purely hypothetical and entirely suppositional. Just because something CAN happen, doesn’t mean we all get to throw our hands up and scream foul-play at Grindr. I have an online account with my bank, should I start yelling at them because they COULD get hacked? My health information with my care provider is entirely online. Should I start writing to the NY Times because there’s potential for it to get hacked? Freaking duh, of course it can get hacked. That’s ubiquitous.
I just feel the angle at which this story is being told isn’t really fair. The articles are covering a topic they clearly don’t understand and I think we can all agree that most people (myself included at times) don’t do much reading past a hysterical headline (like this one) or much digging other than a single article. I just don’t think this is doing anyone any service other than making us think Grindr isn’t playing by the rules.
Anyway, that’s my 2 cents. Anyone is welcome to disagree. Cheers 🙂
Sam6969
Drmiller, with respect and according to what you wrote, you have first-hand experience working with those third-party companies (or just using their apps), not first-hand experience working in those third-party companies…
Do we really need another whistle blower to tell us what human history told us countless times (including recently from Snowden, in particular, to Christopher Wylie in the Facebook/Cambridge Analytica scandal): wherever there is information concentration (and information is power), temptation to use such power for personal and venal interests is never very far. It is part of human nature…and business reasoning.
Grindr is a company and their goal is to make money. They may say they do not sell our information, but they still share our (sensitive) data with commercial ads companies (not only third-party tools companies), who certainly have fewer scruples to use or let use of that information for themselves or other business legal structures, whatever the confidentiality contracts they signed directly with Grindr. It is the principle of the Russian dolls: at the end of the day, no one feels responsible for the way their service providers respect the contracts, since they (loosely or not) legally covered themselves. So, it is not just only about hacking.
What comes off from the various recent scandals is that they are very likely just the tip of the iceberg and all this opacity and ambiguity leave us the bad taste of a pervasive deceitfulness in the business world of information.
As I wrote earlier, we must be very careful with what we share and we agree on that point, drmiller, but those deceitful people know that sooner or later, we all drop our guards if we use new technologies. That’s the trick, they know how to manipulate us and dance with the law.
drmiller
Sam6969
Didn’t see your response. So this may be way too late to be pertinent haha, but I just want to highlight my third point in my first reply to you: you’re sensationalizing this whole discussion and creating conspiracy theories. There is no evidence to suggest Grindr has done anything wrong. There is no evidence to suggest Localytics or Apptimize have done anything wrong. You’re simply stating that historically things get hacked and companies are dishonest. Again, just because something can happen, does not mean it will.
On that same note, I’d like to turn your argument on you. If history has shown us again and again that companies are deceitful, that a concentration of information is a magnet for wrong-doers, and that we shouldn’t need another whistleblower–then why share your information at all? It comes down to my first point, learn from this history you’re describing, and don’t share your information. I’d answer my question with a point I think we are all considering: the majority of the population probably does not care.
I think at the end of the day, we are in a precarious moment in history where a lot of this awful crap is coming to light, and everyone is looking for a whistle to blow, a blog post to write, or a company who’s doing nefarious things. Everyone is tip-toeing around everything nowadays because any a$$ hole with a twitter account or Medium blog thinks he can bring down a law-abiding, fair-playing company (there are a lot of crappy companies out there who deserve the bad publicity, don’t get me wrong). But I think we need to be careful in this witch-hunt (I am not a Trump supporter haha) because we are fast moving into an era where no one can do anything right, everyone feels entitled to everything, and everyone is somehow insulted. If that is a reality, then we all lose.
My point: do research, and try to fully understand the topic you are discussing (this topic, I presume, you don’t have any first-hand experience with, so none of your points are empirical). When something negative comes from this, then we can chat. But in my opinion, Grindr, Localytics and Apptimize have done nothing wrong.
surreal33
You on Grindr, you get what you deserve.
DCguy
Please explain why them being on a particular website means that they deserve to get their private information stolen and shared? Waiting……