Popular gay dating app Grindr has been sharing users' HIV statuses with third parties without informing users, BuzzFeed reported Monday.
Researchers at Norwegian nonprofit SINTEF found that the popular hookup app had shared sensitive personal information, including users' HIV status, GPS data, and the last time they were tested for the virus, with multiple third-party companies. The researchers worry the data could be used to identify individual users and their statuses.
Users' HIV status and last tested date is shared with Apptimize and Localytics, third parties that promise to optimise mobile apps through A/B testing and measuring engagement. Nearly everything users put in their profiles - gender, email, age, height, weight, body type, sexual position preference, ethnicity and more - is shared with third-party firms. (Not all data is shared with every third party, and users' photos and messages are not shared with third parties, according to SINTEF's findings.)
For example, Grindr requires sharing GPS data. Users are geolocated and the app shows how near they are to other users. This GPS data is shared with multiple third-party advertising companies, sometimes over unencrypted HTTP connections. Similarly, users can report their "tribe" (generally, the social group they're a part of, including Jocks, Bears, Geeks) and whether they're looking for a relationship, a hook up, casual dating and so on. This all might make it easier to find someone who wants what you want, but it's also valuable data when choosing which ads to serve users. This is all sent to some third parties as well.
Reached for comment, Grindr's CTO, Scott Chen, confirmed the data collection to BuzzFeed, and defended the company sharing user data with Apptimize and Localytics. "Thousands of companies use these highly regarded platforms. These are standard practices in the mobile app ecosystem," Chen said. "No Grindr user information is sold to third parties. We pay these software vendors to utilise their services."
SINTEF worries that, because HIV status is bundled with GPS data, phone ID and email, it could be possible to individually identify users. Though Grindr has never reported a breach of its servers, sensitive data is, generally speaking, more secure when it isn't duplicated in multiple locations. It is not currently clear what data management practices are being employed with regards to the information Grindr shares with Apptimize and Localytics.
Grindr has encouraged users to report their HIV status as a way of combating the stigma against the disease and those affected by it. Users can report their HIV status, with five options: Negative, Positive, Undetectable (positive, and undergoing treatment that makes them virtually impossible to transmit), Negative on PreP (negative, and taking medicine that makes them unlikely to contract HIV), and Don't Know. Beginning in March, Grindr began sending tailored push notifications to remind users to get tested for HIV. The notifications use GPS data to recommend users to local testing centres.
We reached out to Grindr for comment but had not heard back at time of writing.