Mozilla privacy report on dating apps singles out Grindr for serious security lapses
21 of the 24 dating apps examined were tagged with the “*Privacy Not Included” warning label.
Image: Getty Images/iStockphoto
Dating has been a lot tougher for singles since the onset of the COVID-19 pandemic, forcing many people onto dating apps to supplement the real thing. Most dating apps require users to enter a significant amount of information for safety purposes, but a new report from Mozilla has found that some of the most popular dating apps take a lot more data from you than you’d expect.
Ahead of Valentine’s Day, Mozilla released its *Privacy Not Included report, poring through the data collection policies and security posture of the 24 most popular dating apps like Tinder, Bumble, Grindr, Match, and OkCupid.
Mozilla researchers dug deep into the privacy policies and security practices of dating sites, pressing companies with questions like “Can this app or product snoop on me? What data is being collected and who is it shared with? What is the company’s track record for protecting users’ data? And, What could happen if something goes wrong?”
Mozilla researchers put their “*Privacy Not Included” warning label on 21 of the dating apps examined, noting that apps like Grindr are a “privacy and security nightmare.”
“In the past, Grindr shared users’ HIV status with third parties. And in the present, Grindr continues to share other user data, like location, with third parties. Plenty of Fish is also creepy, mandating information like users’ vehicle ownership and their parents’ marital status,” the study noted.
SEE: Big data’s role in COVID-19 (free PDF) (TechRepublic)
“In a world of data-hungry dating apps, Lex stands out. Built for the lesbian, queer, trans, and non-binary community, this dating app collects minimal data, and doesn’t share it for marketing purposes. Further, their privacy policy is crystal clear. eHarmony is another app that respects users’ privacy and security.”
The study notes that because so many dating apps urge users to build profiles from information on Facebook, they are granted significantly more personal data than what might be expected. Dating apps are also almost constantly in the news for breaches, with popular apps and sites like Tinder, Bumble, OKCupid, Facebook Dating, and more reporting breaches in the last few years.
The report also notes the many discriminatory algorithms backing these apps, with Mozilla researchers finding that some apps use a “collaborative filtering algorithm” that they assert contribute to bias against “racial, ethnic and sexual orientation minorities.” But the researchers could not confirm it due to a lack of transparency from the companies behind these apps.
“Love isn’t dead in the time of coronavirus. It has moved online, just like so many other aspects of our daily life. Thanks to dating apps and connected sex toys, we’re still finding love and sex while social distancing,” said Jen Caltrider, Mozilla’s *Privacy Not Included lead.
Raya, Match, Tinder, Ashley Madison, Christian Mingle, Facebook Dating, Grindr, and Jdate were all given a “super creepy” tag for a variety of reasons related to the data they ask for, collect, and share.
Grindr got a particularly bad assessment, with researchers calling it “one of the worst out there for privacy.”
“Not going to sugar coat this: Grindr is a horrible dating app for user privacy and security. Of all the dating apps we reviewed, Grindr is the worst of the worst. They’re so bad, in fact, the Norwegian Data Protection Authority recently fined them $11.7 million for illegally sharing private, personal information with advertising companies,” the report said.
The report describes numerous problems that go far beyond relatively simple security issues.
“Given Grindr is the world’s largest gay dating app, and given that in some parts of the world outing someone as gay can get them killed, these bad data privacy practices aren’t just awful and illegal, they are also life threatening. On top of that, back in 2018, Grindr was caught exposing users’ HIV status to companies. Seriously, not only did Grindr ask users’ to provide their HIV status, they then turned around and shared that very sensitive information. Like we said, Grindr is the worst,” the researchers added.
The report then references a 2018 situation where the app was embroiled in a major international dispute between the United States and China after it was sold to a Chinese company. The US government took issue with the company’s new engineers in China being given full access to “the personal information of millions of Americans such as private messages and HIV status,” according to Reuters. The US government effectively forced the Chinese owner to sell it last year.
Two weeks ago, the Norwegian Consumer Council fined Grindr more than $11 million for violating parts of the GDPR by unlawfully sharing user data with advertisers, after previously denying that they did.
“As a location-based app that tracks users’ movements and matches them based on proximity, Grindr knows a lot about its users. It has an absolutely terrible track record of protecting, securing, and being honest about how it shares users’ data,” the report said.
“On top of all of this, they claim to require a strong password to access the app, yet we were able to login with 123456. What’s the worst that could happen? Grindr could leak your location, homophobes could search you out, find you, and murder you for being gay. This has happened already in the real world. Grindr is bad. Our recommendation, delete Grindr.”
TechRepublic reached out to Grindr for comment but did not hear back.
Last year, the same Norwegian Consumer Council found that OkCupid and Tinder were doing many of the same things as Grindr, selling personal information taken from user accounts to advertisers, ZDNet reported.
The Mozilla report notes that OkCupid and Tinder are owned by Match Group, which controls about 25% of the dating app market through products like Match.com, Hinge, and Plenty of Fish.
In addition to the complaints from the Norwegian Consumer Council, the FTC sued Match in 2019 for “allegedly using misleading ads and deceptive email marketing tactics to get hundreds of thousands of Match users to pay for their services.”
“Match has all been known to not adequately secure their users’ data, thanks to a number of security vulnerabilities. They collect a huge about of data—everything from what you say in your chats to religion, ethnicity, even what you eat, and how many pets you have—and then share it with the other 45 or so Match Group dating sites as well as potentially a host of other third parties,” the report said.
“That’s a lot of personal data you might have thought only going to one place getting shared across multiple dating sites and companies.”
Mozilla researchers added that Tinder suffered a serious data breach in early 2020 that led to more than 70,000 images of women being shared online.
The study adds that a number of these sites, like Ashley Madison, have already suffered major breaches that should terrify any user into either getting off of them or limiting the amount of information they put on it.
But others ask for extraordinary control over your smartphone for seemingly no reason, like Christian Mingle, which demands the power to not only use your device’s flashlight but also wants the ability to disable your lock screen.
The three dating sites or apps to avoid the dreaded “Privacy not included” label are eHarmony, Happn, and Lex. The study notes that eHarmony had breaches in 2011 and 2012 but since has tightened up its security features. But while it is one of the better ones, it still has a lot to improve on, according to Mozilla
“eHarmony seems to be one the better mainstream dating app when it comes to privacy and security. Unfortunately, that’s not saying a whole lot. They do use some of this personal data to target you with lots of advertisements and perhaps shares some with third parties for the same,” the report said.
“We will also add, eHarmony has one of the worst written privacy policies we’ve seen. Not only does it have spelling and grammar mistakes, but also at one point refers to the wrong company. Which begs the question, would you trust your sensitive data to a dating app that can’t even write their own privacy policy error free? We wouldn’t.”
Cybersecurity Insider Newsletter
Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Delivered Tuesdays and Thursdays
