A new report from the Wall Street Journal finds that dating app Grindr quietly sold user location data to a third-party ad network from “at least” 2017 until early 2020, making it available to thousands of parties. The app curtailed the practice in 2020, but some “legacy” data that was previously sold could still be in circulation.
Grindr is one of the biggest names in dating apps that focus on the LGBTQ community, and user presence on the app has been used for harassment purposes and even to remove employees and professional athletes from their positions in various countries. The app is also not new to security and privacy issues, having had prior data breaches that exposed user locations as well as sensitive personal information.
Grindr location data sold to third party advertising network for three years
The WSJ report finds that “precise” user location data was sold through UberMedia, a partner of online ad network MoPub. Now going by the name UM, UberMedia is a major data platform that has a particular focus on targeted advertising based on location data. The company was acquired in 2021 by Near, another major location data platform that profiles some 1.6 billion users in 44 countries for targeted ad purposes.
This likely exposed the sensitive location data of Grindr users to thousands of UberMedia buyers during the sales window, which lasted from “at least” 2017 to sometime in early 2020. Grindr changed its policies for sharing information with ad networks at that time, curtailing the specific location data that was shared with MoPub and UberMedia. However, the prior data already sold could be residing in advertising profiles that continue to exist.
The story came to WSJ from an anonymous former Grindr employee said to have some sort of senior position in the company. The source said that the company’s management initially didn’t believe that sharing location data with ad networks would create any privacy problems, failing to come around on the issue until it ran into public trouble with the transmission of sensitive user data to multiple third parties in early 2020. This incident helped to spur its adoption of a new privacy policy, which the company says is more restrictive to ad networks than any other big tech platform.
Garret Grajek, CEO of YouAttest, notes that the handling of this sort of location data and personal information is better regulated in other parts of the world (particularly the EU) and that similar legislation in the US might have defused the entire situation: “In America we haven’t even touched the level of data privacy and data governance that the Europeans have with their sweeping GDPR mandate of 2016. California has enacted CCPR and CCPA and a few other states are making or looking to make similar moves, but the US does not have a national law guiding data. Industry will demand it to help navigate their own data privacy practices and to insure against lawsuits.”
Information collation by ad networks can lead to outing of individual identities
Grindr management’s initial mistaken belief that sharing user data with ad networks could not cause privacy problems may have been rooted in the fact that the information is pseudo-anonymized; things like location data are generally tied to a unique identifying number that is not supposed to be connected to names or personal contact information.
That separation does not necessarily hold, however, as demonstrated by the outing of a high-ranking Catholic priest in summer 2021. The magazine Pillar, which is aimed at a Catholic audience, was open about conducting an investigation into the priest’s movements using “commercially available records” of his location data that were tied to his Grindr activity. The magazine boasted of being able to trace the priest’s movements from 2018 to 2020, placing him at gay bars, bathhouses, and private residences associated with other Grindr users. The priest resigned after the story came out. Pillar did not disclose which of the ad networks it obtained this data from.
Worries about the use of Grindr in this way to compromise politicians and high-ranking military figures led the United States government to force the sale of the company in 2019 (with the deal completed in 2020). It had been owned by China-based Kunlun Tech Co. since 2016 and was purchased by Los Angeles-based San Vicente Acquisitions. Since that purchase and the 2020 change in privacy policy, Grindr says that the app only links the unique device identifier it assigns with the user’s IP address and “basic information necessary for ad delivery.” Grindr also says that it does not communicate with ad networks in countries in which LGBTQ users are at risk due to local laws.
The app has a history of privacy issues that predates all of this, however. Much of it has to do with the way the app handles location data; security researchers have previously demonstrated that they could locate anyone using the app regardless of their privacy settings, by using two accounts under their control as a means of triangulation. This is separate from a security issue that emerged in 2020, in which the app’s password reset page was found to leak access tokens. The first major security issue for the app emerged in 2014, and also involved the use of location data and the ability to triangulate other users. The app first became available in 2009.
Rajiv Pimplaskar, CEO of Dispersive Holdings, elaborated on what apps should be doing to properly secure sensitive user data of this nature: “Privacy is a proactive first step for security, as threat avoidance is much easier and less costly than mitigation and remediation. Most sensitive information has a ‘long tail’ and Grindr user data exchanging hands across third parties can be subject to misuse and be dangerous. These challenges are analogous to those in the data communications world today. For decades we have been complacent relying on basic encryption to keep our sensitive communications private and secure. New threat actors are playing a long game of Steal Now Decrypt Later (SNDL) which can be especially deadly with the rise of nation state threat actors and the imminent arrival of quantum computing. Intelligence, military, and forensic techniques focus on managed attribution which obfuscates source and destination relationships and makes traffic patterns hard to identify. This makes them very hard to detect in the first place and thereby making them harder to intercept and decrypt, enhancing security as a whole.”