Testing conducted by the Norwegian Consumer Council (NCC) has found that some of the biggest names in dating apps are funneling sensitive personal data to advertising companies, in some cases in violation of privacy laws such as the European General Data Protection Regulation (GDPR).
Tinder, Grindr and OKCupid were among the dating apps found to be transmitting more personal data than users are likely aware of or have agreed to. Among the data that these apps reveal is the subject’s gender, age, IP address, GPS location and information about the hardware they are using. This information is being pushed to major advertising and behavior analytics platforms owned by Google, Facebook, Twitter and Amazon among others.
How much personal data is being leaked, and who has it?
NCC testing found that these apps sometimes transfer specific GPS latitude/longitude coordinates and unmasked IP addresses to advertisers. In addition to biographical information such as gender and age, some of the apps passed tags indicating the user’s sexual orientation and dating interests. OKCupid went even further, sharing information about drug use and political leanings. These tags appear to be directly used to deliver targeted advertising.
In partnership with cybersecurity company Mnemonic, the NCC tested 10 apps in total over the final few months of 2019. In addition to the three major dating apps already named, the organization tested several other types of Android mobile apps that transmit personal information:
Clue and My Days, two apps used to track menstrual cycles
Happn, a social app that matches users based on shared locations they’ve been to
Qibla Finder, an app for Muslims that indicates the current direction of Mecca
My Talking Tom 2, a “virtual pet” game intended for children that makes use of the device microphone
Perfect365, a makeup app that has users snap photos of themselves
Wave Keyboard, a virtual keyboard customization app capable of recording keystrokes
So who is this data being passed to? The report found that 135 different third-party companies in total were receiving information from these apps beyond the device’s unique advertising ID. Nearly all of these companies are in the advertising or analytics industries; the biggest names among them include AppNexus, OpenX, Braze, Twitter-owned MoPub, Google-owned DoubleClick, and Facebook.
As far as the three dating apps named in the study go, the following specific information was being passed by each:
Grindr: Passes GPS coordinates to at least eight different companies; additionally passes IP addresses to AppNexus and Bucksense, and passes relationship status information to Braze
OKCupid: Passes GPS coordinates and answers to very sensitive personal biographical questions (including drug use and political views) to Braze; also passes information about the user’s hardware to AppsFlyer
Tinder: Passes GPS coordinates and the subject’s dating gender preferences to AppsFlyer and LeanPlum
In violation of the GDPR?
The NCC believes that the way these dating apps track and profile smartphone users is in violation of the terms of the GDPR, and may be violating other similar laws such as the California Consumer Privacy Act.
The argument centers around Article 9 of the GDPR, which addresses “special categories” of personal data – things like sexual orientation, religious beliefs and political views. Collection and sharing of this data requires “explicit consent” to be given by the data subject, something that the NCC argues is not present given that the dating apps do not specify that they are sharing these particular details.
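To make the data flows described above concrete, here is an added traffic-audit example that is not part of the NCC/Mnemonic report or its tooling. It takes constructed decoded requests (hosts, field names and values are all made up), sorts each field into a GDPR Article 9 special category or other personal data, flags unmasked GPS coordinates, and summarises what each third-party host received.

```python
"""Added example (constructed): classify personal data in an app's outbound
requests and summarise what each third-party host receives.  Field names,
hosts and payloads are invented for illustration, not taken from any SDK."""
from collections import defaultdict

# GDPR Article 9 special categories named in the report, keyed by assumed
# payload field names (constructed, not real SDK parameters).
SPECIAL_CATEGORY = {
    "sexual_orientation": "sexual orientation",
    "looking_for_gender": "sexual orientation",
    "religion": "religious belief",
    "political_views": "political opinion",
    "drug_use": "health",
    "hiv_status": "health",
}
# Other personal data the report found flowing to ad/analytics platforms.
PERSONAL = {"lat": "GPS", "lon": "GPS", "ip": "IP address", "gender": "gender",
            "age": "age", "device_model": "hardware",
            "relationship_status": "relationship status"}

# Constructed captures: the decoded request body and the host it went to.
CAPTURED = [
    {"app": "dating-app-A", "host": "sdk.analytics-one.example",
     "body": {"lat": 59.91273, "lon": 10.74609, "political_views": "left",
              "drug_use": "yes", "age": 31}},
    {"app": "dating-app-A", "host": "ads.adnet-two.example",
     "body": {"ip": "203.0.113.7", "gender": "m", "looking_for_gender": "m"}},
    {"app": "dating-app-B", "host": "attr.attribution-three.example",
     "body": {"lat": 59.91, "lon": 10.75, "device_model": "Pixel 3"}},
]

def is_unmasked_gps(body):
    """Coordinates with more than two decimals (roughly 1 km) count as unmasked."""
    coords = [body[k] for k in ("lat", "lon") if isinstance(body.get(k), (int, float))]
    return any(abs(v - round(v, 2)) > 1e-9 for v in coords)

def audit(captured):
    """Return {app: {host: {"special": [...], "personal": [...], "unmasked_gps": bool}}}."""
    rep = defaultdict(lambda: defaultdict(lambda: {"special": set(), "personal": set(), "gps": False}))
    for rec in captured:
        e = rep[rec["app"]][rec["host"]]
        for field in rec["body"]:
            if field in SPECIAL_CATEGORY:
                e["special"].add(SPECIAL_CATEGORY[field])
            elif field in PERSONAL:
                e["personal"].add(PERSONAL[field])
        e["gps"] |= is_unmasked_gps(rec["body"])
    return {app: {host: {"special": sorted(e["special"]), "personal": sorted(e["personal"]),
                         "unmasked_gps": e["gps"]} for host, e in hosts.items()}
            for app, hosts in rep.items()}

def special_category_recipients(captured):
    """Hosts that received Article 9 data, i.e. flows that would need explicit consent."""
    return sorted(h for hosts in audit(captured).values() for h, e in hosts.items() if e["special"])
```

In a real review the captures would come from an intercepting proxy on a test device, and the host-to-company mapping from the SDKs bundled in the APK.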
A history of leaky dating apps
This isn’t the first time dating apps have been in the headlines for passing private personal data unbeknownst to users.
Grindr experienced a data breach in early 2018 that potentially exposed the personal data of millions of users. This included GPS data, even if the user had opted out of providing it. It also included the self-reported HIV status of the user. Grindr indicated that it had patched the flaws, but a follow-up report published in Newsweek in August 2019 found that they could still be exploited to obtain a variety of information, including users’ GPS locations.
Group dating app 3Fun, which is pitched to those interested in polyamory, experienced a similar breach in August of 2019. Security firm Pen Test Partners, who also discovered that Grindr was still vulnerable that same month, characterized the app’s security as “the worst for any dating app we’ve ever seen.” The personal data that was leaked included GPS locations, and Pen Test Partners found that site members were located in the White House, the US Supreme Court building and Number 10 Downing Street among other interesting locations.
Dating apps are likely collecting far more information than users realize. A reporter for the Guardian who was a frequent Tinder user obtained their personal data file from Tinder in 2017 and found it was 800 pages long.
Is this being fixed?
It remains to be seen how EU members will respond to the findings of the report. It is up to the data protection authority of each country to decide how to respond. The NCC has filed formal complaints against Grindr, Twitter and a number of the named AdTech companies in Norway.
A number of civil rights groups in the US, including the ACLU and the Electronic Privacy Information Center, have drafted a letter to the FTC and Congress asking for a formal investigation into how these online ad companies track and profile users.