Experts are sounding alarms over privacy issues with dating apps like Grindr, but they still remain ubiquitous among gay and bisexual men. How are the top sites handling their users’ data? We took a look.
“Privacy is and always will be one of our top priorities,” said Scott Chen, the company’s chief technology officer. “We know that there has been confusion about this, and we apologize for the distress caused to any of our users.”
Chen added that Grindr would “continue to look for ways to ensure Grindr remains a safe space for all.”
Jack Harrison-Quintana, our VP of Social Impact and founder of Grindr for Equality, addresses concerns about HIV status information on Grindr and explains how we handle user data. Read our full statement about our HIV status data here: https://t.co/5Rw1id0HJw pic.twitter.com/mydtY4mqNN
— Grindr (@Grindr) April 5, 2018
The app also faced criticism last month after the creator of the site C*ckblocked showed he could access members’ location data, unread messages, email addresses, and deleted photos by getting them to provide their login and password with the promise of showing them who blocked them.
After a few days, Grindr closed the loop on the flaw that allowed the breach and reminded users not to enter their username and password into third-party apps.
And back in 2016, scientists at Kyoto University demonstrated how easy it was to discern a Grindr user’s location, even if they disabled that function.
It’s an issue with all the apps that sort members based on location: Using something called trilateration you can still determine someone’s approximate location by process of elimination—moving around and tracking the varying distances from them to you. This is especially concerning in countries where being gay is still illegal.
The good news is it takes some effort—and technological savvy—to reverse-engineer a user’s location using trilateration. It’s even more difficult when apps randomize a user’s location—while you can tell if someone is near you, the app won’t place their location based on exact coordinates.
“Grindr’s method of abstraction in our application is via geohashing,” Bryce Case, head of information security, told NewNowNext. With geohashing, a geographic location is encoded into a short string of letters and digits, which is used as a grid to determine an approximate position.
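To make the grid idea concrete, here is the public geohash algorithm as an added example; it is not Grindr's code. The precision value and the choice to report the cell centre are assumptions, and the demo coordinates are constructed.

```python
BASE32 = "0123456789bcdefghjkmnpqrstuvwxyz"  # standard geohash alphabet

def encode(lat, lon, precision):
    """Encode a coordinate as a geohash of `precision` characters."""
    lat_rng, lon_rng = [-90.0, 90.0], [-180.0, 180.0]
    chars, value, nbits, use_lon = [], 0, 0, True
    while len(chars) < precision:
        rng, coord = (lon_rng, lon) if use_lon else (lat_rng, lat)
        mid = (rng[0] + rng[1]) / 2
        bit = coord >= mid              # which half of the range holds the point
        rng[0 if bit else 1] = mid      # halve the range toward the point
        value, nbits = (value << 1) | bit, nbits + 1
        use_lon = not use_lon           # bits alternate: lon, lat, lon, ...
        if nbits == 5:                  # every 5 bits become one character
            chars.append(BASE32[value])
            value = nbits = 0
    return "".join(chars)

def cell(geohash):
    """Return (lat_min, lat_max, lon_min, lon_max) of the grid cell."""
    lat_rng, lon_rng = [-90.0, 90.0], [-180.0, 180.0]
    use_lon = True
    for ch in geohash:
        idx = BASE32.index(ch)
        for shift in range(4, -1, -1):
            rng = lon_rng if use_lon else lat_rng
            mid = (rng[0] + rng[1]) / 2
            rng[0 if (idx >> shift) & 1 else 1] = mid
            use_lon = not use_lon
    return lat_rng[0], lat_rng[1], lon_rng[0], lon_rng[1]

def snapped_position(lat, lon, precision=6):
    """Coarsen a coordinate to the centre of its geohash cell.

    precision=6 is an assumed value; the article does not state
    which cell size any app uses.
    """
    h = encode(lat, lon, precision)
    lat_min, lat_max, lon_min, lon_max = cell(h)
    return h, ((lat_min + lat_max) / 2, (lon_min + lon_max) / 2)

if __name__ == "__main__":
    # Constructed sample points inside one precision-6 cell
    lat_min, lat_max, lon_min, lon_max = cell("u4pruy")
    for lat, lon in [(lat_min + 0.001, lon_min + 0.001),
                     (lat_max - 0.001, lon_max - 0.001)]:
        print((lat, lon), "->", snapped_position(lat, lon))
```

Every point inside a cell reports the same centre, so exact coordinates never leave the server. Shorter hashes mean larger cells and coarser positions.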
Case also noted Grindr installed other protections in regions where it is unsafe or illegal to be LGBT, including, “providing users with a discreet app icon and security PIN, transmitting daily safety messages to users in as many local languages as possible, and providing users with Grindr’s safety guide in as many local languages as possible.”
Still, the only foolproof way to avoid being exposed is to stay off location-based dating apps altogether.
Scruff responded to the recent spate of security breaches by republishing a 2014 article by CEO Eric Silverberg that warned of the possibility of a trilateration attack while using any location-based program, including its own. He insisted it would take “a sophisticated user to reverse-engineer the app,” but said Scruff has still taken steps to increase security for users who hide their location.
“When a user elects to hide his distance on Scruff, we not only remove the information from his profile data, but we also randomize his location on our servers.”
The app, which claimed more than 12 million users worldwide in 2017, also takes population density into account: Those living in rural areas have their locations randomized by a few miles, as opposed to a few blocks for those who live in big cities.
“We never share the sensitive information that our users disclose in their profiles, nor do we use any other identifying information about our users.”
The company, which counted more than 25 million members as of 2017, also noted it has a “bug bounty” program, where tech experts are encouraged to find vulnerabilities that could lead to data breaches. Since at least 2014, Hornet has also been “randomly obscuring” a user’s distance, showing three nearby points to make it harder to pinpoint their location.
President Sean Howell even went to Egypt recently “to investigate how to make users safer and advocate for their rights” amid the ongoing anti-gay crackdown there.
Traffic on Growlr, which has more than 7 million users worldwide, is encrypted, and CEO Coley Cummiskey stressed to NewNowNext that it doesn’t sell account information to third-party companies.
Cummiskey also explained that the app uses “random variations in sorted grid placements for users that choose to hide their locations, in order to prevent triangulating their exact position.”
He also encouraged users to follow Growlr’s safety guidelines, which include common sense steps like meeting in public and telling a friend or family member where you’re going.
A report from February indicated data from Jack’d, which counts some 5 million users, was not being properly encrypted when sent to third-party advertisers.
But Alon Rivel, the app’s marketing director, told NewNowNext, “Our tech team has addressed the problems mentioned and are almost complete with resolving the matter.”
Jack’d has also taken steps to make it harder for someone to determine a user’s location if that functionality is disabled.
“We take safety and privacy very seriously and that is why we released the blurring distance feature on Jack’d back in 3rd quarter of 2017. That allows users to blur their distance and location so that members who feel they are unsafe in disclosing their location are not found easily.” The app automatically blurs the distance, he added, “in countries that do not tolerate homosexuality, such as Egypt and Russia.”
In addition, HIV status is not an option on Jack’d member profiles so that “users can choose when and if to disclose their status to partners, as it is a personal and private matter,” says Rivel.