A popular gay hookup app has come under fire for sharing highly sensitive user details with third-party companies. Used by more than 3.6 million men daily, Grindr has been handing over its users’ HIV status to at least two other companies, according to a report by NOV.
The app, which aims to facilitate safe hookups in the gay community, gives users the option to display their HIV status — including their “last tested date” — on a public profile as a means of active disclosure.
This information is then shared with two companies: Apptimize and Localytics. Both, as best we can tell, are testing firms meant to optimize the user experience inside mobile apps. NOV has reached out to Apptimize and Localytics for clarification. Neither was able to comment as of this writing.
Here’s the rub. Because users’ HIV status is just one data point of a much larger package — including GPS position, email, age, height, weight, ethnicity, phone number, etc. — it’s possible for motivated individuals to piece together a fairly comprehensive look at individual Grindr users.
“The HIV status is linked to all the other information. That’s the main issue,” Antoine Pultier, the Norwegian researcher who uncovered the issue, told BuzzFeed. “I think this is the incompetence of some developers that just send everything, including HIV status.”
Worse, the data — including HIV status — is sometimes shared in unencrypted plain text, leaving it highly susceptible to online hacks and data breaches.
In a statement to Axios, Localytics essentially shifted the blame back to Grindr, saying it wasn’t necessary to provide this level of personal information to make use of its platform.
“Under no circumstances does Localytics automatically collect a user’s personal information, nor do we require personal information in order for our customers to get the benefits from using our platform. It is up to each customer to determine what information they send to Localytics, and Localytics processes that data solely for the customer’s use.”
Grindr is unique in that it’s one of the few dating apps to encourage disclosing sexually transmitted infections on a public profile. To then share that data with multiple third parties without explicitly notifying its users is an egregious breach of trust and privacy.