Grindr—the gay hookup app that has over 3.6 million daily active users globally—has reportedly been sharing its users’ HIV status (for those who include it) with two mobile app contractors.
On Monday, Bryce Case, the company’s top security official, responded to public outcry over the issue by saying the company would stop the practice.
“I understand the news cycle right now is very focused on these issues,” Case told Axios, which first reported the change on Monday evening. “I think what’s happened to Grindr is, unfairly, we’ve been singled out.”
Case argued that the public is now more sensitive to data breaches in the wake of the Cambridge Analytica debacle, adding that some users were “trying to put us in the same camp where we really don’t belong.”
The story first broke in March 2018, when the Swedish public broadcaster, SVT, reported that the app sends highly personal information—including GPS location, sexual preferences, and HIV status—to two companies: Apptimize and Localytics.
On Monday, BuzzFeed News cited research done by Antoine Pultier of the Norwegian group SINTEF, which found that, because all of these data points are transferred, Grindr users could easily be identified.
“Thousands of companies use these highly-regarded platforms. These are standard practices in the mobile app ecosystem,” Grindr’s CTO, Scott Chen, initially told BuzzFeed News in a statement that was later sent to Ars Monday afternoon. “No Grindr user information is sold to third parties. We pay these software vendors to utilize their services.”
He added: “The limited information shared with these platforms is done under strict contractual terms that provide for the highest level of confidentiality, data security, and user privacy.”
Before the company yanked the HIV status data sharing, Pultier told Ars by email on Monday that his organization was hired by SVT to do the privacy audit work. He tested not only Grindr but also Tinder and Happn, other similar hookup apps. (Crucially, however, those apps seemingly do not have an option to list HIV status.)
“The Grindr response is exactly the same [as] the Happn response we got a few weeks ago,” Pultier told Ars. “Standard practice, software as a service, they pay the third party company… They don’t want to acknowledge the problem for obvious reasons. We hope they will change their practices; this response is not satisfying.”
In an earlier Monday statement, Grindr’s Scott Chen said that the company “has never nor will we ever” sell personal information “especially information regarding HIV status or last test data—to third parties or advertisers.”
However, neither SVT nor BuzzFeed has accused Grindr of selling this information. Instead, Grindr includes it as part of its data sharing with Apptimize and Localytics.
“As an industry standard practice, Grindr does work with highly-regarded vendors to test and optimize how we roll out our platform… When working with these platforms, we restrict information shared except as necessary or appropriate. Sometimes this data may include location data or data from HIV status fields as these are features within Grindr, however, this information is always transmitted securely with encryption, and there are data retention policies in place to further protect our users’ privacy from disclosure.”
Chen added that it’s “important to remember that Grindr is a public forum,” adding that “you should carefully consider what information to include in your profile.”
But what Chen and Grindr seemed not to understand, at least initially, is that while most users who share their HIV status in the app want it to be seen by potential partners, they may not fully realize that this data may also be shared outside of Grindr.
Grindr spokeswoman Paige Verducci also sent Ars a statement from Bryan Dunn, a Localytics vice president. He said:
“Localytics strictly controls all access to production systems and leverages appropriate security controls to protect all customer data… Under no circumstances does Localytics automatically collect a user’s personal information, nor do we require personal information in order for our customers to get the benefits from using our platform. It is up to each customer to determine what information they send to Localytics, and Localytics processes that data solely for the customer’s use. We do not share, or disclose, our customer’s data.”