It's Grindr's Turn In The Barrel As America Finally Decides To Care About Consumer Privacy
from the standard-operating-procedure dept
Whatever you think about the Facebook Cambridge Analytica kerfuffle, it's pretty obvious that the scandal is causing a long overdue reassessment of our traditionally lax national privacy standards. While most companies talk a good game about their breathless dedication to consumer privacy, that rhetoric is usually pretty hollow and oversight borders on nonexistent. The broadband industry is a giant poster child for that apathy, as is the internet of very broken things sector. For a very long time we've made it abundantly clear that making money was more important than protecting user data, and the check is finally coming due.
While it may only be a temporary phenomenon, the Cambridge Analytica scandal is finally causing some much-needed soul searching on this front. And given how deep our collective privacy apathy rabbit hole goes, being sloppy with consumer data may actually bear witness to something vaguely resembling accountability for a little while. Case in point is gay dating site Grindr, which this week was hammered in the media after it was revealed that the company was sharing an ocean of data with app optimization partner companies, including location data and even HIV status.
Norwegian nonprofit SINTEF was commissioned to dig into the problem on behalf of Swedish public broadcaster SVT, which first broke the story. According to SINTEF, Grindr was also sharing its users’ precise GPS position, "tribe" (their preferred gay subculture), sexuality, relationship status, ethnicity, and phone ID with third-party advertising companies. And, because even "anonymized" data can never be truly considered anonymous, they concluded it isn't hard to identify these users based on this data.
Many were surprised that such a popular company would have such a casual disregard for its consumer privacy:
"Grindr is a relatively unique place for openness about HIV status,” James Krellenstein, a member of AIDS advocacy group ACT UP New York, told BuzzFeed News.
“To then have that data shared with third parties that you weren’t explicitly notified about, and having that possibly threaten your health or safety — that is an extremely, extremely egregious breach of basic standards that we wouldn’t expect from a company that likes to brand itself as a supporter of the queer community."
But again, this casual treatment of data isn't errant behavior on Grindr's part -- it's the norm. And in this case, many are correct to point out that in addition to it being problematic that users didn't know this data was being shared outside of the Grindr community, the exposure of the HIV data (which again was only with two app optimization companies) could potentially have placed people living in homophobic areas at risk of violence:
Privacy isn’t just about credit card numbers and passwords. Sharing sensitive information like this can put LGBT Americans at risk.https://t.co/Guay2RBuk8
— Ed Markey (@SenMarkey) April 2, 2018
To its credit, Grindr wound up announcing that it would stop sharing HIV data with third parties, but not before the company issued a statement tinged with the usual lamentations about "misinformation." Several statements were made of the "everybody does it," flavor which didn't help the company's case. Grindr security chief Bryce Case also got defensive in comments to Axios about how the company was being "unfairly" singled out due to the Cambridge Analytica scandal:
"I understand the news cycle right now is very focused on these issues," Case said, but added, "I think what’s happened to Grindr is, unfairly, we’ve been singled out..."It’s conflating an issue and trying to put us in the same camp where we really don’t belong."
But nobody accused Grindr of doing what Cambridge Analytica did. They did however accuse the company of what's now fairly standard privacy apathy across countless industries, including overlong terms of service that don't make it clearer what data is being shared with whom, the sharing of some of private consumer data in unencrypted plain text (you know, like your television probably does), and sharing extremely-sensitive HIV status data that pretty clearly wasn't necessary for "app optimization":
"But some security experts say that this argument about whether the data was being sold to a third party for nefarious purposes or not misses the point: that HIV data is highly sensitive, and that sharing it with any outside companies is a move away from the security of its users.
"There was no reason for them to be storing that data with these analytics companies in the first place," Cooper Quintin, senior staff technologist and security researcher at the Electronic Frontier Foundation, told BuzzFeed News. "Grindr should be taking extra steps to secure this sort of very personal data."
It's understandable that Grindr doesn't want to be lumped in with Cambridge Analytica, and it's obvious that there's a vast chasm between sharing some data with ad optimization partners and using unauthorized data to disrupt elections. Still, companies like Grindr are lucky that this come to Jesus moment in consumer privacy didn't arrive years ago.
Assuming this concern for privacy isn't just a temporary fashion trend, Grindr's certainly not going to be the last company caught in the crossfire of what should be seen as a cultural learning process. And hopefully, some of the truly terrible players on this front (like the telecom sector) will ultimately witness their time in the barrel as well. Especially since what many wireless carriers have routinely been up to makes Grindr's privacy missteps look like child's play, and the government's response so far has been to make it easier than ever to violate consumer privacy.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: data sharing, hiv status, location data, privacy
Companies: grindr
Reader Comments
Subscribe: RSS
View by: Time | Thread
Bullshit
If I have to say one thing, this is one thing a Trump presidency was good for. But it's a shame the people can't be proactive about these things instead of a bunch of reactive hypocrites.
"Assuming this concern for privacy isn't just a temporary fashion trend,"
It is, it is...
We are being massively spied on by every sector of the economy, just the non-optional forced participation in the "credit" system is proof of that, even if you have never applied for credit you are on file and have a score! Almost every service you use no matter how simple comes with a privacy notice where they share your data!
[ link to this | view in chronology ]
Re: Bullshit
I'm with "crazy" Richard Stallman on this. They whole mass surveillance business model needs to go, now:
https://www.theguardian.com/commentisfree/2018/apr/03/facebook-abusing-data-law-privacy-big-tech-sur veillance
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Do you think that legislation is the correct solution?
[ link to this | view in chronology ]
Re: Re:
Legislating privacy, though trusting Congress to get that right is really hard to consider, is probably the right way to go about it. A good piece of legislation would require that any data held by any public or private company would have to be purged, and new information only held long enough for say billing purposes. And that data would need to be very very closely held. Government held information would need to be treated differently, but also purged after some amount of time, say a few years.
[ link to this | view in chronology ]
Re: Re: Re:
Sure. Why not? If legilaters aren't going to do it for us...
[ link to this | view in chronology ]
Re: Re: Re: Re:
The why not is if every company is doing it do you really think all commerce will just stop? Gonna stop eating? The grocery stores are as bad as the rest.
[ link to this | view in chronology ]
Re: Re: Re: Re:
For one thing, can you find housing if you don't let a landlord share data with credit rating agencies?
[ link to this | view in chronology ]
Re: come to Jesus moment
Note that this fustercluck was a known evolution to the entire infosec community since the invention of cookies. All of them said "there are better architectures, and this is eventually going to blow up in a severe way.". Marketers, advertisers and other criminals everywhere told them to fuck off with prejudice.
The people who really should be on the shit end of the stick, are MS, Google, the Mozilla foundation etc. Because this all derives known bad systems architecture. It was built broken, with full foreknowledge that it was broken. If there is a crime here, then it was certainly facilitated by the major browser vendors. They've always known WTF was going on, and have always had the ability to say "no" by implementing a more secure architecture. Instead they actually made insecure features "on" by default, and even took the ability to turn them off out of the user interface.
They all competed to be the biggest conspirator in a corporate war on civil rights. The carriers are at fault too, but this has always been a fixable problem within the applications themselves.
Now they are probably all going to start touting their new "privacy features" which will mostly just be a matter of aggregating the data-rape into a few, more powerful, more corrupt companies instead of a million small ones.
The hype is really about market consolidation. It always is. And congress will applaud the move, while it paruses peoples living rooms through their television sets.
[ link to this | view in chronology ]
Re: Re: come to Jesus moment
I agree that the marketoids who think that Brave New World is an operating manual need to be told off here -- as it turns out, one can actually deliver more pertinent advertising to someone by focusing on matching the ads to the content being delivered, not on the recipient. (I get some hilariously off-base ads at times, myself, because the ad-trackers see things that are actually irrelevant from an advertising standpoint.)
BTW: can you name the insecure features you're talking about? Because if you're saying "cookies should never have been implemented", then that's going to be a serious problem for anyone trying to do session management...
[ link to this | view in chronology ]
Re: Re: Re: come to Jesus moment
There are other ways to do session management. But even if there weren't, the only time that you actually should do it, is during the transmission of a contract based data. Whether that is ecommerce, or other terms based services.
If your session tracking outside of a contract based relationship, you are wiretapping. We can use whatever techno babble we want to say otherwise, but ultimately we are aggregating communications without the subjects knowledge or consent. There are statutes that say you can't do that.
The web was never designed to take the UCC into consideration. At the executive level, all of the companies involved with facilitating all of the various crimes we are experiencing today, are acutely aware of this and have been for 20 years. They all played hot potatoe with the problem until an orweillian society was created. And ALL of them have employed people during that period who have been warning of this eventuality for years.
This issue wasn't engineered by the law, though TD often slants in that direction. Sometimes the technology emulates bad law. But sometimes the law emulates bad technology. Lawyers don't waste their time understanding how to build things if they can just steal them. We are just making suckers of ourselves if we think this is ever going to change. So the impetus is on the engineers.
Hopefully it is possible to write a comm protocol, that enforces the rights that the state and the oligarchy refuse to honor.
[ link to this | view in chronology ]
So nothing keeps me from signing up at CanineCaper.com as "Fetcher78", a lovable Labrador with honorable mention for underwater basket retrieval at the Calhoun County Dog Trials.
Then the distemper status of your prize-winning Pomeranian is mine!--to know and to share as I wish.
[ link to this | view in chronology ]
Still Facebook and Cambridge Analytica is nothing compared to GOOGLE!!! You think all those free services are out of the Goodness of their heart? They are in fact #1 an Advertising Company. That is in fact how Google makes MOST of their money!!! Everything you do with Google is kept track of. Everything on your Android phones is tracked. You are spied on 24/7 and there's no escaping it unlike Cambridge Analytica and Facebook. Not unless you flee Android.
I'm sure not surprised by any of this stuff, which is why I limit it to very, very little. I don't throw up personal stuff on my on the Internet. I visit Facebook for a few minutes maybe once a month.
Nothing in life is FREE. Someone, somewhere is paying for it. In these cases, it's YOU. YOU are the product being sold by these companies. In fact, I'm fine with it. It doesn't bother me at all. I know better and so don't use them. Or limit what I do with them. My life doesn't need to be up on social media sites. I don't need to take those Quizzes which is just another way to know you even better.
They offer a service and it has to be paid for one way or another. They are not the Government and so can't legally steal from you.
[ link to this | view in chronology ]
Re:
I'm fine with it. It doesn't bother me at all. I know better and so don't use them.
The bigger issue is not yours and my privacy, it is the ability of government actors and their co-conspirators, to use this data to manipulate society as a whole e.g. by hacking elections.
Same as with the data collected by the spooks. Most people do have nothing really to fear from them personally. But everyone benefits from the actions of whistleblowers and investigative journalists and dissidents that legitimately do have something to fear from bad state actors.
This is not an issue that it is wise to be individualistic about. Mass surveilence of a society can effect us indirectly in a variety of ways, even if we minimize our personal exposure to it.
[ link to this | view in chronology ]
Re:
I like it. My battery lasts long, I can make calls, send and receive SMS and I pay very little per month because I'm not on a data plan.
When I need to use the Internet, I'll come home to my computer. It's safer on my desktop and home network, I've got more control over it and can filter out what I don't want using any number of tools and methods I desire.
Life is good.
[ link to this | view in chronology ]
Re: Re:
I call them "spyphones." I'm still carrying an 11-year-old dumbphone. I know its position can be triangulated by cell towers and that my call metadata, or for all I know the calls themselves, are stored by my cellular provider. I'm still not really happy about that, and it's the hard limit of what I'm willing to put up with.
When my antique phone dies, I may well replace it with a pager. Yes, they're still out there...
[ link to this | view in chronology ]
Barrel?
Gay sailor jokes, now?
[ link to this | view in chronology ]
I wonder how easy it would be to impersonate someone, sign them up to a bunch of gay dating sites, set their HIV status to positive and watch their medical insurance skyrocket once their metadata gets passed around like a whore to enough "third parties".
This is not only frightening for those whose true HIV status is being shared, but also for anyone, anywhere, ever, when you consider that companies consider any data they've purchased in bulk to be truthful.
[ link to this | view in chronology ]
Re:
I can see similar dynamics in predictive policing for a wide variety of crimes.
There is also the issue of retributive media feeds. What happens when companies and/or the state band together to induce vices onto specific sections of society? Or more to the point, all the booze ads, and all the content and advertising that glorifies drug use and prostitution, get vectored at the families of those who are critical of the media vendors or the state?
I'd bet money that that is going on already, and will eventually be leaked.
We know that MkUltra had some success. Ted Kezinskly proved it. Consider hypothetically that the techniques used by the CIA to create the unibomber, are perhaps currently being used in mass media content and advertising. Then answer this question:
"If I was a government that wanted to disarm my well armed citizens, how would I do it?"
You wouldn't try and do it by force. You create a circumstance where the citizens called for disarmorment themselves. And the way you do that, is gaslight a bunch of vulnerable people, until they snap and grab a rifle. Of course this is all hypothetical. We haven't seen anything like that lately.
Conscious decisions are less prevalent than they appear.
[ link to this | view in chronology ]
Someone asked a question about if this would violate HIPPA as they were disclosing a medical condition to 3rd parties without affirmative consent.
There are still guys who will use it b/c they still get laid & don't worry about the bigger picture.
If only there were like laws to require disclosure of what apps gather & where it goes... but instead we have laws to make sure 2 consenting adults can't have sex if money was ever exchanged.
[ link to this | view in chronology ]
Because it's fucking eerie that some people I don't know, whether they are governments or corporations (and in many cases, it means the same) get to know about things that I don't really want to share.
Moreover when their only purpose is to control me, or to suck me dry out of my money and/or other random things they think about.
We talk big about soviets and commies and their control, but we are allowing a control on our privacy that rivals what the russkies did (because of lack of means back then).
Is it better because it's a "private business" doing it instead of a "government"?
In my opinion, both are equally bad. Sure, govs can put you in jail, but companies have the ability to make your life a hell.
Just imagine people being rejected out of a job because they are gay. Or because you're HIV positive.
Yeah, doesn't happen nowadays, eh?
[ link to this | view in chronology ]