The dating/hook-up app Grindr is sharing the HIV status of its roughly 3.6 million daily users with two other companies.
On the platform that caters largely to queer men, Grindr users can share what their status is using an “HIV status” category where they can put if they’re positive, negative, being treated, etc. Grindr has also long promoted sexual health, even recently implementing a feature that will regularly remind users to get tested for HIV.
But now Buzzfeed News reports that the Norwegian nonprofit SINTEF discovered that companies Apptimize and Localystics, which reportedly help optimize apps, were receiving users’ HIV status, along with other highly specific information like users’ GPS data, phone ID, sexuality, relationship status, and email address. And all of that information together, if leaked beyond these companies, could potentially endanger users if they’re not fully out with their status.
“When you combine this with an app like Grindr that is primarily aimed at people who may be at risk — especially depending on the country they live in or depending on how homophobic the local populace is — this is an especially bad practice that can put their user safety at risk,” Cooper Quintin, a senior staff technologist and security researcher at the Electronic Frontier Foundation, tells Buzzfeed.
While Grindr’s chief technology officer defended the choice to use what he referred to as “highly-regarded platforms,” the data sharing still makes Grindr users vulnerable, especially data as sensitive as someone’s HIV status. And while users might feel comfortable sharing that specific information with Grindr, it’s not clear enough in the app’s privacy policy that their personal information could potentially be shared elsewhere.
Just a few days ago, NBC News reported that a security flaw in Grindr was revealed after a man named Trever Faden created a site in which users could see who blocked them on Grindr. After users entered their username and password, Faden gained a bunch of users’ data like unread messages, photos, and email addresses. Shortly after Faden exposed the security loophole, Grindr told NBC News it had changed its system to prevent that kind of access.