Love Lockdown: Data and privacy issues in dating apps

Kanye West once sang the lyrics “Keep ya love lockdown, you lose”. Ironically, whilst many countries are in fact immersed in a lockdown, these lyrics couldn’t ring more true. In the context of his song, "Love Lockdown", these lyrics can be interpreted in a number of ways. On the one hand, if you never open up to the person you love about your feelings, you may end up not getting the result you want. However, it could also be interpreted as if you do open up to people, it could cause you to get hurt. Let’s apply the latter interpretation in a legal sense. Sometimes, when we share too much information, this can sometimes lead to a bad thing. On the quest to find love, we need to be wary of the data we not only see in front of us but also the data that is collected from us when we sign up to the apps.

Let’s break it down…

What once started off as an organic meet up between two people has now become more constructed and curated with the use of dating websites and apps. If you have not used these apps before, you essentially create a profile with a picture of yourself and information about who you are and what you're looking for. Once your profile is set up, you can then begin to search for other profiles that take your fancy. Swipe right if you're interested; swipe left if you're not. As you can imagine, during the Covid-19 pandemic, this created a surge in new users signing up to dating apps in lockdown in the hopes of seeking a virtual connection in the absence of a physical one.

Given that the main demographic for dating apps these days is ages 18 to 30, it means that a lot of young users are active on the app and younger users often mean more social media handles which then in turn means that more of their personal information is online.

This blog aims to look at data and privacy issues, three popular dating apps and how they've managed their data and privacy; notably Tinder, Bumble and Grindr, and tips to protect yourself when it comes to your own data.

Dating, data and the law

To understand where you stand in terms of your legal rights, all dating apps will come with their own privacy policy. This policy outlines the app's privacy commitments to you as a user as well as what they do with the information you provide. As a general rule, when you sign up to a dating app, the main information you're required to provide is your name, gender, date of birth and contact details such as email address and phone number. In terms of optional personal information you can provide, this can include anything from your sexuality, political views and religious views. But why is this data collected?

Whilst I'm unfamiliar with the US laws surrounding data and privacy, the laws of the UK and EEA mainly rely on GDPR, arguably the most rigid data laws to date. In the context of dating apps and processing personal data, Article 6 of the GDPR sets out the main ways in which data processing may be done lawfully and why your data is collected in the first place; namely that:

1. The user has given their consent for data processing

2. It is necessary for the performance of a contract

3. It is necessary to comply with a legal obligation

4. It is necessary to protect the vita interests of the data subject/natural person

5. It's necessary to perform a task which is in the public's interest

6. It is necessary for the legitimate interests of a business

When it comes to processing of special categories of personal data, such as sexuality and political views as mentioned above, this is set out Article 9 of the GDPR. This states that more sensitive data shall be prohibited from being processed unless the following exceptions apply (in a similar nature to Article 6 above):

1. The data subject has given their explicit consent to this data to be processed

2. It is necessary for the purposes of carrying out their obligations

3. It is necessary to protect the vita interests of the data subject/natural person

4. It is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any not-for-profit body

5. It relates to personal data which is made public

6. It is necessary for legal claims

7. It is necessary for reasons of public interest

8. It is necessary for the purposes of medicine/public health

One fact that many users may overlook is that more often than not, dating apps are transferring user data to other third party companies. This includes information such as a user's location and IP address. You might ask, "But why exactly do other companies outside of the dating app need my personal/sensitive information in the first place?".

On the outset, data sharing may seem a little sketchy, but ultimately, user data is collected so that companies can better understand trends when it comes to a user's engagement and create a tailor-made experience when you log on to the app. For example, if you were based in Manchester, UK and had included that you love dogs in your dating bio, you may come across ads that relate to Manchester and dogs as you swipe. If the majority of your users are also active on Instagram, you may see the occasional Instagram ad pop up too. Once these advertising companies receive the data you provide, they use it to track and generate a user's behaviour and preferences.

Mini Case-Studies on Tinder, Bumble and Grindr

Tinder

Undoubtedly one of the most popular dating apps used, the dating app Tinder roughly has 50 million users worldwide. However, popularity does not always equate to safety. If anything, a popular dating app with millions of users could mean that information is often overlooked.

In early 2020, 70,000 photos of women found on Tinder were found to be shared by an online cyber-crime forum. The reason that these photos were easily hacked were because they were all found in one centralised location which makes it easier for the hacker to focus on one specific part of the app rather than several parts which needed to be hacked. Whilst we aren't aware of the real reason why these photos were hacked in the first place, this was a real wake up call to not only Tinder, but also other dating apps that hold million of users and how they manage their privacy.

Since then, Tinder have kept a pretty good reputation when it comes to their user's data.

Bumble

What separates Bumble from Tinder is that once you get a match, it will then be down to the female to make the first move. If she doesn't, then the match will disappear after 24 hours. Whilst many consider this fact to be a game changer when it comes to female to male interaction, the app has also faced a previous data slip up.

At the end of 2020, articles came out insisting that the app had put it's entire user base at risk when it came to their personal information. Sanjana Sarda, an Independent Security Evaluator at ISE had stumbled across API vulnerabilities. API stands for Application Programming Interface and refers to a software which allows multiple applications to interact with each other. Let's take YouTube for example. You can not only watch this on the official website but can also share the video onto your social media, such as Facebook.

To understand API in the context of Bumble, we need to understand that dating apps have two formats. You can sign up as a normal user who swipes for matches or you can pay an additional fee which will give you premium access to the app and give you additional perks as a user. These perks can include information on the users who have already swiped on you before you've matched with them and how many time your profile was viewed. Essentially, a bug in Bumble's API allowed Sanjana to bypass paying for Bumble's premium services, access every user's personal information and when it comes to API, if a Bumble user had their Facebook or Instagram connected to the app, then Sanjana could access this information as well.

When Sanjana had informed Bumble, it took them some months to rectify this. Whilst they weren't fined or given a penalty, it it's a good lesson to dating apps to carry out further testing on their apps to ensure that their user's personal information is as secure as it can be.

Grindr

Grindr is a dating app that caters to users who are part of the LGBTQ+ community. In Grindr's Privacy Policy, it states that users have the option to include other information including share location and even HIV status. Back in 2018, it was discovered that Grindr had leaked information about users HIV status. This information was provided to Apptimize and Localytics, two companies which help to optimise apps and improve their functionality. At the time, users weren't aware that this data would be shared to third party companies.

As this is seen as sensitive information, many users were naturally furious that this was sent to other companies as they weren't aware this was happening. Grindr responded by stopping the sharing of this information and issuing statement saying that they will never sell personally identifiable user information to third parties or advertisers, especially "information regarding HIV status or last test date". You can read the full statement from Grindr's CTO here.

Earlier this year, the app also faced a fine worth $10m (roughly equating to £7.2m). Data research from Norway shows a handful of dating apps, Grindr included, showed that they were sharing personal information for marketing purposes. The Norwegian Consumer Council discovered that this sharing was done unlawfully as it had violated GDPR, particularly that consent was not valid. This information included a user's location and their involvement in other websites. The reason that these types of data leaks can cause harm to users is that there are still many countries across the world that do not accept homosexuality. In the event that an individual is found to be active on Grindr in a country that forbids homosexuality, this could cause serious consequences for users being traced by location and even worse, harmed.

So, how I can protect myself?

It can be a bit of a difficult feat to reach a happy medium when it comes to your data. Dating apps want your personal information for you to find love, but you don’t want to share too much that users know everything about you. Below sets out tips and advice for dating app users:

• Verified: Many dating apps these days have implemented certain aspects onto their apps to ensure that the profiles are legitimate and safe. One option is to ensure that your profile is verified. To do this, many apps will ask you to take a picture of yourself to see if you match the pictures you have uploaded. Once verified, your profile will include a blue tick next to your name to let other users know that people can trust you. Vice versa, it would be wise to swipe with other verified profiles.

• Sharing vs oversharing: It’s always good to come across as an open person with a lot of information on your profile but one mistake many users make is that they tend to overshare. Oversharing can mean including your social media handles so that users can search you on different platforms. As mentioned above in the Grindr section, it would be wise to think twice before sharing sensitive personal data. Just because oversharing is an option, doesn't mean that option needs to be chosen.

• Reporting: In the event that you match with someone and suspect the person you're speaking to is not who you think they are i.e. a catfish (a user impersonating somebody else), all dating apps have an option to report this profile and provide a specific reason for reporting them. To take this one step further, you can also screenshot their picture and reverse image this on Google to see if they could be impersonating someone.

• Deactivation: If you decide to delete your profile and are still concerned about where your data goes, most privacy policies will stipulate that your data is disposed of. In accordance with Article 17 of the GDPR, you also have the right to have your personal data erased but only if your reason falls under any of the six grounds set out in Article 17.

Final thoughts

Whilst data and privacy may be the last thing on your mind when you’re looking for love, it is something that needs to be given some serious thought. Now we’re not saying that you need to read every privacy policy word for word (although, lockdown has given us more time than usual so if you wanted to, there's no stopping you!), but it would be wise to know about what type of personal information you upload onto your desired dating app.

The digital age aims to innovate but what it also needs to improve on is creating a safe space for people. This is evident from the dating app case studies above. As much as they've innovated and created a name for themselves in the world of online dating, there is still a long way to go when it comes to processing their user's personal data safely and securely. In their defence, because there is no specific data and privacy framework that governs all these apps, this can cause further security and privacy issues.

In the meantime, as a user, please remember that you possess a degree of control of how public and accessible you want to make your dating profile. Truly think about what it is you want to upload and what it is that can be saved for later. After all, isn't the real test when you meet your match face to face rather than screen to screen?

For more information on dating apps, data, privacy and related articles, check out the following links:

• https://www.brookings.edu/blog/techtank/2020/11/20/this-cuffing-season-its-time-to-consider-the-privacy-of-dating-apps/

• https://policies.tinder.com/privacy/intl/en

• https://bumble.com/en/privacy

• https://www.grindr.com/privacy-policy/?lang=en-US

• https://gdpr-info.eu/art-6-gdpr/

• https://decrypt.co/17167/tinders-hack-shows-the-perils-of-centralization

• https://techcrunch.com/2018/04/02/grindr-sends-hiv-status-to-third-parties-and-some-personal-data-unencrypted/

• https://gizmodo.com/70-000-tinder-photos-of-women-just-got-dumped-on-a-cybe-1841043456

• https://www.cnbc.com/2018/04/02/gay-dating-app-grindr-reportedly-shares-user-hiv-status-with-other-companies.html

• https://techhq.com/2020/01/popular-dating-apps-could-be-in-breach-of-gdpr/

• https://threatpost.com/dating-site-bumble-swipes-unsecured-100m-users/161276/

• https://www.bbc.co.uk/news/technology-55811681

• https://medium.com/rakuten-rapidapi/top-10-social-media-apis-twitter-facebook-instagram-and-many-more-5c13262c61fe

• https://www.buzzfeednews.com/article/azeenghorayshi/grindr-hiv-status-privacy#.yp0J48W0N

• https://www.forbes.com/sites/thomasbrewster/2020/11/15/bumble-vulnerabilities-put-facebook-likes-locations-and-pictures-of-95-million-daters-at-risk/?sh=144ec7333ddf