Grindr Has Been Sharing Users’ HIV Statuses With Third Party Companies

Chances are high that you’ve used Grindr or know someone who has. The v popular app allows users to choose from a few options when it comes to disclosing their HIV status — positive, positive and on HIV treatment, negative or negative and on PrEP. A report from Buzzfeed News says that Grindr has been sharing this info and “last tested date” with two third party companies: Apptimize and Localytics.

Along with this info, third party apps also receive GPS data, emails and phone IDs. According to Antoine Pultier, a researcher at the Norwegian nonprofit SINTEF, which first saw this issue, anyone could access this data — including hackers and governments.

“The HIV status is linked to all the other information. That’s the main issue,” Pultier told BuzzFeed News. “I think this is the incompetence of some developers that just send everything, including HIV status.”

But Grindr reckons it uses these two companies to make things better for its users. “Thousands of companies use these highly-regarded platforms. These are standard practices in the mobile app ecosystem,” Grindr Chief Technology Officer Scott Chen told BuzzFeed News. “No Grindr user information is sold to third parties. We pay these software vendors to utilise their services.”

“Grindr is a relatively unique place for openness about HIV status,” James Krellenstein, a member of AIDS advocacy group ACT UP New York, told BuzzFeed News. “To then have that data shared with third parties that you weren’t explicitly notified about, and having that possibly threaten your health or safety — that is an extremely, extremely egregious breach of basic standards that we wouldn’t expect from a company that likes to brand itself as a supporter of the queer community.” Exactly.

And it’s a particularly scary thing because Grindr has already had a massive security breach when C*ckblocked, an app that allowed Grindr users to see who had blocked them, pulled everyone’s personal data including private messages, location data (even if users switched location services off, and other identifying information.

“It allows anybody who is running the network or who can monitor the network — such as a hacker or a criminal with a little bit of tech knowledge, or your ISP or your government — to see what your location is,” Cooper Quintin, senior staff technologist and security researcher at the Electronic Frontier Foundation, told BuzzFeed News.

“When you combine this with an app like Grindr that is primarily aimed at people who may be at risk — especially depending on the country they live in or depending on how homophobic the local populace is — this is an especially bad practice that can put their user safety at risk,” Quintin said.

“Even if Grindr has a good contract with the third parties saying they can’t do anything with that info, that’s still another place that that highly sensitive health information is located,” Quintin said. “If somebody with malicious intent wanted to get that information, now instead of there being one place for that — which is Grindr — there are three places for that information to potentially become public.”

Of course, users can decide what information they disclose on the app. And while there’s a moral difference between disclosing something to a community, and disclosing something to companies who have the ability to sort and compile data, there’s evidently not a legal one.

Be careful.