Grindr, “the world’s #1 FREE mobile social networking app for gay, bi, trans, and queer people to connect,” has been caught selling the private HIV statuses of all its members to private companies, Engadget reports.
BuzzFeed News and Norwegian non-profit SINTEF first reported Grindr’s policy of sharing private users’ HIV statuses with two app optimization companies, Apptimize and Localytics. The data is attached to user information including email addresses, GPS information and phone IDs. An intruder could potentially hack this information and link specific people’s identifying data with their confidential health information.
The data Grindr was sharing, without user permission, covered an extensive range of information, including gay subculture and lifestyle habits, relationship status, precise GPS locations, and other personal information. Some of the information was shared in plain text, making it easier to hack.
In a statement to BuzzFeed, Grindr’s CTO Scott Chen said the company was following “standard practices” for sharing app data and that it doesn’t sell private information to third parties. Apptimize and Localytics are under “strict contractual terms,” which restrict them from sharing data, Chen added.
But the problem, Engadget notes, is that Grindr is storing sensitive information on servers it doesn’t control. It states, “Users may be willing to make their HIV statuses public, but that doesn’t mean they want to share those statuses with corporate partners, no matter how above-board those partners may be.”
Spreading private information to other companies likely increases the risk of it being hacked. Engadget points out that people are already anxious about data sharing in light of the Cambridge Analytica scandal. This case involved the company collecting Facebook friends’ information without their consent.
In an interview with Axios, Grindr’s security chief Bryce Case said the company stopped sharing private information with third parties and disagreed with comparisons between its policy and the Cambridge Analytica situation.
Should they be providing users’ HIV status as a public service to others?
Does privacy law trump the public’s safety and right to know?