Recently, another worrying case of international data leakage has been uncovered. On this occasion the company involved is responsible for Grindr, a social network aimed at facilitating contacts among the gay community through its popular mobile application.
It is focused on the male homosexual community and currently has more than 3.6 million active users around the world. The objective of this application is to facilitate dates in person among users from this community through shared information, chats, geolocation, photos, etc. It is available for both Android and iPhone.
Alarm spread when it was discovered that the company shared with other companies information as sensitive as whether the user is a carrier of the HIV/AIDS virus and the date on which the last medical test for it was performed.
What happened?
Sintef, a Norwegian foundation dedicated to research and security in various fields, detected and published that Grindr shared sensitive information on its users, including location and/or HIV status, with some companies hired to optimize its software and with other advertising companies. It also did so without applying any type of encryption to the data, which would allow anyone who intercepted the information to read it.
This application requires data such as name, email, age, etc. from its users. Moreover, as additional non-mandatory information, it is also possible to provide the HIV status and the date on which the last analysis was performed.
The application has a tool to notify the user when the next HIV test should be performed, and this information can be configured as public or private. Surely many of these users have trusted the privacy of the application and have accepted this service because they found it interesting. In addition, declaring this status in these types of environments is key to offering transparency about what kind of relationships can be had.
The problem is that this information was also shared with third parties, which has once again set off alarms about privacy on social networks. With all the information collected it would be extremely easy to identify specific users. This is not only a loss of privacy for the people affected but also a potential risk, given that this is a group of people prone to attacks and hate crimes in various regions of the world.
What can we do?
The truth is that if we are users of this social network and believe that our information may have fallen into the hands of third parties, we can do little or nothing.
Perhaps the most prudent thing is to check whether we have included this information and remove it as a precaution. But in reality, the same applies to any other social network of any kind, where we provide a lot of information for free.
The advisable thing would be to enter only the personal data strictly necessary for the service to operate and to avoid giving non-required information, or simply to lie.
As of May 25, 2018, the new European Data Protection Regulation becomes effective. This regulation will be applicable to companies around the world as long as their users are European citizens. Had this data leakage happened after its entry into force, the penalty for Grindr would have been 20 million euros or 4% of its annual turnover, whichever of these amounts is larger.
We hope that the companies responsible for social networks and other Internet services take note and henceforth apply all measures necessary to ensure the privacy of personal data collected.