Bryce Case, Grindr’s head of security, said that sharing information with Apptimize and Localytics is “standard industry practice for rolling out and debugging software” and was done securely to test and optimize the app’s features, such as HIV testing reminders.
“Any information we provide to our software vendors including HIV status information is encrypted and at no point did we share sensitive information like HIV status with advertisers,” Case said in a statement. “As the testing of our feature is completed, any information related to HIV status has been removed from Apptimize and we are in the process of discussing removal of this data from Localytics.”
“The HIV status is linked to all the other information. That’s the main issue,” Antoine Pultier, a researcher at SINTEF, told BuzzFeed. “I think this is the incompetence of some developers that just send everything, including HIV status.”
The findings raised concerns among advocacy groups and cybersecurity experts who told BuzzFeed that the sharing of information could put users at risk, especially if they live in countries that are unfriendly to gay men.
“Grindr is a relatively unique place for openness about HIV status,” James Krellenstein, of the AIDS advocacy group ACT UP New York, told BuzzFeed. “To then have that data shared with third parties that you weren’t explicitly notified about, and having that possibly threaten your health and safety — that is an extremely, extremely egregious breach of basic standards that we wouldn’t expect from a company that likes to brand itself as a supporter of the queer community.”
The revelation also caught the attention of at least one lawmaker.
“Privacy isn’t just about credit card numbers and passwords. Sharing sensitive information like this can put LGBT Americans at risk,” Sen. Edward J. Markey (D-Mass.) said on Monday.
In a piece in the Guardian, British columnist and book author Owen Jones called the data-sharing an act of betrayal.
“It may be a commercial app, but as an LGBTQ app Grindr has responsibilities to the wider communities. That does not include sharing something as profoundly personal (and still stigmatized) as HIV status,” Jones wrote. “If people wish to be open about their status on Grindr, that should be applauded and celebrated. Having an app that wraps itself in the rainbow flag passing on that status to third parties without their consent is a betrayal.”
“One prominent LGBTQ activist put it to me that this was Cambridge Analytica for the LGBTQ communities,” Jones added, using a variant of LGBT where Q stands for “queer” or “questioning.”
Case said there shouldn’t be any comparison between Grindr and Cambridge Analytica, a British data firm that worked for President Trump’s campaign and is now under criticism over reports that it improperly accessed the personal information of tens of millions of Facebook users.
“There is a major difference between a company like Grindr sharing encrypted data with a software vendor to debug its app, and having it harvested from an outside third party like Cambridge Analytica, which is not what is happening here,” Case said.
Founded in 2009, Grindr bills itself as “the world’s largest social networking app for gay, bi, trans, and queer people.” Last year, Grindr became a space for users to freely share their HIV status. The company said it provided users with that option to “foster an open dialogue” about sexual health. Last month, and just a week before the BuzzFeed story was published, Grindr announced a new feature allowing users to receive reminders to get tested for HIV every three or six months.
In a lengthy, point-by-point statement, Scott Chen, Grindr’s chief technology officer, said the company does not sell personally identifiable user information to third parties or advertisers. San Francisco-based Apptimize and Boston-based Localytics, Chen said, are “highly-regarded software vendors” hired to improve the app and “are under strict contractual terms” to ensure user privacy and data security.
“When working with these platforms we restrict information shared except as necessary or appropriate,” Chen said. “Sometimes this data may include location data or data from HIV status fields as these are features within Grindr, however, this information is always transmitted securely with encryption, and there are data retention policies in place to further protect our users’ privacy from disclosure.”
Chen also said that Grindr reminds its users that sharing their HIV statuses on their profiles will make that information public.