On Monday, the news website Buzzfeed released a story revealing Grindr , the gay hookup app, was sharing personally identifiable information, including HIV status information with third parties. Grindr is one of the most popular gay hookup apps on the market, with over 3.6 million daily active users. Buzzfeed learned that Grindr was sharing certain pieces of user information with two companies, Apptimize and Localytics, companies that operate in the background to help Grindr optimize their user experience. (Note: In a statement, Grindr have said they will no longer be sharing HIV status information with third parties).
Later the same day, Grindr released a public post to address the story and set out four points intended to clear up any misinformation around Buzzfeed’s story. Rather than admitting they had made mistakes and laying out how they would address them, they took a defensive approach, shifting responsibility onto their users. Here I will discuss these four statements and unpack them in an attempt to understand what went wrong.
1. Grindr has never, nor will we ever sell personally identifiable user information – especially information regarding HIV status or last test date – to third parties or advertisers.
It is important to be honest with users about what information is being shared, who this information is being shared with, and for what purpose. Grindr states here that they never sell personally identifiable user data to third parties. However, they do not address non-identifiable data. Non-identifiable data is the same data but anonymized. What does this mean? Simply put, it means the same data but with any uniquely identifiable attributes, such as your name or your e-mail address removed. Non-identifiable data is still very valuable, but history has shown us that it can often be de-anonymized when correlated with other data sets. Whilst Grindr and similar companies give reassuring messages to users that their personally identifiable information is not sold, more transparency is needed around non-identifiable data. How is it shared? With whom? And for what purpose? And importantly, how is it protected to prevent it from being de-anonymized in the future?
2. As an industry standard practice, Grindr does work with highly-regarded vendors to test and optimize how we roll out our platform. These vendors are under strict contractual terms that provide for the highest level of confidentiality, data security, and user privacy.
3. When working with these platforms we restrict information shared except as necessary or appropriate. Sometimes this data may include location data or data from HIV status fields as these are features within Grindr, however, this information is always transmitted securely with encryption, and there are data retention policies in place to further protect our users’ privacy from disclosure.
Social media companies share data with third parties. There is a whole industry that runs behind large companies like Grindr which support them in various different ways, from analytics helping them improve their software, to payment system allowing them to invoice customers. It is important to recognize the value of these third parties. In many ways they are the hidden companies of the Internet, we use their services each day but few of us have ever heard their names. Ever heard of Cloudflare? Probably not, but I could almost guarantee that you have used their services multiple times today without realizing it. If we are to accept that sharing of personal data with third parties is valuable and here to stay, how can companies like Grindr share user data without violating privacy expectations? Firstly, they need to move away from the current “better to beg for forgiveness than to ask for permission” model of managing user data, especially in Grindr’s case where begging is replaced with blaming.
Going forward, perhaps social media companies could employ a simple privacy rule when evaluating decisions related to users’ personal data. “If a user would be surprised by how their personal data is being used, something is broken”. No user should ever be surprised by how their data is being shared, however legally compliant the sharing of that information is. Users should be appropriately informed prior to consenting to how their data is being used and clearly Grindr’s current model is broken. After all, companies should be applying an ethical test, as well as a legal test to their data sharing practices.
4. It’s important to remember that Grindr is a public forum. We give users the option to post information about themselves including HIV status and last test date, and we make it clear in our privacy policy that if you choose to include this information in your profile, the information will also become public. As a result, you should carefully consider what information to include in your profile.
Grindr is not a public space. To gain access to a Grindr profile, you must sign up with an account, provide a verified e-mail address, and agree to Grindr’s terms and conditions, which include their privacy policy. Once inside the Grindr app, a reasonable expectation exists around who can view the information on a profile. For example, people outside of Grindr are unable to view profiles and a profile is usually limited to people who are geographically close by. The mass transfer of user information to third parties (which includes HIV status information) falls well outside these expectations. Simply stating that Grindr is a public space fails to consider the norms and expectations of its users. It implies fault and responsibility with the user, rather than Grindr. Whilst users should consider what they disclose on their profiles and take personal responsibility where they can, there are limits to this. Users can only evaluate the cost and benefits of disclosing information if they are being appropriately informed about how their data is being shared with others.
Grindr suggested to its users that they should have read the privacy policy and been more careful when considering what information they disclosed in their profiles. However, it is often difficult for users to evaluate the potential future cost of agreeing to these often complex privacy policies. These policies require users to agree to 100% of their terms or be locked out of the service, and for some users, Grindr is an integral part of their sex and social lives. Disagreeing with the policy and being locked out is not a viable option for some. Finally, are we really expecting users to read every privacy policy they encounter? In a research paper by Lorrie Faith Cranor and Aleecia McDonald from Carnegie Mellon, it was estimated that the average person would need to spend just under 1 month each year to read every privacy policy they agreed to. And it’s not just the time it takes to read all these policies. Our circumstances are constantly changing which can impact on our willingness to share certain information with others. This is no truer than for men who are diagnosed with HIV. Being told that Grindr shares HIV status with third-party apps may not be of much concern for someone who is HIV negative, but for a recently diagnosed man, this can be an extremely sensitive piece of information. Should we really expect people to go back and review previously agreed to privacy policies when their life circumstances alter?
I don’t know the reason behind Grindr’s decision to share their users’ HIV status information with third parties. Perhaps it allowed them to make more appropriate advert targeting, avoiding insensitive adverts for HIV testing and PrEP to HIV positive users. Whatever the reason, Grindr has failed to be transparent with its users and has taken no responsibility for this failing. Grindr has built a community, and in order for it survive it must respect the privacy of that community which means considering both the legal and ethical aspects to data sharing. It needs to be open and honest with users on how their data is being used, otherwise it will lose their trust. Once trust is gone, even begging will not help.