Grindr, a popular dating app for gay men, on Wednesday announced that it will no longer share its users' HIV data with third-party companies—the latest chapter in a growing dialogue about companies relying on years-old user data sharing practices.
About the controversy
Last year, Grindr made it possible for users to share their HIV status if they chose to, and announced a new feature that reminds users every three or six months to get tested for HIV. But on Monday, Buzzfeed reported findings that Grindr had shared users' HIV data, their GPS location, and other potentially sensitive information, such as sexuality, relationship status, ethnicity, and phone IDs, with two third-party analytics companies, Apptimize and Localytics.
A nonprofit group in Norway first raised alarms about the practice, and it alleged in a complaint to Norwegian authorities that Grindr's practices had violated European data privacy laws for health data.
Grindr Chief Technology Officer Scott Chen clarified that the company does not sell user information to third parties, but said it works with vendors to improve the app and had paid "these software vendors to utilize their services." He said, "These are standard practices in the mobile app ecosystem. ... The limited information shared with these platforms is done under strict contractual terms that provide for the highest level of confidentiality, data security, and user privacy."
Chen in a statement also wrote, "It's important to remember that Grindr is a public forum. ... You should carefully consider what information to include in your profile."
But the Buzzfeed report and Grindr's response prompted immediate backlash from advocacy groups, cybersecurity experts, and some lawmakers.
James Krellenstein, from the AIDS advocacy group ACT UP New York, said, "Grindr is a relatively unique place for openness about HIV status. To then have that data shared with third parties that you weren't explicitly notified about, and having that possibly threaten your health and safety—that is an extremely, extremely egregious breach of basic standards that we wouldn't expect from a company that likes to brand itself as a supporter of the queer community."
Sen. Edward Markey (D-Mass.) said, "Privacy isn't just about credit card numbers and passwords. Sharing sensitive information like this can put LGBT Americans at risk."
Cooper Quintin, senior staff technologist and security researcher at the Electronic Frontier Foundation, said, "Even if Grindr has a good contract with the third parties saying they can't do anything with that info, that's still another place that that highly sensitive health information is located." He added, "If somebody with malicious intent wanted to get that information, now instead of there being one place for that—which is Grindr—there are three places for that information to potentially become public."
Grindr changes data-sharing policy
Following the criticism, Grindr on Wednesday announced that it will no longer share its users' HIV data with third-party companies.
Brian Case, Grindr's head of security, said, "As the testing of our feature is completed, any information related to HIV status has been removed from Apptimize and we are in the process of discussing removal of this data from Localytics."
However, Case continued to defend Grindr's original practice, saying, "Any information we provide to our software vendors including HIV status information is encrypted and at no point did we share sensitive information like HIV status with advertisers" (Phillips, Washington Post, 4/3; Ghorayshi/Ray, Buzzfeed, 4/2; Singer, New York Times, 4/3; Huet, Bloomberg, 4/2).