Tinder and other apps

Dating and fertility apps siphon data to advertisers

Image credit: Dreamstime

The Norwegian Consumer Council has found that 10 extremely popular Android apps are sharing user data, including details about sexual preferences, with at least 135 advertising companies.

A report by the council, 'Out of Control: How consumers are exploited by the online advertising industry' [PDF], found that the apps were not just gathering highly sensitive data, but passing it on to many advertising and marketing companies without full user knowledge and consent in what could be violations of European data protection law.

Finn Myrstad, director of digital policy for the Norwegian Consumer Council, told Reuters: “These practices are out of control and in breach of European data protection legislation. It is impossible for users to control this because the terms and conditions are really long and impossible to understand.”

The popular apps investigated for the report are: period-tracking apps Clue and My Days; dating apps Grindr, Happn, OkCupid, and Tinder; prayer aid Muslim-Qibla Finder; free children’s mobile game My Talking Tom 2; makeover app Perfect365; and keyboard app Wave Keyboard. Most of the apps transmit data to unexpected third parties, do not provide meaningful options for reducing data sharing, and have long, complex privacy policies that users are unlikely to read and understand.

Data collected by the apps were often unspecified, but includes sexual orientation, religious affiliation, ovulation, and sexual activity. The investigation saw data transmissions from the apps to 216 different domains, and at least 135 advertising companies.

The study found that dating apps were sharing uncomfortable quantities of personal data; for instance, OkCupid shares information related to sexuality, drug use, and political views with an analytics company.

The report singled out Grindr, the world’s most popular gay dating app, for sharing data with 18 third parties – including Google Crashlytics, Google Firebase, Tencent, Facebook, and Twitter’s MoPub – many of which reserve the right to pass this data on to many others in a “cascading data sharing” process. However, Grindr only lists MoPub as an advertising partner and advises users to read MoPub’s own privacy policy to understand how their data is used. MoPub has more than 160 partners, making it extremely difficult for Grindr users to understand which companies could acquire their personal data.

“Sharing location data for gay people can be risky in certain extreme circumstances,” Norwegian data protection commissioner Bjorn Erik Thon said, in a statement. “There are still some who do not want to be open about their orientation, and there are many countries in the world where being gay carries great risks.”

Grindr attracted controversy in 2018 when it was caught sharing users’ HIV status with third parties. It put an end to sharing health and ‘tribe’ information (e.g.: twink, bear, daddy, leather) following a GDPR complaint from the Norwegian Consumer Council to the Norwegian Data Protection Authority.

The council has filed a complaint against Grindr and the companies receiving data from it with the Norwegian data authority; the authority has stated that it is investigating whether data rules have been violated. The EU’s General Data Protection Regulation (GDPR), which gives Europeans control over their own data, requires companies to disclose data collection, storage, sharing and processing.

According to the Norwegian Consumer Council’s report, the vagueness in Grindr’s privacy policy makes it “impossible” for users to know exactly what they are consenting to, and that by telling users to read the privacy policies of any third parties that receive data, Grindr is offloading accountability in a manner which violates GDPR.

Grindr challenged some details of the report and said that its privacy policy is shared with all users, who have control over what information they include in their profiles. A spokesperson said: “As the data protection landscape continues to change, our commitment to user privacy remains steadfast.”

The council’s report concludes that none of the apps and third parties investigated appear to fulfil the legal conditions for collecting valid consent from users: “Data subjects are not informed of how their personal data is shared and used in a clear and understandable way, and there are no granular choices regarding use of data that is not necessary for the functionality of the consumer-facing services.”

Concerns about how personal data is collected and shared without the knowledge and consent of the individuals have intensified since the Cambridge Analytica scandal, in which it emerged that the personal data of 87 million Facebook users had been collected and used to create political ad targeting tools based on psychological profiles.

“On a lot of social media apps that are not charging users for their service, the users are undoubtedly the product,” said James McQuiggan, a security awareness advocate at KnowBe4. “Their information is collected and sold off to third-party organisations for revenue […] only in recent years are governments finally taking action.”

In response to the report, a group of US civil rights and consumer groups (including Public Citizen, the Center for Digital Democracy, and the ACLU) have called for state and federal regulators to investigate the apps over their data sharing practices.

Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.

Recent articles