Online dating platforms: privacy challenge and open-data goldmine


Open user data provided by online dating sites can be a blessing and a curse. With more people turning to them during lockdown, the risks to privacy are being exacerbated.

With Covid-19 restrictions still in place and Spring approaching, many Brits are turning to online dating sites as a way of getting back into the mating game.

A user poll on British online dating platform Bumble suggested many started using it after a pandemic-related breakup. User behaviour also shifted. There is now a trend to leave more data on these platforms.

User analytics for some platforms suggest messages sent back and forth have grown longer and more frequent since the start of the pandemic. That helped the valuations of platforms like Bumble and its plans for a public debut, in which it was reported to be seeking to raise more than $1bn.

In the open data world, online dating apps pose both risks and advantages. Needless to say, increased interest is a boon for the operators of these sites. For users, the benefits in times of social distancing and limited personal interaction seem obvious, too. Instead of meeting people in bars that are now shut, technology helps singles to connect.

Users can set up elaborate profiles and charm the other sex via Tinder, Bumble, Hinge, OkCupid, Once, or flirt with the same sex via Scissr, Grindr or Her.

All these platforms are now laden with extremely sensitive private user data. A paper on unexplored open-source intelligence data sources in the journal IEEE Access put it this way: “Unlike other social networks, where many users restrict their personal details, more intimate aspects are usually revealed in here. Tinder or Badoo are useful for investigating the background information, personal character, interests, preferences or behaviour of the target.”


Such open data can have advantages for transparency and help protect singles who are unsure who is reaching out to them. Open data investigators and citizen journalists can use it to feel safer after verifying that the person they are flirting with is genuine.

An example is Tinder, for which people have started to write open-source intelligence guides. Even without a profile, these allow you to query usernames via the URL. Using DuckDuckGo, for its ability to respect users' privacy, you can search for a username. As people often use their real name as their username, anyone with browser-access can have a go. Search for http://tinder.com/@<Username> and then play around with the search query. False positives are possible, so keep this in mind.

Nonetheless, the data, which is a photo (or multiple photos), a name, an age, and an occupation, is often enough to verify an identity. Reverse image and facial search platforms, as well as facial comparison platforms such as Microsoft’s Facial image tool, can connect the dots to other open-data repositories on the web. There are also Exif data tools that can be used on images to examine the GPS location of where they were taken. ExifTool is one example, but be aware that scammers can embed fake data, too.

To verify an identity with a name there are websites like WebMii411.com or Social Catfish that can help. If you have an email address, you can perform a reverse email lookup and target dating sites.

Open data from other open repositories allows us to perform 'rough' background checks. One such tool is Truthfinder.com, which makes it possible to add information on individuals based in the US. 

Dating site users can also check free databases such as the US National Sex Offender lists, for which there is a UK equivalent, the convicted sex offenders list.

There are risks associated with making such data public. Bad actors or stalkers, as a blogger explains here, may actually write code to have a bot program cycle through various variants of usernames – in this case, a name containing a number, like Ashley1, Ashley2 and so on.

Hackers and impersonators could use the data or the image for nefarious causes. Tactics involving con artists and catfishers during lockdown isolation have increased in Hong Kong's online dating market, the BBC reported.

Anyone with the knowledge could write code to query open-data APIs from dating platforms and geolocate other users. A Python tutorial which explains 'for educational purposes' how to do this for Tinder warns that it gives user location information to all other users and is “dangerous to the privacy of users”.

The open data would allow anyone [with a verification token accessing the Tinder API] to abuse the data for malicious purposes, which “seems a big issue as we live in a period where stalking on the internet is a serious problem,” the blogger writes.

Users might try to spoof their location on Tinder by using an emulator like Genymotion that allows them to access GPS settings and change locations on the go. There is also Bluestacks which does a similar job.

Why would anyone want to do this? Manipulating your Tinder location may allow you to reveal military personnel's position at secret or isolated military bases. Setting the GPS on your phone to the location where you expect your target to be can allow you to identify soldiers on a specific military base (if they use Tinder locally, that is). It might be one reason why the Indian army now prohibits its personnel from using platforms like Tinder (see a leaked list from last year, below).

A Python library called Pynder is a client for the Tinder API. Its authors warn that recorded requests may contain personal data.

One final thought is how to address these privacy issues. Examples such as the Ashley Madison data breach show data is at risk of being exploited and shared freely. Maybe less surprisingly, it also shows that there is a high percentage of fake accounts on these platforms.

Open data can be a blessing and a curse. It is a boon if you want to verify whether the person you are flirting with is real. It's often a curse when it comes to your own privacy. What’s the answer to the dilemma? A start would be to hold dating apps accountable for encouraging oversharing. Writing for Forbes, cybersecurity columnist Joe Gray criticised that “the [dating] sites may ask questions that are too invasive or possibly enabling that level of oversharing”. This is something dating site operators need to work out, even if it means being a turn-off for some users.
