Grindr Found to Be Sharing Users' HIV Status With Other Companies

*Updated on 4/04/2018 at 10:31 AM EST

Just days after Grindr—a geosocial networking app geared toward gay and bisexual men to help them meet other men in their area—revealed a new feature which allowed users to opt-in to receive automatic HIV testing reminders, a data analysis launched by a Norwegian outside research firm found that the app was sharing users’ HIV status with 2 other companies.

Since its launch in 2009, Grindr has grown into “the world’s largest social networking app for gay, bi, trans, and queer individuals; it has upwards of 3.6 million daily active users throughout the world. The app was found to have shared personal information (such as HIV status and last tested date) that users included in their profiles to 2 companies that help optimize apps: Apptimize and Localytic.

Grindr has long promoted HIV awareness, offering information about free testing sites and opt-in reminders for semiannual testing. In the app, users can choose to display HIV status ranging from positive to positive and in treatment to negative or negative and on PrEP, an option Grindr intended to help foster open dialogue among users. The app also links to a sexual health FAQ about HIV and how to begin treatment.

Because developers are sending HIV information with users’ GPS data, phone ID, and email, this could identify specific users and their HIV status, which calls into question the company’s users’ privacy policy.

The disclosure of HIV status raises concerns regarding the app’s privacy policy, warning customers that the information that they put in a profile may be revealed. Experts argue that the app should be more specific in its user agreements about how it’s using their data. The company’s policy states: “You may also have the option to provide information concerning health characteristics, such as your HIV status or Last Tested Date. Remember that if you choose to include information in your profile, and make your profile public, that information will also become public.”

SINTEF’s data, which was confirmed by cybersecurity experts, disclosed that Grindr shared its users’ precise GPS position, gay subculture, sexuality, relationship status, ethnicity and phone ID to other third-party advertising companies, which unlike HIV data, was shared via plain text — a method that can easily be hacked.

“The HIV status is linked to all the other information. That’s the main issue,” Antoine Pultier, a researcher at Norwegian nonprofit SINTEF, told BuzzFeed News. “I think this is the incompetence of some developers that just send everything, including HIV status.”

According to the analysis, the third-parties are not necessarily certified to host medical data.

Grindr insists its sole purpose for sharing highly sensitive health information is an effort to better the app. While it’s not selling data for marketing purposes, it’s offering other companies intimate user information.

“No Grindr user information is sold to third parties,” Scott Chen, chief technology officer, Grindr, told BuzzFeed News. “We pay these software vendors to utilize their services. The limited information shared with these platforms is done under strict contractual terms that provide for the highest level of confidentiality, data security, and user privacy.”

The company claims the contracts with the 2 companies are both standard practice and secure.

“Grindr is a relatively unique place for openness about HIV status,” James Krellenstein, member of AIDS advocacy group ACT UP New York told BuzzFeed News. “To then have that data shared with third parties that you weren’t explicitly notified about and having that possibly threaten your health or safety — that is an extremely egregious breach of basic standards that we wouldn’t expect from a company that likes to brand itself as a supporter of the queer community.”

A previous version of this article was posted on MDMag.com.

UPDATE: According to NPR, Grindr admitted to sharing the sensitive data in encrypted form to the 2 companies as part of "standard industry practice for rolling out and debugging software." Grindr responded to accusations on its Tumblr page by writing, "It's important to remember that Grindr is a public forum. We give users the option to post information about themselves including HIV status and last test date, and we make it clear in our privacy policy that if you choose to include this information in your profile, the information will also become public." Hours after this statement, the security chief of Grindr told another news website that the company has since changed its policy and "will no longer provide that information to vendors."