On the heels of revealing a new feature promoting HIV testing, a data analysis finds that the app was sharing sensitive information with other companies.
*Updated on 4/04/2018 at 10:31 AM EST
Just days after Grindr (a geosocial networking app geared toward gay and bisexual men to help them meet other men in their area) revealed a new feature that allowed users to opt in to receive automatic HIV testing reminders, a data analysis by an outside Norwegian research firm found that the app was sharing users’ HIV status with 2 other companies.
Since its launch in 2009, Grindr has grown into “the world’s largest social networking app for gay, bi, trans, and queer individuals”; it has upwards of 3.6 million daily active users throughout the world. The app was found to have shared personal information that users included in their profiles (such as HIV status and last tested date) with 2 companies that help optimize apps: Apptimize and Localytics.
Grindr has long promoted HIV awareness, offering information about free testing sites and opt-in reminders for semiannual testing. In the app, users can choose to display an HIV status of “positive,” “positive and in treatment,” “negative,” or “negative and on PrEP,” an option Grindr intended to help foster open dialogue among users. The app also links to a sexual health FAQ about HIV and how to begin treatment.
SINTEF’s data, which was confirmed by cybersecurity experts, disclosed that Grindr shared its users’ precise GPS position, gay subculture, sexuality, relationship status, ethnicity and phone ID with other third-party advertising companies. Unlike the HIV data, this information was shared via plain text, a method that can easily be hacked.
“The HIV status is linked to all the other information. That’s the main issue,” Antoine Pultier, a researcher at Norwegian nonprofit SINTEF, told BuzzFeed News. “I think this is the incompetence of some developers that just send everything, including HIV status.”
According to the analysis, the third parties are not necessarily certified to host medical data.
Grindr insists its sole purpose for sharing highly sensitive health information is an effort to better the app. While it’s not selling data for marketing purposes, it’s offering other companies intimate user information.
“No Grindr user information is sold to third parties,” Scott Chen, chief technology officer, Grindr, told BuzzFeed News. “We pay these software vendors to utilize their services. The limited information shared with these platforms is done under strict contractual terms that provide for the highest level of confidentiality, data security, and user privacy.”
The company claims the contracts with the 2 companies are both standard practice and secure.
“Grindr is a relatively unique place for openness about HIV status,” James Krellenstein, a member of AIDS advocacy group ACT UP New York, told BuzzFeed News. “To then have that data shared with third parties that you weren’t explicitly notified about and having that possibly threaten your health or safety — that is an extremely egregious breach of basic standards that we wouldn’t expect from a company that likes to brand itself as a supporter of the queer community.”
A previous version of this article was posted on MDMag.com.