
Research: Grindr Is Sharing HIV Status Data With Third Parties

Research done by the Norwegian nonprofit SINTEF revealed that Grindr, a gay dating application similar to Tinder, has been sharing highly sensitive information such as HIV status data with at least two other companies.

Grindr’s Privacy Leaks

On February 7, SINTEF conducted an experiment for a local Norwegian show to analyze privacy leaks in the Grindr dating application. That’s when the nonprofit discovered not only that Grindr was using many trackers, but also that it was directly sharing user data, including its users’ HIV status, with two other companies.

According to SINTEF, sharing the HIV status with analytics companies was unnecessary and those companies were not certified to hold medical data. Additionally, Grindr users were likely unaware that this sort of information was shared with third parties.

Unencrypted Sharing

Grindr wasn’t just sharing highly sensitive information with other companies; it was also doing so via unencrypted channels. That means other malicious groups or governments may have been able to acquire that sensitive information about Grindr’s users, too.

These groups could have been listening on networks to discover who is using Grindr (and therefore learn about their sexual preferences), where the users may be located during the day, how they look, what they like, and what they browse. All of that information could have been exposed because of Grindr’s poor data protection policies.

Existing Privacy Policies Are Not Enough

All of these recent leaks and stories of abused data policies seem to show us that it’s not okay for companies to pretend that users who installed their apps and use them must have agreed to all the terms of these companies’ privacy policies.

The reality is that the vast majority of users will never read or understand these legal documents. Therefore, either companies will need to have a higher standard for consent, or the U.S. government may need to follow in the European Union’s footsteps with its own protection law that requires proper consent from users before companies are allowed to collect or share certain types of sensitive data with third parties.