
LGBTQ+ social app Grindr accused of breaching GDPR

Norwegian Consumer Council files complaints about LGBTQ+ social networking app, alleging it is in breach of the General Data Protection Regulation

The Norwegian Consumer Council (NCC) has filed a series of General Data Protection Regulation (GDPR) complaints against LGBTQ+ social networking app Grindr and a number of online advertising companies, alleging that they have engaged in comprehensive illegal collection and indiscriminate use of personal data.

The complaints come in the wake of a new report compiled by the NCC alongside cyber security company Mnemonic, entitled Out of control, which again highlights how advertising technology companies receive personal data about app users’ interests, habits and behaviour, ostensibly to profile them for targeted advertising, but which can also lead to discrimination, manipulation and exploitation.

“These practices are out of control and in breach of European data protection legislation,” said Finn Myrstad, director of digital policy at the Norwegian Consumer Council. “The extent of tracking makes it impossible for us to make informed choices about how our personal data is collected, shared and used.

“This massive commercial surveillance is systematically at odds with our fundamental rights and can be used to discriminate, manipulate and exploit us. The widespread tracking also has the potential to seriously degrade consumer trust in digital services.”

Max Schrems, founder of European privacy non-profit NGO noyb, said: “Every time you open an app like Grindr, advertisement networks get your GPS location, device identifiers and even the fact that you use a gay dating app. This is an insane violation of users’ EU privacy rights.”

In the case of Grindr, a social networking app that has largely supplanted traditional cruising for gay men by facilitating casual sexual encounters more easily, concerns over the ethicality of personal data collection and targeted advertising are amplified by the fact that many of its users live in jurisdictions where gay people are still legally persecuted.

If data on Grindr users were to leak or be exposed in some way, what might be merely embarrassing for a user in Norway or the UK becomes a potentially lethal threat for a user in Russia or the United Arab Emirates (UAE).

Besides Grindr, the NCC’s complaints under section 77(1) of the GDPR concern five advertising companies – Twitter’s MoPub, AT&T’s AppNexus, OpenX, AdColony and Smaato.

In a response to requests from the NCC and Mnemonic, Grindr said it collected numerous data points on its users. These are chat message text, images (potentially explicit), email addresses, display names, age, height, weight, body type, favoured sexual position, ethnicity, relationship status, “tribes” (bear, twink, jock, trans, etc), “looking for” (chat, friends, right now, etc), gender, preferred pronouns (he, they, etc), HIV status and testing details, profile pictures, linked Facebook data, linked Twitter data, linked Instagram data, location data, IP address, and device ID such as Google Advertising ID.

It shares personal data points including Google Advertising ID (if allowed by user), age, gender and location data.

As an example, Twitter’s MoPub was observed to collect device identifiers such as Google Advertising ID and IP address, location data either through GPS or inferred from IP address, age, gender, detailed device hardware information, app usage information, and information about ads served. In technical testing, it was also found to receive information about device operating systems, the name of the app and the hardware of the device, probably through its software development kit (SDK) integration into Grindr. Computer Weekly understands that Twitter has now disabled Grindr’s MoPub account, pending an investigation.

Note that the linked complaints also contain information about the data collection practices of the other companies involved.


Legal analysis conducted by the NCC and Mnemonic with assistance from noyb (which plans to file its own complaints in Austria soon) suggests that Grindr and the ad companies involved possess data without a valid legal basis, which contravenes sections six and nine of the GDPR. Section nine covers “special categories” of data, which include information on sexual orientation.

Ala Krinickytė, a lawyer at noyb, said: “In the case of Grindr, it seems especially problematic that third parties do not just get the GPS location or device identifiers, but also the information that a person is using a dating app that is described as being ‘exclusively for gay/bi community’. This obviously reveals the sexual orientation of the user.”

James McQuiggan, security awareness advocate at KnowBe4, said: “It is difficult in today's society with social media applications for people to actually read the privacy or end-user agreements and to understand what is happening with their name, address, pictures, contacts and GPS location once the data is entered into, or collected by, an app.

“On a lot of social media apps that are not charging users for their service, the users are undoubtedly the product. Their information is collected and sold off to third-party organisations for revenue for the social media app.

“Some organisations such as Twitter are taking a step in the right direction when it comes to protecting their customers by disabling plugins that violate their privacy terms and are blocking the sharing of information to third parties without permission.”

The NCC urged companies that rely on digital advertising to look towards alternative technologies that rely less on widespread sharing and collection of data.

“The situation is completely out of control,” said Myrstad. “In order to shift the significant power imbalance between consumers and third-party companies, the current practices of extensive tracking and profiling have to end.

“There are very few actions that consumers can take to limit or prevent the massive tracking and data sharing that is happening all across the internet. Authorities must take active enforcement measures to protect consumers against the illegal exploitation of personal data.”

Computer Weekly contacted Grindr for comment but had not received a response at the time of going to press. The app’s full privacy and data protection policy can be read here.
