Future Tense

Security Flaws Show Grindr Still Isn’t Taking Gay Men’s Safety Seriously Enough

[Photo: The 'Grindr' app logo is seen amongst other dating apps on a mobile phone screen. Leon Neal/Getty Images]

Grindr, the world’s largest gay dating app, made headlines Wednesday thanks to the discovery of a security flaw that exposes users’ location data, even for users who decline to share that information. The bigger problem is that this type of issue was also discovered in 2014. And 2015. And 2016. And 2017.

The specifics of each exposé have varied—the weaknesses have been revealed by the concerted efforts of concerned cybersecurity specialists and by high-profile incidents involving unwitting victims of the exploit alike. But in that time, the central issue has remained the same: Grindr makes it possible for third parties to gain alarmingly unfettered access to the locations of gay men in 234 countries and territories*, including some where homosexuality is criminalized. The company’s halfhearted solutions have all had simple workarounds, and determining users’ whereabouts is still a relatively easy task. In the absence of prolonged public scrutiny, there just hasn’t been enough pressure forcing it to commit to a more comprehensive overhaul.

Other dating apps have been in this position before. Tinder’s lack of encryption was written about in March of 2017 and still hadn’t been resolved almost a year later. For the most part, dating apps have been able to weather these scandals without addressing the problems that caused them, thanks to how ingrained they are in their users’ daily lives. (In Grindr’s case, upward of 3 million check in every day.) The attorney of one victim of the vulnerabilities described Grindr as an “ostrich with its head in the sand,” and to be honest, it’s easy to see why: It’s a strategy that has so far served the company well. In a post–Cambridge Analytica world, however, there may finally be enough outrage to force a lasting fix.

Today’s news comes from Trever Faden,* the creator of C*ckblocked, a service designed to show Grindr users who had blocked them on the dating app. Users who connected their Grindr profiles to the third-party website unwittingly revealed far more than they’d intended, Faden said—including their exact location, even if they had opted out of location sharing within Grindr itself. Grindr responded quickly, releasing a patch that prevented access to data on which users had blocked each other, and Faden shut down C*ckblocked. But it’s an exceptionally narrow solution that doesn’t resolve any of the other concerns Faden brought to the company’s attention.* And while Faden told NBC that he had not shared or collected any other user data, the nearly 50,000 users who signed into C*ckblocked in the space of a few days also inadvertently gave him access to unread messages, email addresses, and deleted photos. Without an interface that limits what a third-party app can reach, for instance by issuing it a scoped access token instead of full access to the account, another plugin could still do the same.

Just as Facebook’s cavalier approach to data sharing was built into its API, Faden characterized the easy access to location data as “a feature, not a bug.” The former’s recent scandal, and the accumulating bad press, may be the wake-up call that both developers and users have needed to prompt real action with regard to what is often an abstract problem, albeit one with real consequences. So far, though, it’s unclear whether individuals’ increasing awareness of the need for vigilance will be enough to prompt the necessary change from within.

These security issues are particularly important in countries where being LGBTQ can put you in danger. As Norman Shamas recently wrote in Future Tense:

We don’t want to perpetuate a shame culture or create digital closets. But all individuals should have the opportunity for informed consent. Platforms have a responsibility to provide users with information about the specific risks they may take using their technologies and reasonable features that can mitigate some of those risks.

Fortunately, unlike Facebook, Grindr is pretty easy to replace—so until it starts taking privacy seriously, the best advice for gay men might simply be to use SCRUFF instead.

*Correction, March 29, 2018: This post originally misstated the number of countries and territories where Grindr is used: It is 234, not 232. This post also originally misspelled Trever Faden’s first name.

*Correction, March 31, 2018: This post originally misstated that Grindr transmitted users’ location data unencrypted. Grindr has since issued Slate a statement saying that that report, based on an NBC News article, was incorrect. A spokeswoman for the company stated that all geohash information is encrypted, and that “information (including location) transmitted in the app cannot be intercepted by malicious parties even on public WiFi.”