Incognito — June 2022: Dating Apps and Your Data

Welcome to the June 2022 issue of Incognito, a monthly newsletter from DeleteMe that keeps you posted on all things privacy and security.

Here’s what we’re talking about this month:

• Digital dating. Catfishing, romance scams, and harassment—these three things are synonymous with online dating apps. Yet the privacy risks of using apps to find love are often overlooked. 
• Recommended reads including “Cybercriminals Can Hack People’s Accounts Even Before They’re Created.”
• Q&A: Is there any way to automatically reject cookies? 

And more!

If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter.

When it comes to online dating apps, the choice is limitless. There are obviously the usual suspects like Tinder, Bumble, and Grindr. But there are also apps that only work one day a week, promise to introduce you to your celestial match, or cater exclusively to people with beards (or those looking for beards). 

Facial hair preferences aside, almost all dating apps have one thing in common: your data privacy is not their priority. 

Date Wanted. Must Share Own Data

When, several years ago, the French journalist Judith Duportail asked Tinder to see what kind of data they had on her, she was sent an 800-page report. It contained everything from the age rank of men she showed an interest in to what words she used the most.

Seeing all this data made Duportail cringe, as she said in an article for The Guardian. But she wasn’t the only one who had access to it. 

• Dating apps need personal user data to personalize their experiences. However, the information you share on dating apps (or that dating apps infer about you) can often also be accessed by other users, third-party services, and even random strangers. 
• So, while your data can influence your matches—and potentially help you find the love of your life—it can also leave you open to targeted advertising, doxxing, and identity theft. It can even affect your car insurance quote or the type of job offers you get on LinkedIn. 

What Do Data Apps Know About You?

Data apps/sites have access to the information you share with them. On Tinder, this includes, at a minimum, your phone number or Google/Apple account, name, date of birth, sexual orientation, location, and two photographs of yourself (i.e., the information required to create an account).

Of course, most dating apps encourage you to volunteer more information about yourself, like your ethnicity or hobbies. Your activity within the app/site (for example, whom you interact with) also provides valuable information. If you link your social media accounts to a dating app, the app will also have access to data on that social media profile. 

Scarily, some dating apps can even control your smartphone. For example, Christian Mingle can disable your lock screen and take control of your phone’s flashlight. 

A recent study found that dating apps are some of the worst offenders when it comes to collecting personal information (here’s a report listing the most data-hungry dating apps out there). Few dating apps provide clear information about what users consent to when they sign up for an account. 

Dating Apps Are Not Faithful Data Partners

Here are just some of the ways the data you share on dating apps may be shared with other parties and abused. 

1. Stalkers and other malicious individuals can use location-based dating apps to find out where users live, work, and socialize. In 2021, location data from Grindr was used to oust a priest.

2. Sensitive user information can end up in the hands of analytics companies. In 2018, Grindr shared users’ HIV status along with identifying data with two companies that help optimize apps. 

3. Researchers and other individuals can scrape data from dating apps and sites for their own uses. A programmer scraped 40,000 profile pictures from Tinder to create a facial dataset in 2017. That same year, Danish researchers publicly published the information of 70,000 OkCupid users, including their location and the type of relationship or sex they were seeking. Asked if they considered anonymizing this data, one of the researchers said,  “No. Data is already public.”

4. Dating apps also allegedly share users’ information, like their locations, political beliefs, and sexual orientation, with advertisers and data brokers. For example, Grindr sold location data to ad networks from 2017 to 2020, and most dating sites have advertising trackers. Some dating apps also prompt users to take sponsored surveys from marketing partners in return for premium features as a way to diversify revenue streams.

5. Security flaws in dating apps and sites can expose user data to the whole internet. A few years ago, a bug in the gay dating app Jack’d made users’ private photos available to all. Similarly, a Tinder vulnerability allowed researchers to take control of users’ accounts with only their phone numbers. In 2021, a data breach of MeetMindful.com leaked the data of 2.28 million users.

Ways to Protect Your Privacy On Dating Apps

To start with, use the *Privacy Not Included guide by the Mozilla Foundation to determine how creepy a dating app/site is before you sign up for it. Spoiler alert: out of 24 apps in the guide, a whopping 21 have the “*Privacy not included” warning label. 

When you’re signing up for an app/site, be careful about the type of data you share. 

• Don’t share your full name (use your first name or nickname), home address, phone number, or email address.

• Avoid disclosing any other personal information, like where you went to school or your place of work. In 2017, Kaspersky researchers ran an experiment to see if they could match users to their social media pages based on the information someone shared about their job and education on one of three dating apps. They were successful in 60% of cases. 
• Don’t use photos from social media, as this makes it possible for people to do a reverse image search and find you elsewhere online.

Above all, remember that whatever information you share on a dating app/site (or any app/site for that matter) will likely end up elsewhere. 

Recommended Reads

Our recent favorites to keep you up to date in today’s digital privacy landscape. 

DuckDuckGo Browser Doesn’t Block Microsoft Trackers

The privacy-focused internet search engine DuckDuckGo is under fire for not disclosing that it allows Microsoft trackers to continue running in its mobile browser even though it blocks trackers from Facebook and Google. This is a result of a search syndication agreement between the two companies. DuckDuckGo was quick to clarify that while Microsoft can track your IP address and other information, it’s not linked to a user advertising profile. 

Cybercriminals Can Hack People’s Accounts Even Before They’re Created 

Due to security flaws in popular websites like Instagram and LinkedIn, hackers can break into people’s accounts before they’ve even registered for a service. As long as hackers know their victim’s email addresses, they can create an account in their name and then use various different methods to place that account into a pre-hijacked state. Once the victim is using the account, the attacker can take over.

Mastercard Wants You to Pay with a Smile or a Wave

Mastercard is launching a Biometric Checkout Programme that will let in-store customers make payments with a wave of the hand or a smile into a camera. According to Mastercard, the new payment system will speed up queues. It is also more hygienic. A pilot version has gone live in five supermarkets in Sao Paulo, Brazil. Further tests will also likely be carried out in Asia and the Middle East. 

Data Marketplace Sells Data On People Who Use Period Tracking Apps

A data marketplace has been found selling information on people who have downloaded period tracking apps like Clue, Period Calendar Period Tracker, and Planned Parenthood Direct. Although the data sold doesn’t include information about menstrual cycles, it does include device information. Privacy experts worry that this could potentially be used to identify people who have gotten pregnant, had a miscarriage, or had an abortion.

You Asked, We Answered

Here are some of the questions our readers asked us last month.

Q: What should I do with an old email account that I no longer need/use?

A: You can do one of two things with an old email account: 

1. Change your password and turn on multi-factor authentication 
2. Delete it.

Over the last decade or so, countless data breaches have exposed millions of records. Therefore, the chances that someone got ahold of your email username and/or password are quite high. 

With older accounts you don’t use, you may not immediately notice that someone has broken into your email, gone through messages in your inbox, taken control of your other accounts, or even used the address itself to impersonate you. 

For this reason, if you choose to keep your old email address, you should, at the very least, change the password for it AND enable MFA (FYI, you should really do that for all your important accounts). You can also “devalue” your email account by downloading all of the messages in your inbox and deleting that data from the cloud.

However, a better option is to delete an email account (or, really, any account) you no longer use. Just make sure you know what your old email address is linked to so you don’t lock yourself out of important services or accounts. Here too, it’s a good idea to download your emails if there are any important messages or attachments you might want to keep. 

Note that if you delete your Yahoo account, you will delete your ENTIRE account, including Flickr, Skype, etc. 

Q: Is there any way to automatically reject cookies? 

A: There are a number of browser extensions that can automatically decline cookies on your behalf:

• Consent Manager by PrivacyCloud rejects cookies when and if possible, flagging sites that do not let it do so (Chrome, Firefox)
• Consent-O-Matic is an open-source browser extension that responds to cookie pop-ups for you with your preferences (Chrome, Firefox). 
• I don’t care about cookies is probably the most popular. It blocks or hides cookie pop-ups, but when the site requires them to function, it will accept cookies for you (depending on what’s easier, it may accept all or necessary cookie categories). (Chrome, Firefox).

Back to You

We’d love to hear your thoughts about all things data privacy.

Get in touch with us. We love getting emails from our readers (or tweet us @Deleteme or @Abine).

Share with friends! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.

Let us know. What are your thoughts on dating app privacy? Are there any specific data privacy topics you’d like us to explore in the upcoming issues of Incognito? 

That’s it for this issue of Incognito! Stay safe and we’ll see you in your inbox next month.