Grindr, OKCupid Selling Personal Information to 3rd Party Sparks Controversy Drew Wilson | January 30, 2020 If you are concerned about your personal information and have used OKCupid or Grindr, your information may be in the hands of a third party. When it comes to highly sensitive information, some types tend to be more sensitive then others. Not many would dispute the idea that things like sexual preferences, sexual identity, and love interests can rank pretty high up there in terms of sensitivity. In an investigative report published by the Norweigian Consumer Council (NCC), sites like Grindr and OKCupid were flagged for their handling of personal information flowing through their networks. That report was followed up by another report on Ad Age which says that Twitter was announcing the suspension of Grindr pending an investigation into user consent concerns. From the report: The new report, commissioned by the Norwegian Consumer Council, alleged that Grindr transmitted personal information on its estimated 3 million daily users worldwide to ad tech partners, including Twitter’s MoPub, which is a mobile ad network that helps apps make money by filling their ad inventory. The report also names other advertising platforms OpenX and AppNexus, which help brands bid on ads through platforms like MoPub to appear on apps like Grindr. AppNexus is a part of Xandr, the advertising and analytics division of AT&T. “Twitter’s MoPub managed data transmissions that included personal data of a Grindr user,” according to researchers from Mnemonic, a Norwegian security firm that studied the app and ad tech partners. “Simultaneously, a number of other third parties were observed receiving personal data directly through their SDK integrations in the Grindr app.” The dating app caters to the gay community and could collect personal details on sexual preferences, gender identity and health issues. Grindr was accused of sharing data like age, gender, location, and device information with Twitter’s MoPub. After the report was made public, first reported in The New York Times, Twitter said it would investigate how Grindr obtained permission from users to share their data, which is at the heart of the complaint. “We are currently investigating this issue to understand the sufficiency of Grindr’s consent mechanism,” a Twitter spokeswoman said in an e-mail statement. “In the meantime, we have disabled Grindr’s MoPub account.” The New York Times also highlighted potential problems with other dating apps, like OK Cupid and Tinder, sharing personal information with marketing partners. U.S. privacy watchdogs have since called for regulators and lawmakers here to investigate dating and health apps, based on the reports findings. The Electronic Frontier Foundation (EFF) criticized the development, but didn’t just blame the services. They also suggest that the Twitter owned ad network also shares some of the blame. From EFF: Let’s be clear: Grindr was in the wrong. It built a platform that encourages people to be exceptionally open with sensitive, potentially dangerous personal information, then it invited third-party advertisers to harvest and share much of that data with impunity. Twitter likely hopes to paint Grindr as an anomaly, a single bad actor misusing its tracking technology which will be disciplined appropriately. But Twitter’s suspension of Grindr is hypocritical: Grindr was using Twitter’s ad tools almost exactly as intended. Moreover, Grindr is just one of over 55,000 apps using MoPub to collect and share data. When we formulate policy responses to the privacy violations exposed by the NCC report, we need to focus on the adtech systems like MoPub that enable companies like Grindr. MoPub operates in the vast, convoluted, opaque ecosystem of personal data collection and sharing that powers modern adtech. To understand how that ecosystem works and where Grindr and MoPub fit in, we need to talk about real-time bidding, or RTB. RTB is the automatic, milliseconds-long data-sharing frenzy that occurs whenever you see a third-party ad on one of your devices. First, an app developer, like Grindr, decides it wants to monetize its app. To do so, it partners with a Supply-Side Platform (SSP) like MoPub. SSPs are companies that app developers and website publishers hire to sell their advertising space. When you install the Grindr app on your phone, part of what you get is a big chunk of code from MoPub, called a software development kit (SDK). After some initial configuration, Grindr leaves the details of sharing data and serving ads up to MoPub. When a user opens the Grindr app, code from the MoPub SDK kicks into action. The process looks like this: The SDK gathers as much data as it can about the user’s phone. This may include the phone’s advertising ID, its precise GPS-derived location, and data from Grindr itself, like age and gender. The app directs the user’s phone to send all this information to MoPub. MoPub links the data it got from Grindr with what it knows about the user from other sources. This includes the 55,000 other apps that use MoPub, such as The Weather Channel app, Ubisoft games, and Ask.fm. MoPub packages this data into a “bid request,” a standardized dossier about the user that includes device ID, location, gender, age, and interest keywords. MoPub sends the bid request to dozens or even hundreds of demand-side platforms (DSPs). DSPs are companies which advertisers hire in order to target and serve their ads, such as Criteo, Rocketfuel, and AppNexus. You may not have heard of them, but those and hundreds of other DSPs have probably handled a lot of your personal information. MoPub partners with over 130 different DSPs, listed here. Each DSP that receives the bid request can link the included device ID to its own profile of the user, or purchase additional information about the user from data brokers like LiveRamp. Each DSP submits a bid to serve an ad to that particular user at that particular time. MoPub determines the winning bidder and notifies all participants in the auction. The winning advertiser serves its ad to the user’s phone. Often, the ad itself allows the advertiser to collect even more information directly from the device. All of this happens in a fraction of a second. MoPub boasts that its software reaches over 55,000 apps and 1.4 billion devices worldwide. So while Grindr’s actions definitely violated users’ privacy, it was using MoPub as intended. Twitter’s suspension of Grindr’s ad account pending “investigation” is an attempt to deflect blame, and lawmakers shouldn’t be fooled. MoPub is still operating at full tilt, harvesting and sharing sensitive personal data in at least 54,999 other apps. Dating sites have a long history of privacy issues. Sometimes, the policies over how you can delete your own account remain unclear. In some instances, profiles are not deleted, but instead, get placed in a dormant status. Of course, this is far from the only privacy concern raised in the past about dating and hookup websites. With such a high profile report being published by an organization operating in Europe, that also raises the question over whether or not there could be General Data Protection Regulation (GDPR) enforcement. As we’ve noted several times in the past, an aspect about the laws could get these companies to pay attention. That is the fact that penalties can rack up to the tune of a percentage of annual global turnover. Unlike maximum fines in the past, such penalties do have the potential to sting companies that fail to comply with the law. Whether or not such enforcement is on the horizon for these sites remain to be seen, though. Still, if anything, these latest reports suggest that privacy issues still remain problems in the sector. This latest development could only further confirm some people’s fears that their personal information on such sites are not necessarily as safe as one might think on first blush. Drew Wilson on Twitter: @icecube85 and Facebook.