A Norwegian consumer group said its research found “serious privacy infringements” among popular dating apps and the advertising firms that buy their user data (at least one of which involves Twitter, its report found).
On Tuesday, the Norwegian Consumer Council published a collaborative report which found that dating apps such as Grindr, Tinder and OkCupid may be leaking users’ personal data to advertising and marketing firms in violation of the European Union’s General Data Protection Regulation (GDPR) rules, some of the strongest such laws ever enacted.
The report was written with help from researchers Wolfie Christl of Cracked Labs and Zach Edwards of Victory Medium, with legal expertise from the privacy NGO noyb and technical testing performed by Andreas Claesson and Tor E. Bjørstad of the cybersecurity company Mnemonic.
Overall, the government-funded nonprofit described the current data-sharing situation as “out of control” based on research it commissioned from Mnemonic, focusing on 10 popular Android apps, as the Associated Press reported Tuesday.
According to the council, those apps sent user data to at least 135 different advertisers or other third parties whose business involves behavioral profiling — in some or all cases, without giving users a viable way to opt out.
Among other things, the group wrote, “This audit showed how the Twitter-owned adtech company MoPub is acting as an advertising mediator in Grindr, facilitating transmissions containing personal data from Grindr to other adtech companies. These MoPub-mediated transmissions included the combination of the unique identifiers such as the Android Advertising ID and the IP address.”
The council also said it has filed formal complaints with Norway’s data protection authority against Grindr, the Twitter-owned mobile advertising platform MoPub and four ad tech firms.
A representative for Twitter commented by email that the company has disabled Grindr’s MoPub account while it is investigating the issue “to understand the sufficiency of Grindr’s consent mechanism.”
A spokesperson for Grindr commented by email, “User privacy and data security is, and always will be, a high priority for Grindr. Examples of this commitment include sharing our revised privacy policy in its entirety to every Grindr user in order to gain their consent and provide even greater transparency about [our] privacy-forward practices … So while we reject a number of the report’s assumptions and conclusions, we welcome the opportunity to be a small part in a larger conversation about how we can collectively evolve the practices of mobile publishers and continue to provide … an option of a free platform.”
“None of the apps provided the information necessary for the consumer to make an informed choice when launching the apps. Furthermore, we found a near complete lack of in-app settings to regulate or prevent the sharing of personal data with third parties … If the consumer does not want their apps to transmit personal data to commercial third parties, the only option is often not to install the apps in the first place.”
Match Group, which owns Tinder and OkCupid, commented in an emailed statement: “Privacy is at the core of our business. Unlike other tech companies whose model relies on the sale of personal information, ours is subscription-based and reliant on engendering trust and a great experience for users. Tinder and OkCupid use third party providers to assist with technical operations and providing our overall services, similar to all other apps and online platforms.”
“For example,” the statement read, “OkCupid uses Braze to manage communications to its users about its services. We only share the specific information deemed necessary to operate our platform, in line with the applicable laws including GDPR and CCPA.”
The full report, part of an investigation into numerous companies’ privacy practices in Norway and elsewhere, is available here.