Two Democratic senators sent letters to the popular gay dating app Grindr on Tuesday, asking for detailed information about how they handle sensitive user data. Letters also went to Apptimize and Localytics, the two analytics companies that Grindr sent its users' HIV status data to.
“Simply using an app should not give companies a license to carelessly handle, use, or share this type of sensitive information,” the letter, written by Sen. Edward Markey of Massachusetts and Sen. Richard Blumenthal of Connecticut, stated. “Grindr and those with whom it shares its users’ sensitive information has an obligation to both protect this data and ensure users have meaningful control over it.”
BuzzFeed News reported on Monday that Grindr was sharing user-submitted information about their HIV status with Apptimize and Localytics as part of routine operations of their app. The HIV information is sent together with users’ GPS data, phone ID, and email, causing concern that it could potentially identify specific users and their HIV status.
Late on Monday evening, Grindr responded to public outrage by saying it would stop sending this sensitive information when the new version of its app is released. But the company also said it was being unfairly targeted.
"It's being conflated with Cambridge Analytica," Grindr's chief security officer, Bryce Case, told BuzzFeed News, stressing that the HIV data was shared securely, was never sold, and met industry standards. "I will not admit fault in the regard that the data was used."
Grindr also shares its users’ precise GPS position, “tribe” (meaning what gay subculture they identify with), sexuality, relationship status, ethnicity, and phone ID to other third-party advertising companies. Unlike the HIV data, this information is sometimes shared via “plain text,” which has raised alarm among some security experts.
Grindr's promise to stop sharing HIV data was not enough to assuage concerns from the senators, both members of the Senate Commerce, Science, and Transportation Committee.
“Grindr’s actions don’t negate past behaviors," Markey's office told BuzzFeed News. "The oversight of this egregious privacy violation includes full details of what occurred and for how long. The only way to stop this type of privacy violation from occurring again is to know how it was exploited in the first place."
The letter to Grindr sent Tuesday was addressed to Yahui Zhou, who has been Grindr's interim CEO ever since the China-based gaming company Kunlun Group fully acquired the gay dating app in January.
The senators asked Grindr to clarify the company's privacy policies, including whether it gets users' "affirmative opt-in consent" to use, share, or sell sensitive profile information, what security requirements they impose on third parties, and how they work to de-identify user information that's shared outside the company.
"We welcome the questions about our policies and always look for opportunities to improve," Grindr said in a statement to BuzzFeed News. "As always, the trust of our users is the foundation of the Grindr network, and we are committed to maintaining that trust that we have established since Grindr started in 2009."
Letters sent to the CEOs of Apptimize and Localytics asked them to clarify their data security practices. Those companies did not immediately respond to a request for comment.
This story has been updated with a statement from Grindr.
Azeen Ghorayshi is a science reporter for BuzzFeed News and is based in New York. Her PGP Fingerprint is 672A 7C08 9443 A95F 9D85 78FB 91EB 9C30 B197 5963.
Contact Azeen Ghorayshi at firstname.lastname@example.org.
Got a confidential tip? Submit it here.