
When I asked Tinder for my data, it sent me 800 pages of my deepest secrets - Cbasedlifeform
https://www.theguardian.com/technology/2017/sep/26/tinder-personal-data-dating-app-messages-hacked-sold
======
thestephen
"Some 800 pages came back containing information such as my Facebook “likes”,
my photos from Instagram (even after I deleted the associated account)"

It's going to be interesting to see how Tinder tackles the 2018 EU General
Data Protection Regulation in 2018 and how things will play out in courts and
practice.

For example, are you allowed to store information that I have chosen to
unlink? Will Tinder have an easy way to export the data without having to
settle to long email conversations, as there is a right to data portability?
If so, in what format will this data be presented?

~~~
slamdance
I think worst case (best case?) scenario is that they will 'copy' the data
they're not supposed to keep off to another country, _maybe_ anonymize it but
otherwise the data will still be there. Its too important - even in anonymized
form. Its capable of helping sociologists, medical researchers, advertisers,
etc... They don't need to know that "James. T. McLovin' of 123 Happy Lane,
went on 15 dates and slept with 3 women, prefers brunettes", but knowing that
a "John Doe, M, 27, income of $50k, likes rugby, etc..." is good information
to have.

~~~
nicktelford
The country the data resides in is irrelevant. If the data is about an EU
citizen, that's all that matters.

I believe the company in question would also need a legal entity in the EU in
order for the EU to prosecute them, as I don't think you can take (e.g.) an
American company to an EU court. IANAL though.

~~~
slamdance
eh. Maybe. If they copy the data to a 3rd party in America (i.e. sell the data
a marketing company, for "research" purposes), then the EU can't really go
after the marketing company. I'm not saying it's right. I don't see why they
couldn't anonymize the data (morally or ethically). But, I don't own a
marketing company.

~~~
vidarh
If a company based in the EU is transferring the data to a 3rd party in
America without appropriate safeguards to ensure said data is treated in a way
that complies with EU law, then the transfer itself is unlawful, and the EU
can go after the company for that.

------
dejawu
I got fed up with Tinder's Android client and reverse-engineered their API
(this was back when the Android security model let you use mitmproxy). Two
things stood out to me:

1\. The AI was kind of hacky. Updates were done by polling rather than push.
There were a lot of unused fields - for example, "remaining likes" would hang
at 100 until the likes were used up, then it would go straight to 0.

2\. They tracked absolutely every action you took and sent it to a different
server from the API requests. Opening settings, opening your own profile,
opening someone else's profile - it was all logged. They knew exactly what you
were doing in the app and for how long.

It wouldn't surprise me nowadays if this is standard practice but it was eye-
opening to see it happening firsthand.

~~~
wackro
Number 2 is standard. In my experience It's a form of logging more than a form
of data collection.

~~~
firloop
What's the difference between logging and data collection?

~~~
gknoy
I work on a web application, and would love to have some metrics which I would
consider "logging". The distinction I would make is,

\- Data collection is about learning things about your users \- Logging is
about learning what your users were doing when Something Went Wrong.

Obviously, there's a _ton_ of overlap here, in that a lot of (all of?) the
info one uses collects for one purpose could be used for the other. As a
developer of the UI, however, my main concern is not about learning more about
our users (our UX people already do that), but rather about understanding what
happened, or which features are actually being used (so that we can know if
they are safe to prune).

~~~
slaymaker1907
In reply to and0, you also need to keep in mind that companies alao might need
to know which behaviors did NOT cause a crash to figure out the root cause of
a crash as a sort of control group.

------
donquichotte
> A few months earlier, 70,000 profiles from OkCupid (owned by Tinder’s parent
> company Match Group) were made public by a Danish researcher some
> commentators have labelled a “white supremacist”, who used the data to try
> to establish a link between intelligence and religious beliefs.

The guy's name is Emil Kirkegaard and the paper and data is still available. I
skimmed the paper and have no idea why he was labled a "white supremacist", or
by whom. ("some commentators", really? Is this journalism?)

[EDIT]

paper:
[https://openpsych.net/files/papers/Kirkegaard_2016g.pdf](https://openpsych.net/files/papers/Kirkegaard_2016g.pdf)

dataset:
[https://www.reddit.com/r/datasets/comments/4jj53i/here_is_a_...](https://www.reddit.com/r/datasets/comments/4jj53i/here_is_a_mirror_for_the_okcupid_osf_emil/)

~~~
pdehaye2
Hi, I am the person who is cited in the article and who helped Judith get
access to her data. If you are interested in the OKCupid story, Judith also
wrote about this in more details, also with my input.
[https://www.letemps.ch/sciences/2017/04/07/laboratoire-
fake-...](https://www.letemps.ch/sciences/2017/04/07/laboratoire-fake-science)

~~~
donquichotte
Thanks for the clarification.

Just a brief look on the titles of the Kirkegaard's other publications seems
to confirm that he appears to have a deep interest in immigration, genetics,
crime and IQ. One of his independent papers even mention cranial volume, which
sounds vaguely familiar:
[https://en.wikipedia.org/wiki/Scientific_racism#Craniometry_...](https://en.wikipedia.org/wiki/Scientific_racism#Craniometry_and_physical_anthropology)

------
zoltaan
I always felt a bit silly logging in to Facebook in a private browser window
in every other week, many times through a VPN. Also not sharing much more than
jokes and cartoons or memes. Not to mention my absense from the hip social
web, including Tinder, but many more as well.

I don't feel silly anymore. :)

(btw: my name is not zoltaan ;) )

~~~
beager
Outliers such as yourself won't do much to curtail the practice of companies
amassing identifiable, weaponizable, and often undersecured data about their
users. And because the data is valuable and there have been few regulations
put in place to balance that value with the burden of responsible handling,
those companies will continue to collect more and in more creative ways,
whittling away at your creative maneuvers to avoid it.

In my estimation, this is a good first step, but privacy has to be a feature
of the system, not just a heavy shield you carry through it.

~~~
lordCarbonFiber
I just don't see the doom and gloom. You say "weaponizable" but even the worst
offenders for oversharing aren't giving facebook information that seems that
bad? Compare the data talked about in this article (likes, jobs, dating
preferences) to data that already is public knowledge and avaliable to
_everyone_ : (assuming US) how much you payed in property taxes, where you
live, what your phone number is, which political party you're registered to
vote in (depending on the state this might also be linked to your telephone
number or even last 4 SSN), all documents related to any companies you may
have incorporated. Your _public_ data footprint is far more expansive than the
tiny slice companies like tinder and facebook have. The only reason they don't
bother linking to the public realm is that personal data (unaggregated) is
worthless from the prospective of "building models to sell adds".

------
zokier
I think Tinder specifically has far better grounds for having all this data
than most tech companies. After all it is their core function to try to match
people, and to do that well you need to know the people.

~~~
emodendroket
I wouldn't go so far as to say they _need_ all this data. The service could
work fine with just self-reported preferences and profiles if you wanted it
to.

~~~
throw-away-8
Self-reported preferences and experimentally observed preferences are not the
same.

~~~
emodendroket
I agree, but I don't know that that is such an impediment that the app
wouldn't be usable.

------
turc1656
It just dawned on me that Tinder is basically the new and improved version of
Zuckerberg's original creation - Facesmash. Except Tinder can do so much more
than that. And amusingly, Tinder is hailed as a great app while Facesmash was
decried as a way of dehumanizing and objectifying people. My, how far we have
come.

~~~
blevs
I think a big part of that is people consent to being on tinder.

~~~
dopamean
Absolutely. That also says something about the difference in the times.
Zuckerberg forced people onto Facemash probably because he thought it would be
easier than getting people to sign up voluntarily.

------
avenius
I'm somewhat curious about the verification process here. Wouldn't this be a
prime target for would-be blackmailers?

------
anc84
I wonder what Snapchat would return. All the messages ever? Regardless of
their pretend volality? Someone please try it, I don't have an account.

~~~
ronnier
Rumor is that snap keeps messages in google cloud compute encrypted. When
messages are expired or read by the user, they just delete the encryption key.

~~~
emodendroket
Why would they do that? Keeping around a bunch of blobs nobody can decrypt
seems like a huge waste of resources.

~~~
sanxiyn
I suspect the same reason PostgreSQL has VACUUM. Immediate deletion can be
expensive, and deletion can be cheaper if done in batch. On the other hand,
they want to make it immediately unreadable. Deleting key seems to be a good
way to make something immediately unreadable while avoiding expensive
immediate deletion.

~~~
emodendroket
OK, yeah, if we're talking about some sort of tombstone operation I get it; I
thought the claim was the nefarious overlords of Snapchat were keeping the
data around, which was harder to understand.

------
fny
Wow--there's some pretty intense SEO in the slug for that URL: tinder-
personal-data-dating-app-messages-hacked-sold

~~~
vanderZwan
They're all keywords relating to the topics discussed in the article, aren't
they?

I wouldn't be surprised if it was auto-generated from keywords that the author
can assign to their article.

------
y04nn
I just downloaded a 16GB archive from
[https://takeout.google.com/settings/takeout](https://takeout.google.com/settings/takeout)
I'm impatient to see what it contains.

Update: I have forgotten to unselect Google Photos and GMail, that's what
takes most of the space.

------
Overtonwindow
Dating websites are, quite possibly, worse for our privacy than any social
network ever invented. Consider this: A website like OkCupid can go much
deeper than Facebook in understanding who you are, and what makes you tick.
This is invaluable to marketers, and the government for that matter. I avoid
dating websites because whose to say this data can't be used by others, such
as insurance, employment, or the police? The following exchange from the
television program "Person of Interest" I think is quite telling, albeit
tongue in cheek, as to this threat:
[https://www.youtube.com/watch?v=DPirWp2oAJ4](https://www.youtube.com/watch?v=DPirWp2oAJ4)

------
wakkaflokka
How would an individual get access to their data without a lawyer?

~~~
pdehaye2
Email Chommy, the data protection robot: Chommy@PersonalData.IO

------
hexadecimated
I think the more interesting question would be, how much data do they retain
on you if you close your account?

~~~
imron
All of it?

~~~
adrian1973
It sucks that you are probably correct.

My own biggest issue with data retention is not that these companies collect
all this data (they need to for their business models to work) but that they
keep all of it, forever, regardless of whether it could possibly still be
relevant to any business purpose (such as chat conversions from a decade ago).

~~~
sanxiyn
I actually think chat conversation from a decade ago would be quite relevant.
One baseline recommendation system is "people who bought X also bought Y".
Consider "people whose conversation is in cluster X generally liked people in
cluster Y". If chat conversation can be usefully used to cluster users for
better matching (and I think it can), it would be valuable to keep even if
content is of no interest.

~~~
adrian1973
> even if content is of no interest.

Can't they just keep (at most) the metadata?

~~~
sanxiyn
As a data scientist, I think losing actual words would be a loss. Words would
be only used by word embeddings like word2vec, but actual words let you switch
to better word embedding later.

------
kristianp
It's scary that this data can be kept for years without the user being aware
of it. If this data was breached it would be worse than Ashley Madison. I
suggest there should be laws that say users should be given the option to
delete data older than x months selectable by the user. It seems obvious that
sensitive data should not be kept indefinitely after following
[https://haveibeenpwned.com](https://haveibeenpwned.com) .

------
aaronhoffman
In the EU, when I ask for my data, do I have rights to "views" of my profile?

------
jacquesm
The Ashley Madison hack [1] will look like a walk in the park if and when
Tinder gets breached.

[1]
[https://en.wikipedia.org/wiki/Ashley_Madison_data_breach](https://en.wikipedia.org/wiki/Ashley_Madison_data_breach)

------
forgottenpass
Aside form the ethical considerations of long term storage, what is tinder
doing with all this data if they can't even keep the bots off the service?

~~~
colecut
I think they just don't try to keep the bots off...

------
spodek
I can't believe Eben Moglen's FreedomBox isn't a bigger project. It would help
solve a lot of these problems.

[https://en.wikipedia.org/wiki/FreedomBox](https://en.wikipedia.org/wiki/FreedomBox)

[https://freedomboxfoundation.org](https://freedomboxfoundation.org)

~~~
mynewtb
While I love that project I don't see how a tinder-like dating app would work
on it.

------
midgetjones
This is terrifying

~~~
imron
Only if you've got something to hide, right? /s

~~~
dvhh
/"swipe right" ?

To be fair, this article is a vulgarization of what "tech-savvy" internet user
already know.

~~~
d33
"/s" means "sarcasm"

------
NiklasMort
tip for starters: never ever use your real identity for online services if not
absolutely necessary

~~~
emodendroket
That seems a little hard to navigate on a dating app.

~~~
NiklasMort
Why? Lot of people use aliases or nicknames. I never had issues doing that.

~~~
emodendroket
I'd have to imagine it'd put some people off.

~~~
NiklasMort
Never had that, actually lot of people don't use their real names on dating
sites or even FB. And if someone asks you say its for privacy reasons, people
do understand. Look at Okcupid, its all nicknames there ;) same goes for other
sites. Same goes for Apps.

------
vectorEQ
what can i say... welcome to the internet? ;D

------
spullara
It seems really dangerous that you can ask for and get this data en mass. How
do they really verify it is you? Can that be easily social engineered?

------
Jdam
Tl;dr Tinder stored her messages and pics and she was embarrassed reading them
again.

~~~
npsimons
Shit, if I dig deep enough in Usenet or my email archive (going back to the
nineties!), I can easily find some cringe worthy things written by me. It's
actually rather humbling and enlightening.

------
nomoarcookies
Tinder is like GNU social, no actual conversations. Fake news

------
teetermld
880 matches holy shit, that has to be 8x as much as the average guy. Life must
be so easy.

~~~
thunderman10
That's around 220 matches a year since shes had the app, so like 18 matches
per month for four years...

She matched with a new guy every two days basically, and he mentioned she only
sent 1700 messages since she started. That's almost two average messages per
match before getting bored and moving on.

With that much abundance of choice, I guess you could say life is nice and
easy for the author.

~~~
emodendroket
Well, you could say that, but is it true? Perhaps the post-match experience
isn't necessarily very good, and anyway I'm not sure raw quantity maximizes
anything normal people care about.

~~~
doktrin
The going stereotype about Tinder is that most men (all but the most
attractive) match poorly while most women (all but the least attractive) match
well - but that (again, most) women nonetheless experience a lack of
communication post-match.

~~~
michaelchisari
Women have more matches, but a worse experience. Men have less matches, but
the matches they get are better.

Which is better, getting 1,000 matches in a day, when 999 of them are people
who just swiped right no matter what, or who are downright rude, aggressive or
poor communicators?

Or getting 2 meaningful matches in a day from people who actually want to meet
you and might be a good fit for a relationship or friendship?

The first is just a bunch of noise with no signal. The second is preferable.

And plus, I'm a guy and I would easily get 3 or 4 matches a day when I was on
Tinder. It's not like men are completely ignored on it. I'm hardly a
supermodel, but nice pictures and a well-written profile can go a long way on
online dating. Plus living in a high-population city.

~~~
emodendroket
I've never used online dating and, barring some kind of calamity, won't ever
be dating again, so I'm working only with second-hand experience. But what you
say makes some sense for sure.

------
grecy
I assumed everyone used a fake FB profile for Tinder... is that not the case?

~~~
wingerlang
I doubt even 0.1% of their users does that.

