
Grindr Shares Personal Information With Third-Parties - tjwds
https://github.com/SINTEF-9012/grindr-privacy-leaks
======
JumpCrisscross
Even within its confines, Grindr's data are rich for blackmail. (Consider:
images and messages sent and received within 100 feet of Capitol Hill.) It was
recently acquired by an offshore billionaire [1].

[1] [https://www.bloomberg.com/news/articles/2016-01-12/china-tec...](https://www.bloomberg.com/news/articles/2016-01-12/china-tech-billionaire-buys-control-of-us-gay-dating-app-grindr)

~~~
rdtsc
Yikes. Combine this with the Chinese OPM hack, where extremely personal data
for most government employees with security clearance has been stolen, and
they have a blackmail goldmine on their hands.

[https://en.wikipedia.org/wiki/Office_of_Personnel_Management...](https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach)

They can verify what has been reported on sf-86 vs what might be found from
this service. Any affairs or issues not reported are ripe for blackmail.
Possibilities are endless as they say.

~~~
jimmy1
Why is this a blackmail goldmine? I am ignorant of Grindr, but what I have
heard it is basically Tinder but for gay men. Would Tinder be blackmail data?
It's hook ups and relationships, dating, etc, no?

~~~
rdtsc
> but what I have heard it is basically Tinder but for gay men. Would Tinder
> be blackmail data? It's hook ups and relationships, dating, etc, no?

Absolutely when cross-referenced with information from OPM database. Employee
with TS/SCI clearance working on a <military project X> hasn't reported
his gay affairs (that his wife might not know about even). The
Chinese find out, approach him and make him an offer "Look buddy, how 'bout we
become friends. You just tell us what you know and we'll give you some money
and most importantly keep quiet about your meeting with your secret partner on
such and such dates or places?"

~~~
crankylinuxuser
And that's why lack of blackmailability is one of the biggies on clearance
applications.

Or, "Let's not become friends. You can tell my wife. She thought it'd be fun to
do that!" aaaaand so much for that blackmail. And just don't forget to tell
the security officer that someone tried funny shit.

~~~
rdtsc
Normally yeah, nothing wrong with the lifestyle as long as it is declared and
is known and no fear of it being exposed. Except that the Chinese got their
hands on the OPM database so they can tell what is declared there and what isn't.
If they didn't disclose these things there, they'd still hopefully run to the
security officer and report but they might think again since they'd be in
hot water as well for lying before.

------
josecastillo
It might be worth making another post to highlight an additional concern: this
repository itself appears to leak profile images of many Grindr users. The
raw-data folder includes nearly 14,000 files, including many ads and scripts,
but also thumbnails of many user profiles. This file[1] for example, once you
strip out the HTTP headers, is a JPEG that shows the legs and gym socks of one
user. This one [2] shows a user's bare torso.

I would link to others, but most of the ones that I've found include clear
views of users' faces, sometimes clothed and sometimes shirtless. In some
cases it looks like the photos were taken in their homes. It's ironic that in
exposing Grindr's mishandling of users' personal data, this party appears to
have mishandled personal data themselves.

[1]: [https://github.com/SINTEF-9012/grindr-privacy-leaks/blob/mas...](https://github.com/SINTEF-9012/grindr-privacy-leaks/blob/master/raw-data/raw/2992_s.txt)

[2]: [https://github.com/SINTEF-9012/grindr-privacy-leaks/blob/mas...](https://github.com/SINTEF-9012/grindr-privacy-leaks/blob/master/raw-data/raw/3006_s.txt)

~~~
tallanvor
Since SINTEF is based in Norway, it's certainly possible that my profile
picture is somewhere in there, and that really pisses me off. I'm out and have
no problem with people knowing that I'm gay, but I shouldn't have to deal with
"researchers" pulling this type of crap.

~~~
zeth___
Are you happier with teens in Slovakia pulling this type of crap? If it isn't
locked down someone has already scraped it and saved it forever. That you
don't see most of the data being stored about you means nothing.

Just another data-point explaining why in 10 years you got pulled off that
Emirates plane in a layover in Dubai and were never seen from again.

~~~
tallanvor
To me that's the slippery slope argument.

Sure, someone else could have done it already, or could be doing it right now.
But SINTEF is supposed to be a reputable research organization, and I think it's
more than acceptable to expect them to properly handle any data they gather.

Grindr faces significant hurdles in improving security and complying with
GDPR, and we do need to hold them to account, but that does not absolve SINTEF
of their responsibilities either.

------
buro9
If you are using Grindr on Android, install and use NetGuard.

[https://play.google.com/store/apps/details?id=eu.faircode.ne...](https://play.google.com/store/apps/details?id=eu.faircode.netguard&hl=en_GB)

[https://github.com/M66B/NetGuard](https://github.com/M66B/NetGuard)

NetGuard is an open source local VPN that allows you to block DNS lookups to
prevent calls to 3rd parties, and it does not require root access.

Calls to all of the 3rd parties mentioned are blockable. Grindr does not need
many domains to be operational to work, just their own domains (.grindr.com on
443, grindr.mobi on 443) and a couple of Google static domains like
csi.gstatic.com on 443.

Of course this does not prevent Grindr from rolling up the data and sharing
that with 3rd parties, but the linked analysis suggests that this is all via
the app making calls rather than the company selling it in bulk.
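
The allowlist described in the comment above, written out as an egress check (an added example, not part of the comment and not NetGuard's own code). It assumes a leading dot means "the domain and any subdomain" and that other entries match exactly; every hostname in the sample other than the three named in the comment is constructed.

```python
# Added illustration: evaluate outbound connections against the
# allowlist from the comment. This is not NetGuard code.

ALLOWLIST = [
    # (pattern, port) as listed in the comment.
    # Assumption: a leading dot covers the domain and its subdomains;
    # entries without one match that exact hostname only.
    (".grindr.com", 443),
    ("grindr.mobi", 443),
    ("csi.gstatic.com", 443),
]


def normalize(host):
    """Lower-case and drop the trailing root dot so comparisons are exact."""
    return host.strip().lower().rstrip(".")


def host_matches(host, pattern):
    """True if host is covered by pattern, matching on label boundaries."""
    host = normalize(host)
    if pattern.startswith("."):
        base = pattern[1:]
        # Require a dot before the base so that "evilgrindr.com" and
        # "grindr.com.tracker.example" do not pass as first-party hosts.
        return host == base or host.endswith("." + base)
    return host == pattern


def decide(host, port):
    """Return "allow" only when both hostname and port are on the list."""
    for pattern, allowed_port in ALLOWLIST:
        if host_matches(host, pattern) and port == allowed_port:
            return "allow"
    return "block"


def blocked(connections):
    """Return the (host, port) pairs that the allowlist would block."""
    return [(h, p) for h, p in connections if decide(h, p) == "block"]


# Constructed sample of observed connections (not captured traffic).
SAMPLE = [
    ("api.grindr.com", 443),              # constructed subdomain
    ("GRINDR.MOBI.", 443),                # same host, different spelling
    ("csi.gstatic.com", 443),
    ("api.grindr.com", 80),               # cleartext HTTP, wrong port
    ("evilgrindr.com", 443),              # lookalike, no label boundary
    ("grindr.com.tracker.example", 443),  # first-party name as a prefix
    ("sdk.analytics.example", 443),       # constructed third-party SDK host
]

if __name__ == "__main__":
    for host, port in SAMPLE:
        print(f"{decide(host, port):5}  {host}:{port}")
```

Plain `endswith("grindr.com")` would let the lookalike host through, which is why the suffix match is anchored on a dot.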

~~~
andrepd
AFWall is a pretty user-friendly and configurable firewall. Lets you easily
block apps from accessing the web.

[https://github.com/ukanth/afwall](https://github.com/ukanth/afwall)

~~~
ktta
AFWall requires root, while NetGuard doesn't. Important distinction now that
rooting affects ability to use features like Google Pay, Netflix (offline
download), etc.

~~~
pmlnr
Rooted phone, no google services, and netflix downloads are just fine.

~~~
ktta
SafetyNet is a cat and mouse game. A lot of people don't have the patience for
it.

~~~
FridgeSeal
I've been running Magisk since maybe August or September last year and I have
not had a single issue with safetynet.

I have netflix installed (after rooting) without issue, and I use
Android/Google pay practically every day along with another app that requires
safetyNet without any issue at all.

------
olliej
So vending HIV status is a straight up HIPAA violation, I'm fairly sure that's
been found to be the case over and over again -- it doesn't matter what your
business is, health information is covered by HIPAA.

That's 250k per violation fine, and leaking status positive or negative is a
violation. And every person, and every time they pass that information to
every "partner" is a distinct violation.

~~~
lotharbot
via [https://www.hhs.gov/hipaa/for-professionals/security/laws-re...](https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html)

"The Security Rule applies to health plans, health care clearinghouses, and to
any health care provider who transmits health information in electronic form
in connection with a transaction for which the Secretary of HHS has adopted
standards under HIPAA (the “covered entities”) and to their business
associates."

via [https://www.hhs.gov/hipaa/for-professionals/privacy/index.ht...](https://www.hhs.gov/hipaa/for-professionals/privacy/index.html)

"The HIPAA Privacy Rule establishes national standards to protect individuals’
medical records and other personal health information and applies to health
plans, health care clearinghouses, and those health care providers that
conduct certain health care transactions electronically."

In what circumstances has HIPAA been found to apply to businesses other than
those?

~~~
your-nanny
It applies to researchers.

------
werber
Does anyone have any information on how Scruff handles that information? Also,
does HIPAA say anything about technology companies outside of the medical
field's data that may voluntarily collect HIV status?

~~~
esilverberg2
CEO of SCRUFF here, and daily reader of HN. We have not, do not, and would not
share this information with third parties.

The data that we share with our third-party ad providers is:

- Your location (so you can get those local car dealer ads)
- Your gender
- Your age
- The targeting keyword "gay"

We currently use AdMob and MoPub to provide our network advertising.

More broadly, this kind of information is never something we would share. We
know the sensitivity of HIV status, and know that it has been used to
discriminate against our community in the past. When we do take money from
direct advertisers (full-screen ads shown at launch), we make sure that they
are promoting relevant and beneficial products for our community, and the ads
they place are serviced 100% in-app and come with no extra data nor api calls.

Ultimately, our business model is based on subscriptions, which means we are
successful when we make software that people love to use. We don't spend our
days trying to squeeze a marginal penny out of some remainder-bin ad unit by
trading personal data of our users. Instead, we spend our time focused on how
to make an excellent product, that works reliably, is free of spambots and
harassment, and connects gay guys with each other and the global gay
community.

~~~
salvar
How granular is the location data you share, on the scale from postcode to
lat/lon?

~~~
esilverberg2
For these third-party ad networks, they accept a lat/lng, so we (and I suspect
most apps) just pass in a value obtained from the device.

That said, upon further reflection, a local advertiser could surely get enough
targeting information with a much, much less precise value...we'll look into
making this change in a future release.

~~~
nobody_nowhere
Weigh that privacy consideration against the value of CPGs looking to spend
shopper marketing advertising dollars in-store, just sayin'...

------
joshstrange
I'd be interested to see how Scruff/Jack'd/etc stacks up. My guess is Scruff
does better (it has always been a better designed/developed app) but I
understand why they focused only on Grindr as it does have the largest market
share (admittedly a guess).

Grindr has never been exactly a bastion of good programming... Their app has
always been subpar at best with infrequent updates, months/year long bugs,
terrible UI/Navigation, lack of features that could be coded up in a week's
time that would GREATLY improve the experience (Message archival/hiding), and
I could go on. It would be one thing if the features were relegated to the
paid version (Grindr Xtra) but the only really big feature for Xtra is push
notifications for when you get a new message.

All of this is to say the fact they are using HTTP to talk to these
analytics/ad companies doesn't shock me at all. My bet is they haven't updated
the libraries for these services in forever (which wouldn't be too hard to
investigate).

As for HIV status getting sent it really depends on the service. They are not
subject to HIPAA (even if you wish they were) so they can do this and I'm sure
for targeting ads it makes sense. No need to waste ad dollars on "Get tested
for HIV" for people who already know they are positive. As someone in this
community who knows the orgs that pay for some of these ads are severely
underfunded I have a hard time saying this isn't important to make sure your ad
dollars go as far as they can.

Lastly for people saying "just don't enter your status" you clearly don't
understand this community, I'm sorry. But people who are positive face a HUGE
stigma. Chatting on Grindr/Scruff is already an emotionally draining
experience in a lot of cases, I don't think you all want the details but let's just
say failed conversations (for most people at least) don't exactly fill you
with confidence/self-worth (yes there is a whole other discussion to be had
there I'm sure). So waiting until you start a conversation to tell someone you
are positive (instead of it being in your profile) is going to lead to even
more failed conversations. If I were positive I think I'd trade my status away
to analytics/ad companies in exchange for not having to talk to people who
aren't interested in the first place. I'm saying that as a white male living
in the US so depending on your situation you may disagree.

~~~
tallanvor
Grindr has the largest share of users by far. I suspect SCRUFF is #2, both
because it is almost as old, but also because they clearly skew towards a
different segment of the community. I assume that Jack'd and Hornet are more
popular in certain geographical areas.

But I agree with pretty much everything you say, except for wanting to
emphasize that getting people to enter their status is crucial in helping to
normalize regular testing, safe sex practices, and allowing HIV+ individuals
to be open members of the community.

~~~
joshstrange
It's kind of funny, and while this wasn't always the case until I educated
myself on it, but I trust/feel safer with people who are positive more than
those who aren't in some ways. Having sex with someone who is positive but
undetectable (even unprotected) is better than having sex with someone who
doesn't know their status. Even putting HIV aside people who are positive are
being tested much more regularly than the general public. Similarly to people
on PrEP as they are required to get tested (only for HIV but I know a number
of people who also take the opportunity to get tested for other things) every
3 months.

------
amq
A bit unrelated, but imagine how much data has Tinder collected, if Cambridge
Analytica could do that much with just a comparatively unpopular quiz app.

~~~
cavanasm
The quiz app wasn't the real data source though was it? People who want to
take the quiz have to press "yes" on a menu that vaguely mentions "We need
your friends list" and things like that, and those permissions were used to
harvest the data as far as I understood, not the quiz itself.

~~~
Asparagirl
Yes, the quiz was the bait to get to the real prize, your friends list and
their info, likes, etc.

However, your answers to a different Facebook quiz in 2014 were scrutinized by
Cambridge Analytica, who were looking for the “dark triad” of personality
traits, scouting for sociopaths:

[https://mobile.twitter.com/carolecadwalla/status/97590547206...](https://mobile.twitter.com/carolecadwalla/status/975905472069988352?lang=en)

------
ordinaryradical
We need a new business model for social media, one which actually serves the
customer instead of trying to lure them into productizing themselves.

~~~
overcast
So you're going to pay to use it right? If this imaginary product managed to
get 1% of Facebook to hand over their credit card. That would be the most
wildly successful pay to use application in existence. Will never happen.
Social Media sites rely on mass adoption, among those who refuse to pay for
just about anything.

~~~
johnchristopher
Just as some people pay for fastmail I am pretty sure there'd be some people
paying an entrance fee to a social network.

Wasn't the social network of last week, vero, supposed to be like that?

~~~
macintux
Network effects are brutally hard to overcome.

[https://www.digitaltrends.com/social-media/app-net-shut-down...](https://www.digitaltrends.com/social-media/app-net-shut-down/)

~~~
cookiecaper
It's not network effects. It's hostile copyright and network access law.
There's no reason that you shouldn't be able to interact with the content
streams from both Twitter and App.Net at the same time, for example, except
that our legal system allows the dominant company to sue the scrappy upstart
into oblivion if they begin to do so. This is not theoretical; small companies
are destroyed frequently by BigCo breaking out the lawyers for supposed
violations of the CFAA and the Copyright Act.

This sorry legal situation has completely obliterated meaningful competition
in the online space, and we are letting them get away with it when we just
hand-wave that it's because of "network effects". There's no reason that
YoungSiteA shouldn't be able to act as a user agent on my behalf to access and
reskin OldSiteB. If it could, the negative impact of switching providers would
be small.

------
morley
For what it's worth, the most private data here is shared to analytics
companies for Grindr's only analytical use. My guess is that Grindr's
agreement with Apptimize and Localytics asks for the strictest possible
protection of that data. If anyone at Apptimize or Localytics has access to
that data, I'd be incredibly surprised.

This sort of deal isn't the same as sharing the HIV status to Google or
Facebook so that advertisers can target or exclude that user information for
the purposes of advertising.

For people who think this is still wrong, I'm curious what their pragmatic
alternative is. How else are app developers supposed to analyze their app
performance? The open source, self-hosted pickings are slim. (I can only think
of Piwik, which in my experience has a dated feature set and severe
performance issues.) Not everyone can afford to perform their own product
analysis. Using a third-party analytics saas is kind of the only way to go and
seems like a reasonable tradeoff of security for product visibility.

~~~
hackcasual
They have the option of not sending HIV status to any third party.

~~~
geofft
What is the privacy distinction between a third party with a contractual
agreement and an employee with a contractual agreement?

Remember that Russian intelligence got a spy hired by Microsoft:
[https://www.theguardian.com/technology/2010/jul/14/russian-s...](https://www.theguardian.com/technology/2010/jul/14/russian-spy-worked-for-microsoft)
Will your interview questions find a foreign spy, or
someone who isn't even a spy but is interested in looking at private data for
personal amusement?

~~~
madeofpalk
What?

How about _"let's just not send medically sensitive information to third
party services"_

~~~
geofft
That seems reasonable, but can we also say, let's not send medically sensitive
information to every employee at the first party?

------
Guyneedham
I used to be a data engineer at an ad tech company, Blis. A huge proportion of
the GPS data we relied upon for retargeting and enrichment of the bids came
from Grindr, but even so we almost never bid on traffic from them, the brands
we worked with were opposed to being associated with that app. So we benefited
a lot from Grindr data without giving much back.

------
olivierduval
Grindr has health-related data and shares it... And I guess that they have
some european customers, right? Might be a really nice case for GDPR in 2
months !!! :-)

------
dawhizkid
It's also 100% owned now by a Chinese software company, so might as well
assume everything you share there is visible to the Chinese gov't while you're
at it.

------
dschuetz
It's scary that it doesn't surprise me anymore.

Especially _social networks_ are considered most lucrative in terms of
targeted marketing and data mining, and it's obvious why. Social networking
remains a big deal, it's almost mandatory to have some social networking
footprint online, or else you miss out on social life. Why is it still OK to
trade data distilled from social media accounts? It's not! One of the many
reasons and implications are in that article.

Is independent social media possible? How to fund basic service infrastructure
if not by running online ads, or trading user data? Is decentralized social
media feasible, and who maintains a decentralized service if it is?

EDIT: If an app developer wants to analyze how the app performs, why share
most intimate user data with third parties, Facebook being one of them?

~~~
inetknght
> How to fund basic service infrastructure if not by running online ads, or
> trading user data?

Subscriptions, combined with community awareness advertisements showing where
users' money is going to (and where it is _not_ going to) and why it benefits
them.

~~~
dschuetz
Yes, that's usually how it works with Netflix, Spotify and similar single-
purpose services. But social media? If you take social network as a single-
purpose service then there is no need for several or dozens of different
similar services, because it wouldn't make sense as a social network, if you
cannot interconnect them.

Suppose you pay a subscription for one social network, you'll need to pay also
for the other one, to get connected to people on that other social network! It
needs to be one big single social network and everyone pays for one
subscription. Anything else doesn't make sense, but a single social platform
as a network is unthinkable. So, basically, subscription doesn't make sense
for social networking.

~~~
iamatworknow
I don't understand your point here. Just like people pay separate subscription
fees for Netflix and Hulu, which essentially provide the same service with
different content, why wouldn't people pay separate subscription fees for
Twitter and Facebook, if it were an option to avoid ads?

~~~
dschuetz
Because, in the end it would cost a fortune? Imagine that, most people only
pay for one _content provider_.

A social network is not a content provider, just a different kind of social
network. If you cannot afford a subscription of some social network, you miss
out. And that's not acceptable in terms of social life of a human being. Rich
folks would be able to roam all networks, poor people wouldn't. So, if you
only can afford some "cheap" networks, the whole thing ceases to make sense,
as soon as you are barred from accessing other networks. Exclusiveness in
social media is an oxymoron. See where this is going?

------
napolux
I think we all agree on how stupid it is to track all the little details
(including positions, hiv status, etc...) for the only purpose of making
money, but I would like to underline that there are only two reasons to not
use https today. You’re stupid or you’re lazy.

Can’t tell the worst, but I can tell that users should completely delete their
Grindr account, now.

------
jonbarker
Also, many mobile users name their device their whole name, effectively
deanonymizing all their app usage for the massive ecosystem of marketing
companies out there. Having worked in the mobile marketing industry I was
shocked at how many people were doing this and probably had no idea this was
the case.

~~~
Jonnax
Is that an iPhone thing?

I know it's not possible to set the hostname of your phone on most android
phones but it's unique.

Of course with Android making build versions etc. available to devs and in
the case of Chrome to your user agent, you're pretty much identifiable.

~~~
jschwartzi
Oh, but it is possible. It's buried in the networking settings but there's a
phone name option which is used for just about everything.

Although on my LG devices it defaults to the series name, for example G3 for
an LG G3.

------
arcaster
This is deeply troubling. Anyone who uses Tinder or any other dating site
should try requesting their data and realize that these services could likely
label you a sexual deviant, racist or otherwise based on your swipes alone.

~~~
odiroot
OkCupid may be even more dangerous in that regard. As far as I know they allow
you to set ethnicity preferences.

~~~
CamperBob2
Most dating services do. Why shouldn't they?

~~~
rurounijones
I think the reasoning is innocent, the problem is that if it gets leaked you
have people (probably incorrectly) interpreting things using the data which is
half the problem.

"Your ethnicity preference is white? You goddamn racist".

This gets worse when those interpreters are in a position of power.

------
adamzk
1) it's all in the terms of service. Idk why anybody is surprised. They own
everything you enter into the app anywhere full stop.

2) it's not going anywhere. It's the gay Facebook. It has monopolized the
market of an already vulnerable demographic so they can do whatever they want
and still charge an extraordinary amount (almost $20 per month??) and provide
no customer service.

The app doesn't even function as advertised (at least on Android). Push
notifications and read receipts have been broken for years. Btw if you
restrict the permissions of the app they permanently change your status to
offline.

------
Sideloader
I am shocked, truly shocked at this development. An app that collects user
data and passes it on to third parties without users’ consent? Unprecedented!

------
wackspurt
I remember this paper on ad intelligence I read a few weeks ago: "Exploring
ADINT: Using Ad Targeting for Surveillance on a Budget — or — How Alice Can
Buy Ads to Track Bob".

[https://adint.cs.washington.edu/ADINT.pdf](https://adint.cs.washington.edu/ADINT.pdf)

------
jessaustin
ISTM that "poz" "tribe" is largely equivalent to a positive HIV status?

If they're this sloppy when the client device is on one end of the connection,
how sloppy are they once the data is on their end and we can't see what
they're doing?

------
product50
These are 3rd party analytics firms and not any random companies. Both these
firms have strong data protection processes and are very secure. From Grindr's
perspective, they are probably looking for analytics for different segments of
their users and send all data to Localytics who help them with this (vs.
trying to build these internally).

Here is a thought. Do we think that the data is more secure with Grindr itself
or with Localytics? I feel the answer might be the latter given data security
means a lot to Localytics (as they provide analytics as a service to thousands
of apps) vs. Grindr itself who may not go to the extent of Localytics to
safeguard user info.

~~~
EmilStenstrom
The data is already in Grindr’s systems, this means it is ALSO at Localytics
(and others). This is not as safe as if it was only in Grindr’s own systems.

~~~
busterarm
And any of these companies could be purchased by some other entity and change
their data privacy policy.

~~~
product50
This is not really true. These companies' entire model is handling data and
they charge their partners for it. It is not a free product. As such, going
off and selling the data is not really going to happen.

~~~
busterarm
Huh? That has nothing to do with what I said.

I said if any of these companies get acquired, the acquiring party can do
whatever the hell they want with that data, previous privacy policy be-damned.
This has already happened. A lot.

~~~
product50
It really depends on how you as an entity who is supplying data to analytics
firm have negotiated your contract with the analytics firm. Just saying an
acquisition will completely negate all contracts before is incorrect.

Also, these agreements are between 2 companies (the company providing the data
and the analytics firm which will show analytics on that data). There is no
privacy policy per se in this case. It is all about contract negotiation on
the rights you give to the analytics firm on how to share the data and what
happens if they get acquired.

------
billmalarky
It's become clear over the last year there is a strong need for a data privacy
regulatory agency in US government. I understand that regulation hampers
growth, but the tech industry is mature and developed to the point that it's
time to reel in "moving fast and breaking things" a bit.

~~~
DoofusOfDeath
> It's become clear over the last year there is a strong need for a data
> privacy regulatory agency in US government.

I wouldn't trust a governmental regulatory agency to aggressively fulfill its
mission. My impression is that in general they're too much at the mercy of
politicians.

I suspect a more effective strategy is to enact legislation that makes
companies liable under civil law, with private citizens empowered to sue.

~~~
jumelles
> I wouldn't trust a governmental agency to aggressively fulfill its mission.
> My impression is that in general they're too much at the mercy of
> politicians.

I think this sort of attitude is a big problem - instead of throwing our hands
up and deciding that regulatory agencies have always been and thus will always
be toothless, we need to give said agencies more power to enable them to
actually enforce the rules. Right now, companies regularly weigh the costs of
compliance against the costs of non-compliance because to a multinational
corporation, the usual fines and punishments just don't hurt that much.

Companies that break the law should regularly never, ever recover financially.

~~~
news_to_me
> Companies that break the law should regularly never, ever recover
> financially.

Personally I would have this reworded to "Companies that regularly break the
law should never, ever recover financially."

As much as I believe things are tilted too far in favor of companies these
days, it is true that over-harsh regulation on business can be very bad —
particularly when it becomes harder to start new businesses.

But I agree with your sentiment. To a large degree the government is as good
as we make it.

~~~
Silhouette
This is an important point, I think. If our ultimate goal is to incentivise
good practice, we have to deal with a range of problems from simple ignorance
of good practice or what the law requires through to gross negligence or
"wilful ignorance" situations. If you have a business that is acting in good
faith but makes an error in judgement or isn't aware of some specific
regulation, there is no sense taking a punitive stance. Obviously if their
actions have caused damage to another party then compensation may be
appropriate, but otherwise constructive engagement is likely to work best. On
the other hand, if you have a business that is knowingly and deliberately
acting in bad faith, there may be little point in being constructive, and the
penalties need to be significant enough to force them to change (or their
business to fail).

------
ransom1538
Why wouldn't HIV status be protected by HIPAA?

~~~
Asparagirl
HIPAA only covers health care providers who bill for services, such as a
doctor’s office or insurance. But there might be other laws that apply.

------
Redoubts
They also scrape your clipboard aggressively...

~~~
udli3
Source?

~~~
Redoubts
At least on iOS, proof by demonstration. Install the app, turn on clipboard
sharing, copy something on your mac, then open the iOS app. You'll see the
"Pasting from your Mac" dialog pop up pretty frequently.

------
dumbfounder
"Grindr's users may not be aware that they are sharing such data with them"

I believe that to be an understatement!

------
ponderatul
I see they have some instructions there for how they did it. Any chance anyone
could make a small instructive tutorial, so we can start replicating this
process for other apps as well?

Then we can put everything in a giant repo and make it publicly accessible
information.

------
GeneralTspoon
Looks like the repo got deleted. Can't find an archive.org version either.

According to a friend, an article he saw earlier also got pulled. Are Grindr
attempting to do some damage control?

------
onewhonknocks
Image of the data structure.

[https://i.imgur.com/hstbZio.png](https://i.imgur.com/hstbZio.png)

------
asow92
Does anyone actually find this surprising? It's fairly normal to send user
data to third party analytics providers. If you want to know which, check your
terms of service.

------
gsich
"shares" sounds too friendly.

------
dang
Please don't use allcaps for emphasis in HN comments. This is in the site
guidelines:
[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html).

~~~
madeofpalk
fixed.

~~~
dang
Great, thanks. I've detached this subthread from
[https://news.ycombinator.com/item?id=16736341](https://news.ycombinator.com/item?id=16736341)
and marked it off-topic.

------
jdelsman
None of that data seems to be "private" according to Grindr's privacy policy:
[https://www.grindr.com/privacy-policy](https://www.grindr.com/privacy-policy)

------
frgtpsswrdlame
So there's lots of talk about how we're going to regulate/manage data
protection going forward but what are we going to do about the stuff that is
already out there? I mean HIV status is a pretty toxic thing to just be
floating around. It doesn't seem that we can even be sure who has this data
and who doesn't.

