By Natasha Singer Y
According to a new report that examined some of the world’s most downloaded Android applications, popular dating services such as Grindr, OkCupid and Tinder are spreading user information, such as dating elections and precise location, to advertising and marketing companies in ways that may violate privacy laws.
Grindr, the world’s most popular gay dating application, transmitted user tracking codes and the name of the application to more than a dozen companies, essentially labeling people with their sexual orientation, according to the report, which was published on Tuesday by the Norwegian Consumer Council, a non-profit organization funded by the government in Oslo.
Grindr also sent a user’s location to several companies, which can then share that information with many other companies, according to the report. When The New York Times tested the Grinder Android app, it shared accurate information about latitude and longitude with five companies.
The researchers also reported that the OkCupid application sent a user’s ethnicity and answers to personal profile questions, such as “Have you used psychedelic drugs?”, To a company that helps companies customize marketing messages for users. users The Times discovered that the OkCupid site had recently published a list of more than 300 advertising and analytical “partners” with whom it can share user information.
“Any consumer with an average number of applications on their phone, anywhere between 40 and 80 applications, will have their data shared with hundreds or perhaps thousands of online actors,” said Finn Myrstad, director of digital policy for the Norwegian Consumer Council , who oversaw the report.
The report, “Out of control: how consumers are exploited by the online advertising industry,” adds to a growing body of research that exposes a vast ecosystem of companies that freely track hundreds of millions of people and sell their personal information. This surveillance system allows dozens of companies, whose names are unknown to many consumers, make a discreet profile of people, orient them with ads and try to influence their behavior.
The report appears only two weeks after California enacted a new and comprehensive consumer privacy law. Among other things, the law requires that many companies exchange consumers’ personal data for money or other compensation to allow people to easily stop spreading their information.
In addition, European Union regulators are intensifying the application of their own data protection law, which prohibits companies from collecting personal information about religion, ethnicity, sexual orientation, sexual life and other sensitive issues without the explicit consent of a person.
The Norwegian group said it planned to file complaints on Tuesday asking regulators in Oslo to investigate Grindr and five advertising technology companies for possible violations of European data protection law. A coalition of consumer groups in the United States said it was also sending letters to U.S. regulators, including the California attorney general, urging them to investigate whether company practices violated federal and state laws.
In a statement, Match Group, owner of OkCupid and Tinder, said it worked with outside companies to help provide services and shared only user-specific data deemed necessary for those services. Match added that it complied with privacy laws and had strict contracts with suppliers to ensure the security of users’ personal data.
The report examines how developers integrate software from advertising technology companies into their applications to track the use of applications and users’ real-life locations, a common practice. To help developers place ads in their applications, advertising technology companies can disseminate user information to advertisers, personalized marketing services, location data brokers and ad platforms.
The personal data that the advertising software extracts from the applications is usually linked to a user tracking code that is unique to each mobile device. Companies use tracking codes to create rich profiles of people over time in multiple applications and sites. But even without their real names, people in such data sets can identify and locate themselves in real life.
For the report, the Norwegian Consumer Council hired Mnemonic, a cybersecurity company in Oslo, will examine how advertising technology software extracted data from users of 10 popular Android applications. The findings suggest that some companies treat intimate information, such as gender preference or drug habits, not differently from more innocuous information, such as favorite foods.
Among other things, the researchers discovered that Tinder sent a user’s gender and the gender that the user was looking for to date to two marketing companies.
The researchers did not test the iPhone applications. The settings on both Android phones and iPhone allow users to limit ad tracking.
The group’s findings illustrate how difficult it would be for even the most intrepid consumers to track and prevent the dissemination of their personal information.
The Grindr application, for example, includes MoPub software, the Twitter advertising service, which can collect the name of the application and the precise location of the user’s device, according to the report. MoPub in turn says it can share user data with More than 180 associated companies. One such partner is an advertising technology company owned by AT&T, which can share data with more than 1,000 “external suppliers.”
In a statement, Twitter said: “We are currently investigating this problem to understand the sufficiency of Grindr’s consent mechanism. Meanwhile, we have disabled the Grindr MoPub account. “
AT&T did not immediately respond to a request for comment.
The dissemination of the location of users and other confidential information could present particular risks for people who use Grindr in countries, such as Qatar and Pakistan, where consensual same-sex sexual acts are illegal.
This is not the first time that Grindr faces criticism for disseminating the information of its users. In 2018, another Norwegian non-profit group discovered that the application had been broadcasting H.I.V. of the users. Status of two mobile application services companies. Subsequently, Grindr announced that he had stopped the practice.
The report’s findings also raise questions about the extent to which companies comply with the new California privacy law. The law requires that many companies that benefit from the personal data of commercial consumers prominently publish the “Do not sell my data” option, which allows people to stop the dissemination of their information.
But Grindr’s stance defies that idea. By accepting your policy, His site says that users “are telling us to disclose” their personal information “and, therefore, Grindr does not sell their personal data.”
Myrstad said that many consumers felt comfortable sharing their data with applications they trusted. “But this study clearly shows that many applications abuse that trust,” he said. “The authorities must enforce the rules we have, and if they are not good enough, we have to make better rules.”