BuzzFeed News reports:
The gay hookup app Grindr, which has more than 3.6 million daily active users across the world, has been providing its users’ HIV status to two other companies, BuzzFeed News has learned. The two companies — Apptimize and Localytics, which help optimize apps — receive some of the information that Grindr users choose to include in their profiles, including their HIV status and “last tested date.”
Because the HIV information is sent together with users’ GPS data, phone ID, and email, it could identify specific users and their HIV status, according to Antoine Pultier, a researcher at the Norwegian nonprofit SINTEF, which first identified the issue. “The HIV status is linked to all the other information. That’s the main issue,” Pultier told BuzzFeed News. “I think this is the incompetence of some developers that just send everything, including HIV status.”
This could also land Grindr in some fairly serious legal trouble. HIV and AIDS status is protected under the Americans With Disabilities Act, and it’s often protected at the state level as well. And while Grindr may not have technically violated medical records law, since it’s a dating site rather than a doctor’s office, it may still face questions on that basis depending on where the records went and who used them.
Grindr is leaking users’ GPS locations over plaintext and sharing users’ HIV status with companies. Their disappointing response?
“These are standard practices in the mobile app ecosystem.” https://t.co/xlVfvrvQp9
— EFF (@EFF) April 2, 2018