“Walk in the swamp.” “Replace the houseplants.” “Take a driving test.” “Go to the carwash.” “Rehome feral kittens.” “Take up tea-totalling.” “Ride in a Lamborghini.” “Install a Magic Keyboard.” Judging by the number of charming euphemisms for anonymous sexual encounters in my blogroll recently, it seems that the lot of you are done with pandemic isolation and revving up your libidos again. And since we are in the roaring 2020s, that means booting up your smartphones and hitting the apps.
Well, Old Stick-in-the-Mud Lurker is here to offer a note of caution about Grindr in particular. In my opinion this app has not had a good track record about caring about your privacy. Let’s ignore the fact that the company was owned by the Chinese for a few years before being sold to a mysterious group of “US” investors including a former executive of Baidu. That’s just geopolitics, and besides China has a commendable record of treating its minority populations with kindness and respect. Instead, let’s examine a few instances of how the company treated your data.
There were, of course, the infamous disclosures of HIV status to analytics companies (as documented by the security researchers). That feels unpleasant, but since we have drug cocktails now there is no more HIV stigma, so I guess this was no big deal. Also it is not surprising at all — pretty much every app on your phone makes use of a bunch of other surveillance companies and libraries, and it is exceedingly common to allow those apps to collect more data than you intend.
How about the incident with Norway, which got mad at Grindr for sharing potentially-identifying data with advertisers? Again, I guess this is no big deal, and probably Norway was just being a bully.
The incident that worries me the most happened last October, when noted computer security researcher Troy Hunt (oh behave! That’s his real name. This is not a “Lost Boys” post.) discovered that you could exploit the “forgot your password?” functionality of Grindr to log into someone else’s account.
Oh wait. Troy Hunt didn’t discover this bug. Another less famous security researcher named Wassime Bouimadaghene discovered the exploit, tried to tell Grindr about it, and was summarily ignored. It wasn’t until Hunt boosted the signal that Grindr bothered to respond.
Look. I’m not computer literate but even I know that bugs happen in computer programs. This was kind of a stupid bug to leave uncaught in your code (especially for a security-related function like password resets) but it does not surprise me that such a bad bug got through.
Having said that, this bug is really serious. You did not need a virus or a phishing email to exploit this. You just needed someone’s email address (is your email address floating around the Internet somewhere?). The unforgivable sin here is that Bouimadaghene reported a serious problem and Grindr ignored it. It does not matter that Bouimadaghene was not famous. It would not matter if it was reported by a completely anonymous source. When somebody tells you about a bug like this, you investigate and you act. Otherwise people get hurt. (I am tempted to make a Lindsey Graham joke here, but that would undermine the point. It might be nice schadenfreude if Miss Lindsey’s Lady G’s account got hacked, but being happy for security bugs because they hurt people we dislike is a bad security attitude that gets us into lots of trouble.)
Once Troy Hunted the company on Twitter, Grindr acted quickly to fix this particular bug. That’s great, but the fact that they needed to be publicly shamed before acting is reprehensible. That does not matter for me because nobody on Grindr would ever want to date chat with me, but my blogroll is full of beautiful charismatic people and I want you all to be safe.
So should you switch to another hookup app? This is not an easy question. On the surface it might seem like Bumble or Scruff or ChristianMingle might be a better choice, but on the other hand they all have bugs too. Some people might argue that Grindr is safer because (as the market leader) it is under so much scrutiny. Personally (and perhaps irrationally) the underlying values a company demonstrates matter a lot in my technology decisions. WordPress and Blogger are both big targets and have lots of security issues, but my values align more closely with WordPress, so I chose that platform for my regrettable blog. It might have been the wrong choice or it might have been the right one, but as a heuristic it has not been awful. In that sense, Grindr is right off the table for me.
Mind! Learning anything about the underlying values of a capitalist enterprise is no easy task, especially if you want to dig deeper than the marketing fluff. So most of us just use whatever everybody else is using and rest assured we will all go down on the ship together. Maybe that is not an awful strategy, but sometimes these ships do sink.