Grindr must pay $6.3M fine for privacy violations

Conscat · on Sept 29, 2023

I use Grindr very often and would love to support them more, except for that every single aspect of the company and their product epitomizes unethical business practice. Their adaptive pricing model is extremely exploitative and the app directly lies to users to convince them to purchase boosts.

They're enacting return to office mandates as a response to workers unionizing (who haven't even made formal requests yet except to have a union rep on the board of directors, which is not unusual or unreasonable).

Also the app crashes every day and consumes the same amount of power as a household of four.

rahimnathwani · on Sept 30, 2023

  to have a union rep on the board of directors, which is not unusual

It is extremely unusual in the US, where Grindr is based.

wkat4242 · on Sept 30, 2023

Grindr's particular purpose is not my thing. However, I do use another app/site (fetlife) which very much is aligned with my particular interest. I'm so glad the owners of that platform are super ethical and genuine. You don't even have to pay for anything, except for viewing material from people you don't know. Everything about it conveys the message that they built it to support the community, not to get rich. I support them financially anyway. Because I want a platform with such values to stick around.

I recently was on another app that was being promoted locally ("fet") and that was just like grindr. Everything is blocked in the app, you have to pay for everything. Screw that. It feels like they take the community hostage. I'm so glad we have fetlife.

graypegg · on Sept 30, 2023

There are alternatives! (Scruff, sniffies, squirt)

Thankfully the “let me chat with people, shown in a list by order of proximity, with some custom filters” is basically a weekend project worth of work. Seen quite a few alternative apps (and web apps!) pop up over the past few years.

lopis · on Sept 30, 2023

Saying there are alternatives to Grindr is like saying there are alternatives to reddit or Instagram. I don't think I need to explain HN the meaning of network effect. In many places around the world all other apps are literally empty.

graypegg · on Sept 30, 2023

Not really in my experience? People aren’t very picky about the app they use, and many people I know (me included) will keep profiles on 2-3.

Totally possible this is only a thing here? (Canada, Toronto / Montréal) I have a feeling it’s pretty common though.

lakomen · on Sept 29, 2023

I don't understand, the autonatic google translation is weird. What exactly is the transgression? Some advertiser ID and GPS location combined, did what exactly?

tveita · on Sept 29, 2023

It says the complaint was based on the report "Out of Control" (https://www.forbrukerradet.no/out-of-control/)

The technical report lists the following information being sent for Grindr:

  MoPub (ads.mopub.com): App name, advertising ID, GPS location, gender, age, device information
  AppNexus (Xandr) (secure.adnxs.com): App name, advertising ID, IP address
  OpenX (grindr2-d.openx.net): App name, advertising ID, GPS location, gender, keywords
  Bucksense (j.bksn.se retargeting.bkswin.com): App name, advertising ID, GPS location, IP address
  Liftoff (adexp.liftoff.io): App name, advertising ID, location(inexact), device configuration
  PubNative (api.pubnative.net): App name, advertising ID, GPS location,
  Aarki (Multiple subdomains of *.aarki.net): App name, advertising ID, year of birth, gender
  Adtelligent (Vertamedia) (*.vertamedia.com): App name, advertising ID, location (inexact), IP address
  InMobi (js.w.inmobi.com): App name, advertising ID, GPS location
  Fyber (Inner-Active) (wv.inner-active.mobi): App name, advertising ID, GPS location, gender, age
  Mars Video (vpaid.mars.video): App name, advertising ID, IP address
  Mobfox (my.mobfox.com): App name, advertising ID, GPS location

  Smaato (sdkandroid.ad.smaato.net): App name, advertising ID, GPS location, some device information and configuration, gender, age
  AdColony (Multiple subdomains of *.adcolony.com): App name, advertising ID, GPS location, device information including permissions, device configuration, gender, Grindr user ID
  AppsFlyer (t.appsflyer.com): App name, advertising ID, Grindr user ID, Braze user ID, device information, device configuration (including mobile operator)
  Braze (gaspra.iad03.braze.com): App name, GPS location, Grindr user ID, Braze user ID, app usage (GUI events), relationship type
  Crashlytics (e.crashlytics.com): Grindr user ID, possibly other data
  Facebook (graph.facebook.com): App name, advertising ID
  SafeDK (api.safedk.com): App name, device information
  Google (appmeasurement.com): App name, advertising ID

wkat4242 · on Sept 30, 2023

I wonder how they manage to obtain things like date of birth. Maybe from the Google account? I never provide the real one anyway :P

Gender though is pretty much a given when it comes to grindr, let's be honest :)

GPS Location being exfiltrated is really really bad though :( Especially for an app like this with serious criminal consequences in some backwater countries.

karencarits · on Sept 29, 2023

There is some more info other places, e.g. https://www.datatilsynet.no/en/news/2021/intention-to-issue-...

> In 2020, the Norwegian Consumer Council filed a complaint against Grindr claiming unlawful sharing of personal data with third parties for marketing purposes. The data shared include GPS location, user profile data, and the fact that the user in question is on Grindr.

> Our preliminary conclusion is that Grindr needs consent to share these personal data and that Grindr’s consents were not valid. Additionally, we believe that the fact that someone is a Grindr user speaks to their sexual orientation, and therefore this constitutes special category data that merit particular protection.

> - The Norwegian Data Protection Authority considers that this is a serious case. Users were not able to exercise real and effective control over the sharing of their data. Business models where users are pressured into giving consent, and where they are not properly informed about what they are consenting to, are not compliant with the law, said Bjørn Erik Thon, Director-General of the Norwegian Data Protection Authority.

> Users were forced to accept the privacy policy in its entirety to use the app, and they were not asked specifically if they wanted to consent to the sharing of their data with third parties. Furthermore, the information about the sharing of personal data was not properly communicated to users. We consider that this was contrary to the GDPR requirements for valid consent.

danielskogly · on Sept 29, 2023

English announcement by the Norwegian Consumer Council:

https://www.forbrukerradet.no/side/e-58-million-fine-for-gri...

wkat4242 · on Sept 30, 2023

Mobile phone privacy in general is not great.

I used to manage phones for a company years ago and in the SaaS management system it was technically two clicks to make a list of all users who had Grindr installed, even for personal (BYOD) phones that were work enrolled. We never did this but it worried me that it was possible at all.

I always thought this was a big issue especially because we operated in some countries where gay activity is highly illegal (unfortunately). The same goes for other apps but of course it's one of the few that implies things so private.

These days the situation on the Android side is better as there is 'work profile' that stops this from happening. It's basically a work section within your phone and your employer can manage only that part. If you install an app on the private side the employer no longer sees it.

But on the iOS side things are very open. You can see all the other apps. Some management platforms now limit the information you can see because of GDPR but the issue is the info is still there.