Grindr and OkCupid Spread Personal Details, Study Says (www.nytimes.com)
136 points by doener 5 months ago | hide | past | web | 77 comments | favorite

Be careful with OKCupid. I'd been using it on and off for a while and recently I got a notification saying that my email address on my account had been changed, then 2 minutes later, that my password had. You don't need to confirm anything to change the email on your account! Not even click an email link!

I was panicking

I was still receiving phone notifications despite not being able to log into the app. I could see that messages were being sent and received but couldn't access my account. I believe that others are being scammed using my account.

I quickly changed all other passwords and contacted OKC immediately. It's been a week now with no response. OKC have lost a paying customer for life.

> You don't need to confirm anything to change the email on your account! Not even click an email link!

Same with Instagram, if you don't have 2FA on. I've had my account taken over and couldn't believe it. Utterly pathetic levels of security.

You mean you can change the email without a password? Why would it be a problem if they require your password but nothing else in order to change your email?

I'm saying it's a problem to change the email without using an email verification link to do so.

What if you're changing email because you no longer have access to your old one?

What legitimate scenario would manifest that situation?

That is, by far and away, a tiny, minuscule edge case.
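The flow the thread is arguing about, as an added example (not OkCupid's or any other site's code): an address change needs the current password, only takes effect once a link sent to the new address is clicked, and the old address gets a revert link afterwards, which covers the "I lost access to my old mailbox" case without letting a hijacked session swap the address silently. Function names, the `outbox` stand-in for an email sender, and the PBKDF2 password hashing with a constructed salt are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL = 3600  # seconds a confirmation link stays valid
DEMO_SALT = b"constructed-demo-salt"  # constructed; real services use a random per-user salt


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000)


@dataclass
class Account:
    email: str
    password_hash: bytes
    pending_email: Optional[str] = None
    pending_token: Optional[str] = None
    pending_expires: float = 0.0
    revert_token: Optional[str] = None
    previous_email: Optional[str] = None


def _same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time token compare


def request_email_change(acct: Account, password: str, new_email: str, outbox: list, now: float) -> bool:
    """Step 1: re-authenticate, then mail a confirmation link to the NEW address.
    The stored address does not change yet, so a hijacked session gains nothing."""
    if not hmac.compare_digest(hash_password(password), acct.password_hash):
        return False
    acct.pending_email = new_email
    acct.pending_token = secrets.token_urlsafe(32)
    acct.pending_expires = now + TOKEN_TTL
    outbox.append((new_email, "confirm", acct.pending_token))
    outbox.append((acct.email, "notice", None))  # heads-up to the current address
    return True


def confirm_email_change(acct: Account, token: str, outbox: list, now: float) -> bool:
    """Step 2: the new address proves it received the link. Only now does the
    address switch, and the OLD address gets a revert link as a safety net."""
    if acct.pending_token is None or acct.pending_email is None or now > acct.pending_expires:
        return False
    if not _same(token, acct.pending_token):
        return False
    acct.previous_email, acct.email = acct.email, acct.pending_email
    acct.pending_email = acct.pending_token = None
    acct.revert_token = secrets.token_urlsafe(32)
    outbox.append((acct.previous_email, "revert", acct.revert_token))
    return True


def revert_email_change(acct: Account, token: str) -> bool:
    """Undo path for the legitimate owner if the change was not theirs."""
    if acct.revert_token is None or acct.previous_email is None or not _same(token, acct.revert_token):
        return False
    acct.email, acct.previous_email = acct.previous_email, None
    acct.revert_token = None
    return True
```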

You should make sure to chargeback your credit card in that case.

Well, a paying (until you meet someone) customer

In real life. The founders already proved that doesn’t happen on the internet.

Well duh.

OKCupid specifically requires your real name which is beyond stupid for a dating site.

Anyone who's done online dating knows about stalkers and the need to hide your identity, but these guys want real names.

As for Grindr, well, isn't that owned by China? What better place to entrust your most compromising personal information, and what better long-term investment if you want compromising information that one day in the distant future might be to your advantage.

Before (and for some amount of time after) they made the Real Name policy, their safety tips page specifically said "Guard your identity. Don't share your real name." https://web.archive.org/web/20160928225651/https://www.okcup...

They also removed a blog titled "Why You Should Never Pay For Online Dating" when they were acquired by Match.com (a paid dating site) [0].

[0] https://www.themarysue.com/okcupid-pulls-why-you-should-neve...

Even before requiring your real name, OkCupid was pretty blah for some people. A friend of mine had a woman message him; before he could reply, with a few things in his profile she was able to identify him, and then went full psycho. Ultimately she made multiple posts on Cheaterville.com and made claims he gave her STDs etc., which cost him an acting job when the casting people googled him and BAM, it was one of the first things to pop up. The messages she sent were just nuts; I documented them here: https://www.ryanmercer.com/ryansthoughts/2012/1/20/a-troll-a...

And then more than a month later she started with more Cheaterville posts, this time posted as his full name: https://www.ryanmercer.com/ryansthoughts/2012/3/15/aimeexx1-...

Now, I wonder if perhaps staff/owners of Cheaterville weren't using dating sites to attempt to find people to blackmail. IIRC the site would remove any posts about you for a hefty fee.

I was an early adopter of OkCupid; in fact, long before they were acquired I was actually a volunteer moderator. It was interesting in the early days because you could tag stuff ("I like [[Metallica]], I read a lot of [[science fiction]], and I like to eat [[pizza]] before going to [[SCA]] fighter practice") and you could find people with similar interests that way, which was cool. I actually met some really cool women and am still friends with a couple of them. But then it started going downhill pretty quickly once they were purchased by the Match.com folks. Lots of dumb changes, removal of long-standing features, drastic increase in spam messages from people hundreds (or thousands) of miles away, requiring real names etc.

Didn't surprise me.

Every single time I'd pay for a Match.com account (over multiple years, as recently as last year), within a day of my subscription someone would message me. I'd always, like a sucker, pay again and reply and nothing... or they'd reply once or twice with very basic replies and stop. Now, I'm not saying they're scamming users to get them to pay for another month but... sure feels like it.

I anecdotally noticed a massive increase in spam/fake accounts when the same company bought Tinder too.

Is this actually a problem? Many people use a fake name that looks real. The same is true on Facebook and other services that "require" a real name.

This sounds to me more like "better police involvement around the crime of stalking" than "OkCupid are bad".

I can see why having "screen names" is good and why having "Jenny S from NYC" beats "picture of Jennifer Smith, 32 Acadia Avenue, Queens" on the site profile, but if it's crime we worry about, it's police we need.

I would be interested in knowing if I am deaf to a much larger problem than I am aware of.

“I can see why having a lock is better than leaving your door open, but if it’s robberies we worry about, it’s police we need.”

Yeah I still would be upset if my landlord didn’t fix the lock on my door.

If the person who kills you is caught and prosecuted, it's almost like you're not even dead.

Isn't it better to prevent undesirable behaviour in the first place rather than place additional burden on the police (for a trivial mostly non-dangerous behaviour)?

Also, is stalking actually a crime now? When does "wanting to talk to someone" become a crime? Are recruiters stalking me on LinkedIn? What if they keep sending me emails and I keep not replying?

I think the bar for putting people in jail should be much higher than that.

Eh, we are not really talking about Facebook "stalking", with someone looking at your Facebook profile, but about people continually harassing you and trying to contact you through all sorts of means.

I think the bar for putting people in jail for the above is just right, might even be too low.

> Also, is stalking actually a crime now?

Stalking has been a crime in all of the US states for 15 years, and has been a crime in most for longer than that.

If you are repeatedly contacting or surveilling someone, despite being told to stop, and are making them feel unsafe or intimidated, then you are probably violating the laws against stalking.

With their multiple-choice questions, OkCupid has a lot of in-depth personality data that is a total privacy nightmare if leaked to anyone. And therefore very valuable. Things like diet, sleeping habits, sexual preferences, religious and political alignment, addictions, everything really.

"Leaked?" "Privacy nightmare?" Last time I used OkCupid was like a decade ago. Back then you could view everyone's answers to their multiple choice questions right on their profile. Its purpose is (was?) literally to be read by others. Just like the purpose of this HN post is for others to read.

Edit: I think you could view them only if you both gave answers to the same question.

>Edit: I think you could view them only if you both gave answers to the same question.

Correct, but it would show you the questions you hadn't answered and let you answer them right then and there to see their response, meaning a couple of clicks. Scripting that for mining would have been trivial via the website.

> OkCupid has a lot of in-depth personality data that is a total privacy nightmare if leaked to anyone

Don’t you remember this? https://www.vox.com/2016/5/12/11666116/70000-okcupid-users-d...

OKC has been problematic for years now.

Solution: inject it with even more incorrect information about yourself.

But that messes up the data it's using to try to give you compatible matches. And it misinforms the people you're trying to meet (assuming public answers).

Exactly. These are features.

Grindr is section 5.1.5, page 72 of the report PDF: https://fil.forbrukerradet.no/wp-content/uploads/2020/01/202...

Thanks for the links. Honestly, the OKC info looks incredibly bland.

I think a dating app (especially the ones which have vulnerable groups like Grindr in this case) should never be ad supported. OkCupid also has a lot of detailed data about users and that getting leaked to third parties is absolutely horrible.

IIRC, there are “anonymized” OKC datasets out there already. Given the nature of the data and a few bits worth of information, it would probably be really easy to deanonymize the dataset.
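A way to put a number on the "few bits" claim above before an export is released, as an added example (not code from the report or from any dating site): compute the k-anonymity of the quasi-identifier columns, the share of records that are already unique, and, for a given record, the fewest attributes that single it out. The records, column names and helper names are constructed for this example.

```python
from collections import Counter
from itertools import combinations

# Constructed stand-in for an "anonymised" profile export: user ids and names
# stripped, only answers to profile questions kept.
FIELDS = ("age", "city", "religion", "diet", "politics")
RECORDS = [
    {"age": 29, "city": "Oslo", "religion": "atheist", "diet": "vegan", "politics": "left"},
    {"age": 29, "city": "Oslo", "religion": "atheist", "diet": "omnivore", "politics": "left"},
    {"age": 34, "city": "Bergen", "religion": "christian", "diet": "omnivore", "politics": "centre"},
    {"age": 34, "city": "Bergen", "religion": "christian", "diet": "omnivore", "politics": "right"},
    {"age": 34, "city": "Bergen", "religion": "muslim", "diet": "halal", "politics": "right"},
    {"age": 29, "city": "Oslo", "religion": "atheist", "diet": "vegan", "politics": "left"},
    {"age": 52, "city": "Trondheim", "religion": "none", "diet": "omnivore", "politics": "centre"},
    {"age": 52, "city": "Trondheim", "religion": "none", "diet": "vegetarian", "politics": "green"},
]


def group_sizes(records, fields):
    """Size of each equivalence class when records are keyed on `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def k_anonymity(records, fields):
    """Smallest equivalence class; k == 1 means at least one person is unique."""
    return min(group_sizes(records, fields).values())


def unique_fraction(records, fields):
    """Share of records that are the only one with their combination of values."""
    sizes = group_sizes(records, fields)
    singletons = sum(1 for n in sizes.values() if n == 1)
    return singletons / len(records)


def smallest_identifying_set(records, fields, target):
    """Fewest attributes whose values single out `target`, i.e. how little an
    outsider would need to already know. None if the record is never unique."""
    for r in range(1, len(fields) + 1):
        for combo in combinations(fields, r):
            key = tuple(target[f] for f in combo)
            if group_sizes(records, combo)[key] == 1:
                return combo
    return None


def release_report(records, fields):
    """Summary a data-protection reviewer would look at before publishing."""
    return {
        "k": k_anonymity(records, fields),
        "unique_fraction": unique_fraction(records, fields),
        "worst_case_attributes": min(
            (len(s) for s in (smallest_identifying_set(records, fields, r) for r in records) if s),
            default=None,
        ),
    }
```

In the constructed data, age alone is 2-anonymous, but three columns already produce a unique record, and two known facts (age and diet) pin down one person.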

> I think a dating app should never be ad supported

Then it's subscription based, which has been shown to be a hard market to work in. Plus any company that gets paid via subscription has an incentive to keep users on the site and paying money -- which, if a dating app works, won't do. Like, if the app is effective then people will find a partner and stop using it, ending their subscription and cutting costs.

> (especially the ones which have vulnerable groups like Grindr in this case)

I fail to see how their privacy is different from anyone else's. Or how their kinks are any less or more destructive than others'. Grindr is already banned in Iran, Turkey, and Saudi anyway.

Not really. All the Match.com-owned apps (Tinder, OkCupid, Hinge etc.) have very successful subscription models. I follow the top grossing apps for iOS and Tinder, Match, OkCupid are always on the list. It's more so that here, the Match.com people want to squeeze every dollar out of their users and are willing to compromise their privacy by supporting ads.

I understand and agree with the point about subscriptions leading to an incentive to keep users on the app. But this is also true for ad-supported ones. Dating apps have conflicting goals with user goals. That's why Tinder grosses so much money: because it's a mostly hookup app where quantity matters. So people keep coming back to the app and Tinder keeps making more money.

I do think if the data for the vulnerable groups falls into the wrong hands, it can destroy people's lives. Imagine an international student from Iran visiting the US and having a profile on Grindr. If this info somehow gets leaked back home, his life is in danger the next time he visits back home. This also has higher chances of being used as blackmail material by someone else.

This is one of the cases which the two Nigerian brothers have against Jussie Smollett's lawyers: the lawyers had made a claim that the brothers were attracted to Jussie. The brothers make the claim it's not true and that also puts their lives at risk when they visit back home.

What about, rather than a subscription, you pay a one-time fee?

Sadly this is not new. Back in the day (at least in 2013) I played with Wireshark to find out what dating apps were sharing with advertising platforms to generate banners. There was the following data:

- OS platform with version
- Preferred language
- Carrier network
- Current connection (3G/Wi-Fi)
- Exact position (altitude/latitude/longitude)
- Sexual orientation
- Twitter ID and Facebook ID (as long as the app can have access to it)

But all of this over HTTP, not HTTPS!

> - Exact position (altitude/latitude/longitude)

Given the context, when I first read this I was like wow! Advertisers want to know your sexual position? Then, I saw lat, lon and then realized that either way shouldn't surprise me.

I can see it now "We only want to advertise to 'missionaries', we find their click-through rates are better."

Is there a dating site with reasonable privacy / data security policies? Asking for a friend, of course...

I'm not aware of any. But if someone does have a reasonable privacy policy, how do you know that they actually adhere to it?

I've used dating sites in the past, but more recently I learned that it's much more fun, and works much better, to engage in real-life activities that get me around people I don't know, then ask interesting people out directly.

I was hacked 3 times on OKC. Thankfully, all the info I put there was fake; I somehow sensed their security is wack, judging from the user interface and the constant app crashes and bugs. There are also multiple reports of users who got hacked. I remember on one occasion my phone number was in a conversation and was picked up by hackers to text me in person, posing under some "Jessica".

Absolutely no surprise.

> The report, “Out of Control: How Consumers Are Exploited by the Online Advertising Industry,”

While it seems a bit hyperbolic, it's really not.

Out of interest, are there any restrictions/regulations on which parties can actually purchase that information?

I could see hate groups taking aim. Then who is at fault?

Perhaps I’m naive, but given Grindr’s very vulnerable user population I expected more...

I would never assume or blindly expect companies to be diligent. It's not like we've ever seen great examples of it.

Exibitionist445 likes that.

Seriously it is probably not restricted to dating sites, but information about sexual orientation and preference is especially worth it to marketeers. Not just products but also media companies that might like to know how to cater to specific audiences and their needs.

I don't understand how certain laws exist yet without the obvious steps to ensure they are followed. No oversight for companies like this? I'm pretty sure the companies' taxes will be checked every year.

Pragmatic Solution: Implement a federal tax on data use.

How about a ban on establishing a database of individually identifiable user profiles? Restrict data storage to anonymised statistical usage only. A technically possible way to achieve this is using a system like Keybase which could transfer profile data ownership to the individual.

> Restrict data storage to anonymised statistical usage only

Alas, this is easily 'de-anonymised' and so any privacy gains would be quickly lost:


The big data economy and privacy are mutually exclusive.

> How about a ban ...

A ban costs politicians money to enforce. A tax gives politicians more money when enforced.

Draw your own conclusions.

Politicians don’t spend any of their own money more than any other taxpayer. However, the more money politicians can influence to be spent, the more influence they have.

For example, the ban on marijuana has yielded tremendous returns for politicians and their associates in the police equipment and prison businesses.

You've banned gmail.

If Gmail was an unsustainable business because obeying the law is too expensive, it'd deserve to die.

Edit: My point is that existing businesses must not be exempt from new legislation, nor compensated under investor protection. Conversely, whether something should be allowed or not must not be based on the number of successful businesses in that sector.

And my point was that yours is far more restrictive than GDPR - if you interpret "profile" literally, you've also banned all online banking, possibly banking in its entirety!

The GDPR allows you to collect profile information for the purposes of performing a service etc.

How would this work? E.g. how do you audit whether such a tax is properly paid? What precisely would be taxed?

The current discourse in America seems to be that corporations are justified in anything they do as long as it stays within the letter, if not the spirit, of the law. Therefore, even if they are not possible to audit, I can see value in laws that establish how the system is intended to work.

Constructive question and answering this properly might take a few years and a couple of thousand pages. Tax legislation isn't done by forum posts.

However, in generic terms: financial transactions are audited by enforcing the use of a ledger, with rules for how all transactions must be entered into the ledger. Auditing data transactions could be implemented in a similar fashion, by demanding that all data usage is entered into a ledger, and that evidence is produced that the rules are followed. It could be similar to what the EU is doing with GDPR. GDPR can be audited and it is purely related to what is being done with data. Modelling a "data usage" legislation on this type of existing data legislation could be possible.

Precisely what would be taxed is perhaps not the core of my message. However, taxes have side effects: companies want to minimize taxes. If society would like to minimize the use of personal data, a tax on personal data use would have such an effect. Unprofitable use of personal data would decrease.

The key is to make data a liability, not an asset, so it is too expensive to store any data that is not directly essential. Maybe a ratio of the number of users in your database to the turnover of the company? A flat fee of $100/year, perhaps, for every permanent record you keep; a company could still sell products perfectly well without requiring users to actually register.

Big companies don't pay taxes anyway, and they represent the greatest risks.

The question isn't whether they pay taxes.

It's whether they ought to pay and get away with not doing so (due to lack of oversight), or if they are allowed not to pay.

They ought to pay taxes now already and they don't and they get away with it.

The taxman doesn't follow up?

So they can pay and be allowed to break the law?

There would be oversight where there is not currently, because of the motivation of taxes. No one suggested paying taxes on illegal activity would make it legal, but it would create a paper trail.

Neither Grindr nor OkCupid are non-profits. As the apps are free as in beer, if you don't pay with money, you pay with your data. If they didn't sell data, how would they make money? How would they get those valuations? If paid dating services do this, which they probably do, I agree it's scandalous. But in this case, it's more or less implied. Of course it's sad that so few people are aware of this fact.

They both make money from premium memberships that give extra functionality and features. Remember kids, collecting and selling data is never okie dokie.

Good point. They are a paid/non-paid hybrid then. Paying money for a service and getting your data sold is extremely shitty.

It doesn't follow that because an app is free as in beer that the app company is selling your data to make up the cost of running the app. For one thing, the likes of Plenty of Fish got to near billion $ valuation via AdSense and banner ads. I imagine people generally think this is how apps earn their money, if they were forced to think about it, especially since lots of freemium apps simply remove some banner ad when you pay.

Secondly, many companies are getting to mega valuations with free apps, via debt.

> got to near billion $ valuation via AdSense and banner ads

...which are probably collecting your data.

The idea that if you pay for a service they won't probe for, exploit, and sell your data is a fairy story where companies leave money on the table because they decide they have enough money. The data of paying customers is worth even more than the data of deadbeats.

It wouldn't be so sleazy if the fact that that's the transaction being made was less of an "open secret" and more of an acknowledged fact.

Funny, European media report more about Tinder being among the worst data abusers, but the US version mainly talks about the Chinese application Grindr...
